Report on processing operations in accordance with Article 30 of Regulation (EU) 2016/679 of the European Parliament and of the Council
1. The controller shall:
Papinsaarentie 1, 23800 Laitila
Business ID: 1729447-1
2. The controller’s representative in matters concerning the register:
Papinsaarentie 1, 23800 Laitila
3. Name of the register:
Veme Oy’s customer, prospectus, employee and applicant and marketing register
4. Purpose of the processing of personal data:
The processing of personal data is based on a contract, the data subject’s consent, the performance of statutory obligations, the legitimate interest of the controller or any other similar material connection. Personal information is used by Veme Oy
- To manage, maintain and develop existing and potential customer relationships
- For targeting communication and marketing
- To produce, provide and develop services
- For information and marketing of services and events
- To manage training and courses
- Business planning and development
- For market research and the collection and reporting of customer feedback and customer satisfaction data
- To apply for and hire potential new employees
- To perform the statutory obligations of employees
- For employee benefits
- Due to the special nature of the employees’ work tasks
5. Information content of the register:
In connection with the register, we process the following information provided by the data subject:
- Name information
- Address information
- Telephone number
- Email address
- Position in the organization
With regard to employees and applicants, in addition to the above, we deal with:
- Salary, banking, tax, annual leave, sick leave and pension information
- Information on employee benefits
- Employment-related documents and various discussion and other notes
- Information on job applications, job history and potential references
In addition, the register may contain other notes related to the data subject and, for example, the customer relationship and other information required to manage the customer relationship, such as direct marketing authorizations / prohibitions, past or future participation, food allergies and billing. In addition, the registry may contain information collected through cookies on the data subject’s visits and activities on the registrar’s website. The IP addresses of the registrant’s visits are anonymized.
6. Regular sources of information:
We primarily receive information directly from the registrant himself or through cookies on the registrar’s website. The information is obtained from a person eg. by e-mail, telephone, otherwise orally or in other situations where a person discloses his or her information with his or her express consent. In addition, personal data may be collected and updated for the purposes described in this Privacy Statement also from publicly available sources and on the basis of information received from public authorities or other third parties, within the limits of applicable law. Such updating of data shall be performed manually or by automatic means.
7. Regular information sources:
Personal data may be disclosed and transferred for the purpose of processing personal data to the service providers and authorities of the controller. Personal data is disclosed to occupational health, insurance companies, IT service providers, telephone operators, auditors and potential advisors. Such processors of personal data shall not have the right to process personal data other than on behalf of the controller and subject to professional secrecy.
8. Data transfer outside the EU or the EEA:
The controller may also outsource the processing of personal data to outside companies, which may also be located in countries outside the European Union and the European Economic Area. These companies may process personal information to provide, for example, IT services. In such cases, the transfer will always comply with EU standard contractual clauses or other appropriate safeguards to ensure that the transfer complies with the requirements of the EU Data Protection Regulation.
9. Registry security principles:
The register is handled with care. The data stored and processed by the information systems are available to limited and designated persons. Use requires logging in to the information system with your own personal username and password. Information systems are protected by appropriate anti-virus programs and firewalls. Manual documents containing personal data are protected against unauthorized access and unauthorized processing (eg destruction, alteration or disclosure). Each processor can only process personal data that he or she needs in the course of his or her work.
10. Data Retention
We retain personal information as long as the customer relationship is in force or for as long as required by law.
Employee payroll and other employment records will be retained for as long as required by law. Job applications are retained for 6 months after the end of the application, unless otherwise agreed with the job seeker.
The personal data of those who have granted a marketing authorization will be kept in the marketing register until the registrant prohibits marketing. In that case, however, the register shall contain the basic information of that person and information on the marketing ban.
Sensitive personal data (food allergies) of participants in the training will be deleted after participating in the training.
Visitor data will be retained for as long as necessary to ensure security. However, no more than one month. The data will then be properly destroyed.
We regularly assess the need for data retention, taking into account applicable legislation. In addition, we will take reasonable steps to ensure that personal data about data subjects that are incompatible, out of date or inaccurate for the purposes of processing is not stored in the register. We will correct or destroy such information without delay.
11. Rights of the data subject
The data subject has the right to withdraw his or her consent by contacting the data controller. Upon withdrawal of the consent, the controller shall delete the data of the data subject, unless there is a legitimate reason to retain the data, or the legitimate interest of the controller so requires.
The data subject shall have the right to object to the use of his data for electronic direct marketing by using the order cancellation or prohibition link in the newsletter or other electronic message or by contacting the registrar’s representative mentioned in point 2 in writing.
The data subject has the right to check what information about him or her has been stored in the register and, if necessary, to demand that the data controller correct or supplement the information concerning him or her in the register. The data subject is responsible for the accuracy of the information provided. The data subject must notify in writing if there are any changes to the information provided by the data subject. The controller may also correct incorrect information on its own initiative after receiving information about the incorrect information.
In accordance with the Data Protection Regulation, the data subject has the right to object to or request a restriction on the processing of data, to lodge a complaint against the processing of personal data with the supervisory authority and to request the deletion or transfer of data from one system to another. All requests from the data subject shall be sent in writing to the representative of the controller mentioned in point 2.
12. Changes to the Privacy Statement
If we change this statement, we will display the changes in the statement dated. If the changes are significant, we may also inform you of them in other ways, such as by e-mail or by posting a notice on our website. We recommend that you use our website regularly and take note of any changes to this statement.
Updated: March 30, 2021