1. Data controller
Fiberwood Oy, hereinafter also referred to as “Fiberwood” (Business ID: 3012157-5)
Satukukanpolku 5 A 6-7, 04430 Järvenpää, Suomi
Fiberwood is the controller of the personal data processed and is responsible for ensuring that the processing takes place in accordance with the applicable legislation.
2. Contact person for data protection matters
Name: Tage Johansson
Satukukanpolku 5 A 6–7, 04430 Järvenpää, Finland
Phone: +358 40 726 1231
3. Name of the register
Fiberwood customer and marketing register.
4. General information
The privacy of our clients is important to us. As a data controller, we ensure that all personal data is always protected in accordance with best practice and up-to-date legislation.
Personal Data = Any information relating to an identified or identifiable natural person (e.g. name, email, telephone number, address).
Data subject = The natural person whose personal data are processed.
5. Grounds for keeping the register, source of personal data and purposes of use
Personal data are processed on the basis of a customer or service relationship or any other comparable relationship with Fiberwood, a mandate given to Fiberwood by a person or entity, or the performance of rights and obligations arising from contracts between Fiberwood and the data subject and from legislation. The processing of data may also be based on the consent of the individual. The processing of personal data may also be based on a legitimate interest of Fiberwood based on a factual connection, which may apply under certain conditions in relation to a processing operation that cannot be carried out on the basis of a contractual relationship.
We only market our services to organisations on a job role basis, in which case we only process personal data relating to them. To the extent permitted by law, we use relevant data provided to us or relating to the customer relationship for the purposes of marketing and targeting communications.
Personal data is also collected, processed and stored in our records to comply with legal obligations, such as for accounting and regulatory purposes, in accordance with the relevant regulations and time limits.
The processing of personal data is primarily based on the consent of the data subject or a contract between the controller and the data subject.
The purposes for which the customer and marketing register is used are:
• Contact and customer relationship management with the person and customers
• Electronic communication with the data subject
• Other processing of personal data necessary for the operation of Fiberwood.
6. Regular sources of data
Personal data is collected from the individual in connection with the conclusion or preparation of a contract, the purchase or use of products and services, participation in events, meetings and communications between a representative of Fiberwood and the individual, and, where necessary and permitted by law, also from public sources. Data relating to an individual may also be collected when he or she visits websites managed by Fiberwood.
The person’s data may be updated and verified for accuracy and timeliness in civil registration systems. Personal data may also be obtained and updated from other external data sources, where permitted by law, for the purposes for which the data subjects have been informed.
7. Disclosures and transfers of data
Personal data may be disclosed to marketing partners of Fiberwood for the purpose of targeting the services of marketing partners.
Data will be disclosed to public authorities in cases required by law, such as for the detection and prevention of abuse.
Personal data may also be transferred or disclosed for the purpose of carrying out a task carried out by the data subject or, with the data subject’s consent, to temporary registers such as event, contact, participant or research registers. Data from these registers will only be processed for the purposes for which they are intended, in an individually informed manner.
As a general rule, Fiberwood does not transfer or disclose personal data outside the European Union or the European Economic Area. However, where necessary, data may be transferred or disclosed outside the European Union or the European Economic Area if the data subject has given his or her consent. Data may be transferred outside the EU if the communication tools, website platforms or data centres hosting the cloud services that substantially support the operations are located, for example, in the United States.
Where personal data is transferred outside the EU/EEA, there are legal grounds for doing so: the European Commission has determined that the recipient country ensures an adequate level of data protection, the transferee is Privacy Shield certified, or the transfer is made using standard clauses published by the EU Commission. Any data transfer will be carried out on the basis of the law and with adequate safeguards.
8. Principles for the protection of the register
Appropriate technical and administrative measures shall be taken to ensure the security of the register and the confidentiality, integrity and availability of personal data. Personal data shall be protected against unauthorised access and unlawful or accidental processing.
Personal data will be processed only by persons designated by Fiberwood, as well as by third parties operating or developing services on behalf of Fiberwood. These third parties are identified by means of a personal username and password.
9. Right of access
The data subject has the right, in accordance with the legislation in force, to inspect the data relating to him/her that are recorded in the register.
The request for inspection is made by submitting a written and signed request for inspection to the contact person for register matters mentioned in point 2 and by providing reliable proof of identity.
The controller shall respond to the data subject’s request for information within the time limits laid down in the EU Data Protection Regulation (as a general rule, within one (1) month). In case of manifestly unfounded or unreasonable requests for information, in particular if they are repeated, the administrative costs of responding to and implementing the requests for information may be charged.
The data subject also has the right to object to certain types of processing of his/her personal data and to withdraw his/her consent to their use. An individual may withdraw his or her consent to the processing of personal data at any time by contacting the Controller either by post or by e-mail.
10. Correction of data
The data subject may, in accordance with the legislation in force, update and modify his or her personal data by informing the contact persons for data protection matters mentioned in section 2.
Milan may ensure the accuracy and timeliness of personal data by updating personal and contact information from the sources described in Section 5.