CUSTOMER AND MARKETING REGISTER PRIVACY STATEMENT

1 CONTROLLER

Generics Finland Oy (Business ID: 2087908-3)
Askonkatu 4
FI-15100 Lahti, Finland

2 CONTACT PERSON FOR REGISTER-RELATED MATTERS

Jyri Paasonen
+358 (0)45 257 3488
jyri.paasonen@osaava.fi

3 DATA PROTECTION OFFICER

The Data Protection Officer of the controller is Jyri Paasonen.

4 NAME OF THE REGISTER

The name of the register is the customer and marketing register.

5 PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA

Personal data is collected for specified, explicit and legitimate purposes to fulfil contractual obligations related to customer relationships. The controller has the right to engage in marketing based on a legitimate interest of the controller.

Personal data is collected according to this privacy statement and will not in any situation be used, altered or transferred in any other way except as stated in this privacy statement.

6 DATA CONTENT OF THE REGISTER

The register contains the personal data of the customers of the controller, including the name, address, telephone number, email address, position within the company and other information related to the management of the customer relationship.

7 COOKIES

The website of the controller uses a third-party website analytics and marketing system (Google Analytics). The system uses cookies to collect data on users. However, this data will not be used to identify individual users, but to develop the website and services. Google Analytics transfers and stores the data on its own server.

8 REGULAR DATA SOURCES

Data is collected in the register from the data subjects themselves and from the sources of customers and stakeholders. Data is also collected in the register from public sources, such as the contact information of organizations on websites or address registers.

9 REGULAR DISCLOSURE OF DATA

Necessary customer data may be disclosed for legal purposes to authorities. The controller does not disclose data to third parties or automatically to other partners. In individual cases, the controller discloses the data on a customer to a designated party if the party in question so requests or if a competent authority requires the controller on legal grounds to disclose specified data in a database in the controller’s possession.

10 DATA TRANSFER TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

Data is not transferred to third countries or international organizations.

11 RIGHT OF ACCESS

Data subjects have the right to inspect what data concerning them has been stored in the register. In addition, having submitted a sufficiently precise and specific inspection request, data subjects have the right to access the data that concerns them and is included in the records. The inspection request must be submitted in writing, signed and sent to the contact person of the controller and a copy of a personal identification document containing a photo of the data subject must be included.

12 RIGHT OF RECTIFICATION AND ERASURE

The controller must rectify incorrect data specified by a concerned party in the personal data register. The controller is also independently obligated to verify that the data included in the register is accurate and up to date. Data subjects may also request the controller to remove data concerning them from the register. The procedure is managed by the Data Protection Officer.

13 OTHER RIGHTS RELATED TO THE PROCESSING OF PERSONAL DATA

Data subjects have the right to request restriction of processing personal data. Data subjects also have the right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller. In addition, data subjects have the right to object to the processing of data, decisions based on automated processing, and profiling.

14 ERASURE OF DATA AND DATA RETENTION PERIOD

The controller will erase the customer’s data from the register when operational grounds for processing the data no longer exist or if the concerned person demands the controller on a legal basis to remove his or her data.

Personal data is erased by overwriting when grounds no longer exist for processing or storing the data. However, data will not be erased if the law provides otherwise or if a competent authority has initiated a process that requires the controller to retain the data or another party has requested a Finnish court of law to decide on safeguarding the data.

15 APPROVAL OF THE PRIVACY STATEMENT

The privacy statement was reviewed and approved for continued use on April 26, 2018.