Data protection and register description

Privacy policy

Data protection at Tietokeskus

We process your personal data in accordance with the applicable data protection regulations, the General Data Protection Regulation (GDPR), other legislation and this privacy policy. We regularly review and develop our operating methods. On this page, you will find our up-to-date privacy policy and register descriptions.

General principles of processing personal data

Data protection and privacy are important for Tietokeskus. When using our services, you provide us with personal information, and we will not break this trust.

• We process personal data carefully and with a high level of professionalism.
• We use appropriate technical measures to protect personal data.
• We always use personal data systematically and lawfully. We collect only the personal data that is necessary for our operations.
• We seek to operate transparently, which is why we have made this privacy policy available.

Personal data means all data attributable to a natural person.

What personal data do we collect?

This depends on the services you use. Below are examples of data that our register may include.

General information

We collect information about you so we can identify you as our customer and keep in touch with you. This type of general information includes your name, telephone number, address, workstation location, email address and instant messaging address, for example.

Information about your employer

Tietokeskus engages in B2B business. The personal data we collect is usually based on a customer relationship between Tietokeskus and the employer of the person in question. For this reason, we also collect information about your employer.

Information related to our services and your devices

When we provide our customers with maintenance and expert services, we store data related to these services that can be attributed to a natural person. Such information includes support requests in the ticketing system, the network location or physical location of the device, the user IDs of the users logged in to the device or information about the user designated for the device, for example.

Sometimes our customers request that we include the users to whom we have delivered devices as reference information in invoices. This information is also stored in our systems.

Information related to payment transactions

When you make purchases from our online store, we store information related to the payment transaction. However, we never store your credit card number.

Password and user ID information

If you have user IDs for our online services, we need your individual user ID. Your password is always stored encrypted in our systems, and it cannot be read as clear text from the stored data.

Phone and video recordings and log data

We may record our customer service calls for quality assurance or training purposes or to fulfil our accountability obligation. When you are using Tietokeskus’ online services, identity attributes related to you may be stored in your servers’ log files.

Customer enquiries and information from social media

The email messages you send to us and your chat conversations with us are stored in our systems, along with your other communication history. In addition, we have a social media presence, and information from your public profile may be stored in our systems.

Where do we collect your personal data?

Directly from you

We collect your data when you contact our customer service department or use our services.

From your employer

We provide services to companies, and our corporate customers provide us with information about their employees or other natural persons related to the service delivered to the customer. Depending on the situation, this data may be part of your employer’s personnel register, and Tietokeskus serves as the processor. In some cases, data may also be stored in Tietokeskus’ customer register.

From websites and public social media profiles

For example, our website or services may use cookies to optimise your service experience.

From our partners

We may receive contact information from hardware suppliers for warranty maintenance, for example, or from insurance companies for fixing a broken device. We may also engage in marketing communications in cooperation with our partners.

From technical systems

When providing services, we use systems that help us maintain the devices you use. These maintenance systems may collect data about devices, and this data is also related to you as the user of the device. This information may include the network location and the physical location of the device, in addition to information related to using the device.

How do we use your personal data?

Sales and customer relationship management

We process your personal data to identify you as our customer, communicate with you and send you messages about our services.

Business development

We process your personal data to further develop our business operations and products and to conduct marketing research and analysis, including customer satisfaction surveys.

Marketing

We collect and analyse personal data, such as information about your online behaviour or location, to send you information about our services or other messages that we think may be useful to you. We may also improve your user experience on our website based on your personal data.

Provision of services

We need your personal data in order to provide you with services that help you benefit from information technology and enjoy its use. For example, our helpdesk needs your personal data in order to identify you as a user of the service and to view information about the device you are using. In life-cycle and logistics services, we need your personal data in order to provide you with a new device.

Statistics

We also use the data we collect to compile statistics and measure our operations.

Grounds for personal data processing

We always process your personal data based on one of the following legal grounds:

• You have given us consent to process your personal data. Consent can be given by using our services or contacting our customer service department. You may withdraw your consent at any time.
• The processing of your personal data is necessary for the execution of our agreement with your employer or employer’s partner.
• Personal data processing is necessary for the purposes of our, or third parties’, legitimate interests. This may mean, for example, that we process your personal data to prevent fraud, target direct marketing at you or maintain the security of our information systems.
• Personal data processing is necessary for protecting your or someone else’s vital interest.
• Personal data processing is necessary for compliance with our statutory obligations.

Automatic decision-making and profiling

We may use automatic decision-making in some of our services, such as our online store, or in the automatic processing of service requests. Automatic decision-making is based on the information provided to us.

We use profiling to send marketing messages that we believe are suitable for you, and we seek not to send messages that are irrelevant to you. You have the right to refuse to be subjected to profiling for direct marketing purposes.

