Name of the data file: Marketing data file of the network of Business Espoo.
Marketing data file of the network of Business Espoo
The seven actors of Business Espoo are co-controllers. The actors of the network of Business Espoo are the following:
- City of Espoo/Espoon kaupunki/Esbo stad
- Enter Espoo Oy
- Federation of Espoo Enterprises/Espoon Yrittäjät/Företagarna i Esbo
- Helsinki Region Chamber of Commerce/Helsingin seudun kauppakamari/Helsingforsregionens handelskammare
- Uusimaa TE Office/Uudenmaan TE-toimisto/Nylands arbets- och näringsbyrå
Otakaari 5A, 02150 Espoo
Paula Pernilä, data protection officer, City of Espoo
P.O. Box 12 (PL 12), 02070 CITY OF ESPOO (ESPOON KAUPUNKI)
tel. 043 827 3077
The marketing data file shall be used for marketing the services and networking events of Business Espoo, for sending newsletters and customer bulletins and for other similar activity.
When marketing to a private person, the processing of personal data in the data file is based on consent given by the data subject (Article 6(1a) of the EU General Data Protection Regulation).
When marketing to businesses, the processing of personal data in the data file is based on public interest (Article 6(1e) of the EU General Data Protection Regulation).
Groups of persons whose data may be processed are the contact persons of the data controller’s customer and partner companies, those classed as an ex officio partner, potential customer and/or within the sphere of marketing, persons in contact with the data controller, and those who have participated in events organised by the data controller or have given marketing permission.
A data file may contain, among other things, the following data about the data subjects:
- organisation (and department) and position
- organisation’s address
- e-mail address
- telephone number
- marketing measures targeted at the data subject and participation in them
- other data disclosed by the person him/herself
- possible mailing bans (e-mail and mail)
- information about changes to the above data
- log data (e.g. openings of newsletters)
Data in the marketing data file shall be acquired or collected from the data subject him/herself through the customer relationship, through registration for the events organised by actors at Business Espoo and third parties, from Business Espoo’s website, businessespoo.com (contact forms, downloads of material, newsletter order forms) and from publicly available Internet sources and other possible public sources. Personal data may also be collected, saved and updated from data files of a data controller providing an address, updating or other similar service.
According to regulations, personal data may not be released to a third party. Actors at Business Espoo may, however, disclose data in a manner permitted by legislation to, for example, their partners for marketing purposes, if the data subject has given permission for disclosing his/her data. Data may also be disclosed in cases where it is considered that a third party can offer special information or benefit to a company represented by a person in the data file.
Information will not be transferred outside the EU or the European Economic Area (EEA).
Personal data is retained as long as it is necessary for the operations of Business Espoo or until the person him/herself prohibits the processing of the data.
The data is saved in CRM systems of the actors at Business Espoo and, as an Excel file, in the Teams teamwork space, which can only be accessed by users of the marketing data file.
The use of data systems is controlled and the systems can only be accessed with a user ID and password. The systems require a change of password at regular intervals.
Supervisors make decisions regarding granting and removing access rights. At the end of employment, access rights are revoked.
The processing of personal data is monitored and controlled with the help of usage log information if it is possible to get the log information from the data system.
Every user of the data file accepts the actor-specific information security commitment of the Business Espoo network, including a usage and confidentiality commitment. The personnel are introduced to data protection and appropriate processing of personal data.
If material is manually printed from a data file, it is kept in a locked facility and only the data controller has the right to use it.
The data subject has the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed. The controller shall provide a copy of the personal data undergoing processing. If the data subject requests further copies, the controller may charge a reasonable fee based on administrative costs.
The controller shall provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. The controller shall inform the data subject of any such extension within one month of receipt of the request, together with the reasons for the delay.
If the controller does not take action on the request of the data subject, the controller shall inform the data subject without delay and no later than within one month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
Personal data provided upon request as well as information provided under Articles 13 and 14 of the EU General Data Protection Regulation and any communication and any actions taken under Articles 15 to 22 and 34 shall be provided free of charge.
Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the controller may either:
- charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested; or
- refuse to act on the request. The controller shall bear the burden of demonstrating the manifestly unfounded or excessive character of the request.
The request for information shall be addressed to the data file contact person.
A request concerning the right to inspect data saved in the data file can be submitted to the person responsible for the data file.
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.
The data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. Whether the data is incomplete or not shall be assessed in the light of the purpose of the processing of personal data.
If the controller refuses the request of a data subject for the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also include the reasons for the refusal and information on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.
The rectification request shall be addressed to the data file contact person.
Without prejudice to any other administrative or judicial remedy, a data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. This right is based on EU General Data Protection Regulation (2016/679, Article 77).
The requests shall be addressed to the data file contact person.
Right to remove data (Data Protection Regulation, Article 17)
The data subject shall have the right to have personal data concerning the data subject removed by the controller without undue delay, provided that any of the requirements in the Data Protection Regulation, Article 17(1) is met. There shall be no right to remove the data if, for example, following the statutory commitment requires processing of the data or the processing is done for the purpose of performing a task concerning public interest or exercising official authority vested in the controller.
Right to request limitation of processing (Data Protection Regulation, Article 18)
The data subject shall have the right to have the processing of the personal data limited by the controller if any of the requirements in Article 18(1a–d) is met.
Right of opposition (Data Protection Regulation, Article 21)
On the grounds of a special personal situation, the data subject shall at any time have the right to oppose the processing of personal data relating to him or her for the purpose of performing a task concerning public interest or exercising official authority vested in the controller. The controller shall not be allowed to process the personal data anymore, unless the controller can show that there is a very important and justified reason for the processing.
If personal data is processed for direct marketing purposes, the data subject shall at any time have the right to oppose the processing of personal data relating to him or her for this kind of marketing, including profiling relating to this kind of direct marketing. If the data subject opposes the processing of personal data for direct marketing purposes, the data may not be processed for this purpose anymore.
Right to transfer data from one system to another (Data Protection Regulation, Article 20)
The data subject shall have the right to the transfer only if the processing is based on consent or agreement and if the processing is performed automatically. The right of the data subject to transfer the data from one system to another shall not be applied to processing that is necessary for performing a task concerning public interest or exercising official authority vested in the controller.
If the data processing is based on consent, the data subject shall have the right to cancel his or her consent at any time.