Data security

28.3.2022

Data protection is a matter of trust. The trust of our customers and other data subjects is very important to us. We process all personal data you provide to us with care, in accordance with EU general data protection regulation and national data protection laws.

When you purchase Palsatech’s products and services, have a contractual relationship with us or visit Palsatech.fi, we collect and process personal data you provide with us in order to serve you in the best possible way and to deliver and track the orders you place.

DATA PROTECTION DESCRIPTION

Palsatech Ltd’s data protection description in accordance with the EU general data protection regulation (Regulation 2016/679 of the European Parliament and of the Council “GDPR”).

1. Controller
Palsatech Ltd (”Palsatech”)

Address: Verkkokarintie 11, 94900 Kemi

Business ID: 2591403-6

You can ask more about privacy and the processing of personal data by e-mail: info@palsatech.fi

2. Grounds and purpose of processing Personal Data

We process data subject’s personal data based on the following processing principles as stipulated in the GDPR:

  • the express consent of the data subject;
  • to perform a contract to which the data subject is a party (e.g. a customer or supply contract);
  • to comply with the legal obligations to which controller is subject to (e.g. to meet employer obligations); and
  • on the basis of controller’s legitimate interest (e.g. performing camera and accessing control).

We collect, store and process personal data of the data subjects for the following purposes:

  • to maintain a customer and supplier relationship
  • for delivery, processing and archiving of orders
  • to provide good customer experience
  • to improve customer experience
  • for analytical and statistical purposes
  • to produce more personalized targeted content and marketing
  • to prevent abuse

3. Person Registers formed from Personal Data and Groups of Personal Data

Depending on your relationship with Palsatech, we will have one or more person registers in which we store and on the basis of which we process your personal data.

For each person register, we have described for what purpose it has been established and, by the way of example, what personal data in such person register is stored.

Customer Register contains personal data that we use for managing and developing customer relationships. Such processed personal data includes, for example, the name, address, telephone number, job title and other contact details of the data subject and the content of the products and services the customer has purchased from Palsatech from time to time.

Supplier Register contains personal data that we collect and process for managing, analyzing and developing the supply relationship between Palsatech and the supplier. Such personal data to be processed include, for example, the name and contact details of the supplier and its representative / contact person, the supplier’s number, the starting and termination dates of the contractual relationship, information relating to the supply contract and communication between Palsatech and the supplier.

Marketing Register contains personal data that we collect and process for marketing and promotional purposes. We can target our marketing to, for example, our potential and current customers, to whom we market our products and services and inform about our operations. Such personal data to be processed include, for example, the name, address, e-mail address, telephone number and job title of the data subject.

Website Register contains personal data that we collect from visitors to our website and which we process in order to ensure the functionality of our website and to develop our website. Examples of such personal data are cookies.

Recruitment Register contains personal data that we collect from potential employees, such as those who have applied to Palsatech, and that we collect and process for the purposes of making recruitment decisions. Such personal data to be processed include, for example, the contact information of applicants, applicants’ job history information and other personal data provided to us by applicants in their job applications.

Employee Register contains personal data of our current and, in part, former employees that we collect and process to fulfil our employer obligations. Such personal data to be processed include, for example, employees’ contact details, personal data relating to remuneration and personal data relating to the performance of other statutory employer obligations.

Personal Registers for the Security of the Controller contain personal data of employees and contractors, as the case may be, who use and have access to our security systems. We have, for example, an access control system, an electronic locking system and an alarm system. We process personal data in these systems to ensure the security of our premises and to prevent misuse. Such personal data to be processed include, for example, personal data of employees and employees of our contractors, such as the name and telephone number and information about when the system was used.

Camera Surveillance Register contains personal data of data subjects which are used: (i) for the prevention of crime on the properties owned by the controller, in the courtyards and on the premises of the controller; (ii) to ensure the personal safety of those on the premises; (iii) to protect property and information; (iv) for the prevention and detection of vandalism and other abuse of security or property; and (v) for the maintenance of law and order and investigation of accidents. Such personal data to be processed are personal data from which the data subject is identifiable.

We do not appropriately collect sensitive personal data in the context of camera surveillance. However, we may inadvertently obtain specific personal data in connection with camera surveillance. Such sensitive personal data will be handled with special care.

