CYF Digital Services – Privacy Policy

Last updated: 29.7.2018

CYF Digital Services is compliant with applicable data protection legislation, including EU Data Protection Legislation.

1. Controller of the personal data file CYF Digital Services, Choose Your Future
SparkUp, Tykistökatu 4 B
20520 Turku

Business ID 2761064-2
info@cyf.fi

2. Contact person of the personal data file Soile Puranen
Business Development Manager, CYF Digital Services
soile@cyf.fi
040 513 5545
3. Name of the register Customer registry
4. Processing condition According to general GDPR legislation, processing conditions are:

  • consent
  • contracts between controller and customer

Purpose of handling this information is to manage customer relations and invoicing and payment collections.

Information is not used for automated decision making nor profiling.

5. Information content of the register Personal data that is stored:

  • First name, last name
  • Title
  • Contact information: phone number, email address, street address, postal code and city

Generally, to the extent permitted by applicable laws and regulations, the data controllers retains Contact Data at most three years after the last business activity where the data subject has been involved. Additionally, as the case may require, data controllers may have to extend Contact Data retention on the grounds of establishment, exercise or defense of legal claims or execution of our internal investigations. This retention period is justified due to data controllers’ obligations or needs related to e.g. product and service warranties, product liability statutes as well as burdens of proofs in possible litigation situations.

6. Regular sources of information Information is retrieved from customers themselves by email, by phone, through social media services, from contracts, in customer meetings and other situations where a customer discloses information.
7. Regular transfer of personal data to third parties, information transfer outside EU and ETA Personal information will stay within CYF Digital Services and applicable partner organization and won’t be transferred to third parties. Information can be shared with third parties but only with a customers prior consent.

Personal data can be transferred and stored outside of ETA. If personal data is stored outside of  ETA, the Data Controller will take care of sufficient security by transferring data only to countries where the European Commission has confirmed the data protection is at adequate level. If data is transferred to a country whose privacy level is not sufficiently high, the Data Controller will take into consideration data protection regulation requirements and implications of data transfer to customers’ rights and liberties and the Controller will take necessary precautions.

8. Principles of protecting personal data Personal information is protected by technical and organizational measures against accidental and/or unlawful access, alteration, destruction or other processing including unauthorized disclosure and transfer of personal information.

Such measures include but are not necessarily limited to proper firewall and virus protection arrangements, appropriate encryption of telecommunication and messages.

Personnel processing Personal data as part of their tasks is trained and properly instructed in data protection and data security matters. Whereas we will protect this information to the best of our ability this cannot be guaranteed and in the event of a data breach the appropriate authorities will be informed and this will be notified to those affected.

Whereas we will protect this information to the best of our ability this cannot be guaranteed and in the event of a data breach the appropriate authorities will be informed and this will be notified to those affected.

9. Right of access of personal data and rectification Every person whose data is stored in the register has a right to review his/her stored information, demand corrections for incorrect information or demand completion for incomplete information. In order to use this right, the request needs to be sent in writing. The Controller may if necessary request the person to prove his/her identity. The Controller will reply to the customer within time limits set by EU Data Protection Regulation (usually within one month).
10. Other rights Registered person has a right to request removal of his/her rights (“right to be forgotten”). In addition, registered person has all other rights mentioned in EU Data Protection Regulation, such as limiting of personal data processing in certain situations. In order to use this right, the request needs to be sent in writing. The Controller may if necessary request the person to prove his/her identity. The Controller will reply to the customer within time limits set by EU Data Protection Regulation (usually within one month).