Privacy statement – customer and stakeholder data
KTI Kiinteistötieto Oy, company identification number 1582468-6
Address: Eerikinkatu 28, 7th floor, 00180 HELSINKI
2. Person in charge of file matters
Cecilia Hokkanen, Finance and HR Manager
tel. +358 400 649 487
3. Name of the file
Privacy statement – customer and stakeholder data
4. Purpose of use of the file
Personal data is processed in purposes relating to the management, control and development of customer and stakeholder relationships, offering services, sales and deliveries, development of services, invoicing and the management and use control of KTI online user rights. Personal data is also processed in order to clarify possible reclamations and other demands.
In addition, personal data is processed in communications directed at customers and stakeholders, such as newsletters, market surveys and sending notifications, informing about KTI’s services, events and projects and in order to perform barometer surveys and market studies. The customer has the right to refuse targeted direct marketing.
The controller mainly processes the data themselves. Occasionally, subcontractors operating on their behalf are used in processing personal data.
5. Legal basis of the processing
The legal bases of the processing of personal data are the following principles according to the EU General Data Protection Regulation:
a) The data subject has given their consent to process their personal data for one or more special purposes of use.
b) The processing is necessary in order to execute such an agreement in which the data subject is a party, or in order to implement the actions preceding the agreement on request of the data subject.
c) The processing is necessary in order to execute the legitimate interest of the controller or the third party.
The aforementioned legislative interest of the controller is based on the relevant and appropriate relationship between the data subject and the controller, which is the consequence of the fact that the data subject is the customer or a partner of the controller, and when the processing takes place for purposes the data subject could have reasonably expected when the data was collected and in conjunction with the appropriate relationship.
6. Information content stored
In the beginning of a customer/other cooperative relationship, customer’s basic information (first name and surname, employer’s name, address, zip code and city, customer’s job title, phone number and e-mail address) are collected in the customer file.
In addition, the customer file also contains information about the data subject’s consent or refusal of direct marketing.
7. Transfer of information
Personal data is not transferred to third parties in a regular manner.
8. Sources of information
The customer/partner provides their own information in order to manage and maintain the cooperative relationship.
Providing the aforementioned personal data for the controller is the requirement of executing the cooperation and the agreement between the parties. In case the controller is not able to receive the personal data in question, the controller might not be able to perform cooperation-related and contractual obligations.
9. Principles of data protection
The data containing personal data is stored in locked rooms, in which only KTI employees and authorized subcontractor parties have access to.
The database containing personal data is located in such an environment, where only KTI employees and authorized subcontractor parties have access to. The data entry environment and the data communications between the database and the users is protected with appropriate and up-to-date data security solutions.
The access to the databases and the systems is allowed only by individually admitted personal user names and passwords. The controller has limited the user rights and authorizations in a way that the data can only be seen and processed by KTI employees and authorized subcontractor parties based upon their job descriptions. The controller’s employees and other personnel are committed to comply with the confidentiality requirements and to maintain the confidentiality of the information received during personal data processing.
10. Duration of data retention
The data collected in the file is retained only as far and to such an extent as it is necessary in relation to the original or for compatible purposes for which the data was collected.
The need for personal data retention is assessed every five years.
General customer data is retained for a maximum period of five years, and the data will be removed from the file five years after the data subject customer/other partnership to the controller has ended and the obligations and actions relating to the customer relationship are finished.
The data collected about the recipients of newsletters, market surveys and other KTI marketing material, in order to deliver the newsletters, is retained for a maximum period of five years after the data subject has informed about their desire to stop receiving the newsletter and other notifications.
The data subject’s consents and refusals to direct marketing are retained for a maximum period of five years.
The controller performs all the required, reasonable actions to ensure that the inaccurate, incorrect or expired personal data, for the purpose of processing, are removed or corrected immediately.
11. Data transfer outside EU or ETA
The personal data in the file is not transferred outside the EU or ETA.
12. Rights of the data subject
The data subject has the following rights according to the EU General Data Protection Regulation:
a) the right to obtain from the controller at any time, confirmation as to whether or not personal data relating to the data subject is being processed, and if this personal data is processed, the right to have access to personal data and the following information: (i) purposes of processing; (ii) categories of personal data in question; (iii) recipients or recipient groups, to whom personal data has been transferred or are meant to be transferred; (iv) the planned duration of data retention, where possible, and if this is not possible, the definition criteria of the duration of data retention; (v) the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data; (vi) the right to lodge a complaint to the supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to their source. This described personal data (i)–(vii) is given to the data subject with this form;
b) the right to obtain from the controller the rectification without delay of inaccurate or incomplete personal data and the right to obtain completion of incomplete personal data, including the delivery of supplementary information taking the purposes of data processing into account;
c) the right to request from the controller erasure of the personal data concerning the data subject without delay, provided that (i) personal data is no longer needed for the purposes they were collected and processed; (ii) the data subject withdraws consent on which the processing is based and there is no other legal justification for the processing; (iii) the data subject objects the processing, on grounds relating to their particular situation, and there is no other legal justification for the processing, or the data subject objects the processing for direct marketing purposes; (iv) personal data has been unlawfully processed; or (v) personal data must be removed in order to comply with the legislative obligation applied to the controller under the EU law or national legislation;
d) the right to have the controller limit the processing, provided that (i) the accuracy of personal data is contested by the data subject, where the processing is limited for the period in which the controller is able to ensure the accuracy of the data; (ii) the processing is unlawful and the data subject objects the removal of the personal data and claims the limitation of use instead; (iii) the controller does not need the data in question for processing purposes, but the data subject needs them in order to compile, exercise or defend legal claims; or (iv) the data subject has objected the processing, on grounds relating to their particular situation, waiting for the verification whether the legitimate interests of the controller override the legitimate interests of the data subject;
e) the right to have personal data concerning them, which the data subject has delivered to the controller, in a structured, generally used and in a machine-readable format, and the right to transfer such data to another controller without limitation from the controller, to whom the personal data was delivered, if the processing is based on the regulation’s purpose and the processing is performed automatically;
f) the right to lodge a complaint to the supervisory authority if the data subject sees that the processing of the personal data concerning them breaches the EU General Data Protection Regulation.
The requests regarding the exercise of data subject’s rights are addressed to KTI. Verification requests need to be made by e-mail to kti(a)kti.fi. The controller replies to the requests in one month.