for JCDecaux Finland Oy’s Corporate Customer, Supplier, Partner and Marketing Register
1 Data Controller and Contact Details
JCDecaux Finland Oy (Business ID 0201696-2)
Mekaanikonkatu 11, 00880 Helsinki, Finland
Contact details for any data protection questions and requests:
• by email: firstname.lastname@example.org
• by telephone: +358 20 7758 200
2 Legal Bases and Purposes of Personal Data Processing
The data controller processes personal data based on the following legal bases and for the following purposes:
- implementation of a contract between the data controller and a company being its customer, supplier, subcontractor, landlord or co-operation partner (hereinafter, the ”Company”) and the carrying out of actions preceding the conclusion of the contract upon the data subject’s request, e.g. responding to queries, quotation requests, etc., provision and obtaining of agreed products and services, administration of contracts and orders, invoicing and debt collection;
- the creation, management, maintenance and development of a customer or other relationship between the data controller and the Company, in accordance with a legitimate interest based upon the contractual relationship between the data controller and the Companies; design and development of business, products and online as well as other services and customer service; customer and other satisfaction surveys, along with any other communications based upon the relationship between the Company and the data controller;
- carrying out the data controller’s statutory obligations, as well as the detection, prevention and investigation of any fraud, money laundering and other criminal action and malfeasances, in accordance with the data controller’s legitimate interests;
- in accordance with the data controller’s legitimate interests, the direct marketing of its products and services and targeting of same (incl. sending a newsletter) by telephone, by letter, email, SMS message or otherwise in electronic form; carrying out of surveys and market research, arranging marketing contests and other events;
- in accordance with the data controller’s legitimate interests, for analysing, profiling, segmentation and compiling statistics of the data subjects and their data in conjunction with the aforementioned purposes and for the purposes of same.
3 Data Subjects and Data Content of Register
The register contains the following information concerning the decision-makers and contact persons of the current and potential customer, subcontractor and co-operation partner companies and entities:
- Basic information: name, rank or occupation, status or position in the company, company details, work-related contact details (mailing and visiting address, email address, telephone number), year of birth, gender, mother tongue, service language, preferred mode of communication;
- Marketing information: information concerning tasks and position in business life or in public office, professional interests, other information disclosed by the data subject; marketing measures directed at the data subject, attendance at events, direct marketing and other permissions and consents, as well as prohibitions and restrictions;
- Information on the use of electronic services: e.g. registration details required by the right of use, such as user ID, alias, password and any other individualising identification; information concerning the reading of newsletters, utilisation and browsing information concerning services collected with the aid of cookies, advertising identifiers or other comparable technical means of monitoring, displayed advertisements as well as details of clicking on advertisements; site from which the user has transferred to the data controller’s site, device model, individual device and/or cookie identifier, data collection channel (internet browser, mobile browser, application), browser version, IP address, session identifier, session time and duration, as well as screen resolution and operating system, positioning data.
- Information related to communications: e.g. feedback and communications, emails, electronic communications forms, chats, telephone call recordings, other measures undertaken by the data subject on behalf of the company it represents
- Profiling and classification information: customer/user and marketing segments and analyses formulated on the basis of analysing and profiling the information described above, as well as classification etc. information collected from regular data sources.
4 Regular Data Sources
The information in the register is as a rule collected from the data subject themselves in connection with their use of services and the website, filling out a contact request or other form, conclusion of an agreement or other personal, electronic or telephone dealings or in connection with attendance at events. Furthermore, personal data may be collected and updated from publicly available information sources, such as from corporate websites, trade register, postal operators, contacts services (for instance Suomen Asiakastieto Oy, Fonecta Oy, Posti Oy) as well as from other comparable corporate and decision-making registers and other public and private registers.
5 Disclosure and Transfer of Personal Data
The data controller may disclose information recorded in the register to the data controller’s group companies and co-operation partners, when necessary for carrying out the intended purposes of the register, e.g. to deliver the agreed products or services. Otherwise information is not disclosed to third parties without the data subject’s consent.
The data controller also has the right to utilise subcontractors for carrying out the intended purposes of the register. Such subcontractors include, for instance:
Personal data may be transferred to be processed also in a country outside of the EU/EEA. Unless the European Commission has decided that the level of data protection in the processing country is acceptable, the data controller ensures appropriate data protection by concluding with its subcontractors written agreements using the standard clauses approved by the European Commission (Decision C (2010)593) or through another lawful procedure.
6 Principles of Protecting the Register and Data Retention Period
The right of use to the data is limited to only the persons who by virtue of their work are entitled to process the information in the register. The data is retained in locked premises, protected by access control. Electronic data has been protected with firewalls, access rights control and other technical means. Each user has their own user ID and password to the system. The data controller ensures the actualisation of data security in its subcontractors’ services by means of data processing agreements to be concluded with its subcontractors processing personal data.
Personal data is retained for as long as necessary for the intended purpose. As a general rule, the information is deleted when 1.5 years have elapsed from the cessation of the customer, supplier or other relationship between the data controller and the Company, or once the data controller has been informed that the data subject is no longer a contact person of the Company, with the following exceptions:
- Utilisation data of electronic services and information related to communications is retained for five years from the said time. (The data controller retains the information of corporate customers on other bases, i.e. information of such use of the data controller’s products and services, correspondence and other communications that the data subject has carried out on behalf and in the name of the corporate customer, in its capacity as its representative. It is not used for purposes concerning the data subject and it does not constitute personal data.)
- Anonymised data may be retained permanently.
- The basic details of the data subject and the marketing information may be retained permanently for the purposes of direct marketing.
- Data collected on the basis of consent shall be retained in accordance with the consent.
- In circumstances permitted by the legislation in force from time to time, beyond the above-mentioned retention periods.
The data controller assesses the necessity of retaining data on a regular basis and takes all reasonable measures to ensure that no personal data concerning the data subject that are incompatible with the purposes of the processing, outdated or incorrect are retained in the register.
7 Inspection Right, Rectification Right and other Rights of the Data Subject
Each data subject has the right to inspect their data recorded in the register of persons and to have any incorrect, outdated, unnecessary or unlawful information be rectified or erased. The data subject also has the right to retract at any time the personal data processing consent they have previously granted. Retracting consent shall not affect the lawfulness of the processing that occurred prior to retracting consent.
The data subject has the right to object to personal data processing or to request a restriction on the processing, as well as to lodge a complaint to the data protection officer regarding personal data processing.
If the data subject has submitted their personal data to the data controller and the processing is based upon consent or agreement, they have the right to obtain such information for themselves in a structured, generally used and machine-readable form and the right to transfer the data to another data controller in accordance with the legislation in force.
When the basis for the processing of personal data is a legitimate interest, the data subject has the right to object to the processing of their data on a basis related to their particular personal situation. In connection with filing the request, the data subject must specify the particular situation that the objecting is based upon.
Requests concerning the exercise of the above-mentioned rights must be sent to the email address mentioned under Clause 1. If necessary, the data controller may request the data subject to specify their request in writing and to prove their identity.