Data collection and processing

We collect personal data to provide services. We process personal data in management, marketing, development and as part of service entities.

An organisation must determine a legitimate purpose for the use of all data it starts to process.

What are the purpose and legitimate grounds for processing personal data?

Processing personal data in Asiakastieto

 

Asiakastieto processes different types of personal data categories. The purposes of data processing for different categories and the legitimate grounds compliant with the regulation are described here.

Personal data categories

Below the data contents, disclosures and storing times are described

1. PERSONAL CREDIT INFORMATION (payment defaults, for example)

Purpose of processing

Personal credit information purposes 

Legitimate grounds for processing

Processing is based on article 6, section 1.e. of the General Data Protection Regulation (grounds regarding public interest). The processing is provided in the Credit Information Act. Using the data in the register does not require a consent from the data subject. Disclosure and use purposes are provided in the Credit Information Act 19§. 

Data subjects are notified about the processing of data as provided in the Credit Information Act 29§. The data subject whose data has been added to the register for the first time is sent a notification about this registration, the data subject’s right to make a rectification request, as well as the effects that making a payment has on the credit history register entries. Information is also given about storing times, a data subject’s rights, data sources and other things related to data processing.

2. PERSONS WITH BUSINESS INVOLVEMENT (PERSONS IN CHARGE)

Purpose of processing

The credit information operations of companies also process personal data. Company personnel statuses, tasks and public information about their management in the industry are included in this data.

As specified in the 29§ of the Credit Information Act, storing data about persons in charge (company link data) does not involve notifying the person in question.

Data concerning persons with business involvementis processed and disclosed to customers to be utilised to secure benefits and rights. Personal credit information is also disclosed to make assessments about a person’s financial status and ability to meet requirements. Company link data is disclosed to parties that want this data, as provided in Credit Information Act 12§ 1.2. subsection. Requesting this data does not require a specific reason.

As provided in the Credit Information Act 3§ 3. subsection, the data of company persons in charge is processed according to the Credit Information Act when classifying companies (Credit Information Act 27§).

The data of company persons in charge is also processed for marketing purposes.

Legitimate grounds for processing

In compliance with article 6 of the GDPR (and the ePrivacy Regulation) personal data can be processed if the processing concerns the person’s status, tasks and their management in the industry, organisation operations or other equivalent operations and the purpose of the processing is relevant in regard to the public interest and appropriate in regard to the goal pursued.

Processing the personal data of company persons in charge in credit information operations is provided in the Credit Information Act.

According to the national Credit Information Act, the personal data of company persons in charge can also be processed for other purposes than solely in relation with credit information operations.

The statute for the use of data in digital marketing has been provided in the Information Society Code (917/2014). Digital marketing related to a company representative’s work may be sent to their work email (Information Society Code 202§, 203§). In this case, it is considered marketing towards the company.

3. COMPANY OWNER DATA

Purpose of processing

Personal data is processed to provide useful information about company owners for companies utilising this data. Customer companies require this data when complying with their obligations under the Act on the Prevention of Money Laundering and the Prevention of Terrorism in the process of identifying the actual beneficiaries of the business.

Legitimate grounds for processing

Processing is based on article 6 section 1.f. of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party).

Those that utilise this data have the obligation under the Act on the Prevention of Money Laundering and the Prevention of Terrorism to identify the actual beneficiaries of companies. Processing this data in Asiakastieto serves those utilising the data in fulfilling this obligation and is thus a legitimate interest.

4. COMPANY DECISION-MAKER DATA

Purpose of processing

Personal data is processed to provide useful information for marketing and sales purposes, or for opinion polls and marketing research or for updating the customer register.

Legitimate grounds for processing

Processing is based on article 6 section 1.f. of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party).

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (Recital 47 of the GDPR).

The statute for the use of data in digital marketing has been provided in the Information Society Code (917/2014). Digital marketing related to a company representative’s work may be sent to their work email (Information Society Code 202§, 203§). In this case it is considered marketing towards the company.

In compliance with article 6 of the GDPR personal data can be processed if the processing concerns the person’s status, tasks and their management in the industry, organisation operations or other equivalent operations and the purpose of the processing is relevant in regard to the public interest and appropriate in regard to the goal pursued.

Using the data of the data subjects in the register does not require a consent from an individual data subject.

5. CONSUMER DATA FOR MARKETING PURPOSES

Purpose of processing

The register serves company customers providing data in support of marketing and sales operations. The data in the register can be utilised for updating customer databases and customer registers.

The registers containing this data are processed and disclosed for customers to use in sales and marketing and for other deliveries containing addresses (marketing research, for example) and for companies’ own operations, such as maintaining a customer register.

Legitimate grounds for processing

Processing is based on article 6 section 1.f. of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party).

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (Recital 47 of the GDPR).

The statute for the use of data in digital marketing has been provided in the Information Society Code (917/2014).

6. USER DATA (INTERNAL USER AGREEMENTS FOR SERVICES AND SYSTEMS, CONTRACT CUSTOMERS, OPEN COMPANY DATA, OMATIETO SERVICES FOR CONSUMERS)

Purpose of processing

The purpose of processing is to manage the access rights and service usage of Suomen Asiakastieto Oy`s services and systems.

Legitimate grounds for processing

Processing is based on article 6 section 1.f. of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party).

Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller or when the user is granted access to Asiakastieto’s network and services.

Asiakastieto has the right to process its services’ users’ personal data because providing the service requires it.

