Privacy Policy for customer register

1 Controller

Lemminkäisenkatu 59
20520 Turku
(hereafter ”we” or ”Nidos”)

2 Contact person for register matters

Jussi Hakunti
Lemminkäisenkatu 59
20520 Turku
Phone +358405825229

3 Name of register


4 What is the legal basis for and purpose of the processing of personal data?

The basis of processing personal data is the company’s justified interest on the basis of a customer relationship or other appropriate connection or implementing a contract.

The basis of processing personal data is:

  • the delivery and development of our products and services,
  • fulfilling our contractual and other promises and obligations,
  • taking care of the customer relationship,
  • analyzing and profiling behaviour of a customer or other data subject,
  • electronic and direct marketing,
  • targeting advertising in our and others' online services.

We use automated decision-making (incl. profiling) to identify, e.g., the data subjects' personnel profiles, consumer habits, online behaviour, age. We use this information to target marketing and to develop services.

5 What data do we process?

We process the following personal data of our customers or other data subjects, like individuals participating in our trainings, in connection with the customer register:

  • Basic information of the data subject such as name*, date of birth, identification number, customer number, username and/or other identifying identifier, password, gender, mother tongue;
  • Contact information of the data subject such as e-mail address*, phone number, address;
  • Information of company and company's contact persons such as Business ID, names and contact details of the contact persons;
  • Information of the customership and the contract such as past and current contracts and orders, other information of the customership;
  • Other possible information gathered with data subject's consent.

Providing the personal data marked with a star (*) is a requirement for our contractual and/or customer relationship. Without the necessary information we are not able to provide the product and/or service.

6 From where do we receive data?

We receive information primarily from the following sources: e.g. the data subject, the population register, credit information companies, contact information service providers and other similar reliable sources.

For the purposes described in this privacy policy, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Data updating of this kind is performed manually or by automated means.

7 To whom do we disclose data and do we transfer data outside of EU or EEA?

We may provide personal data to third parties.

  • To the extent provided by international laws, regulations and the EU General Data Protection Regulation, e.g. to perform a task requested by the supervisory authority or national courts.
  • When our subcontractors process data under our scrutiny. We will enforce that your personal data is processed with appropriate technical and organizational means.
  • If our business involves merging, acquisition or other related arrangements.
  • When it is necessary to exercise our, your or other natural persons' rights, to ensure their safety, to investigate misuses and to respond to supervisory authorities.
  • When you have given consent for a specific process.

We may transfer personal data outside the EU or EEA region in cases where our subcontractors are located in such regions. In such cases we will implement appropriate safeguards to ensure the protection of fundamental rights and freedoms of natural persons as stated in the EU General Data Protection Regulation (679/2016).

E.g. our subcontractor might be a cloud service that transfers data to the United States. In this case the safeguards include that the service provider has successfully adopted the EU-U.S. Privacy Shield protocol and we will use the privacy statement templates provided by the European Commission. More details of the Privacy Shield can be viewed at

8 How do we protect the data and how long do we store them?

We shall implement the appropriate measures (including physical, digital and administrative actions) in order to prevent the loss, destruction, misuse and unauthorized access and distribution of personal data.

E.g. only those of our employees who, by virtue of their work, are entitled to process customer data are entitled to use a system containing personal data. Each user has a personal username and password to the system. The information is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and their backup copies are in locked premises and can be accessed only by certain pre-designated persons.

We store the data as long as it is necessary for the purpose of processing the data. By default, customer data will be stored for a maximum of ten years after the termination of the customer contract.

We regularly assess the need for data storage, taking into account the applicable legislation. In addition, we take reasonable actions to ensure that no incompatible, outdated or inaccurate personal data is stored in the register, taking into account the purpose of the processing. We correct or erase such data without delay.

9 What are your rights as a data subject?

As a data subject you have a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of the data. You also have a right to withdraw or change your consent.

As a data subject, you have a right, according to the EU's General Data Protection Regulation (applied from 25.5.2018), to object to processing or request restriction of the processing, and to lodge a complaint with a supervisory authority responsible for processing personal data.

For specific personal reasons, you also have a right to object to profiling and other processing concerning you, when processing the data is based on the customer relationship. In connection with your claim, you should identify the specific situation on the basis of which you object to the processing. We can refuse to act on such a request on the basis of the law.

As a data subject you have the right to object to processing at any time free of charge, including profiling in so far as it relates to direct marketing.

10 Who can you be in contact with?

All contacts and requests concerning this privacy policy shall be submitted in writing or in person to the person mentioned in section two (2).

11 Changes in the Privacy Policy

Should we make amendments to this privacy protection statement, we will place the amended statement on our website, with an indication of the amendment date. If the amendments are significant, we may also inform you about this by other means, for example by sending an email or placing a bulletin on our homepage. We recommend that you review these privacy protection principles from time to time to ensure you a