4. Data Content of the Register

The primary source of the personal data processed by Palsatech is the data subject itself. The information to be stored in the register is obtained from the data subject e.g. in relation to messages sent via web forms, e-mail, telephone, via social media services, contracts, customer meetings and other situations in which the data subject discloses his or her personal data to Palsatech.

Such personal data includes, for example:

  • Information provided by the data subject or other personally identifiable information
  • Identification information, such as name
  • Contact information, such as address, e-mail address, and phone number
  • Company / organization
  • Payment information, such as billing address
  • Customer feedback and contacts
  • Information relating to subscribing to the newsletter

The information content of the registers varies depending on what personal data the data subject discloses to the data controller.

In addition, personal data may be obtained from publicly available sources, such as websites, trade registers, and other public and private registers to which the person has consented to the processing of his or her data or to which the controller otherwise has appropriate access.

5. Transfer of Personal Data between the Controller and the Processors

In some cases, we may transfer data subjects’ personal data to our contractual partners who process personal data on behalf of us pursuant to a data processing agreement (DPA) between us and the data processor. Data processors do not have the right to process personal data on their own benefit and to decide independently on the use of personal data.

For example, your personal data may be transferred to the following processors:

  • IT companies that produce and maintain our IT services
    Auditor who audits our accounts
  • Other service providers (for example, digital marketing providers) that provide services related to the services and products we sell

We can use a variety of digital marketing service providers to conduct marketing for us. Such digital marketing service providers may process your personal data. You have the data subject’s rights as described in Section 9.

An example of such a digital marketing service provider is Prospect Global Ltd (trading under the name Sopro) Reg. UK Co. 09648733. You can contact Sopro and view their privacy policy here: http://sopro.io. Sopros are registered in the ICO register: ZA346877, you can send an email to their Data Protection Officer at: dpo@sopro.io.

In cases of suspected criminal offenses or similar, we shall have right to provide and disclose information to the police for the purpose of investigating suspected criminal conduct or misconduct, as well as, to other authorities or to persons engaged in security services who are entitled to receive such information by law.

We may also disclose or transfer data subjects’ personal data in accordance with the requirements of applicable laws as required by the competent authorities or other parties.

Palsatech may also share data subjects’ personal data with third parties (such as potential purchasers and / or their advisors) in connection with the preparation and execution of a potential acquisition, acquisition or transaction, provided that the recipient of the personal data is bound by appropriate confidentiality.

We will not disclose data subjects’ personal data to third parties unless there is a legitimate reason described above or due to law.

6. Transfer of Personal Data outside the EU and the European Economic Area

Personal data will not be regularly transferred or disclosed outside the EU or the European Economic Area (EEA).

If data subject’s personal data is processed outside the EU or the EEA, we will ensure that the adequate level of data protection of data subject’s personal data is safeguarded before processing personal data in third countries.

We ensure the security of data subject’s personal data by applying the protective measures required by EU and national data protection law (e.g., standard model contract clauses, SCCs, stipulated by the EU Commission). We also comply with other obligations under data protection laws.

We use third-party tools on our website, whose service providers may be located outside the EU or the EEA. Examples of such providers are Google Analytics. In this case, we ensure the adequate level of protection of personal data.

7. Retention of Personal Data

We will retain your personal data for as long as the purpose and grounds for processing personal data described in this data protection notice exist.

The data retention periods (or determination criteria) can also be derived from mandatory (statutory) retention periods and from the controller’s industry code of conduct. Binding retention periods for the processing of personal data are enacted, for example, in the accounting and labor legislation.

The personal data in the Customer and Supplier Register will be stored for the duration of the customer and supplier agreement and thereafter until the obligations and claims under these agreements have been finally solved.

The personal data in the Employee Register will be stored during the term of the employee’s employment agreement and thereafter for ten (10) years. The personal data may be stored for a longer period if that is necessary for the handling of the obligations or claims between the parties.

The personal data in the Recruitment Register will be stored during the recruitment process and thereafter for one (1) year from the end of the recruitment process. The personal data may be stored for a longer period if that is necessary for the handling of the obligations or claims between the parties.

