1. Register controller and contact information

Avalon Oy
Tammasaarenkatu 3
00180 Helsinki

2. Purposes of handling personal information

Register controller Avalon Oy processes personal information according to the applicable data protection laws, including the EU's General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (1050/2018).

Purposes for handling personal information:

  • maintaining customer relationships and carrying out customer services
  • offering useful, targeted and personalised services to customers
  • carrying out the rights and obligations of the customer and register controller
  • processing the personal information of different stakeholder groups (suppliers, job applicants, partners)
  • processing website user data to verify and develop website functionalities
  • processing personal data connected to products and services of the register controller, such as developing, offering, operating and marketing products and services

Additionally, personal data saved in the register may be used in accordance with the data protection legislation for stakeholder communications of the register controller, such as sending newsletters, electronic notifications and electronic direct marketing. 

3. Legal bases for processing personal data

The legal bases for processing personal data are, depending on the purpose, requirements set by the law, agreement, consent and the register controller's legitimate interests. 

The register controller’s legitimate interests are the basis of processing personal data when there is a relevant relationship between the controller and data subject. This kind of relevant relationship is formed, for example, when the data subject contacts the register controller on their own initiative or when the register controller processes the personal information of the data subject, for example in conjunction with business or partnership activities with the data subject’s employer.

In addition, based on the register controller's legitimate interests, the register controller may save the data of potential customer companies and their contact persons and representatives where the register controller can reasonably expect them to be interested in acquiring products or services that the register controller offers. 

Digital marketing of the register controller can be sent to the data subjects who have given their consent to direct marketing. When the data subject is asked to give their consent to direct marketing, they are also made aware that cancelling this consent is straightforward and can be done at any time. In addition, in accordance with the applicable data protection legislation, direct marketing can be sent to such recipients that the register controller can reasonably assume have responsibilities or assignments essentially connected to the marketable goods and services.

A direct marketing subscription can be cancelled by contacting the register controller or by clicking on the unsubscribe function available in every marketing message (named “Poistu postituslistalta” or “Unsubscribe”). This will remove the data subject’s details from the list of subscribers.

4. Different personal information classes

The register may contain information regarding the following stakeholders:

  • Clients of the register controller and the representatives and contact persons of these clients
  • Subcontractors and suppliers of the register controller and the contact persons of these subcontractors and suppliers
  • Potential clients and the representatives and contact persons of these potential clients
  • Members of other stakeholder groups (such as job applicants and other partners)

The following information about a given data subject will be processed, as necessary for the aforementioned functional purposes:

  • Name
  • Email address
  • Phone number
  • Company name, company ID, the contact person in the company and their position
  • Subscription information, agreement and quote information, invoicing and payment information
  • Client feedback and contact details
  • Information based on the client relationship, such as contact log, feedback and follower information
  • Additional information provided by the data subject (such as a CV sent by a job applicant)

The data subject is not obliged to provide their personal information to the register controller; however, refusing to provide necessary information may lead to difficulties in remaining in touch with the register controller. 

5. Regular sources of information on the register

Personal information has primarily been collected from the following sources of information:

  • Directly from the data subject for the purposes of maintaining the customer relationship (for example, via the contact form on the website)
  • Directly from the data subject as part of a job application and recruitment process
  • Directly from the data subject as part of another partnership
  • From publicly/commonly available sources (such as the internet and trade register)
  • From a registered employee or a representative of a stakeholder currently in a customer, business, partner or contractual relationship with the register controller

During business operations, company information is checked from Suomen Asiakastieto Oy's registers, which may also contain information about company representatives.

6. Recipients of personal data

The register controller does not generally release any personal information of the data subjects to third parties, excluding instances where authorities so require in accordance with the law, or in order to provide services to customers. For carrying out its services, the register controller uses trusted third-party service providers who may, in accordance with data protection law, process personal information on behalf of the register controller to carry out these services.

With Google Analytics and HubSpot, the register controller collects user data from the website in order to better analyse and improve the website and to offer targeted marketing to the site users.

The register controller uses cookies to improve user experience. Cookies are small text files that are placed on your computer by websites that you visit, at the request of your browser. You can disable cookies in the browser’s settings.

Potential transfers of personal data out of the European Union or European Economic Area will always be executed following the applicable data protection regulations.

7. Storage period of personal data

The register controller will process and store personal data only as long as it is necessary for the pre-determined purpose of use. Unnecessary personal data that the register controller has no valid reason to store or process will be regularly deleted in accordance with the register controller's data protection policy. Personal data becomes unnecessary, for example, when the customer, business, partner or contractual relationship with the register controller has ended, except where the law requires the continued storage of the personal data.

8. Rights of the data subject

The data subject has the following rights that will be applied depending on the case:

Right to access personal data
The data subject has the right to obtain confirmation from the register controller on whether the data subject's personal information is being processed. If personal information is processed, the data subject has the right to access this information.

Right to rectification, erasure or restriction of processing
The data subject has the right to ask the register controller to rectify information concerning them, erase any information concerning them or ask to limit the processing of the data based on law.

Right to object
The data subject has the right to object to the processing of their information based on their unique situation, when the register controller processes the data based on the register controller’s legitimate interests.

Right to complain to the supervisory authority
In Finland, the relevant supervisory authority is the Data Protection Ombudsman, whose contact details and instructions you can find at www.tietosuoja.fi

Using your rights

You can use the aforementioned rights by contacting the register controller by email at info@avalon.fi. We will respond to you as soon as possible and will provide you with further information or request additional information, as applicable to your request.

We ask you to note that before we can comply with your request, we have the right and obligation to confirm your identity, which means we will need to use sufficient means to identify you.

If your request is clearly without basis or unreasonable, we may either charge you a reasonable fee for the administrative costs incurred or refuse to carry out the requested action.

9. Processing personal data and profiling

The register controller does not use automatic decision-making, such as automatic profiling, as a part of the processing of personal data.

10. General description of the relevant technical and organisational security measures of the register controller

Personal data registers can only be accessed by those employees of the register controller who have signed applicable non-disclosure agreements and who have been trained on how to use the personal data registers.

The register controller has given its employees written instructions and orders on data protection and how to process personal data, and the employees are obliged to follow them.

The information network and hardware that belongs to the register controller and hosts the personal data is protected by a firewall and other applicable technical measures.

The register controller regularly checks its personal data processing functions and the systems and hardware used in them in order to, for example, estimate any risks to personal data associated with deploying new technology.

11. More information

If you have questions regarding the data processing carried out by the register controller, please contact us by using the contact information mentioned at the start of this privacy policy. The privacy policy was last updated on 15/04/2019.