Privacy policy for customers, potential customers and stakeholders

1 Data controller

Impact Agency Fabrik Oy – Y-tunnus: 1059043-8 (hereinafter referred to as the “Controller”) Address: Siltakatu 14 B, 80100, Joensuu Phone: +358 400 570 270 Email: perttu@fabrik

Contact person for data protection issues: Perttu Kouvalainen, perttu@fabrik.fi

2 What do we mean by different terms?

“Data Subject” means the person whose personal data is processed by the Controller in its personal files in the ways described in this Privacy Policy.

3 For what purposes do we process your personal data?

We process the personal data of Data Subjects for the following purposes (one or more at the same time):

  • supply of products and services We may use your Personal Data to provide you with products and services if, for example, you or the company you represent have purchased a product or service from us, used our digital services, subscribed to our newsletter or participated in our events. The personal data will be used to carry out the rights and obligations arising from a contract or other commitment between the controller and the data subject or the company represented by the data subject.
  • customer communication We may use your Personal Data in our customer communications, for example, to send you notifications about products and services, to inform you about changes to services and to request feedback about our products and services.
  • Marketing We may contact you to tell you about new products, services or benefits. We may use your Personal Information to tailor our offerings and provide relevant content. This means, for example, that we may provide recommendations or display tailored content and customized advertisements on our own and third party services, such as targeting online advertising to Data Subjects who have visited our website.
  • studies We may contact you to carry out opinion, marketing and other surveys necessary for our business.
  • customer and stakeholder relationship management, analysis and development We may use your Personal Data to manage, analyse and develop a customer or stakeholder relationship with the company you represent or directly with you.
  • developing products and services We may use your Personal Data to develop our products and services, for example, to improve our range of products and services to make them more attractive to customers. The legal basis for processing your personal data is the following subparagraphs of Article 6 of the EU General Data Protection Regulation: (a) you have given your consent to the processing of your Personal Data for one or more specific purposes;(b) processing is necessary for the performance of a contract to which you or the company you represent are party or for the performance of pre-contractual measures at your request;(c) processing is necessary for compliance with a legal obligation of the Controller; and(f) processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by your interests requiring the protection of personal data or by your fundamental rights and freedoms. We process your data to perform a contract with a company you represent or directly with you (e.g. to provide a communication service or market research). We have legitimate interests in the conduct of our business, such as the right to promote our products and services through marketing and sales, and we may have a legitimate interest in carrying out direct marketing and sales using your contact information, including processing Personal Data for targeting purposes. Other legitimate interests for which we may process your Personal Data include providing advice and other customer service to non-customers, further developing our business and investigating possible misuse. Where the processing is not based on a contractual need or legitimate interest, we may ask for your consent to process your Personal Data for other purposes. We may also process your Personal Data where required to do so by law, for example on the basis of the obligation to retain your Personal Data under the Accounting Act or money laundering legislation.

4 What types of data can we process?

The Personal Data we process may include, but is not limited to, the following types of information and any changes made to it:

4.1 Basic information on all Data Subjects

  • first name and surname
  • contact details (postal address, email address, telephone numbers)
  • sex
  • Communication to the data subject and related activities
  • direct marketing choices
  • Information on the use of the controller’s digital services
  • information about cookies and other similar activities sent to the data subject’s terminal equipment (such as computers and mobile devices) and the data collected through them, insofar as the person can be identified on the basis of this information.
  • any recordings of customer service calls and customer service-related email and online conversations, for example on social media channels

4.2 Additional information on business representatives

  • title and/or job description in current and previous positions related to the activities of the Data Controller

4.3 Data of Data Subjects who have purchased, provided feedback on and/or made a complaint about the products or services of the Controller

  • the time and manner of the beginning and end of the customer or similar relationship
  • Promotions and offers targeted at the data subject and their use
  • Interests and other information provided by the data subject
  • the content of feedback and complaints, related correspondence and follow-up actions

4.4 Data of Data Subjects who have participated in the Controller’s events

  • dietary information (specific information provided voluntarily by the Data Subject)
  • date of birth for those events for which the shipping company, for example, requires it
  • the name and date of birth of the travelling companion, if required by the shipping company, for example

4.5 Identification data of customers of the controller’s online services

  • Registered login credentials
  • activity on the online service after logging in

5 From which sources do we collect your Personal Data?

Most of the Personal Data is obtained from you at the beginning and during the customer and stakeholder relationship and from the devices and software that you use to access our products and services. We also receive Personal Data and updates to Personal Data from government agencies and organizations that provide services to obtain and update Personal Data and credit information, as well as from public directories and other public information sources, such as company websites and various media. For marketing purposes, we collect your Personal Information from you in connection with various activations such as sweepstakes, contests, surveys or events (by the Controller or its partners). We also receive Personal Data about company representatives from their colleagues, i.e. the main contact person of the company may also provide us with Personal Data about other persons related to the use of the Registrar’s products and services.

6 Do we target our marketing?

We may analyse the Personal Data in our records and combine it with cross-referenced data and data from third parties. This processing may be used, for example, to create target groups interested in similar types of content, and to target content to different groups in order to create the best possible customer experience and attract the interest of potential customers.