The personal data in the Marketing Register will be stored until further notice and for as long as data subject’s consent is valid.

The personal data in the Website Register will be stored for a period of six (6) months, unless otherwise expressly indicated in the website cookie notice. We may store some cookies for a longer period of time. Up-to-date information on the retention periods for cookies can be found in the cookie notice on the website.

Personal data in the Camera Surveillance Register shall be retained for the time required for processing purposes. Personal data will normally be destroyed under a new recording within a maximum of 5 weeks of recording. However, personal data may be retained for a longer period if the purpose and grounds for the processing of personal data so requires (for example, conducting an official or police investigation). At the end of the investigation, the information shall be kept for the time necessary for the preparation, submission or defense of the legal claim and its final processing.

We will delete data subjects’ personal data if we no longer have grounds and purpose for processing personal data as described in this data protection notice.

We may store your personal data either electronically or manually, depending on your personal data and Palsatech’s current policies.

8. Protection Principles of Registers

The personal data contained in the registers are adequately protected by both technical and organizational security measures. Processing of personal data belonging to the register shall be carried out with due care and the data processed by means of information systems shall be properly protected. When registry data is stored on Internet servers, the physical and digital security of their hardware is adequately addressed. The controller shall ensure that the data stored, as well as the access rights to the servers and other information critical to the security of personal data, are treated confidentially and only by the employees whose job description it belongs to.

9. The Rights of the Data subject

Right of Inspection and Rectification

According to data protection legislation, the data subject has the right to inspect the data stored in the register concerning him or her, as well as the fact that there is no data concerning him or her in the register, and to submit a request to the controller to correct any errors in the register.

Contacts concerning the right to inspect and rectify, as well as any requests for rectification, must be made in writing. If necessary, the controller may ask the data subject to prove his or her identity. The controller will respond to the data subject within the time limit set by the GDPR (generally within one month).

Right to Delete Data

The data subject has the right to request the deletion of personal data concerning him or her from the register if there is no legal basis for processing personal data.

Right to Restrict Processing

The data subject may request a restriction on the processing of personal data on the grounds provided by law.

Right to Object

The data subject shall have the right to prohibit the controller from processing personal data concerning him or her for the purposes of direct mail, distance selling and other direct marketing, as well as market and opinion research. Prohibition on the processing of personal data must be made in writing.

The data subject has the right to object to profiling and other processing in situations where we process data subject’s personal data on the basis of our legitimate interests, based on a special situation.

Right to Transfer Data from one system to another

If the data subject has provided the controller with personal data which is processed with consent, the data subject shall have the right to obtain such information in a machine-readable form as a general rule and to transfer this information to another controller.

Right to Withdraw Consent

If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw his or her consent at any time.

However, the processing of the data subject’s personal data prior to the withdrawal of the consent shall not become unlawful, even if the consent is subsequently withdrawn.

Right to lodge a Complaint with the Supervisory Authority

Each data subject has the right to lodge a complaint with the supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of employment or where the alleged breach of the GDPR has taken place. The Office of the Data Protection Ombudsman acts as the national supervisory authority (http://www.tietosuoja.fi).

Requests for the exercise of rights must be sent in writing to the controller. If necessary, the controller may ask the data subject to prove his or her identity. The controller will respond to the data subject within the time limit set by the GDPR (generally within one month).

10. Other

As data controller, we do not perform automatic decision-making or profiling regarding your personal data.

If we require you to provide us with your personal data and refuse to do so, we will not be liable for any direct or indirect consequences that you incur or may incur as a result of not providing your personal data. It is not possible to use certain of the services we provide and to obtain our products without processing your personal data.

Our website or services may contain links to sites and content owned or operated by third parties. When accessing such sites or services, you should review and accept any such data protection notices. Such sites or services are not under the control of the controller and the controller is not responsible for their content or data protection notices.

11. Change to Data Protection Notice

This data protection notice may be updated or amended from time to time. When we make changes to this data protection notice, we will include the date the data protection notice was last updated. If there have been material changes to this data protection notice or how we use your personal data, we will notify you either by posting a visible notice of such changes before making changes to our website or by sending you a notice directly.

This data protection notice was last updated and takes effect in 28.3.2022.