Data storage and security

We are committed to ensuring the security of your personal data through good data management and careful processing. We use appropriate technical, physical, judicial and organisational measures to protect your data. All service providers that serve as processors of personal data have committed to compliance with the requirements of the General Data Protection Regulation and the measures described in this privacy policy.

We will store your personal data for as long as is necessary to achieve the purposes described in the privacy policy and register descriptions, unless a longer storage period is required or allowed by law.

Disclosure of personal data to third parties

We will not disclose your personal data to third parties without your consent, unless one the following conditions is met:

• The disclosure of data is based on a law, a regulation or an agreement binding on Tietokeskus.
• Tietokeskus and a third party have entered into an agreement on personal data processing.
• The disclosure of personal data is necessary for a service provided by Tietokeskus to you or your employer. For example, when ordering a licence or registering a device warranty, we may have to disclose the contact information of the end customer’s contact person to the supplier or manufacturer.
• Your personal data was collected in connection with an event we organised in cooperation with our partners. We may disclose your personal data to such partners for marketing communication purposes related to the event.

International transfer of personal data

As a rule, your personal data will be stored only within the European Union (EU) and the European Economic Area (EEA). However, some of our partners may be based in non-EU or non-EEA countries. We may, for example, transfer data classified as personal data to processors providing cloud services in the United States or elsewhere outside the EU and the EEA. In such cases, Tietokeskus has entered into a separate GDPR-compliant data processing agreement with the partner in question, or the transfer is made within the framework of an agreement approved by the EU (e.g. Privacy Shield).

Your rights

You have the right to review your personal data that has been stored in our registers, the right to have inaccurate personal data rectified, the right to have your personal data erased (right to be forgotten), the right to transmit your personal data to another service, and the right to restrict the processing of your personal data. You can exercise your rights by contacting us by email at tietosuoja@tietokeskus.fi or by calling Eetu Salpaharju, who is in charge of data protection at Tietokeskus, tel. +358 207 191 614.

Register descriptions

Customer register

Register description in accordance with section 10 of the Personal Data Act (523/1999)

Controller

Tietokeskus Finland Oy
Lukkosepänkatu 14
20320 TURKU

Business ID 0204687-0

Contact person for the register

Eetu Salpaharju
Lukkosepänkatu 14
20320 TURKU
tietosuoja@tietokeskus.com

Name of the register

Tietokeskus’ customer register

Purpose of personal data processing

Personal data is processed for the purpose of managing Tietokeskus companies’ (the controller and its subsidiaries) business operations, service provision and customer relationships. This also covers the sale and marketing (including direct marketing) of the products and services provided by Tietokeskus.

Data content of the register

The register contains information about Tietokeskus’ private customers and the contact persons of its corporate customers as follows:

• Name
• Customer ID/user ID for services provided by Tietokeskus or its partners
• Address
• Telephone number
• Email address
• Information about service events and the related records (ticketing)
• Information about devices related to a person
  • Device serial number
  • Device login history
  • Location information
  • Network location
  • Log data collected by the device and the management system
• Communication
  • Letters, emails and instant messages
  • Telephone calls (identity attributes and recordings)
• Employer or other related organisation
• Purchase history and information related to purchase events, payment transactions and delivery events
• Customer service management information
  • Direct marketing opt-outs
  • Service event information
• Information related to a person’s behaviour in Tietokeskus’ and its partners’ online services
  • Cookies
  • Log data

Sensitive data as described in section 11 of the Personal Data Act will not be stored in the register.

Regular sources of data

• Information provided by the data subject
• Information provided by Tietokeskus’ corporate customers about the users of its services
• The systems used for the provision of services, such as ticketing systems with their self-service portals and systems used for the maintenance of service devices.
• Tietokeskus’ website

Regular destinations of disclosed data

Tietokeskus discloses personal data only with consent from the data subject under circumstances that comply with current legislation and when the disclosure of personal data is necessary for a service provided by Tietokeskus to its customer.

Transfer of data to non-EU or non-EEA countries

Data from the register may be transferred to non-EU or non-EEA countries, when Tietokeskus uses cloud services located in such countries, for example.

The transfer of data to non-EU or non-EEA countries requires that:

• The country in question ensures a sufficient level of data protection, or
• The controller ensures, through contractual clauses or by other means, a sufficient level of protection of the data subjects’ privacy and rights, or
• The data subject has given their express consent for the transfer.

Principles of register protection

• The servers on which data is processed are located in facilities with sufficient physical protection. In addition, the servers are protected by means of firewalls and other appropriate technical measures.
• Personal user IDs are always required for logging in to the systems in which personal data is processed or stored. Credential management is used to ensure that the data subjects’ information can be processed only by employees who are entitled to do so.
• The employees who process data contained in the register have signed a non-disclosure agreement.
• Documents are stored in facilities with access control and a burglar alarm system.
• Material is transferred encrypted in public data communication networks.
• The employees who process personal data are provided with training related to data protection and information security on a regular basis.