7. CUSTOMER REGISTER (CRM)

Purpose of processing

The purpose of processing personal data is using the data that concerns the data controller’s customers’ liaisons and potential customers’ persons in charge in order to be in contact with the customer or potential customer.

Legitimate grounds for processing

Processing is based on article 6 section 1.f. of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party).

Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (Recital 47 of the GDPR).

The statute for the use of data in digital marketing has been provided in the Information Society Code (917/2014). Digital marketing related to a company representative’s work may be sent to their work email (Information Society Code 202§, 203§). In this cas,e it is considered marketing towards the company.

Using the data of the data subjects in the register does not require a consent from an individual data subject.

8. ASIAKASTIETO’S OWN MARKETING DATABASE

Purpose of processing

The purpose of processing personal data is the use of the data controller’s centralised customer database which contains all data about customers’ digital activities. A marketing tag which identifies the first point of contact is recognised for each customer. The purpose is to enable better targeting and timely communication. In addition, measuring and monitoring the customership is enabled in regard to collected leads or online store purchases.

Legitimate grounds for processing

Processing is based on article 6 section 1.f. of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party).

Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest (Recital 47 of the GDPR).

The statute for the use of data in digital marketing has been provided in the Information Society Code (917/2014). Digital marketing related to a company representative’s work may be sent to their work email (Information Society Code 202§, 203§). In this case it is considered marketing towards the company.

9. PERSONNEL DATA

Purpose of processing

To manage the employment relations in Asiakastieto Oy.

Legitimate grounds for processing

Processing is based on article 6 section 1.f. of the GDPR (processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party).

Recital 47 of the GDPR. Such legitimate interest could exist for example where there is a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller.

10. OTHER REGISTERS

Signups to Asiakastieto Group’s annual general meeting

Other

The data controller uses registers also for informative purposes and to implement the right of access (GDPR article 15, Credit Information Act 30§),

Data of data subjects is also utilised for research and statistics purposes that the data controller either conducts or supports. When data is processed for research and statistics purposes, it is carried out so that individual data subjects cannot be identified.

Special data categories specified in article 9 of the GDPR are not processed in the registers (sensitive data),

Special data categories specified in article 10 of the GDPR are not processed in the registers (criminal convictions and offences).

 

The data is delivered to Asiakastieto customers as a service. Check the services here.

Where does Asiakastieto collect personal data from?

Collecting personal data in Asiakastieto

 

Personal data is collected from different sources. Data sources are described here according to personal data categories.

Personal credit information (payment defaults and other personal credit information)

  • Consumer credit companies: consumer credit defaults
  • District courts: public payment defaults
  • Credit and financial institutions and other institutions giving out or backing loans: written agreement of a failure to pay recognised by the debtor (voluntary debt arrangements)
  • The Legal Register Centre: debt arrangement data, bankruptcy data
  • Data subjects: payments, additional debt information
  • Enforcement authorities: enforcement and bankruptcy data, payments
  • Creditors: payments
  • Tax authorities: tax deductions and VAT items
  • Population Register Centre: eligibility information

COMPANY DECISION-MAKER DATA

  • Data subjects: work tasks, contact information, age, gender
  • Data subject employers: work tasks, contact information, age, gender
  • Press and other public sources (nomination news)
  • Publicly available data (publications, databases, internet)
  • Trade Register
  • Phone conversations between data subjects, data subjects’ employers and employer representatives may be recorded. The recording will be destroyed immediately after the data that has been collected this way has been stored.

PERSONS WITH BUSINESS INVOLVEMENT

  • Trade Register

COMPANY OWNER DATA

  • Particular companies (owner register): ownership data
  • Trade Register: ownership data when registering a company

CONSUMER DATA FOR MARKETING PURPOSES

  • The data is updated from Suomen Numeropalvelu oY’s phone number database, Finnish Post’s address database, preference services maintained by Finnish Customer Marketing Association and other equivalent public and commercial registers and data sources.
  • A recurring source of data is also the official Trade Register that is maintained Patent and Registration Office.

USER DATA (CONTRACT CUSTOMERS, OPEN COMPANY DATA, OMATIETO SERVICES)

  • User data from companies, user data from the user while registering

CUSTOMER REGISTER (CRM)

  • Data subjects: contact information
  • Data subject employers: contact information
  • Trade Register
  • Decision-maker data from Asiakastieto’s decision-maker register

PERSONNEL DATA

  • Data is mainly collected from the employees.

ASIAKASTIETO’S OWN MARKETING DATABASE

  • Personal data in the marketing database is collected from Asiakastieto’s own databases: user data the open company data service, user data from digital channels, customer register (CRM) data, decision-maker register data.
Who processes my personal data?

Who processes my personal data?

 

Asiakastieto’s access management has been defined as rights to view, process and modify personal data. These rights are granted to people that have the necessity to process personal data due to the nature of their work. The principles of the right to access have been defined in a separate document.

Customers have personal credentials also. The access rights for customers are always determined according to need. If the access to personal credit information is granted, the customer must have a purpose for the use according to the Credit Information Act.

Does Asiakastieto automated decisions or profiling?

Automated decisions and profiling

 

Asiakastieto uses personal data in the modelling process to create different credit classifying models or to form marketing target groups. The data controller has the right to perform this type of profiling when it has the right to process data.

However, as data controller Asiakastieto does not make decisions that would have legal effects or similarly significant effects concerning the data subject (GDPR article 22). The users of the data might use it in credit decisions. Legal effects only arise from this.