Combined privacy notice and information document in accordance with the Data Protection Act and the EU General Data Protection Regulation (2016/679/EU).
Controller
Oun Oy
business ID: 3179402-6
Contact person for data protection
Henri Leksis
+358 (0)20 7436 150
info@oun.fi
Name and content of the register
Oun Oy’s customer register (“Customer Register”).
Purpose for which personal data are collected and legal basis for processing
General information on the processing of personal data
To the extent that the Customer Register contains personal data, the processing of such data is in compliance with the Data Protection Act and other applicable laws, regulations, orders and instructions of the authorities concerning the processing of personal data. Personal Data means information that can be associated with a specific person. This document describes in more detail the procedures for the collection, processing and disclosure of personal data, as well as the rights of the customer, i.e. the data subject.
Purpose of collecting personal data
- Contractual, customer or similar relationship
- The purpose of the customer register is the controller’s contractual or customer relationship with the principal.
- Relationship with any counterparty of the principal in relation to the performance of the mandate
- Contractual relationship with the user of a consultancy assignment or other professional services
- For the purpose of finding housing and other services for a potential client
The persons mentioned in this paragraph are referred to in this notice as the Customer.
- Legal control of money laundering
- In accordance with Chapter 3, Section 3 of the Act on the Prevention of Money Laundering and Terrorist Financing (444/2017, hereinafter referred to as the “Money Laundering Act”), the Customer’s identifying information and other personal data under the Act are recorded, stored and may be used for the prevention, detection and investigation of money laundering and terrorist financing and for the investigation of money laundering and terrorist financing and the crime by which the property or the proceeds of crime that is the subject of money laundering or terrorist financing have been obtained. Customer identifiers or other personal data obtained for the sole purpose of preventing and detecting money laundering and terrorist financing will not be used for purposes incompatible with those purposes.
- Consent-based data storage:
- Insofar as the right to registration based on the aforementioned laws or circumstances is exceeded, or if there is no other legal basis, the Customer’s consent to the storage, processing and retention of personal data will be requested separately. Engagement data will also be used for contractual relationships relating to consultancy and other professional services and will be stored in a manner similar to the Engagement Log.
Purpose of the data
The information contained in the customer register may be used for the following main purposes:
- customer relationship management and development
- producing, providing, developing, improving and protecting services
- billing, collection and verification of customer transactions
- advertising targeting
- analysis and statistics on services
- customer communication, marketing and advertising
- protecting and safeguarding the rights and/or property of the controller and other persons and entities related to the services,
- the performance of the controller’s legal obligations; and
- other similar uses.
Sanctions for non-receipt of data:
If the controller does not receive the information referred to in paragraphs 1, 2 and 3 of the purpose of collection of personal data, the customer relationship cannot be established or continued, nor can any other contract or legal action be entered into with the Customer.
The content of the customer register, i.e. what information we collect
The following information is or may be collected in connection with the management of the customer relationship:
- Basic customer information, such as full name, address
- Personal identification number of the person acting on their own behalf or on behalf of the company and, if applicable, the company’s identification number for reliable identification
- Information related to billing and collection
- Information related to the customer relationship and the contractual relationship, such as the services provided to the Customer, the date of their use, the fee, the details of the service vendor and other similar information.
- Authorisation information and prohibitions, such as direct marketing authorisations and prohibitions
- Interests and other information provided by the Customer
- Other events data for services
- Complaints and their handling data
- Customer credit and other financial information to assess the performance of contractual obligations
The following information relating to the Customer is or may be processed for the purposes of the Money Laundering Control Act:
- name, date of birth and social security number
- name, date of birth and personal identification number of the representative
- full name of the legal person, registration number, date of registration and registration authority
- the full names, dates of birth and nationalities of the members of the board of directors or equivalent decision-making body of the legal person
- the sector of activity of the legal person
- the name, date of birth and personal identification number of the actual beneficiaries
- the name of the document used to verify the identity, the document number or other identifying information and the issuer or a copy of the document or, if the customer is remotely identified, the procedure or sources used for verification
- information on the Customer’s activities, the nature and scope of the business, the financial situation, the reasons for the use of the transaction or service and information on the origin of the funds, as well as other information necessary to obtain knowledge of the Customer as referred to in Section 4(1) of the Money Laundering Act.
- Information relating to the tracing of the origin of funds pursuant to Section 4(3) of the Money Laundering Act, and information necessary to fulfil the enhanced duty of disclosure in relation to a politically influential person pursuant to Section 13.
- for a foreign Customer who does not have a Finnish personal identity code, information on the Customer’s nationality and travel document details.
Data retention period
Data collected in the register will be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected.
The need to retain personal data will be assessed regularly; and in any case, data relating to a data subject will be erased from the register two years after the end of the data subject’s customer relationship with the controller and the completion of the obligations and measures relating to the customer relationship. Accounting records shall be kept for five years from the end of the accounting year.
