Privacy policy

Privacy policy drafted on 20 November 2019

1. Data controller

Pauhu Ltd (VAT number: FI07681718)
Visiting address: Vänrikki Stoolin katu 5, 00100 Helsinki, Finland
Tel. +358 (0)40 866 8669

2. Point of contact

Please e-mail: support@pauhu.com

3. Name of register

Pauhu's general client, stakeholder and marketing register

4. Purpose of personal data processing and basis for processing


Category of data subjects

Data utilised for

Basis for processing

Client organisations’ contact persons

Maintenance and development of Pauhu's client relationships as well as publishing information regarding Pauhu’s tasks and services and for marketing.

Public interest, contract, data controller’s legitimate interest

Newsletter subscribers

For delivering the Pauhu newsletters and blogs selected by the person as well as for publishing information regarding Pauhu’s tasks and services and for marketing.

Public interest, contract

Participants at events and visits

For communications concerning events and visits organised by Pauhu (e.g. distribution of the programme and materials, sharing of participant information for networking purposes and collecting feedback) as well as for the arrangements of events (e.g. informing the speakers of the event about the participants and backgrounds, forwarding information on the participants to the reception/signing-up desk and space reservations, as well as for arranging food and accommodation bookings).

The data is also used for the marketing of services. Photographs taken at events may be used in marketing communications.

Public interest, contract, data controller’s legitimate interest

Stakeholders

For communications concerning Pauhu and its services and tasks as well as for public affairs.

Public interest, data controller’s legitimate interest

Contact persons of potential client organisations

For publishing information concerning Pauhu’s services and tasks, marketing and for tentative service surveying of potential clients.

Public interest, data controller’s legitimate interest

Personal data shall not be used for profiling purposes.

Processing tasks may be outsourced to third party service providers in accordance with the data protection legislation and the boundaries imposed by same.

5. Data content of register

For example the following type of information regarding the data subject may be stored:

Data

Client organisations’ contact persons

Newsletter subscribers

Participants at events and visits

Stake- holders

Contact persons of potential client organisations

Name of person

x

x

X

x

x

Client organisation

X

x

X

x

x

Position/tasks at the company

x

x

X

x

x

Work contact details

x

x

X

x

x

Work e-mail

x

x

X

x

x

Work telephone

x

x

X

x

x

Information regarding any direct marketing prohibition

x

x

X

x

x

Details of contacts/ meetings/ participants

x

 

X

x

 

Quality and client feedback

x

 

X

x

 

6. Personal data retention period

We shall erase data concerning a person from the register latest if there have been no active measures in relation to a client for a period of five years and the person is not related to any pending matter.

Information concerning practical arrangements provided for the purposes of event arrangements (such as food/accommodation, etc. details) shall be erased once there is no longer any need to process the event information.

The erasing shall take place by means of deleting the information in its entirety, by rendering the data passive so that the data are no longer processed and access to the data is restricted, by means of encrypting or overwriting.

7. Regular sources of information

Information concerning the client contact persons shall be collected from the persons themselves or from other representative of the client organisation in connection with contacting them, either orally or in writing. The data may be received also from the other contact person of the client organisation.

Information regarding potential clients may also be collected from public sources, such as the company’s website.

On a case-specific basis we may also obtain participation information, for example, from co-operation partners.

8. Regular disclosures of information and recipient categories

Information may be disclosed to parties referred to under the Act on the Corporate Services Client Register System (293/2017) on the basis of the provisions of the same.

Data may be disclosed to Pauhu’s co-operation partners for non-commercial purposes, for the purpose of arranging visits and events and for sending out various event/visit invitations.

9. Transfer of data outside of the EU or EEA

Personal data may be transferred outside of the European Union or the European Economic Area in accordance with the data protection legislation and within the boundaries imposed by same. If no decision regarding an adequate level of data protection has been issued in relation to the target country or if the transfer does constitute a transfer to the United States in accordance with the Privacy Shield system, the transfer shall occur by means of employing the standard clauses approved by the European Commission.

Pauhu Oy may transfer personal data outside of the EU and the European Economic Area in accordance with the data protection legislation and within the boundaries imposed by the same to its employees, subsidiaries and subcontractors and to its service providers retained for data processing.

10. Principles for protecting the register

Manual material

Any material to be retained on paper is stored in locked facilities equipped with access control. The data controller’s personnel have undertaken confidentiality obligations.

Data to be processed electronically

Personnel access to the electronic data content of the register has been protected with personal user IDs and passwords. Utilisation of some of the data content of the register has been restricted to a limited group of users. The environment has been protected with appropriate firewalls and other technical safeguards.

The purpose of the above-mentioned measures is to secure the confidentiality, availability and integrity of the personal data to be stored in the register, as well as the implementation of data subjects’ rights.

11. Automated decision-making

The information in the register shall not be utilised for decision-making entailing legal effects for the person and that is based on automated data processing, such as profiling.

12. Data subject’s right to object to the processing of personal data

The data subject shall have the right, in connection with their personal specific circumstances, to object to profiling pertaining to themselves and to other processing measures directed by the data controller at the data subject’s personal data to the extent the data processing is based upon the data processor’s legitimate interests.

The data subject may present their claim regarding the objection in accordance with section 15 of this privacy policy. In conjunction with the claim, the data subject must specify the specific circumstances based on which they are objecting to the processing. The data controller may refuse to carry out the request pertaining to the objection on the grounds stipulated for under the legislation.

13. Data subject’s right to object to direct marketing

The data subject may issue the Data Controller consents or prohibitions pertaining to direct marketing on a channel-specific basis, including profiling taking place for direct marketing purposes.

14. Other data subject’s rights pertaining to the processing of personal data

Data subject’s right to obtain access to the information (Right of Access)

The data subject shall have the right to inspect which data concerning them has been stored in the register. The inspection request must be submitted in accordance with the instructions set forth in this privacy policy. The right of access may be denied upon grounds stipulated in the law. As a point of departure, exercising one’s right of access in an ordinary manner is free of charge.

Data subject’s right to require the rectification or erasure of data or restriction of processing

To the extent the data subject is able to act for themselves, the data subject shall, without any undue delay, after becoming aware of the error, or, having detected the error themselves, rectify, erase or supplement any piece of information found in the register being contrary to the purpose of the register, erroneous, unnecessary, deficient or outdated.

To the extent, the data subject is not able to rectify the information themselves, the correction request shall be submitted in accordance with section 15 of this privacy policy.

The data subject shall also have the right to require the data controller to restrict the processing of their personal data, for instance in circumstances where the data subject is awaiting the data controller’s response to their request regarding the correction or erasure of their personal data.

Data subject’s right to lodge a complaint with the supervisory authority

The data subject shall have the right to lodge a complaint with the competent supervisory authority, if the data controller has not complied with the applicable data protection regulation in its operations.

15. Contacts

In all questions concerning the processing of personal data and situations related to the exercise of the data subject’s rights, the data subject should contact the data controller. The data subject may exercise their rights by contacting support@pauhu.fi

16. Versions

This privacy policy was updated on November 20, 2019.

The data controller follows the developments in legislation and will develop its operations constantly, and consequently, retains the right to update this privacy policy.