Customer relationship register privacy policy
Data Controller
Reflector Oy
Itämerenkatu 3 A, 00180 Helsinki
[email protected]
Contact person for register matters
Ilkka Lilius
Itämerenkatu 3 A, 00180 Helsinki
[email protected]
Name of the register
Reflector Oy Customer relationship register
Purpose and legal basis for processing personal data
The customer relationship register is used for managing customer relationships (contracts, invoicing, customer communications) as well as sales and marketing.
The legal basis for processing personal data is our legitimate interest based on the customer relationship and/or other relevant connection, performance of a contract, and consent.
Data content of the register
The customer relationship register processes the following data:
- Information used for invoicing: contact person’s first and last name, company’s official name and business ID, address information and invoice delivery details, e-invoicing address, telephone number, email address, and payment terms. Additionally, information on deliveries and invoicing.
- Mailing information for direct marketing purposes, which includes the following customer contact details: company name, contact person’s first and last name, position in the organization, street address, postal code, and post office. This information is used by Reflector for communications, direct marketing, or customer relationship management.
- Information for sales and marketing management: customer contact person’s name, position in the organization, email address, telephone number, company’s official name and contact details, and contact history.
- Any direct marketing prohibitions and consents.
Regular data sources
Register data is updated based on information provided by the customer to the data controller and by obtaining information from publicly available publications and files.
Reflector Oy employees enter customer contact-related activity data into the system.
Data Disclosure and Transfer Outside the EU or EEA
Reflector Oy does not disclose data.
We utilize subcontractors working on our behalf in the processing of personal data. We have outsourced functions related to invoicing, newsletter distribution, and contact storage to external service providers.
We transfer personal data outside the EU or EEA. When personal data is processed outside the EU or EEA, we ensure that the subcontractor has committed to the EU Commission’s standard contractual clauses for the processing of personal data and/or is covered by the Privacy Shield framework.
Register protection principles and retention period
Manual material
Manual material is stored in a locked space and is accessible only to authorized personnel.
Digitally stored data
Data contained in the register is kept confidential and access is restricted. Access rights are granted only to those who require the information for their work. These individuals are bound by confidentiality obligations. The data controller requires all IT service providers it uses to maintain confidentiality and appropriate data security, and to commit to the principles set forth in data protection legislation.
We retain personal data for as long as the customer relationship is active and for 3 years thereafter.
We regularly assess the necessity of data retention, taking into account applicable legislation. In addition, we implement reasonable measures to ensure that the register does not contain personal data that is incompatible with the purposes of processing, outdated, or incorrect. We correct or destroy such data without delay.
Rights of the Data Subject
Under the General Data Protection Regulation, the data subject has the following rights regarding their personal data:
- Access to their personal data
- Request correction of incomplete or incorrect personal data
- Object to or restrict the processing of personal data, and object to automated decision-making
- Request the data controller to delete personal data
- Transfer personal data to another data controller
If the data subject wishes to exercise their rights, they should contact the aforementioned contact person. If the data subject has given consent for processing and there is no other legal basis, the data subject is entitled to withdraw their consent by contacting the aforementioned contact person. If the data subject believes that their personal data is not being processed in accordance with the General Data Protection Regulation, the data subject has the right to lodge a complaint with the supervisory authority.
Job Applicant Register Privacy Policy
Date of preparation: 24.2.2022
Data Controller
Reflector Oy
Itämerenkatu 3 A, 00180 Helsinki
[email protected] (hereinafter “we”)
Contact person for register matters
Seme Hokynar
Itämerenkatu 3 A, 00180 Helsinki
[email protected]
Name of the register
Job applicant register
What is the purpose and legal basis for processing personal data?
The purpose of processing personal data is to receive and process job applications and to manage our recruitment processes. We process information related to the job application process of individuals who have applied to our services to enable necessary communications and for decision-making when filling positions.
