Tietosuojaseloste

1. Controller

Kaskea Group Oy
Opastie 10, 62375 Ylihärmä, Finland
Telephone: +358 (0)6 4822 200

2. Contact person for matters concerning the register

Kaskea Group Oy
Vesa Rautava
Opastie 10, 62375 YLIHÄRMÄ, FINLAND
Telephone: +358 (0)6 4822 200
firstname.lastname(at)kaskea.fi

3. Name and purpose of the register

Kaskea Group Oy’s Customer Register.

The purpose of this privacy statement is to inform you how we collect, process and share your personal data when you purchase our products or services as a corporate client or use the products or services we provide as a private individual. This statement also explains your rights with regard to data protection.

4. What data do we collect and how?

Next, we will inform you what personal data we may collect about you and how this collection takes place. In Section 5, you can find a table in which we have detailed the purposes of collecting your personal data as well as the legal basis of the personal data processing.

We may collect, use, retain and transfer different categories of your personal data, which we have grouped as follows:

1. Identifying information refers to your name, date of birth, client number, position and title.
2. Contact information refers to your email address, phone number and home address.
3. Client information refers to your subscriptions, orders you have placed or services you have used, individual contacts we have made with you (such as phone conversations), conversations and agreement negotiations, information on sales and offers, your preferences, feedback, and answers to surveys.
4. Transactional information refers to the products and services that you have purchased from us as well as the details of the agreements we have concluded with you, the payments we have made to you and the payments you have made to us. When you use an application we provide as a private individual, we process your card and/or banking information to the extent necessary in order to carry out payment transactions.
5. Technical information refers to your IP address, login information, browser information (browser type and version), time zone and location, browser extension type and version, operating system and platform, as well as other technical equipment utilised in the use of our website and applications.
6. Usage information refers to information indicating your interaction with our website and application as well as our products and services.
7. Marketing and communications information refers to your preferences regarding receiving marketing from us and our partners, as well as your communications settings.
8. As information related to the parking solution, we also process your vehicle registration certificate.

5. Purposes and legal basis of personal data processing

We process your personal data only to the extent permitted by law. Usually, we process your personal data in the following situations:

1. Processing is necessary in order to implement an agreement to which we have committed or are about to commit with you in accordance with Article 6(1)(b) of the General Data Protection Regulation.
2. Processing is necessary for compliance with a legal obligation in accordance with Article 6(1)(c) of the General Data Protection Regulation or for the establishment, exercise or defence of legal claims in accordance with Article 9(2)(f) of the General Data Protection Regulation.
3. You have given us your consent for the processing of your personal data in accordance with Article 6(1)(a) or 9(2)(a) of the General Data Protection Regulation.
4. Processing is necessary for the purposes of the legitimate interests pursued by us or by a third party, except where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data, in accordance with Article 6(1)(f) of the General Data Protection Regulation.

Below is a table in which we have described all purposes for which we process your personal data and the legal basis of this processing. We have also described our legitimate interest if the processing is based on this legal basis of processing.

