Business operations require the processing of personal data (personal data is all information that identifies or can be used to identify a person, such as their name, email address, organisation and profile picture). We are committed to protecting personal data in accordance with applicable legislation.
We act in the role of personal data processor for most of our customers (“customer”/“customers”), for example, when users (“user”/“users”) working in customer organisations save personal data in our services. With regard to our customers who act as controllers, the principles of personal data processing are outlined in our customers’ own privacy policies or statements, which should be read carefully in order to achieve an overall understanding of personal data processing.
Personal data processing
Doninto Oy (hereinafter “Doninto” or “we”)
Business ID: 3021314-6
Itämerenkatu 1, 00180 Helsinki
The aforementioned contact information can be used for any questions or enquiries concerning data protection and the personal data that we process. It may be necessary to take measures to verify your identity in order to address the issue. We are happy to provide further information and instructions on the matter.
Purpose and bases of data processing
We collect, save and process personal data for pre-specified purposes. We always ensure that we have a lawful basis for processing. Purposes and bases for processing are:
- Service provision and delivery. We collect and process personal data to fulfil our contractual obligations and to provide services. During the customer relationship, we process personal data in order to manage service provision, invoicing, debt collection, complaints and customer service feedback. We also collect data on our partners’ representatives.
- We also collect functional data relating to customer-specific service use, including completed courses, tests, usage times and content reviews.
The lawful bases for personal data processing in such cases are the preparation and fulfilment of contractual obligations, and our grounds of legitimate interest.
- Marketing and customer communications. Personal data can be used for marketing and customer communications:
- We may carry out digital direct marketing and social media marketing to our existing customers and their named users.
- We may also carry out marketing when searching for new potential customers (“prospective customers”). In such cases, we process the personal data of companies’ contact persons. Should applicable law so require, we will request advance consent to marketing. We also take care of other legal regulations relating to marketing.
In this regard, the lawful bases for personal data processing are our grounds of legitimate interest as well as any advance consent given by the data subject.
- Developing our business operations. We may process personal data in order to develop our business operations relating to service provision. By this we mean e.g. personal data processing to offer a suitable range of courses.
The lawful basis for personal data processing in this case is our grounds of legitimate interest.
- Fulfilment of legal obligations. We may also process personal data in order to fulfil our legal obligations (including bookkeeping and taxation), to respond or to prepare for legal claims, or to investigate and prevent crime, fraud or other misuse.
The lawful basis for personal data processing in this case is legal obligations or rights.
What personal data do we collect?
Data on users, customers, partners and potential customers, such as:
- User data: first name, last name, email (username), password, profile picture, organisational unit/department/division, completed tasks and reporting, time spent, performance, possible test results
- Customer or partner contact persons: first name, last name, organisation, title, telephone, email
- Prospects: first name, last name, organisation, email
- Marketing data: consent / prohibitions
What are the sources of personal data?
We primarily collect personal data from the customer or data subject themselves. Data is collected when agreements are made, among other things, and when the user logs into and uses our service. The user can voluntarily add any other additional information to their profile.
Who processes personal data, and is the data disclosed to others?
Personal data is processed by our company’s personnel when they perform their work tasks. In addition, personal data is also processed by our partners in cooperation. In such cases, we ensure through e.g. agreements that personal data is kept confidential and that data is otherwise processed legally and only for our benefit. We also provide the right to view performance data to the customer organisation’s named contact persons in order to fulfil our contractual obligations.
Otherwise we may disclose data if the law, a court or competent authority so requires, in order to prepare or respond to a legal claim, or if the data subject has consented to the disclosure of data (e.g. provision of skills information to the customer). We may also disclose data if we are participating in a corporate or business acquisition, or in other business or company reorganisation.
Will personal data be transferred outside of the EU?
