Hairmail Oy, Santaradantie 10, 01370 Vantaa, Finland
+358 9 2538 5800 / email@example.com
2. Person responsible for register-related matters
Customer register: Heli Aarnio, heli.aarnio(at)hairmail.fi, +358 408 682 506
Supplier register: Virpi Nyman, virpi.nyman(at)hairmail.fi, +358 40 844 2843
3. Name of register
Hairmail Oy’s customer and supplier register
4. Legal ground for and purpose of processing personal data
The legal ground for processing personal data according to the General Data Protection Regulation of the European Union is
the legitimate interests of the controller (customer relationship).
We process personal data in order to maintain, manage and develop, analyse and compile statistics on customer relationships in relation to our services, as well as to produce, offer and develop our services, and carry out marketing and market research for Hairmail and their partners.
We do not use the data for automated decision-making or profiling.
5. Data content of the register
We collect the following data: full name, username, password, company/organisation, the company’s business-ID, student customers’ identity number, contact information (phone number, e-mail address, address), information about services ordered and changes made to them, billing information, and other data related to the customer relationship and services ordered. Phone calls are recorded and the recordings are saved in our system for a year. We keep the data for as long as is required by the Finnish Bookkeeping Act or other legislation.
6. Data sources
The data stored in the register is obtained from the customers on the basis of e.g. submitted online forms, e-mails, telephone calls, social media services, agreements, customer meetings, and other situations where customers hand over their data.
If the customer wishes to use invoices as payment method, the data is collected through credit rating information about companies and private individuals offered by Suomen Asiakastieto Oy and Creditsafe i Sverige AB. A note of the credit rating check is made in Hairmail’s system.
When sourcing new customers, company information from Suomen Asiakastieto Oy and CreditSafe i Sverige AB, which also contains information about individuals connected to the company in question, is regularly used.
7. Transfer of data to third parties and transfer of data outside the EU or EEA
The data is not normally transferred to other parties. Data may be made public to the extent agreed upon with the customer.
Data may also be transferred by outside the EU or EEA by the data controller, e.g. when e-mail address information is saved in the MailChimp app and IP address information is saved in the Google Analytics app.
8. Principles for protecting the register
The register is managed with care, and all data processed by data systems will be appropriately protected. When register data are stored on online servers, physical and digital data protection of the systems is appropriately implemented. The controller will make sure that the stored data, server access rights, and other data critical for the safety of the personal data is processed with confidentiality and only by employees who are responsible for such processing.
9. Right of review and right to demand rectification
All registered parties are entitled to review their registered data and to rectify erroneous data or supplement missing data. If an individual wants to review his or her data and demand rectification, he or she must submit a written request to the controller. The controller may ask that the individual submitting the request verifies his or her identity. The controller will respond to the request within the time period specified in the General Data Protection Regulation of the European Union (generally within one month).
10. Other rights related to the processing of personal data
Registered parties are entitled to request the deletion of their personal data from the register (“right to be forgotten”). Registered parties are also entitled to exercise all other rights specified in the GDPR, including limitation of processing of personal data in certain situations. Such requests must be submitted in writing to the controller. The controller may ask that the individual submitting the request verifies his or her identity. The controller will respond to the request within the time period specified in the General Data Protection Regulation of the European Union (generally within one month).