A record of processing activities under Article 30 of Regulation (EU) 2016/679 of the European Parliament and of the Council.
ED-Design Oy, Iso-Heikkiläntie 6, 20200 Turku, Finland, Business ID: FI18197745
2. Representative of the Controller in Register-related matters
CEO, ED-Design Ltd.
Iso-Heikkiläntie 6, FI-20200 Turku, Finland
3. Name of the register
ED-Design Oy’s customer, prospect, and marketing register
4. Purpose of Personal Data Processing
The processing of personal data is based on the company’s legitimate interest arising from a customer relationship or another relevant association. Personal data is used for:
- Managing, administering, maintaining, and improving existing and potential customer relationships of ED-Design Ltd.
- Targeting communications and marketing
- Producing, providing, and developing services
- Communication and marketing related to services and events
- Managing training and courses
- Designing and developing business operations
- Market research and collecting and reporting customer feedback and customer satisfaction data
5. Data contents of the register
The following data provided by the data subject is processed in the register:
- Name information
- Address information
- Telephone number
- Position within the organization
In addition, the register may contain other notes pertaining to the data subject and their possible customer relationship as well as other information required for the administration of the customer relationship, such as information on direct marketing permissions and prohibitions, participation in previous or future events, food allergies (information provided voluntarily by the data subject when registering for a training event), or information pertaining to the data subject’s purchases as well as their delivery and invoicing. The register may also contain information collected using cookies pertaining to the data subject’s visits to and use of the controller’s website.
6. Regular sources of data
7. Regular disclosure of data
Personal data may be disclosed and transferred for processing purposes to the service providers used by the controller and its subsidiaries and to the subsidiaries of the controller. The processors of personal data mentioned above do not have the right to process personal data other than on behalf of the controller.
8. Transfer of data outside the EU or the EEA
ED-Design Oy shall always aim to store and process personal data within the European Union or the European Economic Area. ED-Design Oy may also outsource the processing of personal data to service providers that may also be located outside of the European Union or the European Economic Area, such as in the United States. Such companies may process personal data in order to provide IT services, for example. In order to appropriately protect your personal data, we ensure that appropriate safeguards are utilized with regard to any service providers that process your personal data outside of the European Union or the European Economic Area. Such safeguards include, for example, agreements pertaining to international transfers of personal data.
9. Data protection principles
Access to data stored and processed using data processing systems is provided to a limited number of designated personnel. Use of the data requires logging in to the data processing system with a personal user ID and password. The data processing systems are protected with appropriate virus control software and firewalls.
Physical documents containing personal data are protected against unauthorized access and unlawful processing (such as destruction, alteration, and disclosure). Each processor only has access to the personal data they require in the course of their tasks.
10. Storage of data
We store personal data for as long as the customer relationship exists or for as long as is required by law.
The personal data of data subjects who have consented to marketing is stored in the marketing register until the data subject withdraws the marketing consent. In this case, however, the basic information of the data subject in question and the information pertaining to the marketing prohibition will be stored in the register.
Sensitive personal data (food allergies) pertaining to data subjects who participate in training events will be deleted after the participation.
Information pertaining to visitors shall be stored for as long as necessary in order to ensure safety. After this, the information will be disposed of appropriately.
We will regularly review the need to store information taking into account applicable legislation. Furthermore, we shall take reasonable measures to ensure that no personal data pertaining to the data subjects that is inconsistent, expired, or erroneous with regard to the purposes of the processing is stored in the register. We will rectify or delete any such data immediately.
11. Rights of the data subject
The data subject has the right to object to the use of their personal data for electronic direct marketing by using the cancellation or prohibition link included in a newsletter or another electronic message, or by contacting the representative of the controller mentioned in section 2 in writing.
The data subject has the right to review the data pertaining to them that is stored within the register and, where necessary, demand that the controller rectify or complete the data pertaining to them in the register. The data subject is personally responsible for the accuracy of the data they provide. The data subject must notify the controller if changes occur in the data they have provided. The controller may also rectify incorrect information on its own initiative after having been informed of it.
Under the data protection regulation, you as a data subject have the right to object to the processing of personal data pertaining to you or to request the controller to restrict it, to lodge a complaint regarding the processing of personal data with the supervisory authority, and to request the controller to delete personal data pertaining to you or transmit the data to another system. All requests by data subjects must be sent in writing to the representative of the controller mentioned in section 2.