- our legitimate interest, which is based on the need to process personal data for recruitment purposes and which arises from the connection established between us
- your consent, which may be requested in the following situations, for example:
- collecting personal data from referees
- processing personal data in suitability assessments
- processing personal data in connection with medical tests
What data do we process?
In connection with the job applicant register, we process the following personal data:
- basic information such as name, date of birth, language of communication;
- contact details such as personal email address, personal telephone number, home address details;
- information related to the position you are applying for such as information on the form and nature of employment, information on the person responsible in the recruitment process, salary expectations, information related to starting. More detailed information is provided in the job advertisement;
- information important for suitability and other information about yourself, your background, etc., that you provide to us during the recruitment process such as photograph, information related to studies and education, profession, information about work history (such as employers, employment start dates and durations, and the nature of job duties), language skills, other special expertise, description of personal characteristics, various certificates and assessments, references to portfolios, profiles, or other sources found on the Internet, references, and the results and related information from personality assessments and suitability assessments conducted with your consent;
- information on the progress of the recruitment process such as information on further interviews or termination of the recruitment process;
- any other information you have voluntarily provided during the job application process or otherwise specifically published for professional purposes, such as a LinkedIn profile, or information we have collected with your separate consent.
Providing personal data is a prerequisite for us to proceed with the job application process.
Where do we obtain data from?
To whom do we disclose and transfer data, and do we transfer data outside the EU or EEA?
We do not regularly disclose register data to external parties unless your specific consent has been requested and obtained for the disclosure of data, such as for suitability assessments. We disclose personal data in the manner permitted and required by applicable legislation to parties that have a legal and/or contractual right to receive information from the register, such as TE offices. We may also disclose data for other purposes in accordance with Finnish law.
We process data ourselves and utilize subcontractors working on our behalf in the processing of personal data. Paraplyy Oy acts as a processor of personal data for HR support services. In addition, we use subcontractors in the processing of personal data for the following services:
- HR and recruitment services
- IT system providers
We have ensured your data protection with our subcontractors by entering into the necessary processing agreements. We cannot name all subcontractors, for example due to projects under development, so we have decided to name only the subcontractor types.
We transfer personal data outside the EU/EEA. When personal data is processed outside the EU or EEA, we ensure that the subcontractor has committed to the EU Commission’s standard contractual clauses for the processing of personal data.
How do we protect data and how long do we retain it?
Only those employees who have the right to process job applicant data as part of their work are authorized to access databases containing personal data. The register is protected by necessary technical and organizational measures. Data is collected in databases that are protected by username, password, firewall, and other technical means. The register is stored on the protected servers of the technical administrator, and the electronic connection is secured. Individuals processing data are bound by confidentiality obligations regarding the information they receive.
We retain personal data for as long as is necessary for the purpose of using the personal data. In principle, data may be used for six (6) months for job applications. The data is destroyed within two (2) years. If you become our employee, we will retain the information you provided as a job applicant and information related to the job application as part of your personnel profile in accordance with the privacy policy for our employees’ data.
We regularly assess the necessity of data retention, taking into account applicable legislation. In addition, we implement reasonable measures to ensure that the register does not contain personal data that is incompatible with the purposes of processing, outdated, or incorrect. We correct or destroy such data without delay.
What are your rights as a data subject?
You have the right to review the data stored in the personal register concerning you and to request the correction or deletion of incorrect, outdated, or unlawful data. To the extent that processing is based on consent, you also have the right to withdraw or modify your consent at any time. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal of consent.
You have the right to object to or request restriction of the processing of your data and to lodge a complaint with the supervisory authority regarding the processing of personal data.
For specific personal reasons, you also have the right to object to processing operations directed at you when the legal basis for processing the data is legitimate interest. In connection with your request, you must specify the particular situation on which you base your objection to processing. We may refuse to implement a request concerning objection only on the grounds provided by law.
Who can you contact?
All communications and requests concerning this policy must be submitted in writing or in person to the contact person named in section two (2).