Privacy Policy Annex
Privacy Notice
Updated 8 June 2020
This Privacy Statement supersedes the previous Registry Statement.
- Data Controller
Lymed Oy (Business ID: 0935988-8)
Pyhäjärvenkatu 5 A, 33200 Tampere
Contact: info (at) lymed.fi, data controller Mr Tanu Toikka
- Purposes of processing personal data
Lymed Oy (data controller) processes personal data in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679).
The purposes of processing are:
- managing customer relationships and customer services
- managing assignments related to legal services
- fulfilling the rights and obligations of the customer and the data controller
- identifying customers and conducting conflict-of-interest research
- processing of personal data concerning stakeholders (suppliers, job applicants, other co-operation partners)
- processing of personal data of website visitors for the purpose of ensuring and developing the functionality of our website
- processing of personal data for the purposes related to the data controller’s products and services including developing, providing, fulfilling, and marketing of products and services
Furthermore, personal data in our data filing systems are processed in accordance with requirements of data protection legislation for Lymed Oy’s communication to stakeholders, such as newsletters, electronic communication, electronic direct marketing and invitations. Lymed Oy offers, among other things, services related to the manufacturing of pressure garments and products, other services related to textile manufacturing and textile production, and offers related training events and newsletters. Each customer is regarded as a specified person in the Privacy Policy. The customer must accept the terms of this privacy notice in order to use any of Lymed Oy’s services.
- Legal basis for processing of personal data
The legal bases for processing of personal data are the legal obligations of the data controller, contract, consent and the legitimate interests of the data controller.
The legitimate interest of the data controller is the legal basis for processing of personal data when there is a material connection between a data subject and the data controller. Such material connection is formed, for example, when the data subject has on its own initiative contacted the data controller, or when the data controller, for example, processes the data subject’s personal data in connection with a business or co-operation matter between the data subject’s employer and the data controller.
On the basis of its legitimate interest, the data controller may also save to its customer data filing system personal data of potential clients and their contact persons and representatives who can, on reasonable grounds, be expected to be interested in acquiring products and services provided by the data controller.
The data controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. When the data subject is requested to give his or her consent, he or she will be simultaneously informed that withdrawal of consent is possible easily and at any time. In addition, in accordance with applicable data protection legislation, electronic direct marketing can also be sent to recipients for whom the data controller can reasonably consider that the products or services marketed have an essential connection with the potential customer’s area of responsibility or work.
Withdrawal of consent may be done by giving a notice to the data controller or by clicking the cancelling option, which can be found in every marketing message (“Unsubscribe” link), whereupon personal data of the data subject will be removed from the data controller’s list concerning subscribers of electronic direct marketing.
- Categories of personal data processed
The data filing system includes personal data of the following persons:
- Customers of the data controller and their representatives and contact persons
- Representatives and contact persons of the data controller’s subcontractors and suppliers
- Potential customers
- Other stakeholders (job applicants, co-operation partners)
- Persons related to assignments
Personal data of the data subjects that is relevant on the basis of the above-mentioned purposes of processing is processed, such as:
- Name
- E-mail address
- Phone Number
- Company and title
- Name and business ID of the company and contact person
- Additional information provided by the data subject himself/herself
- Personal data processed on a case-by-case basis in connection with assignment (such as emails, documents, other communication)
- Information based on customer relationship, such as contact history, feedback and follow-up information
- Information needed for identifying a person such as name, date of birth, personal identification number
- Regular information sources of the data filing system
Personal data has been primarily obtained from the following information sources:
- Directly from the data subject himself/herself for the purpose of managing customer relationship and assignments
- Directly from the data subject himself/herself in connection with job application and recruitment process
- Directly from the data subject himself/herself in connection with other co-operation partnership
- Insurance companies and/or authorities
- Public/commonly available sources (such as internet or Trade Register)
- the data subject’s employer or other representative of the data controller’s customer, business or co-operation contact or contract party
- Recipients of personal data
In principle, the data controller will not disclose personal data of the data subjects to third parties, except when authorities require it in accordance with legislation or mandatory laws stipulate this.
Despite the above, in connection with implementing its technical services, the data controller uses reliable service providers which process personal data on behalf of the data controller on the basis of a data protection agreement required by data protection legislation. The service providers will process the personal data for which the data controller is responsible in accordance with the data controller’s documented instructions.
In principle, personal data is not transferred outside the European Union or the European Economic Area. Possible transfers of personal data will always be carried out in accordance with applicable data protection legislation.
- Retaining personal data
The data controller will process and retain personal data only as long as it is necessary for the purposes of processing which have been determined in advance. Personal data which has become redundant, i.e. personal data which the data controller no longer has a legal basis to retain or process, will be deleted on a regular basis in accordance with the data controller’s own data protection policy. Personal data has become redundant, for example, when the customer, business, co-operation or contract relationship to the controller has ceased, notwithstanding cases where legislation requires retaining personal data.
