Stakeholder register privacy policy
This privacy policy applies to the processing of personal data in the Finnish Commerce Federation’s stakeholder register
Data controller
The Finnish Commerce Federation is the data controller and is responsible for the processing of personal data. For the stakeholder register, you can contact the controller in the following ways:
- tietosuoja@kauppa.fi
- tel. +358 9 1728 5151
- Eteläranta 10, PL 340, FI-00131 HELSINKI, FINLAND
What information do we process?
In the stakeholder register, we process, for example, the following information from our stakeholders (other than member companies and member associations):
- first and last name
- contact information
- job title
- organisation and Business ID
- feedback survey activities
- activities concerning lobbying
- caller IDs
- technical information to ensure the quality of service
Personal data have been obtained from the data subject themself or from public sources, such as websites.
For what purposes and for how long is your personal data processed?
The purposes of the processing of personal data and the data retention period for each purpose are described in the table below. We process the personal data in the stakeholder register to implement the legitimate interests of the Data controller.
| Purpose of processing | Processed categories of personal data | Data retention period |
| Processing of phone call data | Telephone number | Phone call data is deleted from the system every year. |
| Gathering feedback | Name, organisation, Business ID, contents of the feedback, telephone number, e-mail address | Data is deleted from the system after the feedback is processed. |
| Collection of campaign registrations (for example, The summer job campaign Tutustu työelämään ja tienaa) | Name of the company, Business ID, name of the contact person, street address, city, postal code, telephone number, e-mail address | Data is deleted from the system after the campaign has ended. |
| Processing stakeholder activities (such as influencer communcations and meetings) | Organisation, Business ID, name of the person, street address, city, postal code, telephone number, e-mail address, time and description of the activity | The need for data retention is assessed regularly, generally on an annual basis. At the same time unnecessary data is deleted. |
| Processing of applications for membership | Official name of the company, Business ID, first and last name of the contact person, position in the company, address, postal code and city, telephone number, e-mail address | Data is deleted from the system after the membership application has been processed. |
If necessary, we may send direct marketing to the data subject to implement the legitimate interests of the Data controller. In addition, we may process personal data in order to comply with a legal obligation under the statute of limitations or when the processing is necessary to prepare, file or defend a legal claim.
What rights do you have?
- You have the right to know, at your request, whether the Data controller processes your personal data. If we process your personal data, you have the right to receive a copy of the information we process. If we do not process your personal data, you have the right to receive confirmation of this as well.
- You have the right to demand rectification or supplement of your personal data that is incorrect or incomplete in terms of processing
- You may have the right to have the controller erase your personal data in certain situations covered by the Regulation. We will erase the personal data at your request if the criteria set out in the legislation are met.
- According to the Regulation, you have the right to have the Data controller erase your personal data from our system if
-
- your personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; or
-
- you object, referring to personal reasons, to processing that is necessary for implementing the legitimate interests of the Data controller or a third party, such as profiling;
-
-
- In this case, the Data controller may no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or if it is necessary for the establishment, exercise or defence of a legal claim.
-
-
- your personal data have been processed unlawfully;
-
- your personal data have to be erased to meet a statutory obligation arising from EU or Member State law to which the Data controller is subject;
-
- the personal data have been collected from a child in relation to the offer of information society services.
-
- You may have the right to restrict the processing of your personal data. We will limit the processing of your personal data at your request in the case of situations defined by law.
- You may restrict the processing of your personal data if
-
- you contest the accuracy of your personal data, in which case the processing is restricted for the period during which we are able to verify the accuracy of the personal data;
-
- the processing is unlawful and you object to the deletion of personal data and request the restriction of its use instead;
-
- the personal data in question is no longer required by the Data controller for the purposes of the processing, but are required by the data subject for the establishment, exercise or defence of a legal claim; or
-
- you have objected on grounds relating to personal reasons, to processing that is necessary for either the performance of a task concerning the public interest or in the exercise of official authority vested in the Data controller or in implementing the legitimate interests of the Data controller or a third party, pending the verification whether the legitimate grounds of the controller override your legitimate grounds.
- If the processing of your personal data is restricted, the personal data shall, with the exception of storage, only be processed with your consent; or to establish, exercise or defend a legal claim; or protect the rights of another natural or legal person; or for reasons of important public interest of the EU or of a Member State.
- You may have the right to object to the processing of your personal data. We will no longer process your personal data at your request in the case of situations defined by law.
- You can object to the processing of your personal data
-
- that is necessary for implementing the legitimate interest of the controller or a third party, such as profiling, referring to personal reasons;
-
- In this case, the Data controller may no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or if it is necessary for the establishment, exercise or defence of a legal claim.
-
- at any time, if your personal data are processed for the purpose of direct marketing, including profiling, where it relates to such direct marketing.
How do you exercise your rights?
You can send us a request to exercise your rights by filling out the form on our website and sending it to us signed either by e-mail or by mail to the Data controller’s address.
If the response contains your personal data, we will primarily provide the information by mail as a registered letter. The letter cannot be acknowledged as received by anyone other than the person marked as the recipient. This will ensure the confidentiality of the data of the correct recipient of the letter.
About the recipients of personal data
The Finnish Commerce Federation, as the Data controller, processes personal data itself but also uses various service providers. The Finnish Commerce Federation strives to use the best and most reliable partners and is responsible for the activities of the service providers of its choice when processing personal data.
The Finnish Commerce Federation uses external service providers to carry out, for example, communication services and the maintenance and development of the applications it uses.
In addition, the Finnish Commerce Federation acts as a joint Data controller with the Confederation of Finnish Industries (EK) as described in section 3.
Our service provider may transfer personal data outside the EU or the European Economic Area when the service provider is established outside these territories. In these cases, we will take appropriate safeguards to ensure the rights and freedoms of the data subjects.
Some authorities also have a statutory right of access to information. Such authorities include, for example, the police, the customs, the border guard and tax authorities.
Appeal instructions
If you feel we are not processing your personal data in accordance with the EU’s General Data Protection Regulation, you can file a complaint with the supervisory authority in the EU Member State where you have your permanent address or workplace or where you believe the breach has taken place. In Finland, this authority is the Data Protection Ombudsman.
Personal data necessary for the stakeholder register
The processing of certain personal data is necessary for us to provide the services and functions described in this document. Such information is the information regarding feedback, campaign registrations and applications for membership described in section 3.
Use of personal data for other purposes
We will not use your personal data for purposes other than those stated in this document. If new needs for use arise later, we will inform you and provide you with the legal processing criteria for the processing of your personal data or, if necessary, we will ask you for your consent to the processing of your personal data for new uses.
