Data protection policy
1. Data controller
Nimi
EKE-Rakennus Oy, Business ID: 2321457-0
Address
Piispanportti 11, 02240 Espoo
Other contact information (e.g. phone number during office hours, email address)
hanna.mannonen@eke.fi
2. Contact person for matters regarding the register
Hannu Niemi
Piispanportti 11, 02240 Espoo
Other contact information (e.g. phone number during office hours, email address)
asuntomyynti@eke.fi, tel. +358 9 613 03450
3. Register name
Client and marketing register
4. Purpose of the processing of personal data
Personal data is processed for purposes relating to management, administration and development of the client relationship; providing, selling and delivering services and products; developing, analysing and producing statistics on services and products; and invoicing. Personal data is also processed in relation to registering reservations and sales and drawing up deeds of sale. Personal data is also processed for the purposes of investigation of any complaints and other claims.
Personal data is processed in communications aimed at clients, such as bulletins and newsletters. Furthermore, personal data is processed for marketing, market research and organising marketing competitions by the controller and other companies in the same group, as a part of which, personal data is also processed for purposes relating to direct marketing and electronic direct marketing. The client has the right to prohibit any direct marketing aimed at them.
5. Legal bases for processing
The legal bases for the processing of personal data are:
(a) the data subject has given consent to the processing of their personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for the purposes of realising the legitimate interests pursued by the controller or by a third party.
Such legitimate interest is based on there being a relevant and appropriate relationship between the data subject and the controller as the data subject is a client or potential client of the controller, and when the data subject could reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.
6. Data content of the register
In general, the register contains the following personal data for all data subjects:
(a) Basic information and contact information for the individual: such as first name, last name, address, phone number, email address.
(b) Details of the individual’s interests.
(c) Information relating to the individual’s company or other organisation, and their position or job title in the company or organisation, as well as a scan of their business card.
(d) Email correspondence with the individual and minutes of phone calls.
(e) Data collected through website cookies, including but not limited to data about the device used by the data subject, such as device type, browser, IP address and other device data. You can read details about how we use cookies by clicking on the cookie settings button at the bottom left of the website (Cookiebot).
(f) Data collected via social media channels (Facebook, LinkedIn, Instagram).
(g) Potential other data collected with the consent of the data subject.
The data in the register is not processed with automated decision-making means.
The controller will always notify the individual of the collection of the data and whether providing their data is obligatory. As you are a client of the controller and/or the primary contact of the company you represent, not providing data may influence the client relationship between the controller and you and/or the client relationship between the controller and the company you represent.
7. Regular sources of data
Personal data is collected from the data subject themselves.
Data may be collected via our website, emails, text messages or other electronic and written forms, or in person.
8. Regular recipients of data
Personal data is disclosed to other companies in the EKE Group for financial administration, shared systems, and reporting purposes.
When processing personal data, the controller uses subcontractors, i.e. personal data processors, who process personal data for and on behalf of the controller. These subcontractors include but are not limited to personal data processors used for the implementation of ICT services.
The controller users the following personal data processors:
- Moor Oy’s Roomdesk system (formerly Nettikoti/Kotikauppa) and Raksa service
- the Netvisor financial administration system
- the Zeffi electronic survey system
- Derigo Oy’s Pro3 document management system
- the Leadoo chatbot and contact form on our website
- agencies and retailers we have a contractual relationship with, in so far as
it is necessary to ensure our customer service provision.
Furthermore, personal data is transferred to the EKE Group’s parent company, EKE-Finance Oy, when it offers financial administration and access control services to the controller in the position of personal data processor.
9. Transfer of data outside the EU and EEA
In general, data is not transferred outside the EU or EEA.
If personal data is transferred to or stored on a server outside the EU/EEA for processing by the Controller or on its partner for processing on the Controller’s behalf, we will ensure that the appropriate protective measures are taken as required by the EU’s General Data Protection Regulation (GDPR) and the Finnish Data Protection Act.
10. Storage periods for personal data
Personal data collected for managing the client relationship is stored for the duration of the client relationship.
Furthermore, personal data is stored for the following periods:
(a) Personal data relating to management of the client relationship is stored for ten (10) years following the end of the client relationship.
(b) Material relating to accounting is stored for six (6) or ten (10) years following the current year in accordance with the Finnish Accounting Act (1336/1997).
(c) The data of clients who purchase an apartment is stored for 10 years.
The controller assesses whether storing the data is necessary on a regular basis. Furthermore, the controller carries out all possible reasonable measures to ensure that, regarding processing purposes, inaccurate, incorrect or outdated personal data is removed or rectified immediately.
11. Principles for protection of the register
Manual material
Personal data is stored in locked premises to which access is restricted.
Data processed in data systems
Personal data stored electronically is protected with firewalls, passwords and other technical means. Access rights to the data are restricted, and are protected with usernames and passwords.
12. Data subjects’ rights
Data subjects have the rights set out below:
- The right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where that is the case, access to the personal data.
- The right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal.
- The right to obtain from the controller without undue delay the rectification of inaccurate and incorrect personal data concerning them, and the right to have incomplete personal data supplemented.
- The right to obtain from the controller the erasure of personal data concerning them without undue delay, if the requirements of applicable data protection legislation are met.
- The right to obtain from the controller restriction of processing, if the requirements of applicable data protection legislation are met.
- The right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if the requirements of applicable data protection legislation are met.
- The right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them, that is based on the controller’s legitimate interest, if the requirements of applicable data protection legislation are met.
- The right to submit a complaint to the supervisory authority if the data subject considers the processing of data concerning them to violate the EU’s GDPR.
Requests to exercise the data subject’s rights should be addressed to the aforementioned contact person for the controller.
The controller may supplement this data protection policy by publishing a new version on its website. Clarifications to the data protection policy shall be valid from the date of publication.