Purpose/activity	Data type	Basis of processing, including grounds for the exercise of our legitimate interest
Concluding agreements with corporate clients and managing these agreements, including processing the personal data of the contact person of such as client in the context of the following purposes: registration of a new client; purchasing our products and services; drawing up agreements; processing and delivery of orders and subscriptions for products and services; management, invoicing, collection and recovery of payments concerning our products and services; provision of client benefits and customer service, including complaints; communications related to account management; general compliance with our obligations that are based on agreements concluded with corporate clients, and exercise of our rights based on the concluded agreements.	(A) Identifying information (B) Contact information (C) Client information (D) Transactional information	Processing is necessary in order to conclude an agreement or take action based on a request before an agreement is concluded or in order to execute such an agreement. For the purpose of fulfilling our legal obligations (accounting, auditing and taxation).
When you use the parking solutions we provide as a private individual, we process your data for the following purposes: collection and transmission of parking fees; parking enforcement; creation of reports related to parking; provision of customer service related to parking; transmission of card payments; granting, editing and transmission of parking permits.	(A) Identifying information (B) Contact information (C) Client information (D) Transactional information (H) Information related to the parking solution	Processing is necessary in order to conclude an agreement with you or take action based on your request before an agreement is concluded or in order to execute such an agreement. For the purpose of fulfilling our legal obligations (accounting, auditing and taxation).
Furthermore, if you use the application we provide in connection with the use of the parking solution as a private individual, we process your data for the purposes of account creation and management as well as provision of the application.	(A) Identifying information (B) Contact information (E) Technical information	Processing is necessary in order to conclude an agreement with you or take action based on your request before an agreement is concluded or in order to execute such an agreement.
When you use our bicycle storage lockers as a private individual, we also process your data for the following purposes: collection and transmission of fees related to the use of the bicycle storage lockers; creation of reports related to the use of the bicycle storage lockers; provision of customer service in relation to the use of the bicycle storage lockers; transmission of card payments. Furthermore, when you register as a user of the application related to the use of the bicycle storage lockers and use this application, we process your data for the purposes of account creation and management as well as provision of the application.	(A) Tunniste­tiedot (B) Yhteys­tiedot (C) Asiakastiedot (D) Transaktio­tiedot (E) Tekniset tiedot	Käsittely on tarpeen sopimuksen solmimiseksi kanssasi tai pyynnöstäsi toimiin ryhtymiseksi ennen sopimuksen solmimista. Täyttääksemme laillisen velvoitteemme (kirjanpito, tilintarkastus ja verotus).
Analysis and improvement of business processes and practices	(A) Identifying information (B) Contact information (C) Client information (D) Transactional information	Processing is necessary on account of our legitimate interest in order to analyse and develop our business activities, including our products and services.
Maintenance of our website and applications	(E) Technical information	We have a legitimate interest in providing you with access to our website and applications.
Electronic communication with you on our website, via an application, by email, via social media or in another way.	(A) Identifying information (B) Contact information (C) Client information (G) Marketing and communications information	We have a legitimate interest in communicating with you.
Sending newsletters and other marketing	(A) Identifying information (B) Contact information (C) Client information (G) Marketing and communications information	We have a legitimate interest in sending you relevant marketing. We send you marketing by email or via another relevant electronic communication channel if you have given us your consent for this or if we are otherwise entitled to do so based on the Act on Electronic Communications Services.
Management and protection of our business activities, website and applications (including troubleshooting, data analysis, testing and system maintenance)	(A) Identifying information (B) Contact information (E) Technical information (F) Usage information	Processing is necessary on account of our legitimate interests, such as running our business, provision of administration and IT services, ensuring network security, and prevention of fraud.
Use of data analytics in order to develop the website, applications, products/services, marketing, client relations and experiences	(E) Technical information (F) Usage information	Processing is necessary on account of our legitimate interests, in order for us to determine the client types for our products and services, keep our website up to date and meaningful, develop our business activities and improve our marketing strategy. We use cookies – other than absolutely necessary technical cookies – only if you have given your consent.

6. Retention period of personal data

The personal data is retained for as long as the client relationship is valid. After the client relationship ends, the personal data will be retained for up to 10 years from the end of the client relationship. The personal data may be retained for a longer period of time if the applicable legislation requires a longer retention period. Furthermore, the data may also be retained for a longer period of time if retention is necessary for the establishment, exercise or defence of legal claims in legal proceedings.

The data may be erased if the data subject requests the erasure of the data concerning them after the end of the client relationship, once all rights and obligations of the client and controller have been implemented. The data may also be marked as archived/inactive before the aforementioned date. Retention for a longer period of time than specified here requires the personal data to be anonymised. The register is checked regularly for expired data.

The personal data of potential clients is retained in the Direct Marketing Register for as long as the data subject serves in roles to which the marketed product or service is related, provided that the data subject has not opted out of direct marketing. Regular checks are carried out to ensure that this information is up to date. In this case, however, the Direct Marketing Register may retain the information about the person and their opting out of direct marketing.

7. Regular sources of data

Personal data is collected in conjunction with the establishment of a client relationship and during the client relationship, as well as during any work carried out in order to establish the client relationship, directly from the client company or the data subject in question.

When you use our parking solution or bicycle storage lockers as a private individual, we collect your data when you create an account in the application and when you use the application and service.

Data may be collected and completed with the person’s consent (e.g. by using cookies) from the Population Information System as well as other registers maintained by third parties. Data may also be collected in conjunction with various marketing measures, such as events. With regard to data on an organisation, data may also be retrieved from the Business Information System of the Finnish Patent and Registration Office or public sources such as websites.

8.  Regular disclosures of data

Data is disclosed to the controller’s group companies for the purposes of use described in Section 5 of this privacy statement. Additionally, data may be disclosed for other internal purposes of the Group, such as the use of a centralised IT system as well as harmonisation of business activities and strategies. This processing is based on our legitimate interest in transferring data for internal purposes within the Group.