The controller regularly assesses the necessity of data retention in accordance with its internal code of conduct. In addition, the controller shall take all reasonable steps to ensure that personal data which are inaccurate or out of date, having regard to the purposes of the processing, are erased or rectified without undue delay.
Data under the Money Laundering Act will be kept for five (5) years, unless the further retention of such data is necessary to protect the rights of the controller or its employees in the course of a criminal investigation or pending legal proceedings. In such cases, the necessity of further storage of the data and documents shall be reviewed no later than three (3) years after the previous review of the necessity of storage (Section 4 of the Act on Prevention of Money Laundering and Terrorist Financing, 444/2017).
For potential customers of all the different services offered by the company, data is kept for approximately 12 months from the last contact.
We keep visitor and analytics data on our website for 38 months.
Other personal data will be deleted after there is no longer a need to keep the personal data. If the collection and storage of personal data has been based solely on the Customer’s consent, for example to subscribe to a newsletter or similar, the personal data will be deleted at the Customer’s request.
Regular data sources and where the data are collected from
Personal data is collected from the Customer in connection with the contract and the preparation of documents, when otherwise using the services of the controller or otherwise directly from the Customer. Personal data may also be collected and updated from, for example, civil registers and other official registers and credit registers.
Consent-based information is collected directly from the Customer or, with the Customer’s consent, from registers or sources maintained by public authorities or third parties.
Personal data is collected through web forms, e-mail or any other appropriate means. Personal data may also be collected from terminal devices through cookies or other similar technologies.
Disclosure of data, i.e. where data can be disclosed
Personal data will not be disclosed to third parties.
Data is not regularly transferred outside the European Union or the European Economic Area. However, data may be transferred or disclosed outside the European Union or the European Economic Area as permitted by law, provided that the data is transferred to a country where the European Commission has determined that an adequate level of data protection exists or where contractual arrangements can guarantee an adequate level of data protection. The transfer outside the EU may also take place in connection with the use of cloud services such as OneDrive, Google Drive, iCloud, Dropbox or similar.
Information is disclosed to public authorities in cases required by law.
In the case of outsourcing of the controller’s IT management, personal data may also be processed by the controller’s subcontractors, but only on behalf of the controller.
OUN Oy uses a service provided by WooCommerce, whose privacy statement can be found here.
Principles of register protection, i.e. how we protect your personal data
Access to the register requires a user ID issued by the administrator of the Customer Register. The administrator also determines the level of access to be granted to other users. Access is granted only to those employees of the controller and employees of subcontractors who need access to the data in order to carry out their work-related tasks. The data are collected in the service’s databases, which are protected by firewalls, passwords and other technical means.
To the extent that personal data are processed on behalf of the controller by a subcontractor, agreements between the controller and the subcontractor have ensured that appropriate safeguards are in place and that the processing of personal data complies with data protection legislation.
Temporary local copies (such as Excel, CSV and printout) of parts of the register may be kept from time to time by authorised employees, for example for customer mailings and regular communication. Temporary copies will be deleted after the end of their intended use.
Customer rights and what I can do to ensure the lawfulness of the processing
Checking, accessing and transferring data:
The Customer has the right to check what information concerning him/her is stored in the Customer Register. The Customer must submit a request for inspection to the controller in writing, in a hand-signed form or in a document certified in an equivalent manner, or by e-mail.
Notwithstanding the above, the Customer does not have the right to inspect information obtained in order to fulfil the reporting obligation under the Money Laundering Act (Section 4:3 of the Money Laundering Act). However, the Data Protection Ombudsman may, at the Customer’s request, verify the lawfulness of the processing of such data.
The controller shall provide the above information to the Customer within 30 days of the request for inspection.
The customer has the right to have the customer data concerning him/her transmitted to a third party in a structured and commonly used machine-readable format. However, the controller will retain the transferred data in accordance with this Privacy Policy.
Correction of incorrect information:
The customer has the right to rectify the personal data stored in the personal data file concerning him/her, to the extent that it is incorrect.
Objection or restriction of processing and erasure of data:
The customer has the right to object to the processing of personal data concerning him/her for the purposes of direct marketing, distance and other direct selling, market research, opinion polling and the development of the controller’s business, and to restrict the processing of personal data concerning him/her, as well as the right to obtain the erasure of personal data already recorded concerning him/her for the aforementioned purposes, even if the processing is otherwise justified.
Withdrawal of consent:
If the information in the register is based on the consent given by the Customer, the consent can be withdrawn at any time by notifying the representative of the controller mentioned in this notice. Upon request, all data that should not be, or cannot be, retained by law or on any other grounds specified in this Privacy Policy will be deleted.
Procedure for exercising rights:
Requests for inspection, rectification or other requests may be made by contacting the controller’s customer service using the contact details provided in this notice.
Disagreements:
The Customer has the right to refer the matter to the Data Protection Ombudsman if the controller does not comply with the Customer’s request for rectification or other request.
Profiling and automated decision-making:
The controller does not use personal data to profile the Customer or use automated decision-making.