Privacy Policy

Updated 5/2024

1 Data Controller

The data controller of the register is Ideavirta Oy (business ID 2085105-6) The contact person for register matters is Ari Mäkinen, CEO Ideavirta Oy Address: Reelinkikatu 2, 02330 ESPOO Phone: 0400 620026 Email: ari.makinen@ideavirta.fi

2 Name of the Register

The name of the register is Ideavirta Oy's customer register.

3 Purpose of Processing Personal Data

Personal data is processed for purposes related to managing, administering, and developing customer relationships, providing and delivering services, and developing and invoicing services. Personal data is also processed for purposes required to handle possible complaints and other claims. Additionally, personal data is processed for customer communications such as information and news purposes and marketing, including direct marketing and electronic direct marketing. The customer has the right to prohibit direct marketing targeted at them. The data controller processes the data itself and utilizes subcontractors operating on behalf of and for the data controller in processing personal data.

4 Legal Basis for Processing

The legal basis for processing personal data are the following grounds according to the EU General Data Protection Regulation (hereinafter also “GDPR”):
  1. the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Art. 6(1)(a));
  2. processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6(1)(b));
  3. processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party (GDPR Art. 6(1)(f)).
The aforementioned legitimate interest of the data controller is based on a relevant and appropriate relationship between the data subject and the data controller, which is the result of the data subject being a customer of the data controller, and when the processing occurs for purposes that the data subject can reasonably expect at the time of collection of the personal data and in the context of the appropriate relationship.

5 Data Content of the Register (Categories of Personal Data Processed)

The register contains the following personal data, in principle, about all registered individuals:
  1. basic and contact information of the person: [first name, last name, address, phone number, email address];
  2. information related to the person's company or other organization and the person's position or job title in the said company or organization;
  3. the person's direct marketing permissions and prohibitions.

6 Regular Data Sources

Personal data is collected from the registered individual themselves. Personal data is also collected and updated within the limits of applicable legislation from publicly available sources related to the implementation of the customer relationship between the data controller and the registered individual and through which the data controller fulfills its obligations related to maintaining customer relationships.

7 Data Retention Period

Data collected in the register is retained only as long as necessary in relation to the original or compatible purposes for which the personal data was collected. The necessity of retaining personal data is assessed annually, and in any case, data about a registered individual is removed from the register within two years after the customer relationship between the registered individual and the data controller has ended, and obligations and measures related to the customer relationship have been completed. For example, accounting records are kept for five years from the end of the financial year. The data controller regularly assesses the necessity of retaining data according to its internal policies. Additionally, the data controller implements all possible reasonable measures to ensure that inaccurate, erroneous, or outdated personal data, considering the purposes for which they are processed, are erased or rectified without delay.

8 Recipients (Recipient Categories) of Personal Data and Regular Data Disclosures

Personal data is not disclosed to external parties.

9 Transfer of Data Outside the EU or EEA

Personal data contained in the register is not transferred outside the EU or EEA.

10 Principles of Register Protection

Materials containing personal data are stored in locked premises accessible only to designated individuals authorized to access such data due to their tasks. Databases containing personal data are on servers stored in locked premises accessible only to designated individuals authorized to access such data due to their tasks. The server is protected with an appropriate firewall and technical security measures. Access to databases and systems is only granted with individually granted personal usernames and passwords. The data controller has restricted access rights and authorities to the information systems and other storage platforms so that only individuals necessary for lawful processing of data can view and process the data. Additionally, the usage events of databases and systems are logged into the data controller's IT system logs. Employees and other individuals of the data controller are committed to confidentiality and to keeping any information received in connection with the processing of personal data confidential.

11 Rights of the Data Subject

The data subject has the following rights under the EU General Data Protection Regulation:
  1. the right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source (GDPR Art. 15). These described basic information (i)–(vii) is provided to the data subject with this form;
  2. the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7);
  3. the right to request that the data controller rectifies without undue delay inaccurate and incorrect personal data concerning the data subject, and the right to have incomplete personal data completed, including by means of providing a supplementary statement taking into account the purposes of the processing (GDPR Art. 16);
  4. the right to obtain from the data controller the erasure of personal data concerning them without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; (iii) the data subject objects to the processing based on their particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject (GDPR Art. 17);
  5. the right to restrict processing by the data controller if (i) the data subject contests the accuracy of the personal data, for a period enabling the data controller to verify the accuracy of the personal data; (ii) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or (iv) the data subject has objected to processing based on their particular situation pending the verification whether the legitimate grounds of the data controller override those of the data subject (GDPR Art. 18);
  6. the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, if the processing is based on consent as referred to in the Regulation and the processing is carried out by automated means (GDPR Art. 20);
  7. the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the EU General Data Protection Regulation (GDPR Art. 77).
Requests concerning the exercise of the rights of the data subject should be addressed to the contact person of the data controller mentioned in section 1.

12 Web Analytics

The services below collect anonymized information about website visits without personal information. Matomo analytics.

13 Targeted Marketing

Based on visits to the site, we may conduct targeted advertising on the following services Not in use at the moment.
Ideavirta Oy ⎪ Kaivomestarinkatu 3 b 25, 02770 ESPOO, FINLAND

Privacy policy