Moreover, data may be disclosed to third parties in the following situations:

• when necessary for the purposes listed in Section 5;
• to public authorities, such as health authorities, tax authorities or enforcement authorities when required by law;
• when you pay on our website and the payment is administered by a payment service provider that acts as an independent controller;
• our website may set cookies and collect or transfer data to third parties. Please read the description of the use of cookies that is available on our website in order to receive information about these third parties as well as the purposes for which data is collected. We use cookies other than necessary cookies only with your consent;
• to persons or corporations that acquire our entire company, most thereof, or all or most of our shares or property, or corporations with which we are about to merge;
• when we believe in good faith that disclosure of the data is necessary in order to exercise our rights or defend against legal claims, ensure your security or that of others, investigate fraud or respond to requests by the central government;
• when disclosure of the data to our cooperation partners is necessary in order to investigate crimes, damage or vandalism related to our products or services or their use.

We cooperate with trustworthy third parties that provide us with certain services that we require. Examples of such services include hosting services; maintenance and upkeep of IT systems; sales management on our website; communications; planning and implementation of marketing; customer service; processing of payments; delivery of products; analytics; and other services.

Third-party service providers may have access to or an opportunity to process personal data in order to provide us with the aforementioned services. Third parties may not make use of your personal data for any purposes other than ones related to the services they provide. We have concluded data processing agreements with the third parties in question, and they process our personal data in accordance with our specific instructions.

9. Transfer of data outside the EU or EEA

We do not transfer your data to countries outside the European Union or the European Economic Area unless we have first made sure that the transfer meets the requirements laid down in Chapter V of the General Data Protection Regulation.

Some of the third-party service providers that we use are based outside of the European Economic Area in the United States. Of course, this means that the personal data processing that they carry out also involves transferring personal data outside of the European Economic Area. In order to provide sufficient protection for your personal data, we have made sure that our service providers based in the United States undertake to comply with the EU-US Data Privacy Framework. This ensures that the transfer meets the requirements of Chapter V of the General Data Protection Regulation.

If you would like to receive further information about the parties based outside of the European Economic Area that process your personal data, as well as the security measures that we have taken to ensure the continuation of data transfers, you can contact us as described in Section 13.

10. Principles of register protection

1. Manual materials
   Stored in a location to which only specific persons have access.
2. Information stored electronically
   Employees of the controller and external persons acting on behalf of the controller who participate in data processing are under an obligation of secrecy with regard to all data contained in the register. Use of the register is protected by means of encryption, user IDs, passwords and access rights.

11. Profiling

The controller may also make use of the data for profiling purposes. Profiling is implemented with an identifier that allows for combining of the data generated about the data subject in conjunction with the use of the service. The profile created with this method may then be compared to the profiles created of other data subjects. The purpose of profiling is to determine the demand for services and client behaviours.

12. Right of the data subject to object to personal data processing and direct marketing

Data subjects have the right to object to being profiled and being subjected to other processing measures that the controller carries out on the data subjects’ personal data in so far as the data processing is based on the controller’s legitimate interest. Data subjects may submit a request concerning an objection in accordance with the section ‘Contact’ in this privacy statement. Data subjects must specify the special situation on the grounds of which they object to processing. The controller may refuse to fulfil the request concerning an objection if the controller has grounds to refuse as provided by law.

Data subjects may submit opt-ins or opt-outs concerning direct marketing or profiling to the controller.

13. Other rights of data subjects related to personal data processing

 13.1 Right to access data (right of access)

Data subjects have the right to see what data concerning them is recorded in the controller’s register. Data access requests must be submitted in accordance with the section ‘Contact’ in this privacy statement. The right of access may be refused on grounds provided by law.

13.2 Right to request rectification or erasure of personal data or restriction of processing

Data subjects may, upon noticing inaccurate information, submit a request for rectification or erasure of personal data or restriction of processing in accordance with the section ‘Contact’ in this privacy statement. Data subjects also have the right to request that the controller restrict the processing of their personal data in situations such as when the data subject is waiting for the controller to reply to the data subject’s request for rectification or erasure of their personal data.

13.3 Right to transfer data from one system to another

In so far as the data subject has personally provided the register with data that is processed on the basis of consent or mandate provided by the data subject, the data subject has the right to receive such data, generally in a machine-readable format, or to have it transferred to another controller.

13.4 Right to file a complaint with the supervisory authority

A data subject has the right to file a complaint with the competent supervisory authority if the data subject believes that the controller has not complied with the applicable data protection rules in its activities.

13.5 Other rights

If the personal data processing is based on the data subject’s consent, the data subject has the right to withdraw their consent by notifying the controller of this in accordance with the section ‘Contact’ in this privacy statement.

14. Contact

Data subjects may contact the person named in Section 2 regarding any questions about personal data processing and in situations involving the exercise of the data subject’s rights. If necessary, the controller or the person named in Section 2 may ask the data subject to clarify their request in writing, and the data subject’s identity may be verified before any other measures are undertaken, if needed.