7 Who can we share your Personal Data with?

We will not give, sell or otherwise disclose your Personal Information to outside third parties unless otherwise stated below. We will share your Personal Information with third parties who provide services to us. These services may include, for example, customer service, software services, research, marketing and event production, and billing. We may share your Personal Information to collect payments for products and services, and may, for example, transfer or sell unpaid invoices to third parties that provide collection services. The protection of your Personal Information is important to us, which is why we do not allow these parties to use your information for any purpose other than to provide the agreed services, and we require them to protect your Personal Information in accordance with this Privacy Policy and applicable law. We may share your Personal Data with partners with whom we jointly manage and implement joint projects, such as joint events. We may share your Personal Data with carefully considered third parties for their independent direct marketing purposes. Information may only be shared for those purposes where the intended use by the third party is not incompatible with the uses set out in this Privacy Policy. We will only disclose the minimum amount of your Personal Data necessary to carry out the transaction agreed with the third party for such purposes. We may, at our discretion, share Personal Data of Data Subjects attending events we organise with other participants of that event and with the public, for example on social media, where the nature of the event makes this appropriate (for example, sharing a list of participants in an event organised for stakeholders with all participants and posting pictures and videos taken at the event on social media). We may share your Personal Data in the context of an acquisition or other business reorganisation, or when the service is transferred to another service provider. We may share your Personal Data on the basis of a court order or similar mandatory order.

8 Do we transfer your Personal Data outside the EU?

We may use resources and servers located around the world to provide our services. We may therefore transfer your Personal Data outside the country where the services are used and possibly to countries outside the EU where data protection laws are different.

9 How long do we process your Personal Data?

We will process your Personal Data in our records within the meaning of this Privacy Policy for as long as we have any of the grounds for processing described in section 2 of this Privacy Policy in force, and for a reasonable period thereafter.

10 Is it necessary for you to provide us with your Personal Data?

In order to fulfil our contractual obligations in relation to the customer relationship between us, we need to obtain and process Personal Data about you. Without the necessary Personal Data, we cannot provide you with our products and services.

11 How you can exercise your rights relating to your Personal DataVisitors’ comments may be checked through an automated spam service.

As a registered user, you have various possibilities to influence the processing of your Personal Data. As a general rule, we will comply with your request within one month. Please contact us at the contact details provided in section 1 of this Privacy Policy to exercise your rights. Your rights include (the extent of these rights depends on the basis on which your personal data are processed, i.e. not all the rights listed below will be available to you in all situations): a) Right of access to the Personal Data collected about you. In practice, this takes the form of a report on the Personal Data collected about you in your identified personal data file, based on your valid and identified request. b) The right to request the rectification or erasure of Personal Data collected about you. If you discover any errors or omissions in your Personal Data, you may submit a request for rectification to us. c) The right to request the erasure of Personal Data collected about you. We are obliged to delete the Personal Data you have requested from our personal records if one of the following criteria is met and there is no obligation to retain the data under any other law or regulation:

  1. Your personal data is no longer needed for the purposes for which it was processed;
  2. you withdraw your consent and there is no other lawful basis for the processing;
  3. you object to processing on grounds relating to your particular personal situation and there is no legitimate ground for the processing or you object to the processing of your Personal Data for direct marketing purposes;
  4. Your personal data has been unlawfully processed;
  5. Your personal data must be erased in order to comply with a legal obligation under European Union law or Finnish law applicable to the Controller; or
  6. Your personal data has been collected in connection with the provision of information society services, such as subscriptions to the Controller’s digital information services.

d) The right to request restriction of the processing of Personal Data collected about you. You can ask us to restrict the processing of your Personal Data if:

  1. you contest the accuracy of your Personal Data held by us;
  2. the processing is unlawful and you request restriction of use instead of deletion;
  3. we no longer need that Personal Data for the purposes of processing, but you need it to establish, exercise or defend a legal claim;
  4. you have objected to the processing of Personal Data pending verification of whether our legitimate grounds override yours.

e) The right to object to the processing of Personal Data concerning you. Where we process your data on the basis of a legitimate interest, you have the right to object to the processing of your Personal Data on grounds relating to your particular personal situation. All persons on the registers covered by this Privacy Policy have the right to object to the processing of their Personal Data for direct marketing purposes. f) The right to transfer the data you provide from one system to another. If the automated processing of your Personal Data is based on consent or a contract, you have the right to receive the Personal Data you have provided to us in a structured, commonly used and machine-readable format, and the right to transfer such data to another Data Controller. g) The right to withdraw consent. If all or part of your Personal Data is processed in the registers covered by this Privacy Policy on the basis of your consent, you have the right to withdraw your consent. h) The right to lodge a complaint with a supervisory authority. In the event that a potential disagreement between you and us regarding the processing of your Personal Data cannot be amicably resolved, you have the right to refer the matter to a supervisory authority.

12 Which country’s legislation applies to the processing of your personal data?

We are a Finnish company. The personal data files covered by this Privacy Policy and the processing of Personal Data contained in them are governed by Finnish law and EU law directly applicable in Finland, such as the EU General Data Protection Regulation.

13 How can we update this Privacy Policy?

We are constantly developing our business and this may also mean changes in the processing of Personal Data. We will update this Privacy Policy as necessary to reflect any changes in our practices. Changes may also be based on changes in legislation. We recommend that you review the contents of our Privacy Policy regularly. If we start to process your Personal Data for a purpose other than that for which your Personal Data was collected, we will notify you of this and the updated Privacy Policy before such further processing. For other changes, we will post on our website an update to the Privacy Policy.