Personal data is generally not disclosed outside of the EU, but as data is saved and processed primarily in a digital format, some of our service providers/contractual partners may be located in countries outside of the EU. In such cases, the use of data will be agreed separately together with the customer ordering the service. This includes e.g. Mailchimp (The Rocket Science Group LLC) and Survey Monkey (SVMK Inc.), which we use for collecting activation messages and participation surveys. In this case, we ensure that data transfer takes place utilising sufficient and appropriate protection as stipulated by law. The primary alternatives are (1) transfer to a country approved by the EU Commission as having adequate data protection, (2) data transfer to an EU-US Privacy Shield-certified company (transfer recipients in the USA) or (3) use of the EU’s standard contractual clauses.
How long is the data stored?
We do not store personal data for any longer than is necessary for its purpose or longer than an agreement or law dictates. Storage times vary depending on purpose, lawful basis for processing, and the situation in general. Personal data can be erased if the data subject withdraws their consent or requests the erasure of their information (and we have no other lawful basis for processing), or once the contractual relationship ends, after which time the login credentials will be deactivated.
Personal data will automatically be erased within 365 days of the end of the customer relationship, or within a corresponding period upon the data subject’s request. The storage time allows for reporting and user credentials to be reactivated when the service continues between contract periods. Personal data is also erased if a user’s user credentials are not used for 365 days.
Personal data storage times are also regulated by legislation (for example, bookkeeping and taxation) and by deadlines relating to legal claims (e.g. deadlines for filing claims).
How is the data protected?
Personal data is protected using technological methods. Access to personal data is restricted using user access rights, user credentials and passwords. We process data confidentially. Our premises are located in an access-controlled property and the facilities in which the data is processed are monitored and protected appropriately.
What are the consequences of failing to provide data?
The provision and processing of personal data is compulsory for testing our services and for making and fulfilling contracts so that we can ensure that the persons making the agreements are authorised and eligible to do so, and we are able to fulfil our contractual obligations and simultaneously ensure that our rights are exercised and no misuse occurs.
What rights does the data subject have?
The data subject’s rights are based on the EU’s General Data Protection Regulation and include, in certain situations, the right to access data as well as the right to have data rectified or erased. The data subject may exercise their rights in the situations specified in legislation. There may be some restrictions on exercising the data subject’s rights in full.
Requirements concerning the rights of the data subject must be submitted in writing to the contact person for the personal data processor. Situations involving exercising these rights are assessed on a case-specific basis and a separate solution is always given. A response to the data subject’s request to exercise their rights will primarily be given within one (1) month of receiving the request. The request is free of charge. If the request is clearly unfounded or unreasonable, especially if the request is repeated, the data subject may be charged a reasonable fee, or their request may be denied. The data subject’s requests may only apply to their own personal data. Rights include:
If we process personal data based on consent, the data subject may at any time withdraw their consent by notifying us by contacting us using the aforementioned contact information.
Access to data and submission of request to access data
The data subject has the right to obtain confirmation from us whether we are processing their personal data, and to know what personal data we are processing. In addition, the data subject also has the right to receive supplementary information concerning the bases for the processing of personal data.
Right to rectification
The data subject has the right to request that we rectify any inaccurate, obsolete or otherwise inadequate personal data about them.
The right to refuse direct marketing
Although we do not process personal data for direct marketing purposes based on consent, the data subject can at any time prohibit the processing of their personal data for direct marketing purposes by contacting us using the aforementioned contact details.
Right to object to processing
If we process personal data in accordance with a public task or our legitimate interest, the data subject has the right to object to the processing of their personal data where there is no compelling reason that would supersede the data subject’s rights, or if there is no need for the processing in order to take care of a legal claim. Please note that in this situation we are probably unable to provide the service for use by the data subject.
Right to restrict
In certain situations, the data subject has the right to request that we restrict the processing of their personal data.
Right to data portability
If we have processed personal data on the basis of consent or in order to fulfil a contract, the data subject has the right to receive the data that they have submitted electronically in a commonly used format in order for their data to be transferred to another service provider.
Contact regarding personal data
For matters relating to data processing, please contact us using the aforementioned contact information for the personal data processor. If the data subject feels that their personal data processing issue is not resolved through mutual contact with us, they can contact the competent authority, the data protection ombudsman: www.tietosuoja.fi.
More info: firstname.lastname@example.org
Policy last updated on 22.4.2020.