- Rights of the data subject
The data subject shall have the following rights, applicable on a case-by-case basis.
Right to withdraw consent
On the basis of Article 7 of the EU General Data Protection Regulation (679/2016, “GDPR”), the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
Right of access by the data subject to his or her data
On the basis of Article 15 of the GDPR, the data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and certain information concerning data processing stipulated in the Article.
Right to rectification
On the basis of Article 16 of the GDPR, the data subject has the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of processing, the data subject has the right to have incomplete personal data completed, including by means of providing a supplementary statement.
Right to erasure
On the basis of Article 17 of the GDPR, the data subject has the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay, and the data controller will have the obligation to erase personal data without undue delay, provided that requirements stipulated in the Article are fulfilled.
Right to restriction of processing
On the basis of Article 18 of the GDPR, the data subject has the right to obtain from the data controller restriction of processing, provided that requirements stipulated in the Article are fulfilled.
Right to data portability
On the basis of Article 20 of the GDPR, the data subject has the right to receive data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, in cases where processing is based on consent or contract and the processing is carried out by automated means.
When exercising the above-described right to data portability, the data subject has the right to have personal data transmitted directly from one data controller to another, where technically feasible.
Right to object
On the basis of Article 21 of the GDPR, the data subject has the right to object at any time, on grounds relating to his or her particular situation, to processing of personal data concerning him or her that has the legitimate interest of the data controller as its legal ground, including profiling. The data controller will no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or the processing is needed for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
Right to lodge a complaint with a supervisory authority
If the data subject considers that the data controller is infringing applicable legislation concerning personal data processing and data protection, the data subject has the right to lodge a complaint with a supervisory authority. The supervisory authority in Finland is the Data Protection Ombudsman, www.tietosuoja.fi.
Responsibilities of the data controller arising from the rights of the data subject
The data controller will inform the data subject about all measures that have been taken on the basis of a request made pursuant to Articles 15-22, without undue delay and in any case within one month of receiving such a request. The time limit may be extended by at most two months where needed, taking into consideration the quantity and complexity of the requests made. The data controller will inform the data subject about any such extension within one month of receiving the request, as well as about the reasons for the delay. If the data subject has presented his or her request electronically, the information must be provided electronically when possible, unless the data subject requests otherwise.
If the data controller does not carry out the measures based on the data subject’s request, the data controller must immediately, and at the latest within one month of receiving the request, notify the data subject about the reasons for this, as well as about the possibility to lodge a complaint with a supervisory authority and to use other legal remedies.
Exercising rights
You may exercise the rights stated above by contacting the data controller by e-mail at info(at)applex.fi. We aspire to provide a reply as soon as possible and, where needed, provide you with additional instructions or ask additional questions based on your request.
Please note that prior to fulfilling a request we have a right as well as an obligation to verify your identity, which means that we must be able to recognize you in an adequate manner.
Legislation applicable to our activities and rules of the Finnish Bar Association may prevent us from executing your request.
If your request is manifestly unfounded or excessive, we may charge a reasonable fee for administrative costs to carry out your request or refuse to act on the request.
- Processing of personal data and profiling
The data controller does not use automated decision-making, such as automated profiling, as part of processing personal data.
- Further processing of personal data
The data controller does not process personal data for other purposes besides those described in this Privacy Notice.
Should the data controller further process personal data for other purposes, the data controller has a duty, in accordance with data protection legislation, to notify the data subject about this intent prior to further processing. In such case the data controller will also give all additional information concerning the matter.
- General description of appropriate technical and organizational security measures of the data controller
Access to data filing systems has been granted solely to such designated employees of the data controller who have signed appropriate non-disclosure agreements.
The data controller has provided all its employees with binding written instructions and orders concerning processing of personal data and data protection, which instructions and orders the employees are bound to obey.
Data security of information systems has been arranged adequately, including encryptions and technical restrictions. The system is protected by security software. Access to the system requires each user to enter a username and password. The server environment is protected with passwords and an appropriate firewall. The communication between the server and the user’s device is encrypted. In addition, the data controller’s computer network and the hardware on which the data filing systems are located are protected by a firewall and other technical measures. The destruction of personal data is carried out with secure measures.
The data controller will revise its processing operations and equipment on a regular basis and, amongst other things, assess risks related to processing of personal data, for example when introducing new technology.
- Changes to this Privacy Notice
This Privacy Notice was last updated on 8 June 2020.
The data controller may change this Privacy Notice. The data controller will inform the data subjects of significant changes to this Privacy Notice and the processing operations reasonably before their entry into force on its website and/or by other appropriate means to allow the data subjects to reasonably assess the consequences of such changes.
If you have any questions regarding the processing of your personal data by the data controller, please contact us by email at info(at)lymed.fi or by phone: +358 20 779 2233.