Socialbbq.fi Customer Register Privacy Policy
1 Data controller
The data controller of the register is JT Embla Oy (Business ID 3217626-2)
Contact person for register matters: Teemu Saarinen, CEO
JT Embla Oy
Address: Portinkaari 5 D, 21380 Aura
Email: myynti@socialbbq.fi
2 Name of the register
The name of the register is socialbbq.fi customer register.
3 Purpose of processing personal data
Personal data is processed for purposes related to managing, administering, and developing customer relationships, providing and delivering services, and developing services and billing. Personal data is also processed for purposes required to resolve potential complaints and other claims.
In addition, personal data is processed in communications directed at customers, such as for information and news purposes, as well as in marketing, where personal data is also processed for direct marketing and electronic direct marketing purposes.
Customers have the right to prohibit direct marketing directed at them.
The data controller processes data itself and uses subcontractors acting on behalf of and for the data controller in processing personal data.
4 Legal grounds for processing
The legal grounds for processing personal data are as follows, in accordance with the EU General Data Protection Regulation (also referred to as “GDPR”):
- the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) GDPR);
- processing is necessary for the performance of a contract to which the data subject is a party or for carrying out pre-contractual measures at the request of the data subject (GDPR Art. 6 Art. 1.b);
- processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party (GDPR Art. 6 Art. 1.f).
The legitimate interest of the controller referred to above is based on a relevant and proper relationship between the data subject and the controller, resulting from the fact that the data subject is a customer of the controller, and where the processing is carried out for purposes which the data subject could reasonably have expected at the time of collection of the personal data and in the context of the relevant relationship.
5 Data content of the register (categories of personal data processed)
The register contains the following personal data in principle for all data subjects:
- basic information and contact details: [first name, surname, address, telephone number, email address];
- information relating to the person’s company or other organisation and the person’s position or job title in the company or organisation;
- the person’s direct marketing authorisations and prohibitions.
6 Regular sources of information
Personal data is collected from the registered person themselves.
Personal data is also collected and updated, within the limits of applicable legislation, from publicly available sources related to the implementation of the customer relationship between the data controller and the registered person, and through which the data controller fulfills its obligations related to maintaining customer relationships.
7 Retention period of personal data
Data collected in the register is stored only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.
The need to retain personal data is assessed every five years; and in any case, data concerning a registered person is deleted from the register fifteen years after the registered person’s customer relationship with the data controller has ended and the obligations and actions related to the customer relationship have been completed. For example, accounting records are retained for five years from the end of the financial year.
The data controller regularly assesses the necessity of retaining data in accordance with its internal codes of conduct. In addition, the data controller implements all reasonable measures to ensure that personal data that is inaccurate, incorrect, or outdated in relation to the purposes of processing is deleted or corrected without delay.
8 Recipients (categories of recipients) of personal data and regular transfers of data
Personal data will not be disclosed to third parties.
9 Transfer of data outside the EU or EEA
The personal data contained in the register will not be transferred outside the EU or EEA.
10 Principles of register protection
Materials containing personal data are stored in locked premises accessible only to designated persons authorized for access due to their duties.
The database containing personal data is on a server stored in a locked space accessible only to designated persons authorized for access due to their duties. The server is protected with appropriate firewall and technical security.
Access to databases and systems is granted only through separately issued personal usernames and passwords. The data controller has limited access rights and authorizations to information systems and other storage platforms so that only persons necessary for their lawful processing can view and process the data. In addition, usage events of databases and systems are recorded in the log data of the data controller’s IT system.
The data controller’s employees and other persons are committed to observing confidentiality and keeping secret the information they receive in connection with processing personal data.
11 Rights of the data subject
The data subject has the following rights under the EU General Data Protection Regulation:
- the right to obtain confirmation from the controller that personal data concerning him or her are being processed or not being processed and, if such personal data are being processed, the right of access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or are to be disclosed; (iv) where possible, the envisaged period of retention of the personal data or, if that is not possible, the criteria for determining that period; (v) the data subject’s right to obtain from the controller the rectification or erasure of personal data concerning him or her or the restriction of the processing of personal data or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information on the origin of the data (Art.). This basic information described in (i) to (vii) is provided to the data subject on this form;
- the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent before its withdrawal (Art. 7 GDPR);
- the right to obtain from the controller, without undue delay, the rectification of inaccurate or incomplete personal data concerning the data subject and the right to have incomplete personal data completed, inter alia, by providing additional explanations, taking into account the purposes for which the data were processed (Article 16 GDPR);
- the right to obtain from the controller the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other lawful basis for the processing; (iii) the data subject objects on grounds relating to his or her particular personal situation and there is no legitimate ground for the processing or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data must be erased in order to comply with a legal obligation under Union or national law to which the controller is subject (Art. 17 GDPR).);
- the right to have processing limited by the controller if (i) the data subject contests the accuracy of the personal data, in which case the processing is limited for a period of time within which the controller can verify its accuracy; (ii) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use; (iii) the controller no longer needs the personal data concerned for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation, pending verification whether the legitimate grounds of the controller override those of the data subject (Art.);
- the right to receive personal data concerning him or her which the data subject has provided to the controller in a structured, commonly used and machine-readable format and the right to transmit such data to another controller without hindrance from the controller to whom the personal data have been provided, where the processing is based on consent within the meaning of the Regulation and the processing is carried out automatically (Article 20 GDPR);
- the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her infringes the EU General Data Protection Regulation (Article 77 GDPR).
Requests concerning the exercise of the rights of the data subject shall be addressed to the contact person of the controller mentioned in point 1.
12 Network analytics
The services listed below collect anonymized information about page visits without personal information.
– Google Analytics
13 Targeted marketing
Based on the referrals on the website, we may carry out targeted advertising on the following services
- TikTok
