Privacy Policy for Kaski Agency Business Customers, Suppliers and Leads

1. Controller and contact points in privacy questions and requests

Controller Kaski Creative Agency Oy, Business ID 0207888-0
Visiting address Kauppakatu 1
Postal address 33200, Tampere
Phone +358 43 200 0206
Contact point in all privacy questions and requests tietosuoja@salomaa.fi

 

2. Legal basis for and purposes of processing personal data

The legal basis for processing personal data by the Controller are:

  • Performance of a contract between the Controller and its business customer, supplier or business partner (Company) as well as fulfilment of requests of the data subject prior to entering into a contract, e.g. requests for information or quotation, newsletter subscriptions or purchase orders;

 

  • Controller´s legitimate interest for management of customer, supplier, partner or other similar relationship between the Controller and the Company, e.g. delivery of products and services; creation, management and development of the relationship; development of products, services and businesses; communication with the Company, including customer and supplier feedback and satisfaction surveys;

 

  • Controller´s legal obligations as well as its legitimate interest for detection, prevention and investigation of fraud, money laundering and other criminal offences and misuse;

 

  • Controller´s and its business partners´ legitimate interest for targeting and sending direct marketing of products and services (incl. newsletters) by mail, phone calls, email, text messages or other electronic communication (including newsletters); and for carrying out opinion polls, surveys and marketing research, arrangement of promotional sweepstakes, contests and other events;

 

  • Controller´s and its business partners´ legitimate interest for targeting and performance of digital advertising in their own and other internet and mobile media, services and applications;

 

  • Controller´s and its business partners´ legitimate interest for analyzing, profiling, segmentation of the data subjects and their data in the context of and for the purposes explained above;

 

  • Consent of the data subject when it is necessary for locating the data subject or collecting data about the use of Controller´s Internet or mobile services by the means of cookies, advertising ids or other similar tracking technology for the purposes defined in this policy.

3. Data subjects and categories of personal data

The Controller processes personal data of the contact persons of its prospective, current, and former business customers, suppliers and business partners. Following categories of personal data are processed for the purposes described above:

  • Basic information of the data subject, e.g: name, title, profession, and position; data about the employer, employment related contact data (postal address, e-mail address, phone number), year of birth, gender, native and service language, preferred way of communication;
  • Marketing data, e.g: positions and activities in business and public service; professional preferences and interests; other information provided by the data subject; marketing efforts performed; participation to events; direct marketing and other permissions and consents (opt-in), restrictions and bans (opt-out);
  • User data of digital services, e.g: registration data required for a digital account, such as username, nickname, password and any other identifier; information about the service use, such as data about the use of agreed services, browsing of Controller´s websites, ads seen or clicked by the user, e.g. the device model, individual device and/or cookie identifier, the channel through which the service is accessed (web browser, mobile browser, application), browser version, IP address, session identifier, session time and duration, screen resolution and operating system; location data;
  • Data related to contacts and communication, e.g. feedback and contact requests, emails, digital forms, chat discussions, phone call recordings;
  • Data about the use of social media, eg: The Controller´s website may include Social Media Features, such as the Facebook Like button and Share button. The Controller can receive a comment or link that the user share from the Controller´s website on Facebook. The Controller can also receive user´s public profile data on Facebook, and any information that Facebook user shares with the Controller´s services. Your interactions with these Features are governed by the privacy policy of the company providing it, for example Facebook: https://www.facebook.com/about/privacy/update?ref=old_policy and Linkedin: LinkedIn https://www.linkedin.com/legal/preview/privacy-policy
  • Profile and segment data, e.g: customer and marketing segments and profiles derived by statistical analysis of the above described data and other segmentation and classification data from regular sources.

Only basic data and marketing data as defined above are processed for the purposes of direct marketing to the contact persons of prospective or former customers.

4. Regular sources of personal data

Personal data are collected directly from the data subject when the data subject is registering or using a web site or other service; sending request for contact or information or filling in a form; purchasing or ordering, contracting, participating events, otherwise interacting with the Controller personally, by phone or digitally. Personal data can also be collected and updated from the websites of companies, public and private company and business registers, public authorities, postal operators, public telephone directories (e.g. Suomen Asiakastieto Oy, Fonecta Oy, Posti Oy), direct marketing and other data brokers, and other similar public and private registers.

5. Disclosure and transfer of data

Controller may disclose personal data to other companies in the Salomaa Group and to Controller´s business partners when it is necessary for the purposes defined in this policy, e.g. to deliver or provide agreed products or services. Otherwise, personal data will not be disclosed to third parties except with the consent of the data subject.

Controller may outsource ICT, marketing, communication and other functions to third party suppliers, vendors, or other sub-contractors. In such case the Controller may transfer personal data to these sub-contractors to the extent necessary for the provision of their services. These sub-contractors will process personal data on behalf of the Controller and must comply with the Controller´s instructions and this privacy policy. Controller will ensure through contractual measures that the personal data is processed in compliance with the legislation.

Controller may also transfer personal data to be processed in a country outside the European Union and the European Economic Area. Unless the European Commission has decided that that the level of data protection is adequate in such a country, the Controller will ensure adequate data protection with the processor by using standard contractual clauses approved by the European Commission (decision C (2010)593) or by other lawful means.

6. Data security and retention

Access to personal data will be permitted only to persons who need to process data as a part of their employment. All data is kept in locked premises secured with physical access control. Digital data is protected by firewalls, user rights managements and other technical means.

Personal data will be retained as long as it is necessary for the purposes.  After the relationship between the Controller and the Company has ended or after the Controller gets informed that the data subject no longer is a contact person of the Company, the personal data will be deleted with the following exceptions:

  • User data of digital services and data related to contacts and communication shall be retained for five years after the above defined events.
  • Anonymized data can be retained permanently.
  • Basic data and marketing data of the data subject can be retained permanently for direct marketing purposes.
  • When retention is permitted by valid legislation.

(Note that data related to the Company is not personal data and can be retained by the Controller e.g. correspondence, purchase orders, data about the use Controller´s products and services when such acts have been performed on behalf of the Company.)

7. Access, rectification and other rights of the data subject

Every data subject has a right to inspect his/her personal data stored in the register and the right to demand rectification or erasure of the data. The data subject may also at any time withdraw a previously given consent for processing his/her personal data. Withdrawing the consent does not affect the lawfulness of processing performed before the withdrawal of the consent.

The data subject has a right to object processing of his/her personal data or to demand restriction of processing of the data and to lodge a complaint with the supervisory authority about the processing.

If the data subject has provided personal data to the controller and the processing is based on his/her consent of on a contract, the data subject has a right to receive such data in a structured, commonly used and machine-readable format and a right to transmit those data to another controller in compliance with valid legislation.

When the processing is based on legitimate interest, data subject has a right to object such processing on grounds relating to data subject´s particular situation. In the request, the data subject must specify his/her particular situation.

The controller may require the data subject to specify any request in writing and to prove his/her identity.