Company: Gredi Oy (hereinafter ”Gredi”)
Business identity code: 1474817-5
Address: Tekniikantie 14, FI-02150 Espoo
Tel: +358 10 778 7100
Tel: +358 10 778 7100
When registering personal data, Gredi complies with the EU’s General Data Protection Regulation (EU) 2016/679, GDPR.
The personal data of users is not collected or recorded when they are visiting or browsing Gredi’s website. Only personal data voluntarily provided by the user can be used, when the user enters their personal data in a newsletter subscription form, upon which the data is added to the newsletter mailing list.
Advance permission is requested for any customer references posted on Gredi’s website.
Customer and marketing register.
Gredi collects and processes the personal data of representatives of Gredi’s customers and potential customers included on the data file.
Personal data is collected and processed for sales, marketing and customer information purposes, i.e. the following:
Maintenance of customer relationship and customer service.
Sales management and monitoring, and the development of sales processes.
Targeting of marketing activities.
The grounds for processing personal data in accordance with the GDPR consist of Gredi’s legitimate interests in processing the contact information of its customers’ representatives.
The data file includes the following:
Name, position within organisation, address of workplace, telephone number, email address.
Prohibitions and limitations
Keywords, which are used to monitor items such as marketing material sent to the customer.
Customer satisfaction information provided by the data subject.
Personal data is obtained from the following sources in the first instance:
– Customer contracts
– Customer meetings and training
– Call lists of outsourced marketing companies
– The Finnish Patent and Registration Office’s Business Information System
– Vainu. io Software Oy (2557864-2)
– Fonecta Oy (1755007-6), enterprise and contact information search service
Under no circumstances is personal data disclosed to parties other than those participating in Gredi’s marketing and communications, or the marketing and communications of parties acting on behalf of Gredi, without prior agreement, express consent and/or specific legislation. Where required for official purposes, data can be disclosed to the Finnish public authorities as provided by law.
Data is not disclosed outside the European Union or European Economic Area.
Only persons who, in the pursuit of their duties, have the right to process data recorded in the data file shall have access to the data file. The data network and devices in use are protected by a firewall and other technical, data-security measures, such as passwords.
Manual materials are stored in Gredi’s facilities, which are locked and monitored. Electronic copies of contracts and, where necessary, other manual material, are also stored. Access to digital material is restricted by means of various levels of user rights.
Customer contracts are stored for three years after the end of the customer relationship. The storage period depends on possible information requests from the customer, invoicing-related reasons, or on grounds of a contract renewal.
The data of contact persons for customer accounts is stored until the customer relationship ends, or Gredi is notified that the data subject’s employment relationship has ended. With regard to data subjects related to marketing and sales, data is stored during the sales process. Deleted data is stored as a backup copy of the CRM system supplier for two weeks after deletion, after which it is permanently deleted.
Documents in manual format are destroyed through a data security process whereby the Encore data security service is responsible for the locked paper disposal container. The contents of the container are destroyed once a year.
As part of the processing of personal data stored on the customer register, Gredi can also use the data for profiling purposes. Profiling is done using keywords, based on which items such as a newsletter mailing list are created. In addition, a title is defined for the contact persons of potential customers, on the basis of which Gredi can target its sales and marketing campaigns at the right target group.
Profiling is not used in support of automated decision making.
Right of access in order to check what data Gredi has recorded regarding the data subjects themselves. Exercising right of access is free of charge. Gredi has the right to refuse access to data in cases where the data subject makes an unreasonable number of requests for this.
Right to demand the rectification or erasure of inaccurate or outdated data. The data subject can also demand that the data controller restrict the processing of personal data, for example while the data subject is awaiting a reply to a request for the rectification or erasure of his or her data.
Right to prohibit the processing of personal data and direct marketing. The user can prohibit direct marketing and the newsletter subscription can be cancelled by selecting ‘do not subscribe for the newsletter’ or providing notification of cancellation in accordance with section 4.
The right to transfer data, provided by the data subject, from one system to the other, if processed on the basis of consent or an agreement. The data subject has to right to be provided with data, primarily in machine-readable format, and to transfer such data to another controller.
Right to lodge a complaint with a supervisory authority if Gredi fails to comply with the applicable data protection regulations.
Right to be forgotten, i.e. demand the erasure of all personal data upon the end of the customer relationship or contract and/or when there are no longer grounds for the processing of personal data.
Right to withdraw consent to the processing of personal data at any time. The withdrawal of consent shall not affect the lawfulness of processing before the withdrawal.
Right to be notified of a high risk of a data security breach without undue delay. Notification will be made via the media if direct notification cannot be made by a reasonable effort, or would cause an unreasonable delay. Any contact information submitted to Gredi by the data subject can be used for direct notification.
Right to lodge a complaint with a supervisory authority, in the event of breach of the GDPR when processing personal data.
Contact details of Finnish supervisory authority:
The Office of the Data Protection Ombudsman
PO Box 800, Ratapihantie 9, FI-00521 Helsinki
tel. +358 (0)29 56 66700
Innopoli 2, Tekniikantie 14, FI-02150 ESPOO
Tel: +358 10 778 7100
In order to exercise their rights and make requests, the data subject must sign in using their name and email address and, where necessary, give the name of the organisation they represent.
Data is not systematically collected from persons under the age of 18, and the services are not aimed at such persons. The data of minors is deleted immediately and Gredi requests that it be informed immediately whenever there is suspicion that a minor has been included on its data file.