OK5.fi Privacy Policy for customers, potential customers and stakeholders

List of contents

1. Controller
2. What do we mean by different terms?
3. For what purposes do we process your personal data?
4. What types of data can we process?
5. From which sources do we collect your personal data?
6. With whom can we share your personal data?
7. Do we transfer your personal data outside the EU?
8. How long do we process your personal data?
9. How can you exercise your rights in relation to your personal data?
10. Which country's legislation applies to the processing of your data?
11. How can we update this privacy policy?

1. Data controller

The Registrar of Companies

OK5 Oy

Business ID: 3321275-5

Any questions regarding the processing of personal data should be addressed to: [email protected].

2. What do we mean by the different terms?

"Data subject" means the person whose personal data are held by the controller in its personal files.

"Personal data" means any information relating to an identified or identifiable natural person, i.e. the data subject, such as name, address, email, telephone number and transaction history.

"Customer" means consumers and the contact persons of businesses and other entities (hereinafter "business") with whom the controller has a customer relationship or with whom a customer relationship has lasted for two calendar years or less. Customers are also employees of companies to whom the company acquires access to use the services of the controller as an identified data subject.

"Potential customers" means consumers and business contacts with whom the controller is seeking to establish a new customer relationship or renew a customer relationship that has ended more than two years ago.

"Stakeholders" means consumers and business contacts with whom the controller has a cooperative relationship (for example, representatives of businesses that provide services to us) or other contact (for example, social decision-makers in the context of public relations activities)

"Controller" means a controller who defines processing purposes and means.

3. For what purposes do we process your personal data?

The controller processes personal data of data subjects for the following purposes (one or more at the same time):

• Managing, analysing and developing customer and stakeholder relations

The controller may use your personal data to manage, analyse and develop the customer relationship established directly with you or with the company you represent.

• Provision of services

The controller may use your personal data to provide services if, for example, you or a company you represent has purchased a service from the controller, otherwise used the controller's digital services, subscribed to the controller's newsletter or participated in their events. The personal data is used for the purposes of implementing the rights and obligations arising from a contract or other commitment between the controller and the customer.

• Customer communication

The controller may use your personal data in its customer communications, for example to send you notifications about the services, to inform you about changes to the services and to request feedback on the services.

• Marketing

The Registrar may contact you to tell you about new services and benefits. The controller may use personal data to tailor its offerings and provide relevant content. This means, for example, that the controller may provide recommendations or display customised content and customised advertisements on its own and third-party services.

• Development of services

The data controller may use your personal data to improve its services, for example to improve the range of products to make them more attractive to customers.

The legal basis for the processing of personal data is Article 6 of the EU General Data Protection Regulation, which provides the following sub-paragraphs:

• processing is necessary for the performance of an agreement to which you are a party or for the performance, at your request, of pre-contractual measures;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party, except where the protection of your personal data is necessary for the purposes of your interests or fundamental rights; and -your freedoms override such benefits;
• you have given your consent to the processing of your personal data for one or more specific purposes; and/or
• processing is necessary for compliance with a legal obligation of the controller.

The controller processes your data to perform a contract with you or a company you represent (e.g. to provide a digital service).

The data controller has legitimate business interests, such as the right to promote its services through marketing and sales, and may engage in direct marketing and sales using your contact information on the basis of legitimate interests. Other legitimate interests for which the controller may process your personal data include providing advice and other customer services to noncustomers, further developing the business and investigating possible misuse.

Unless the processing is based on a contractual need or a legitimate interest, the controller may ask for your consent for other types of processing of personal data, such as the processing of the data subject's health or other information classified as sensitive.

In addition, the controller may process your personal data where required to do so by law, such as under the retention obligation of the Accounting Act.

4. What types of data can we process? 

Personal data collected by the controller may include, but are not limited to, the following types of data and changes made to them:

4.1 Basic information on all registrants

• first name and surname
• contact details (postal address, email address, telephone numbers)
• age
• language
• communications to the data subject and related activities
• Direct marketing choices
• data concerning the use of digital services by the data controller and content created by the data subject for the services

• information about cookies and other similar activities sent to the data subject's terminal equipment (such as computers and mobile devices) and the data collected through them, if the person can be identified on the basis of this information

• any recordings of customer service calls, as well as recorded email and online conversations related to customer service, for example on social media channels

4.2 Additional information on business representatives

• the name and other necessary identification of the company that employs the representative
• title and/or job description

4.3 Data subjects who have purchased, provided feedback and/or made a complaint about the services of the controller

• the time and manner of the start and end of the customer or similar relationship
• Customer promotions and offers and their use
• Customer declared interests and other information
• content of feedback and complaints, related correspondence and follow-up

4.4 Sensitive personal data

• if the data subject voluntarily and with his or her own consent provides the controller with sensitive personal data (such as health data), including in the open fields of digital services

5. From which sources do we collect your personal data?

The data controller receives a large part of your personal data from you at the beginning and during your relationship with us and from the programs you use to access our services.

The controller also receives personal data and updates thereof from public authorities and organisations that provide services for obtaining and updating personal and credit data, as well as from public directories and other public information sources, such as websites and social media channels. For marketing purposes, the controller collects personal data from data subjects in connection with various activations, such as lotteries, competitions, surveys or events (by the controller or their partners).

The controller also receives personal data about company representatives from their colleagues, i.e. the main contact person of the company may also disclose personal data about other persons related to the use of the controller's services to the controller.

