Privacy Statement for SRV’s Contractor and Supplier Register
SRV Construction Ltd, Business ID 1728244-6
P.O. Box 555, Tarvonsalmenkatu 15
FI-02601 ESPOO, FINLAND
2 Contact person for matters related to the filing system
P.O. Box 555, Tarvonsalmenkatu 15
FI-02601 ESPOO, FINLAND
3 Name of the filing system
SRV’s contractor and supplier register
4 Basis and purpose of the processing of personal data
The processing of personal data is based on SRV’s legitimate interest and the execution of a contract between SRV and a contractor or other cooperation partner (such as a supplier) and on fulfilling the requests that the data subject makes prior to concluding a contract, for example, in relation to matters such as newsletter subscriptions and inquiries.
The purposes for which personal data is used include managing, maintaining, developing and analysing the relationship between SRV and its contractors, suppliers and other cooperation partners, as well as the compilation of statistics. In addition, SRV uses the data for direct marketing (including the sending of newsletters), the organising of marketing competitions, profiling, opinion polls and market research. The information is also used in the planning and development of SRV’s business and services.
5 The information content of the filing system and categories of data subjects
The filing system includes the following information on the decision-makers and contact persons of contractors, suppliers and other cooperation partners:
- Name, title, company, postal address, email address, phone number
- The areas of professional interest as provided by the data subject and the marketing activities targeted at the data subject
- Public information concerning tasks and status in business life or in a public office
- Access details such as data on service use, for example browsing and search data, cookies and IP addresses
- Data related to communication
- Customer/user and marketing segments and profiles created based on analyses and profiling carried out by using the data described above
- Refusals and consent related to direct marketing
- Any other information the data subjects themselves have provided
6 Any other information the data subjects themselves have provided Information sources
As a rule, the data in the filing system is collected from the data subjects themselves via phone, online, in meetings or in other similar manner. The filing system is compiled, for example, in connection with the conclusion of a contract with SRV, by using the information provided by the contractors or suppliers during the contract period and based on information otherwise obtained in the course of the relationship. Personal data can be collected and updated from the business register and other similar public and private registers.
7 Disclosure and transfer of data and data transfers to countries outside the EU or EEA.
As a rule, SRV does not disclose the data in the filing system to external parties unless it is required in order to fulfil the legal or contractual obligations of the controller.
SRV uses external service providers (subcontractors) to carry out the tasks defined in this privacy statement. Such service providers include, for example, providers of ICT, marketing and communication services. In this case, personal data can be transferred to subcontractors to the extent that is necessary in order to provide services. These subcontractors process personal data on behalf of the controller in accordance with the controller’s instructions. In order to ensure that data is protected, SRV concludes data processing agreements with its subcontractors who process personal data.
As a rule, personal data is not transferred to locations outside the EU or EEA. If, as an exception, personal data is transferred to a location outside the EU or EEA, SRV ensures that the level of data protection is adequate by using, for example, the standard clauses approved by the EU Commission.
8 Principles for securing the filing system and the period for retaining data
Only employees who are authorised to process customer data due to their work tasks have access to the system that contains customer data. Each user has a unique user ID and password for the system. Data is collected into databases that are protected with firewalls, passwords and other technical means. Databases and the related backups are located in locked premises and data can be accessed only by pre-defined persons.
After the relationship with SRV’s contractor, supplier or other cooperation partner ends, personal data is retained until all warranty obligations and other contractual and legal obligations between the parties have been fulfilled and the retention and liability periods set out in legislation such as the Accounting Act and the Act on Prepayment of Tax have ended. As a rule, personal data is retained for five years from the end of the validity of the works contract and/or principal-contractor agreement.
After the contract and cooperation has ended, SRV can retain basic information on the data subject, as defined above in this privacy statement, for direct marketing purposes to the extent permitted by law. SRV regularly assesses the necessity to retain personal data, in addition to which it takes reasonable measures to ensure that the filing system does not include personal data that is incompatible with the purpose of the processing or that is outdated or incorrect.
9 Rights of data subjects
Data subjects have the right to prohibit the controller from processing the data subject’s personal data for purposes related to direct marketing, market research, opinion polls and any profiling related to these. Such a refusal of consent can be provided at any time to the contact person of the filing system or, for example, by unsubscribing to messages in the manner described in marketing messages.
Data subjects have the right to check their own information stored in the filing system, and they have the right to demand that data is corrected or erased. Such requests must be submitted in person or in writing to the address provided in section 2.
In accordance with the General Data Protection Regulation, data subjects have the right to object to the processing of their data, request that the processing of their data be restricted and lodge a complaint concerning the processing of personal data to the data protection ombudsman.