1. Register controller and contact information
2. Purposes of handling personal information
Register controller Avalon Oy processes personal information according to the applicable data protection laws, including the EU's General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (1050/2018).
Purposes for handling personal information:
Additionally, personal data saved in the register may be used in accordance with the data protection legislation for stakeholder communications of the register controller, such as sending newsletters, electronic notifications and electronic direct marketing.
3. Legal bases for processing personal data
The legal bases for processing personal data are, depending on the purpose, requirements set by the law, agreement, consent and the register controller's legitimate interests.
The register controller’s legitimate interests are the basis of processing personal data when there is a relevant relationship between the controller and data subject. This kind of relevant relationship is formed, for example, when the data subject contacts the register controller on their own initiative or when the register controller processes the personal information of the data subject, for example in conjunction with business or partnership activities with the data subject’s employer.
In addition, based on the register controller's legitimate interests, the register controller may save the data of potential customer companies and their contact persons and representatives where the register controller can reasonably expect them to be interested in acquiring products or services that the register controller offers.
Digital marketing of the register controller can be sent to the data subjects who have given their consent to direct marketing. When the data subject is asked to give their consent to direct marketing, they are also made aware that cancelling this consent is straightforward and can be done at any time. In addition, in accordance with the applicable data protection legislation, direct marketing can be sent to such recipients that the register controller can reasonably assume have responsibilities or assignments essentially connected to the marketable goods and services.
Cancelling a direct marketing subscription is possible by contacting the register controller or by clicking on the unsubscribe function available in every marketing message (named “Poistu postituslistalta” or “Unsubscribe”). This will remove the data subject’s details from the list of subscribers.
4. Different personal information classes
The register may contain information regarding the following stakeholders:
The following information about a given data subject, necessary for the aforementioned functional purposes, will be processed:
The data subject is not obliged to provide their personal information to the register controller; however, refusing to provide necessary information may lead to difficulties in remaining in touch with the register controller.
5. Regular sources of information on the register
Personal information has primarily been collected from the following sources of information:
During business operations, company information is checked from Suomen Asiakastieto Oy's registers, which may also contain information about company representatives.
6. Recipients of personal data
The register controller does not generally release any personal information of the data subjects to third parties, excluding instances where authorities so require in accordance with the law, or in order to provide services to customers. For carrying out its services, the register controller uses trusted third-party service providers who may, in accordance with data protection law, process personal information on behalf of the register controller to carry out these services.
With Google Analytics and HubSpot, the register controller collects user data from the website in order to better analyse and improve the website and to offer targeted marketing to the site users.
Potential transfers of personal data out of the European Union or European Economic Area will always be executed following the applicable data protection regulations.
7. Storage period of personal data
The register controller will process and store personal data only as long as it is necessary for the pre-determined purpose of use. Unnecessary personal data that the register holder has no valid reason to store or process will be regularly deleted in accordance with the register controller's data protection policy. Personal data becomes unnecessary, for example, when the customer, business, partner or contractual relationship to the register controller has ended, apart from where the law requires the continued storage of the personal data.
8. Rights of the data subject
The data subject has the following rights that will be applied depending on the case:
Right to access personal data
The data subject has the right to obtain confirmation from the register controller on whether the data subject's personal information is being processed. If personal information is processed, the data subject has the right to access this information.
Right to rectification, erasure or restriction of processing
The data subject has the right to ask the register controller to rectify information concerning them, erase any information concerning them or ask to limit the processing of the data based on law.
Right to object
The data subject has the right to object to the processing of their information based on their unique situation, when the register controller processes the data based on the register controller’s legitimate interests.
Right to complain to the supervisory authority
In Finland, the relevant supervisory authority is the Data Protection Ombudsman, whose contact details and instructions you can find at www.tietosuoja.fi.
Using your rights
You can use the aforementioned rights by contacting the register controller by sending an email to firstname.lastname@example.org. We will respond to you as soon as possible and will provide you with further information or request additional information, as applicable to your request.
We ask you to note that before we can comply with your request, we have the right and obligation to confirm your identity, which means we will need to use sufficient means to identify you.
If your request is clearly without basis or unreasonable, we may either charge you a reasonable fee for the administrative costs incurred or refuse to carry out the requested action.
9. Processing personal data and profiling
The register controller does not use automatic decision-making, such as automatic profiling, as a part of the processing of personal data.
10. General description of the relevant technical and organisational security measures of the register controller
Personal data registers can only be accessed by employees of the register controller who have signed applicable non-disclosure agreements and who have been trained on how to use the personal data registers.
The register controller has given its employees written instructions and orders on data protection and how to process personal data, and the employees are obliged to follow them.
The information network and hardware that belongs to the register controller and hosts the personal data is protected by a firewall and other applicable technical measures.
The register controller regularly checks its personal data processing functions and the systems and hardware used in them in order to, for example, estimate any risks to personal data associated with deploying new technology.
11. More information