6. With whom can we share your personal data?

The Controller will not give, sell or otherwise disclose your personal data to third parties, unless otherwise stated below.

The controller may share your personal data with third parties providing services to the controller. These services may include, for example, customer service, software services, research, marketing and event production. The controller may share your personal data for the purpose of collecting payments for products and services, and may, for example, transfer or sell unpaid invoices to third parties providing collection services.

The protection of your personal data is important to the data controller and we do not allow these parties to use your data for any purpose other than to provide the agreed services, and we require them to protect the personal data of data subjects in accordance with this Privacy Policy and applicable law.

The controller may share your personal data with partners with whom the controller jointly manages and implements projects.

The Controller may share your personal data with carefully considered third parties, for legitimate reasons, for joint or independent direct marketing purposes. Data may only be shared for such purposes where the intended use by the third party is not incompatible with the purposes set out in this Privacy Policy. In principle, a very limited amount of information will be shared, mainly the name and contact details of the individual for the purpose of contacting them.

The data controller may share your personal data in the context of an acquisition or other business reorganisation or when the service is transferred to another service provider. The controller may share your personal data on the order of a court or similar authority.

7. Do we transfer your personal data outside the EU?

In providing its services, the registrar may use resources and servers located around the world. The controller may therefore transfer your personal data outside the country where the services are used and possibly to countries outside the EU w i t h different data protection laws.

In some cases, the controller will ensure that there is a legal basis for the transfer and that personal data are protected, for example by using standard contracts and processing agreements approved by the relevant authorities (where applicable), and by requiring compliance with appropriate technical and other data protection measures.

8. How long do we process your personal data?

The controller will process your personal data in this register for as long as the controller has any of the grounds for processing described in section 3 of this Privacy Policy in force, and for a reasonable period thereafter.

The data controller may process personal data of customers for the duration of your relationship with us and until the end of the second year following the year of the decision. After this period, the controller may transfer your necessary personal data to a marketing register and process you again as a potential customer.

The controller may process the personal data of potential customers for the time being until you become a customer or until you request the removal of your data from the controller's marketing register.

9. How can you exerciseyour rights in relation to your personal data? 

As a registered user, you have various possibilities to influence the processing of your personal data. As a general rule, we will comply with your request within one month. Please contact us at the contact details provided in section 1 of this Privacy Policy to exercise your rights. The rights you have (the extent of these rights depends on the basis on which your personal data are processed, i.e. not all the rights listed below will be available to you in all situations):

1. Right of access to the personal data collected about you. In practice, this is achieved by providing you with a report on the personal data collected about you in a personal file, based on your valid and identified request.
2. Right to request the rectification or erasure of personal data collected about you. If you notice any errors or omissions in your data, you may submit a request for rectification to us.

The right to request the erasure of personal data collected about you.

We are obliged to delete the personal data you have requested from our personal data file if one of the following criteria is met and no other legal or regulatory obligation to retain the data exists:
• the personal data are no longer needed for the purposes for which they were processed;
• you withdraw your consent and there is no other lawful basis for the processing;
• Object to processing based on your particular personal situation and there is no legitimate ground for the processing or you object to the processing of your personal data for direct marketing purposes;
• your personal data has been unlawfully processed;
• your personal data must be erased in order to comply with a legal obligation under European Union law or Finnish law to which the controller is subject; or
• Your personal data have been collected in connection with the provision of information society services, such as subscriptions to the controller's digital information services.

4. Right to request restriction of the processing of personal data collected about you. You may request the controller to restrict the processing of your personal data if:

• the personal data are no longer needed for the purposes for which they were processed;
• the processing is unlawful and you are requesting a restriction of use instead of removal;
• the controller no longer needs the personal data concerned for the purposes of the processing, but you need them for the establishment, exercise or defence of legal claims;
• you have objected to the processing of personal data pending verification of whether the controller's legitimate grounds override yours.

5. Right to object to the processing of personal data concerning you. Where the controller processes your data on the basis of a legitimate interest, you have the right to object to the processing of personal data concerning you on grounds relating to your particular situation. Anyone on the registers covered by this Privacy Notice has the right to object to the processing of their personal data for direct marketing purposes.

6. Right to data portability. If the automated processing of your personal data is based on consent or a contract, you have the right to receive the personal data you have provided to the controller in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller.

7. Right to withdraw consent. If all or part of your personal data is processed in this register on the basis of your consent, you have the right to withdraw your consent.

8. Right to lodge a complaint with a supervisory authority. If a potential disagreement between you and the controller regarding the processing of your personal data cannot be settled amicably, you have the right to refer the matter to the data protection authority.

10. Which country's legislation applies to the processing of your data?

Finnish legislation and EU legislation directly applicable in Finland, such as the EU General Data Protection Regulation, apply to the personal registers of the controller and the processing of personal data contained therein.

11. How can we update this Privacy Policy?

A data controller is constantly developing its business and this may also mean changes in the processing of personal data. We will update this Privacy Policy as necessary to reflect any changes in our practices. Changes may also be based on changes in legislation. We recommend that you review the contents of the Privacy Policy regularly.

If a controller starts to process your personal data for a purpose other than that for which your personal data was collected, we will notify you of this and of the updated privacy notice before such further processing. For other changes, we will inform you on our website when we update the privacy policy.