DATA PROTECTION POLICY FOR INSPIRATION MARKET’S CUSTOMER REGISTER
The controller is DIGIMAMA association (business ID 1442668)
Contact person for matters related to the file: vice-chairman Johanna Juntunen
Official address: Asemamiehenkatu 4, 00520 Helsinki, Finland
Postal address: Ratamotie 4, 12600 Läyliäinen
The name of the file is Inspiration market customer register.
Personal data are processed for purposes related to maintaining, managing and developing the customer relationship, offering, supplying and developing services as well as invoicing. Personal data are also processed for the purposes necessitated by resolving any possible complaints and other claims.
Furthermore, personal data are processed in communications directed at customers as well as in marketing, in conjunction with which the data are also processed for purposes pertaining to direct marketing and electronic direct marketing.
Customers have the right to refuse direct marketing targeted at them.
The controller processes personal data directly and also utilises subcontractors working on its behalf in the processing activities.
The legal grounds for processing personal data are the following grounds specified in the European Union’s General Data Protection Regulation (hereinafter referred to as “GDPR”):
The aforementioned legitimate interest of the register keeper is based on a meaningful and appropriate relationship between the data subject and the controller, which results from the data subject being a customer of the controller and from the processing being conducted for purposes that the data subject could reasonably have anticipated at the time the personal data were collected and in the context of the appropriate relationship.
As a general rule, the file contains the following personal data on all data subjects:
Personal data are collected from the data subjects themselves.
In addition to this, personal data are collected within the framework of the applicable legislation from generally available sources that pertain to fulfilling the relationship between the controller and data subject, and that the controller can use to perform its duties related to maintaining customer relationships.
Personal data collected in the file are stored only for as long and to the extent that is necessary in relation to the original or a compatible purpose for which the personal data have been collected.
The need to retain personal data is assessed every five years and, in any case, data concerning a data subject are removed from the file 5 years after the customer relationship between the data subject in question and the controller has ended and the obligations and measures related to the customer relationship have been fulfilled. For example, accounting records are kept for six years after the end of a financial period.
The controller shall regularly assess the necessity of storing the data in accordance with its internal code of conduct. Furthermore, the controller shall by all reasonable measures ensure that any personal data that are inaccurate, erroneous or contain obsolete information in terms of the purposes of processing the data are deleted or corrected without delay.
No regular data disclosures are made from the user register.
The information is used entirely and only by us, except in cases where we use third party agents to perform certain functions for us, such as credit card processing and fulfilling orders. In those cases, we provide only the information necessary for the performance of those specific functions.
In e-mail communications, we use the MailChimp system, in which personal data are saved on servers outside the European Union, and the service provider is in the Privacy Shield system of the US, which means that data protection is at the EU level.
Personal data contained in the file will not be transferred outside the EU or EEA.
Materials containing personal data are stored in locked spaces that can only be accessed by the appointed persons with task-based authorisation.
The database containing personal data is on a server which is stored in a locked space that can only be accessed by the appointed persons with task-based authorisation. The server is protected with the appropriate firewall and technical safeguards.
The databases and systems can only be accessed with separately provided personal user IDs and passwords. The controller has restricted access rights and authorisations to information systems and other storage platforms so that the data can only be viewed and processed by persons who are required to do so to ensure the lawful processing of the data. Furthermore, the database and system interactions are registered in the log data of the controller’s IT system.
The controller’s employees and other persons have undertaken to observe secrecy and keep secret any information they may gain in the context of processing personal data.
The data subject has the following rights under the EU General Data Protection Regulation:
Any requests regarding the enforcement of the data subject’s rights are to be addressed to the controller’s contact person listed in Section 1.