Registry and Privacy Policy

ON-TIME RESEARCH SOLUTIONS OY’S PRIVACY NOTICE

(updated on 18.11.2019)

Before we process your (see Section 3 below) personal data, we provide you with the information according to Articles 13 and 14 of the GDPR through this this Privacy Notice. We inform our personnel with similar notifications separately.

We also act as the processor for the personal data we process on behalf of our customers when they use our telephone robotics service to arrange surveys and messaging for their customers. Our customers are controllers for the personal data of their customers. Hence, when we process personal data on behalf of our customers, we comply with the provisions of our data processing agreement.

1. BASIC INFORMATION

Controller:                                                                   

On-Time Research Solutions Oy (2562657-9)                       
Kivääritehtaankatu 6
40100 Jyväskylä                                 

Contact Person:

Matias Nygård
+358 50 359 9497
matias.nygard@ontime.fi

2. PERSONAL DATA PROCESSING ACTIVITIES

a)

  • Purpose for processing: Customer relationship
  • Legal basis for processing: Contract -> We must implement our contracts
  • Data subjects and personal data: Customers -> (I) contact details, (II) relationship data, (III) other data disclosed to us
  • b)

  • Purpose for processing: Business partner relationships
  • Legal basis for processing: Contract -> We must implement our contracts
  • Data subjects and personal data: Business partners and potential business partners -> (I) contact details, (II) relationship data, (III) other data disclosed to us
  • c)

  • Purpose for processing: Direct marketing (emails, phone calls, text messages)
  • Legal basis for processing: Our legitimate interest -> We must implement, establish and develop our customer relationships, as well as our business operations. NB! You have the right to opt out from our direct marketing
  • Data subjects and personal data: Customers and potential customers -> (I) contact details, (II) relationship data, (III) other data disclosed to us
  • d)

  • Purpose for processing: Recruiting
  • Legal basis for processing: Our legitimate interest -> We must manage our recruitment
  • Data subjects and personal data: Jobseekers -> (I) contact details, (II) CV-information, (III) other data disclosed to us by the jobseeker
  • e)

  • Purpose for processing: Contacts and social media
  • Legal basis for processing: Our legitimate interest -> We must manage the contacts directed to us
  • Data subjects and personal data: People contacting us -> (I) contact details, (II) relationship data, (III) other data disclosed to us
  • f)

  • Purpose for processing: Cookies and other technology
  • Legal basis for processing: Consent in accordance with the Act on Electronic Communications (917/2014)
  • Data subjects and personal data: People visiting our website -> IP-addresses
  • 3. REGULAR SOURCES OF INFORMATION

    Data regarding the data subject are regularly gathered:
    Purposes a, b, c: (I) Customers themselves, (II) business partners and (III) public sources, such as the internet, postal services, the Finnish Patent and Registration Office, the Finnish Population Register Center, etc.
    Purposes d, e, f: (I) Data subjects themselves

    4. DATA TRANSFERS

    We may transfer your personal data to third parties (e.g. to data storage service providers), as it is a part of normal business operations. When personal data is transferred to third parties, we ensure that we conclude adequate personal data processing agreements and safeguards in relation to the data transfers.

    Your personal data may be transferred to our business partners, data storage service providers and communications services providers, accounting and auditing services providers and relevant authorities.

    We may transfer personal data outside the EU and the EEA. When doing so, we ensure adequate safeguards for the data transfer, such as standard contractual clauses and Privacy Shield arrangements.

    5. PERSONAL DATA RETENTION PERIODS

  • a) Customer relationship: Necessary data shall be retained for three (3) years following the end of the customer relationship.
  • b) Business partner relationships: Necessary data shall be retained for as long as it necessary, taking into consideration our field of business.
  • c) Direct marketing: The necessary personal data shall be retained until you let us know that you no longer want to take part of our marketing (opt out), or we find out that you no longer want to receive our marketing.
  • d) Recruiting: Necessary data shall be retained for a maximum period of twelve (12) months following the first contact made, if the jobseeker has not become our employee.
  • e) Contacts and social media: Necessary data shall be retained for three (3) years following the contact. Necessary data shall be retained for as long as you follow us on social media.
  • f) Cookies and other technology: The retention period regarding the necessary data is depending on cookies and other technology.
  • However, we may retain the necessary data of the data subjects for longer than is described above, where we are required to do so by law, it is necessary due to legal proceedings and it is necessary for any similar reason.

    We inspect the necessity of the personal data stored regularly and keep records of the inspections.

    6. DATA SUBJECTS’ RIGHTS

    The data subject has a right to use all of the below mentioned rights.

    The contacts concerning the rights shall be submitted to the contact person stated in Section 1. The rights of the data subject can be put into action only when the data subject has been satisfactorily identified.

  • Right to inspect: The data subject has the right to inspect what, if any, data the controller has stored of her/him.
  • Right to rectify and erasure: The data subject has a right to request the controller to rectify or erase the personal data concerning the data subject on the grounds provided by law.
  • Right to restriction of processing: The data subject can request the controller to restrict the processing of the personal data concerning the data subject on the grounds provided by law.
  • Right to data portability: The data subject shall have the right to receive the personal data concerning her/him, which he/she has provided to the controller, in a structured, commonly used and machine-readable format where the processing is based on consent or a contract.
  • Right to object: Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning her/him for such marketing.
    Where personal data are processed on the basis of the legitimate interests of the controller, the data subject shall have the right to object the processing of personal data concerning her/him for such purposes in accordance with the law.
  • Automated individual decision-making, including profiling: The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
  • Right to withdraw consent: Where the legal basis for the processing of personal data is the consent of the data subject, the data subject shall have the right to withdraw her/his consent.
  • Data subjects shall have the right to lodge a complaint with a supervisory authority, if the data subject considers that the processing of personal data relating to him or her infringes the GDPR. The complaint can be lodged in the Member State of her/his habitual residence, place of work or place of the alleged infringement.

    7. SECURITY OF PROCESSING

    We use e.g. the following data security measures: (I) personal data access is limited; (II) we protect data with anti-malware, antivirus and other such software; (III) each category of data has been assigned with a responsible party; (IV) we use up-to-date and reliable systems and services to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (V) we use up-to-date and reliable systems and services to ensure the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (VI) we regularly assess and evaluate our personal data processing activities.