Contract Register

Privacy Policy

Last updated:
08.04.2024

Data Controller:
Metsäavain Oy (2908433-2)
Tervasuontie 211 A
82110 Heinävaara

Contact person for registry matters:
Akseli Juurinen
akseli.juurinen@metsaavain.fi
040 1606157

Legal basis for processing:
Legitimate interest

Purpose of personal data processing:
The purpose of the registry is to maintain, manage, archive, and process contracts with the organization’s customers and other stakeholders, as well as to manage customer relationships. The data may also be used for the development of the data controller’s operations, statistical purposes, and for creating more personalized targeted content. Personal data will be processed within the limits allowed and required by data protection law. The registry data may be used in the data controller’s own systems for purposes such as targeting advertising, without disclosing personal data to third parties. The organization may use third-party partners for the maintenance of customer and service relationships, in which case some of the registry data may be transferred to the partner’s servers due to technical requirements. Data is processed only through technical interfaces to maintain customer relationships.

Basis of legitimate interest:
The data controller must process personal data to carry out tasks related to its business operations. The processing of personal data cannot necessarily be justified on the basis of a legal obligation or a contract with an individual. The data controller has determined through a balancing test that the legitimate interest is the most appropriate basis for processing based on the nature, scope, and implementation of the processing as well as the rights and freedoms of the data subjects. The data controller has assessed that the processing of personal data in accordance with legitimate interest does not cause significant harm to the rights and freedoms of the individuals (data subjects) concerned.

Personal data categories involved:

  • Name

  • Represented organization

  • Contact information

  • Contractual terms

Recipients and categories of recipients:
Data controller’s personnel, as well as external partners, as applicable (e.g., financial administration, IT administration, debt collection, etc.).

Content of the register:
The contract registry contains the following information:

  • First and last name

  • Represented organization

  • Business ID

  • Email address

  • Postal address

  • Phone number

  • Ordered services

  • Other mutually agreed business matters

Regular sources of information:

  • Telephone and other electronic communication tools

  • Data may also be obtained from subcontractors related to the use or production of services

  • Data may be collected from other actions taken by customers in a digital environment, such as from partner websites, information systems, or other digital sources accessed through electronic invitations (links), cookies, or using customer-specific credentials
    The data in the contract registry is used exclusively by the data controller, except when an external service provider is used to provide additional services or support credit decisions. Data is not disclosed to third parties outside of the data controller’s organization, except in matters related to credit applications, debt collection, or invoicing, and as required by law. Personal data of data subjects will be deleted at their request unless prohibited by legislation, open invoices, or debt collection actions.

Retention period for personal data:
Data in the contract registry is retained for 10 years after the contract has ended.

Regular disclosures of data:
The data in the registry is used exclusively by the data controller, except when external service providers are used for providing additional value-added services or supporting credit decisions. Data is not disclosed outside of the data controller’s organization or to its partners, except in matters related to credit applications, debt collection, or invoicing, and as required by law. Personal data of data subjects will be deleted at their request unless prohibited by legislation, open invoices, or debt collection actions.

Transfer of data outside the EU/EEA:
Data from the registry is not regularly transferred outside the EU/EEA. However, it is possible that non-EU/EEA service providers may be used or that service provider clouds may be located outside the EU/EEA. In such cases, the transfer is based on Standard Contractual Clauses (SCC) and additional security measures, such as internal guidelines on pseudonymization of personal data and similar measures, or possibly a Transfer Impact Assessment (TIA) if required. If the organization processing the personal data is committed to the EU-US Privacy Shield framework, the transfer will be based on that during its validity period.

Data protection principles A: Manual data
Contact details and other customer information collected in customer transactions are stored after initial processing in locked and fireproof storage areas. Only designated employees who have signed confidentiality agreements have the right to handle manually stored customer data. The protection and processing of the registry data comply with data protection laws, government regulations, and good data processing practices.

Data protection principles B: Electronic data
Only designated employees of the organization and its subcontracted companies have the right to access and maintain the contract registry data. Each user has a personal username and password. All users have signed confidentiality agreements. The system is protected by a firewall that protects against external connections to the system. The protection and processing of the registry data comply with data protection laws, government regulations, and good data processing practices.

Cookies
We use cookies on our website. A cookie is a small text file sent to and stored on the user’s computer. Cookies do not damage users’ computers or files. The primary purpose of using cookies is to enhance and personalize the visitor’s experience on the website, as well as to analyze and improve the website’s functionality and content. Data collected through cookies may also be used to target communication and marketing and optimize marketing efforts. Visitors cannot be identified by cookies alone. However, information collected via cookies may be linked to information gathered about the user through other means, such as when the user fills out a form on the website. The following information is collected through cookies:

  • Visitor’s IP address

  • Time of visit

  • Pages visited and time spent on pages

  • Visitor’s browser

Your rights:
Users visiting our site have the ability to block cookies at any time by adjusting their settings in the cookie banner. Some browsers also allow users to disable cookies or delete previously stored cookies. Blocking cookies may affect the functionality of the site.

Right of access (Right to access personal data):
The data subject has the right to check what information is stored about them in the registry. A request for access must be made in writing or from an identifiable email address. The data subject has the right to object to the processing and disclosure of their personal data for direct marketing, distance selling, and market and opinion research by contacting the data controller’s customer service point.

Right to transfer data from one system to another:
The data subject has the right to request the transfer of their data to another system. A transfer request can be directed to the contact person of the registry.

Right to request correction of data:
If personal data in the registry is inaccurate, unnecessary, incomplete, or outdated for the purpose of processing, it must be corrected, deleted, or supplemented. A correction request must be made in writing, signed personally, to the data controller’s customer service, or from an identifiable email address. The request must specify what data needs to be corrected and the basis for the correction. The correction will be carried out without undue delay. The data subject will be informed of the correction. If the correction request is denied, the person responsible for the registry will provide a written justification for the denial. The data subject may appeal the denial to the data protection authority.

Right to restrict processing:
The data subject has the right to request a restriction on the processing of personal data, e.g., if the data is inaccurate. Requests should be directed to the person responsible for the registry.

Right to object:
The data subject has the right to request their personal data, as well as the right to request corrections or deletion of their personal data. Requests can be directed to the contact person for the registry. If you are acting as a business or organizational contact person, your data cannot be deleted during this period.

Right to lodge a complaint with the supervisory authority:
If you believe that the processing of your personal data has violated the data protection regulation, you have the right to lodge a complaint with the supervisory authority. You can file the complaint in the member state of your habitual residence or place of work. The contact details of the national supervisory authority are:
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Mailing address: P.O. Box 800, 00531 Helsinki
Phone exchange: +358 29 566 6700
Registry: +358 29 566 6768
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi

Other rights related to personal data processing:
The data subject has the right to refuse the disclosure and processing of their data for direct marketing or other marketing purposes, request the anonymization of their data where applicable, and the right to be forgotten once the contract has expired.