The registrar is COLOURBALL OY (Business ID 0809375-8)
The contact person for the register matters: Jussi Saxholm
Address: Lönnrotinkatu 5, 87100 Kajaani
Phone: +358 40 7589 143
2 The name of the register
The register is called a customer register of COLOURBALL OY.
3 The purpose of processing personal data
The personal data is handled for the purposes related to taking care of, managing and developing customer relations, offering and delivering services as well as billing. Personal data is processed also in the event of solving any possible reclamations and claims.
In addition, personal data is handled in communications targeted to customers for informational, news-related and marketing purposes which also covers handling of personal data for direct marketing and electronic direct marketing purposes.
The registrar processes the information itself and utilizes subcontractors for the personal data handling, whom are working on behalf of the registrar.
4 The legal basis for the processing of the personal data
The legal basis for processing personal data consists of the following criteria of the EU general Privacy Regulation (hereafter referred to as “GDPR”):
a. the person registered has consented to the processing of his or her personal data for one or more specific purposes (GDPR 6 Art. 1.a);
b. processing is necessary for the execution of a contract to which the person registered is a party or to put in the effect the pre-contractual measures at the request of a data subject (GDPR 6 Art. 1.b);
c. the processing is necessary to achieve the interest of the legitimate registrar or a third party (6 GDPR Art. 1.f).
The aforementioned registrar’s legitimate interest is based on a necessary and appropriate relationship between the person registered and the registrar as a result of the fact that the person registered is a customer of the registrar and when the processing takes place for purposes that the person registered could reasonably have expected when the personal data was collected and that it took place in the appropriate terms.
5 Data content of the register (the processed personal data batches)
In principle, the register contains the following personal data for all persons registered:
a. the basic information and contact details of the person: [first name, last name, address, telephone number, e-mail address];
b. information related to a company or other organization of the person as well as the position or the job title of a person in the company or organization in question;
c. direct marketing permits and prohibitions.
6 The regular sources of information
Personal data is collected from the registered person himself.
Personal data will also be collected and updated within the applicable legislation from publicly available sources related to the implementation of the customer relationship between the registrar and the person registered and with which the registrar implements the duties of maintaining the customer relations.
7 Retention time for personal data
The data collected in the register will be kept for as long as necessary and only to the extent needed for the original or compatible purposes for which the personal data has been collected.
The need to maintain personal data is evaluated every five years, and in any case data relating to a registered person is deleted from the register ten years after the date of the end of the relation between the registered customer and the registrar and the obligations and actions related to the customer relationship have been accomplished. For example, accounting records are kept for six years after the end of the financial year.
The registrar assesses regularly the need to maintain the data in accordance with its policies and rules. In addition, the registrar shall conduct all the reasonable procedures to ensure that inaccurate, inaccurate or obsolete personal data relating to the purposes of processing are removed or corrected without delay.
8 Personal data recipients (recipient groups) and regular disclosure of information
Personal data will not be disclosed to external parties.
9 Transfer of data outside the EU or EEA
Personal data contained in the register will not be transferred outside the EU or EEA.
10 Principles of registry protection
Materials containing personal data are kept in locked premises accessible only to designated and authorized persons for access due to their duties.
A database containing personal data is stored on a server physically stored in a locked premise accessible only to designated and authorized persons for access due to their duties. The server is protected by an appropriate firewall and technical security.
Access to databases and systems is allowed only with singly provided personal accounts and passwords. The registrar has restricted access rights and authorization to information systems and other storage so that information can only be accessed and processed by persons who are legally required to process them. In addition, events for access for the databases and systems are registered with the controller’s IT system logs.
The registrar’s employees and other persons are committed to follow confidentiality and keep the information they receive in connection with processing of personal data confidential.
11 The rights of the person registered
The person registered has the following rights under the EU’s general data protection regulation:
a. the right to receive a confirmation from the registrar of the personal data relating to him or her being processed or not processed and, where these personal data is processed, the right of access to this personal data as well as the following information: (i) the purpose of the processing; (ii) the personal data groups concerned; (iii) the recipients or recipient groups to whom personal data have been or are to be disclosed; (iv) as far as possible, the planned retention period for personal data or, if this is not possible, the criteria for determining this period; (v) the right of the data subject to request the registrar to correct or remove personal data relating to himself or to limit or protest such processing; (vi) the right to appeal to the supervisory authority; (vii) where no personal data is collected from the data subject, all information available on the origin of the data (GDPR Art. 15). This basic information described (i) – (vii) will be provided to the person registered by this form;
b. the right to cancel the approval at any time, without it affecting the lawfulness of the processing executed with consent of the person registered before the cancellation (GDPR Art. 7);
c. the right to require the registrar to correct, without undue delay, inaccurate and incorrect personal data relating to the data subject, and the right to have incomplete personal data completed, i.a., by providing further explanation considering the purposes for which the data were processed (GDPR Art. 16)
d. the right to have the personal data relating to the data subject removed by the registrar without undue delay, provided that (i) personal data is no longer needed for the purposes for which they were collected or for which they were for other reasons processed; (ii) the person registered cancels the approval on which the processing is based and there is no other legitimate reason for processing it; (iii) the person registered opposes the processing on a basis of specific personal situation and there is no legitimate reason for processing or the person registered opposes the processing for direct marketing purposes; (iv) personal data has been processed unlawfully; or (v) the personal data must be removed to comply with Union law or a statutory obligation under the national legislation for the registrar (GDPR Art. 17);
e. the right to have the registrar to restrict processing if (i) the person registered denies the accuracy of the personal data, resulting in limited processing to a period during which the registrar can verify their accuracy the data; (ii) the processing is unlawful and the person registered opposes the removal of personal data and instead claims its use to be limited; (iii) the registrar no longer needs the personal data for purposes of processing it but the person registered needs it to prepare, present or defend a legal claim; or (iv) the person registered has objected to the processing of personal data on a basis of their specific personal situation, waiting for a pending verification of whether the legitimate grounds of the registrar exclude the grounds of the person registered (GDPR Art. 18);
f. the right to obtain personal data relating to the person registered, which the data subject has submitted to the registrar, in a structured, commonly used and machine-readable form, and the right to transfer this information to another registrar without the registrar to whom the information has been provided, opposing if the processing is based on the consent by the regulation and the processing takes place automatically. (GDPR Art. 20);
g. the right to file a complaint with the supervisory authority if the person registered considers that the processing of personal data relating to him violates the EU’s general data protection regulation (GDPR Art. 77).
Requests for the implementation of the rights of the person registered are addressed to the registrar’s contact person mentioned in section 1.