Privacy Statement for the Website

‍

Data Controller

‍Pusatec Oy
Business ID: 2347736-2
Putkikatu 16 B
21110 Naantali

Person Responsible for the Register

‍The person responsible for the register and its usage rights is:
Jussi-Pekka Heurlin
CEO
040 960 7770
jp.heurlin@pusatec.fi

Data Protection Officer

Tuomas Pusa, email: tuomas.pusa@pusatec.fi

Name of the Register

‍Financial Management

Purpose and Legal Basis for Processing

‍The purpose of processing personal data is the management and maintenance of Pusatec Oy's (“Pusatec”) customer relationships; acquisition of customers; improving the customer experience; providing better customer service; producing more personalized targeted content and marketing; delivering newsletters; managing campaigns and competitions; implementing marketing prohibitions as required by law; preventing misuse; developing the services of third parties who provide services; analytics and statistical purposes; and the development of Pusatec's operations and services.

The legal basis for processing personal data is the consent provided by the data subject.
Examples of data processed based on consent include:
(i) Cookies
(ii) Newsletters and marketing
The data is not used for automated decision-making or profiling, such as remembering the website's language preference for the next visit.

Contents of the Register

‍The contents of the register are as follows:

• Name
• Email
• Mobile phone number
• Company name
• Address, postal code, and city
• Information related to the use of the website:
  • IP address
  • Cookie information
  • Activity on the website, e.g., times and page usage
• Other information:
  • Direct marketing permissions and prohibitions
  • Information on requests for marketing materials

Regular Sources of Data

‍The regular sources of data are the data subjects themselves during the use of the website or through other communications.

Regular Transfers and Recipients

‍In relation to the processing of personal data, information may also be transferred by the data controller outside the EU or EEA (e.g., cloud services) to parties committed to complying with the General Data Protection Regulation (GDPR) requirements in ways that ensure adequate protection for the processing of personal data. Transfers of data outside the EEA comply with the European Commission's standard contractual clauses.

Rights of the Data Subjects

• Right to Access Register Data
  The data subject has the right to inspect what information concerning them has been stored or to confirm that no information about them is in the register.
• Right to Request Correction and Deletion
  The data controller must, without undue delay, correct, delete, or complete any incorrect, unnecessary, incomplete, or outdated personal data in the register on its own initiative or at the request of the data subject.
• Right to Restrict Processing
  The data subject has the right, in certain situations, to request the restriction of the processing of their personal data if:
  • The data subject disputes the accuracy of the personal data, in which case processing is restricted for the period during which the data controller can verify their accuracy;
  • The processing is unlawful, and the data subject opposes the deletion of the personal data and instead requests the restriction of their use;
  • The data controller no longer needs the personal data for processing purposes, but the data subject needs them to establish, exercise, or defend a legal claim.

Data Retention, Archiving, and Destruction

‍Personal data related to active accounts and ongoing services is retained for the duration of the customer relationship and up to 7 years after the relationship ends. Once the retention period has ended and there is no longer a legitimate need to retain the data, it will be securely destroyed to prevent unauthorized access or recovery.

Principles of Register Protection

‍The security of the register and the confidentiality, integrity, and availability of personal data are ensured through appropriate technical and organizational measures. The data controller does not process personal data that would likely pose a high risk to the rights and freedoms of the data subject.

Only those individuals who need the information for their duties are allowed to process the personal data, and only to the extent required by their duties. Additionally, employees processing the data are legally bound to confidentiality and non-disclosure obligations.

If a third party processes personal data in the register on behalf of the data controller, the data controller is responsible for ensuring that sufficient safeguards and confidentiality have been agreed upon in the contract with the data processor.