This is a statement on the processing of personal data in accordance with the EU General Data Protection Regulation (679/2016). Last update of the statement: 29.11.2021.
Controller
Wonsta Oy
Business ID: 3204106-9
Address: Lapinlahdenkatu 16, 00180 HELSINKI, Finland
e-mail: julius@wonsta.io
Contact for data protection issues
Data Protection Officer
Julius Aho
For all questions related to the processing of personal data and the exercise of their rights, data subjects are invited to contact the Data Protection Officer.
Name of the personal data file
Wonsta Oy electronic customer register
Grounds for and purposes of the processing of personal data
The legal basis for the processing of personal data is:
- The data subject’s consent to the processing of personal data
- The contractual relationship between the data subject and the controller
Personal data are processed to provide the service, to maintain customer relations and partnerships, and for general customer and marketing communications.
Regular data sources
The personal data processed are normally obtained from the following sources:
- From the data subject himself/herself
- From the trade register
The personal data processed
The controller collects from data subjects only the personal data that are relevant and necessary for the use described in this Privacy Policy.
The following data of data subjects are processed:
- Full name
- E-mail address
- Address details of the company or individual represented, such as:
  - Country
  - Street address
  - Postal code
  - Town or city
- Name of the company or individual represented
Disclosure of personal data
As a general rule, personal data will not be disclosed to third parties, with the exception, however, of the company’s current valid partnerships in the following categories:
- The Company’s IT and ICT partners who are technically responsible for the Company’s technical database and server solutions
- Communication tools and services, such as the customer service, customer support and marketing tools used by the company
- Payment transaction partners for money transfer purposes
- Analytical and statistical partners
- Advertising and marketing partnerships for cookie-based advertising
In addition, data may be disclosed, for example to public authorities, as required by law.
Transfers of personal data to third countries
In principle, personal data will not be transferred outside the EU and the European Economic Area. If a transfer is made for a specific reason, it will be carried out in accordance with the European Commission’s data protection adequacy decision, and only to the partners referred to in the previous section.
Data retention period
The controller processes personal data for the duration of the active customer relationship. At the end of this period, the controller shall erase or anonymise the data within a maximum of six months of the end of the period, in accordance with its data deletion processes. An active customer relationship is defined as at least annual activity with the company’s services and products.
The controller may be obliged to process some of the personal data contained in the register for longer than stated above to comply with legal or regulatory requirements.
Rights of the data subject
Right of access to personal data
The data subject has the right to obtain confirmation as to whether personal data concerning him or her are being processed and, if so, the right to obtain a copy of his or her personal data.
Right to rectification
The data subject has the right to request that inaccurate or incorrect personal data concerning him or her be corrected.
The data subject also has the right to have incomplete personal data completed by supplying the necessary additional information.
Right to erasure
The data subject has the right to request the erasure of personal data concerning him or her where
a. the personal data are no longer necessary for the purposes for which they were collected;
b. the data subject withdraws the consent based on which the personal data were processed and there is no other legitimate basis for the processing; or
c. the personal data have been unlawfully processed.
Right to restriction of processing
The data subject has the right to restrict the processing of personal data concerning him or her where
a. the data subject contests the accuracy of his or her personal data;
b. the processing is unlawful and the data subject objects to the erasure of his or her personal data and requests the restriction of their use instead; or
c. the controller no longer needs the personal data for the purposes for which they were originally processed, but the data subject needs them for the establishment, exercise, or defense of legal claims.
Right to withdraw consent
The data subject has the right to withdraw his or her consent to the processing at any time, without affecting the lawfulness of the processing carried out based on that consent.
Right to data portability
The data subject has the right to obtain the personal data relating to him or her and supplied by him or her in a structured, commonly used, and machine-readable format, and the right to transfer the data concerned to another controller.
Right to lodge a complaint with a supervisory authority
The national supervisory authority for personal data matters is the Finnish Office of the Data Protection Ombudsman. You have the right to refer your case to the supervisory authority if you consider that the processing of personal data concerning you infringes the relevant legislation.
Changes to data protection practices
The controller is constantly developing its activities and may need to amend and update its privacy practices where necessary. Such changes may also be based on changes in data protection legislation.
If the changes include new purposes for the processing of personal data or are otherwise significant, the controller will give prior notice and, where necessary, request consent.