Register privacy statement
This is Burgal Ltd’s register privacy statement in accordance with Personal Data Act (§ 10 and 24) and the EU General Data Protection Regulation (GDPR). Drafted on 10.04.2020. Latest change made on 11.04.2020.
- Burgal Ltd., Vilppulantie 29 K 132, 00700 HELSINKI 0452772828
2. Registrar liaison
- Mohamud Yusuf Abdirahman, firstname.lastname@example.org, tel 0452772828
3. Registry name
- Company Customer Registry, Marketing Registry, Stakeholder Register, Online Service User Registry, Membership Register, Employee Registry.
4. The legal basis and the purpose of processing personal data in accordance with the General Data Protection Regulation of the EU
- — person’s consent (documented, voluntary, identified, informed and unequivocal)
— a contract to which the data subject is a party
— the legitimate interest of the controller (e.g. customer relationship, employment, membership).
The purpose of processing personal data is communication with customers, maintenance of the customer relationship, marketing. The data is not used for automated decision-making or profiling.
5. Registry information content
- Information to be stored in the register includes: person’s name, age, occupation, work experience, native language, language skills, nationality, jobs of interest, address, education, employment history, driver’s license, hobbies, telephone number, email address, health records, salary wish, tax and other arrest information, working time and annual leave information, company/organization y ID, contact information (telephone number, email address, address), website addresses, Ids/profiles in social media services, information about subscribed services and changes thereto, billing information, other customer relationship and subscribed information related to services. Data is retained only for the duration of the customer relationship or when the information is deemed necessary, however, for a reasonable period after the termination of the customer relationship.
6. Regular sources of information
- Information to be stored in the registry is obtained i.a. from the customer messages sent via web forms, email, telephone, social media services, contracts, customer appointments and other situations where the customer discloses their information.
7. Regular disclosures and transfer of data outside the EU or the EEA
- Information is not released regularly to other entities. Information may be published in a bridging manner as agreed with the customer. Data may also be transferred by the controller outside the EU or the EEA.
8. Principles of registry protection
- Care is provided to the processing bed of the registry and the information processed using the information systems is properly protected. When registry data is stored on Internet servers, the physical data security provider of their hardware is subject to relevant care. The controller shall ensure that stored data as well as access to servers and other information critical to the security of personal data are processed confidentially and only by employees whose job description is included.
9. Right of audit and right to require correction of information
- Each person in the register has the right to verify their data stored in the register and require correction of any erroneous information or supplementation of incomplete information. If a person wishes to verify or require correction of the data stored thereof, the request should be sent in writing to the controller. If necessary, the controller may ask the applicant to prove his identity. The controller shall respond to the customer within the time set out in the EU Data Protection Regulation (as a rule, within a month).
Other rights relating to the processing of personal data
- The person on the register has the right to request the removal of personal data relating to him from the register (the “right to be forgotten”). The data subjects also have other rights under the EU General Data Protection Regulation, such as restricting the processing of personal data in certain situations. Requests should be sent in writing to the controller. If necessary, the controller may ask the applicant to prove his identity. The controller shall respond to the customer within the time set out in the EU Data Protection Regulation (as a rule, within a month).