Updated on 9 May 2022
1 Controller
SRV Group Plc and all companies belonging to the group (hereinafter ‘SRV’).
SRV Group companies:
SRV Construction Ltd (FI-17071868)
SRV Asumisen Palvelut Oy (FI-29525249)
Each SRV Group company is responsible for the processing of personal data conducted under its own business operations for the purposes and with the legal basis set out in this Privacy Statement and may use the necessary personal data collected by other group companies for the same purposes.
2 In matters relating to this register, please contact
SRV Group Plc
Privacy
PL 555
02601 Espoo
privacy@srv.fi
Tel. 020 145 5200
3 Register name
SRV’s Consumer Customer Register and Marketing Register
4 Purpose and basis for processing personal data
The processing of personal data is based on the execution of a contract between SRV and the data subject and on fulfilling the data subject’s requests related to inquiries, newsletters, requests for quotations, orders of products and services and other pre-contract activities carried out based on the data subject’s request. In addition, the processing of personal data is based on SRV’s legitimate interest in managing the customer relationship and directly marketing its products and services to existing and potential customers, as well as on the data subject’s consent, where it is necessary for the transmission of electronic direct marketing materials or for the collection of data from the use of SRV’s website through cookies or other similar technical monitoring methods for the purposes set out in this Privacy Statement.
The purposes for which personal data is used include the following:
- managing, maintaining and developing the customer relationship between SRV and the data subject
- selling, marketing, offering, providing and developing SRV’s products and services
- checking credit ratings, invoicing, monitoring of payments and debt collection
- customer communication, including feedback requests and customer satisfaction surveys
- direct marketing via mail, phone and electronic channels as well as online advertising and targeting it
- conducting customer and market surveys, organising marketing-related competitions and draws
- planning and developing SRV’s business, products and services
- detecting, preventing and investigating misuse, fraud and other crimes
- sanctions screening and analysis, profiling, segmentation and statistics compilation for the purposes listed above.
5 Register content and data subject categories
The register contains the following information on current and potential customers and former customers with which the customer relationship has ended:
- Basic customer information: first name, last name, personal identification number, postal address, phone number, email address, fax and customer ID
- Title/profession, age, language and investor information
- The start and end date of the customer relationship and the manner with which the customer relationship started and ended
- information on product and service agreements, orders, purchases and cancellations
- invoicing, payment and debt collection information and details on credit rating
- Information on areas of interest (such as SRV’s housing construction projects and areas that the customer is interested in and other interest areas the customer has provided details on), marketing actions targeted at the data subject
- Information on the use of SRV’s website and online services, such as service use, for example browsing and search data, cookies and IP addresses
- Customer feedback, other contacts and complaints
- Customer/user and marketing segments and profiles created based on analyses and profiling carried out by using the data described above
- Refusals and consent related to direct marketing and any other information the data subjects themselves have provided
6 Information sources
As a rule, the information in the filing system is collected from the data subjects themselves on the basis of service and website use, contact requests or the filling of other forms or based on information obtained in connection with the use of other services, event participation, contract conclusion and contract execution.
In addition, personal data can be collected and updated from the population register, credit reference register, other similar public and private registers and sanctions lists.
Disclosure and transfer of data and transfers to countries outside the EU or European Economic Area
7 Disclosure and transfer of data and transfers to countries outside the EU or European Economic Area
Personal data is disclosed to the following parties:
- Credit institutions holding the safekeeping documents as set out in section 2 of the Housing Transactions Act
- Property managers of housing construction projects
- Supervisors and parties monitoring the construction work during the housing construction projects
- The boards of housing cooperatives (e.g. information on received loan payments is provided as part of the financial statements at assignment)
- Any other transferees based on transfers that are required for SRV to fulfil its legal or contractual obligations.
Data can occasionally be disclosed in accordance with law to cooperation partners selected by SRV for direct marketing purposes, if the data subject has not refused consent for such processing and disclosure.
SRV uses external service providers (subcontractors) to implement and provide its services. Such subcontractors include, for example, providers of ICT, marketing and communication services. In this case, personal data can be transferred to subcontractors to the extent that is necessary in order to provide services. These subcontractors process personal data on behalf of the controller in accordance with the controller’s instructions. To ensure privacy protection, SRV signs data processing agreements with all subcontractors that process personal data.
Personal data is not transferred to locations outside the EU or EEA. However, if such transfer of personal data is necessary, SRV will ensure an adequate level of data protection, e.g. by using standard contractual clauses approved by the European Commission.
8 Principles for securing the filing system and the period for retaining data
Only employees who are authorised to process customer data due to their work tasks have access to the system that contains customer data. Each user has a unique user ID and password for the system. Data is stored in databases that are protected with firewalls, passwords and other technical means. Databases and the related backups are located in locked premises and data can be accessed only by pre-defined persons.
After the customer relationship has ended, personal data is retained until all warranty obligations and other contractual or legal obligations between the parties have been fulfilled and the retention and liability periods set out in legislation, for example, the Housing Transaction Act, Consumer Protection Act, Accounting Act and the Act on Prepayment of Tax have ended. As a rule, the personal data of apartment buyers is retained for 11 years starting from the most recent housing transaction.
After the customer relationship has ended, SRV can retain basic information on the data subject, as defined above in this privacy statement (excluding the personal identification number), for direct marketing purposes to the extent permitted by law. SRV regularly assesses the necessity to retain personal data, in addition to which it takes reasonable measures to ensure that the filing system does not include personal data that is incompatible with the purpose of the processing or that is outdated or incorrect.
9 Data subjects’ rights
Data subjects have the right to prohibit SRV from processing the data subject’s personal data for purposes related to direct marketing, market research, opinion polls and any profiling related to these. Such a refusal of consent can be provided at any time to the contact person of the filing system or, for example, by unsubscribing to messages in the manner described in marketing messages.
Data subjects have the right to check their own information stored in the filing system, and they have the right to demand that data is corrected or erased. Such requests must be submitted in person or in writing to the address provided in Section 2.
In accordance with the General Data Protection Regulation, data subjects have the right to object to the processing of their data, request that the processing of their data be restricted, withdraw at any time any consent they have given and lodge a complaint to the supervisory authority concerning the processing of personal data.