Name of Register
Customer Register of Megalight Systems Oy
Purpose and Legal Basis of Personal Data Processing
The purpose of personal data processing consists in managing and maintaining the customer relationship between the company and business customer, keeping in touch with customers, and marketing. The company uses register data for direct marketing, unless the customer has prohibited direct marketing.
The purchase and transaction data, as well as location data processed in the register can also be used for profiling and marketing purposes, as well as for tailoring customer communications for them to be of interest to the data subject.
Personal data are also processed in connection with sending of newsletters and participation in events and other marketing activities.
As regards the customer contact person and the customer, processing is carried out to ensure realisation of the Data Controller’s legitimate interest.
If a data subject should fail to provide the requested data required for completion of the contact form, the Data Controller cannot accept the contact form from the data subject or enter into a contact form-related contract between the Data Controller and the data subject.
Personal Data Retention Period
Personal data shall be retained for as long as required for submission of the data subject’s contact form and performance of the related measure. The retention period depends on the need for retention of the data collected; for example, under the Accounting Act, invoicing data must be retained for six years. The data provided in the contact form shall be retained only with the customer’s consent.
Data Subject Group Description and Data Content
The Register contains personal information on the company’s business customers. The form data entered by the data subject may contain the following information, inter alia: e-mail address, telephone number, address.
Regular Sources of Data
Information submitted by contacting persons, the customer information system, and invoicing database.
Regular Release of Data
As a general rule, personal data are not released outside the organisation, with the exception of personal data necessary for accounting purposes released to the accounting firm used by Megalight Systems Oy.
Nevertheless, personal data may be disclosed based on an agreement between the customer and Megalight Systems Oy, customer relationship between the customer and Megalight Systems Oy, or legislation in force, incl. to competent authorities.
Data are not transferred outside the EU or the EEA.
Principles of Register Protection
The data retained are technically protected. Physical access to the data is prevented by access control and other security measures. Access to the data requires respective rights and multi-stage authentication. Unauthorised access is also prevented by using firewalls and technical protection, inter alia. Access to register data is restricted solely to the Data Controller and designated technical personnel. Only persons duly appointed have the right to process and maintain register data. The users are bound by the obligation of confidentiality. Register data are backed up safely and can be restored if necessary.
Rights of the Data Subject
A data subject is entitled to the following rights, inter alia:
- A data subject has the right to check the personal data stored in the register and to obtain copies thereof. The respective request must be in writing andaddressed to the party responsible for the register (see Administrator of Customer Register).
- The Administrator of Customer Register shall correct, remove, or supplement any personal data contained in the register that are incorrect, unnecessary, incomplete, or outdated for the purposes of processing, either on its own initiative or at the request of the data subject. For correction of data, the data subject must contact the Data Controller’s Administrator of Customer Register (see Administrator of Customer Register) in writing.
- To the extent that the processing of personal data is based on the data subject’s consent, cancel the consent at any time without prejudice to the lawfulness of the processing carried out based on the consent prior to revocation thereof.
- Submit complaints on personal data processing to the supervisory authority.