Last updated: 25.9.2020
CYF Digital Services is compliant with applicable data protection legislation, including EU Data Protection Legislation.
1. Controller of the personal data file
CYF Digital Services Oy
SparkUp, Tykistökatu 4 B
Business ID 2761064-2
2. Name of the register
a) Customer registry
b) Registry of information collected by surveys and research
3. Processing condition
According to general GDPR legislation, processing conditions are:
- contracts between controller and customer
a) Customer registry: Purpose of handling this information is to manage customer relations and invoicing and payment collections.
b) Surveys and research: Purpose of handling this information is to collect information to create new services and develop current services.
Information is not used for automated decision making nor profiling.
4. Information content of the register
a) Personal data that is stored in customer registry:
- First name, last name
- Contact information: phone number, email address, street address, postal code and city
Generally, to the extent permitted by applicable laws and regulations, the data controllers retain Contact Data at most three years after the last business activity where the data subject has been involved. Additionally, as the case may require, data controllers may have to extend Contact Data retention on the grounds of establishment, exercise or defense of legal claims or execution of our internal investigations. This retention period is justified due to data controllers’ obligations or needs related to e.g. product and service warranties, product liability statutes as well as burdens of proofs in possible litigation situations.
b) Personal data that can be collected and stored during surveys and research is for example:
- Name, profile name
- Phone number, email address
- Age, gender, household size
Every survey and research states what is the purpose to collect the information. Background information is handled in such a way that individual respondents cannot be identified from the results.
5. Regular sources of information
Information is retrieved from customers themselves by email, by phone, through social media services, from contracts, in customer meetings and other situations where a customer discloses information.
7. Regular transfer of personal data to third parties, information transfer outside EU and ETA
Personal information will stay within CYF Digital Services and applicable partner organization and won’t be transferred to third parties. Information can be shared with third parties but only with a customers prior consent.Personal data can be transferred and stored outside of ETA. If personal data is stored outside of ETA, the Data Controller will take care of sufficient security by transferring data only to countries where the European Commission has confirmed the data protection is at adequate level. If data is transferred to a country whose privacy level is not sufficiently high, the Data Controller will take into consideration data protection regulation requirements and implications of data transfer to customers’ rights and liberties and the Controller will take necessary precautions.
8. Principles of protecting personal data
Personal information is protected by technical and organizational measures against accidental and/or unlawful access, alteration, destruction or other processing including unauthorized disclosure and transfer of personal information.Such measures include but are not necessarily limited to proper firewall and virus protection arrangements, appropriate encryption of telecommunication and messages. Personnel processing Personal data as part of their tasks is trained and properly instructed in data protection and data security matters. Whereas we will protect this information to the best of our ability this cannot be guaranteed and in the event of a data breach the appropriate authorities will be informed and this will be notified to those affected.
Whereas we will protect this information to the best of our ability this cannot be guaranteed and in the event of a data breach the appropriate authorities will be informed and this will be notified to those affected.
9. Right of access of personal data and rectification
Every person whose data is stored in the register has a right to review his/her stored information, demand corrections for incorrect information or demand completion for incomplete information. In order to use this right, the request needs to be sent in writing. The Controller may if necessary request the person to prove his/her identity. The Controller will reply to the customer within time limits set by EU Data Protection Regulation (usually within one month).
10. Other rights
Registered person has a right to request removal of his/her data (“right to be forgotten”). In addition, a registered person has all other rights mentioned in EU Data Protection Regulation, such as limiting personal data processing in certain situations. In order to use this right, the request needs to be sent in writing. The Controller may if necessary request the person to prove his/her identity. The Controller will reply to the customer within time limits set by EU Data Protection Regulation (usually within one month).