Privacy policy for the consumer customer register of A-Katsastus Oy, K1 Katsastajat Oy and Ajovarma Oy

Revised on 2 November 2020

Data controller

A-Katsastus Group Oy
Valimotie 9–11, 00380 Helsinki
PO Box 200, FI-00381 Helsinki, Finland

Contact person in matters related to the register

tietosuoja@a-katsastus.fi

Name of register

Consumer customer register of A-Katsastus Oy and Ajovarma Oy

Purpose of processing personal data and legal grounds for processing

Personal data included in the register can be processed for the following purposes:

  • management, development and analysis of customer relationships
  • customer communication
  • service provision
  • verification of customer transactions
  • development of customer service and business
  • marketing
  • analysis and statistics

Customer data can also be processed in other Finnish companies belonging to the A-Katsastus Group. Registered data can be used, as permitted by legislation, for direct advertising, distance selling or other direct marketing by companies belonging to the A-Katsastus Group, for opinion polls or market surveys, or for other similar addressed deliveries and customer communication, also in electronic channels, in accordance with the consent given by each customer.

Legal grounds for processing personal data include the data controller’s legitimate interests, the provision of services, consent given when ordering services or general consent.

 

Data content of the register

The register may contain the following data:

  • Name of the customer
  • Address, postal code and town/city
  • Date of birth
  • Email address
  • Telephone number
  • Marketing and contact permissions
  • Revision history for customer data
  • Customer number
  • Personal identity code (for identification purposes only; not saved in the register in plain text)
  • Vehicle registration number
  • Customer relationship data, such as invoicing and payment data, product and order data, customer feedback and queries, prize draw and competition data, and appointment data

Regular sources of data

Customer data can be obtained from data subjects during the customer relationship through the internet, in customer service situations, by telephone, via email or by other similar means. Updates to data may also be obtained from officials and companies that provide update services.

Recipients of personal data

In order to provide services in accordance with the purpose of use, partners may also process personal data. Partners carry out technical services related to the register and offer IT systems connected to the use of the register.

Transfer of data outside the EU or EEA

We only use partners operating outside the EU or EEA to send reminders of vehicle inspections and other inspection messages via email to customers who have separately given their consent. Transferred data includes the customer’s email address and the message content (emails from A-Katsastus to customers). With regard to our partners operating outside the EU or EEA, we have ensured the protective measures required by the EU General Data Protection Regulation (GDPR) by adding standard contractual clauses adopted by the European Commission concerning the transfer of data to our agreements or by using other similar means approved in accordance with the GDPR.

Principles of register protection

The customer register can only be used by those employees of the A-Katsastus Group or its service providers who need the data in their work-related tasks. These employees use personal usernames and passwords. Data is collected in databases that are protected by firewalls, passwords and other technological means. Databases and their backup copies are located in locked facilities, and they are under the management of the IT service provider in accordance with information security principles.

Retention period for personal data

We will retain your personal data in our services until five years have elapsed from the most recent identifiable service event or for the statutory period, if it is longer.

Rights of data subjects

Customers have the following rights:

  • Right to withdraw consent given to the processing of personal data
  • Right to access their personal data
  • Right to have their personal data rectified
  • Right to have their personal data erased if legal grounds for processing no longer apply
  • Right to object to the processing of their personal data if the processing of personal data is based on the data controller’s legitimate interests. In addition, customers can object to the processing of personal data for direct marketing purposes at any time.
  • Right to have the processing of their personal data restricted if the data subject contests the accuracy of their personal data or considers the processing of their personal data to be illegal, or if an action related to objecting to the processing of personal data is pending

Data subjects can also lodge a complaint with the supervisory authority if they consider that the processing of their personal data is in breach of the applicable data protection regulations.

Exercising the rights of data subjects

In order to exercise their rights, data subjects can contact our customer service using the electronic form or send their request to the address indicated in this privacy policy.

It may not be possible to erase all personal data due to statutory obligations.

A-Katsastus Group reserves the right to modify this privacy policy as a result of service development or changes in legislation. This privacy policy supersedes the previous register description.

A-Katsastus Group’s telephone and email service register

Revised on 19th March 2019

Data controller

A-Katsastus Group Oy

Contact person in matters related to the register

tietosuoja@a-katsastus.fi

Name of register

A-Katsastus Group’s telephone and email service register

Purpose of processing personal data

The register is used, with the customer’s consent, to serve customers of the A-Katsastus Group and its subsidiaries A-Katsastus Oy and Ajovarma Oy and to process customer feedback.

Data content of the register

The register contains recorded calls and email messages and identifiers related to these.

The register may contain the following personal data:

  • Email address
  • Telephone number
  • Personal data provided by customers during calls or in email messages, such as
    • Name
    • Personal identity code or date of birth
    • Address
    • Registration number

Regular sources of data

Data provided by customers by telephone or via email.

Recipients of personal data

In order to provide services in accordance with the purpose of use, partners may also process personal data. Partners carry out technical services related to the register and offer IT systems connected to the use of the register.

Data can be disclosed to the Finnish Transport and Communications Agency (Traficom) for queries related to services produced for it.

Transfer of data outside the EU or EEA

Data will not be transferred outside the EU or EEA.

Principles of register protection

The information security of the register and the confidentiality of personal data are verified by proper technological and administrative means following good data processing practices.

The system can only be used by those employees of the A-Katsastus Group or the service provider who need to process the data in their work-related tasks. Every user is authenticated in the system using their personal credentials that are provided in conjunction with the right to use the system. The right of use ends when an employee transfers to a new position from the position for which the right of use was provided. The secrecy and confidentiality obligation remains valid after the end of the tasks or service relationship in which data was processed.

Databases and their backup copies are located in locked facilities, and they can only be processed by designated employees of the data controller and IT service providers. Data is protected in accordance with legal provisions on the protection of electronic communications and the regulations and guidelines of the Finnish Communications Regulatory Authority (FICORA).

Rights of data subjects

Customers have the following rights:

  • Right to withdraw consent given to the processing of personal data
  • Right to access their personal data
  • Right to have their personal data rectified
  • Right to have their personal data erased if legal grounds for processing no longer apply
  • Right to object to the processing of their personal data if the processing of personal data is based on the data controller’s legitimate interests. In addition, customers can object to the processing of personal data for direct marketing purposes at any time.
  • Right to have the processing of their personal data restricted if the data subject contests the accuracy of their personal data or considers the processing of their personal data to be illegal, or if an action related to objecting to the processing of personal data is pending

Exercising the rights of data subjects

In order to exercise their rights, data subjects can contact our customer service using the electronic form or send their request to the address indicated in this privacy policy.

It may not be possible to erase all personal data due to statutory obligations.

Retention of data

Data is retained for at most 210 days, after which it will be erased automatically. Erasure of data related to official assignments (Traficom) cannot be requested before the end of the retention period.