Get to know the data

The data controller must have information available about personal data categories, transfers and disclosures.

The retention period of personal data is also described here.

What is the life cycle of personal data?

Databanks and the life cycle of personal data

Personal data is collected from reliable sources. The data that is collected is necessary, and it is verified before it is stored in the database. The data is stored only for as long as necessary. The retention period for each data category/service has been determined separately; after that period the data is erased or transferred to the Data Warehouse database for statistics or modelling purposes. The data is removed from the Data Warehouse database after ten years. Retention periods have been defined in the “what data is collected to databases” section.

DATA LIFE CYCLE

COLLECTING PERSONAL DATA   

  • Personal data is collected from multiple sources. Data sources and the legitimate grounds for processing data have been described in the section: data collection and processing

VERIFYING PERSONAL DATA

  • Data is validated manually in Asiakastieto or with automated verifications

  • All personal data that is stored in the registers is defined according to the regulation

  • All personal data must be necessary, up to date and minimised. Personal data is processed in legitimate ways

PERSONAL DATA IN REGISTERS AND SYSTEMS

  • Personal data is stored in many different databases

  • Access to data is restricted

  • Comprehensive measures have been taken to ensure data protection 

PERSONAL DATA IN SERVICES AND TO OWN MARKETING

  • Services that use personal data have been described in get to know the data section

  • Personal data is disclosed to international partners and customers with a separate agreement

DISCLOSURE OF PERSONAL DATA

  • To government officials when regulations require

  • To customers according to a separate agreement

  • To data subjects themselves when they exercise their right to access this data

DATA ERASURE

  • Data erasure protocols have been defined according to the data category. Data about the retention periods can be found in the get to know the data section

What personal data is collected, disclosed and stored? How are the right to transfer data, right to object and informing implemented?

Data content, disclosure and retention in personal data categories

 

Asiakastieto’s registers (Asiakastieto as data controller) have data in many different categories. Typically the personal data that are disclosed are name, contact information, data related to payment defaults, as well as position information about company decision-makers. In addition, classifications and scoring services use Population Register Centre data, like age and place of residence. Asiakastieto also processes personal data about the users of its services and its personnel as data controller. 

Personal data categories 

The data contents, disclosures and retention periods are described below.

1. PERSONAL CREDIT INFORMATION (payment defaults, for example)

Data content

Person’s contact information, payment defaults and other credit information.

The register only contains data, including contact information, about people for whom data about neglecting a payment or an instalment of payment default or other data specified in 12§ or 13§ of the Credit Information Act has been stored. The stored data is based on the Credit Information Act.

The information that is included in the payment default contains the entry payment default title, possible amount, data source, possible creditor information, registering date and default date (for example, the date of judgement or when the inability to pay has been recognised). When registering a settlement of payment, the date when the information about the payment was received and the payment data are entered into the system. Additional information about conditions in the background of the entry provided by the data subject can be linked to the entry.

Data disclosure

Personal credit information is disclosed based on a customer contract to be used in credit granting, credit control or another purpose specified in 19§ of the Credit Information Act. Data is also disclosed to a data subject at his or her request.

Retention period

Payment default data is updated when information about the conditions related to the payment or information specified in 13§ 2nd or 3rd subsections of the Credit Information Act is provided.

Payment default data is stored for 2 to 4 years (based on 18§ of the Credit Information Act).

2. Persons with business involvement (PERSONS IN CHARGE)

Data content

Data, including contact information, that describes the position and tasks of the data subject. Official position information such as members of the Board of Directors, CEO, partners and a limited partnership, a trader, proprietor of a business name, an initiator, an authorised signatory, holder of procurator, shareholder, founder shareholder, auditor and trustee in bankruptcy.

Data related to these positions: position, name, occupation, address, identity number, place of residence, start and/or end date for a position or date for the data, nationality, Business ID given to a person (Y-tunnus in Finnish).

In addition, information on the supplementary information provided by the data subject to the Trade Register, shareholder ownership and / or number of shares, and the signing method for the holders of procuration.

Data disclosure

Data is disclosed to those customers of the data controller that have made a customer contract with the data controller about the use of this data. Data is also disclosed without a permanent customership, without the user being identified (for instance, Asiakastieto’s open company service). Data, excluding personal credit information, about company persons in charge is also disclosed for direct marketing purposes and other deliveries requiring addresses.

Data is also disclosed to data subjects at their own request.

Retention period

Data is continuously updated. The data controller erases, rectifies or completes, either unprompted or at the request of the data subject or the data subject’s employer, all incorrect, unnecessary, incomplete or outdated information in the register without undue delay. Vital in rectifying, completing, or erasing data is the purpose of the data.

Data is erased according to the Credit Information Act when a person resigns from an aforementioned position. The main rule is that the data is erased one year after the resignation has been entered in the Trade Register.

3. COMPANY OWNER DATA

Data content

The register contains data about owners of limited companies.

The register contains the name of the person and the amount of the company's ownership.

The register also contains other data that the data controller views necessary for the purpose of the register.

Data disclosure

Data from the register is disclosed to those that need it in identifying the beneficial owners of the business which is a process required by law.

The terms and conditions of utilising data are agreed upon in customer contracts and/or terms of service.

Data is disclosed via browsers (online service) and as electronic files.

Data is also disclosed to data subjects at their own request.

Retention period

Data is continuously updated. The data controller erases, rectifies or completes, either unprompted or at the request of the data subject or the data subject’s employer, all incorrect, unnecessary, incomplete or outdated information in the register without undue delay. Vital in rectifying, completing, or erasing data is the purpose of the data.

Data is erased immediately after notification about the termination of ownership has been received.

4. COMPANY DECISION-MAKER DATA

Data content

The register contains data that is related to data subject’s tasks or position in the industry or public position and it is utilised to send information about his or her work. This data includes contact information, for instance.

The register also contains other data that the data controller views necessary for the purpose of the register.

The register contains the data processing prohibition for those people that have objected to processing of their data (regulation article 21).

Data disclosure

Data from the register is disclosed to those that need the data to send the data subject information in regard to his or her work tasks. Data may also be utilised in opinion polls or marketing research, as well as in updating a customer register.

The terms and conditions of utilising data are agreed upon in customer contracts and/or terms of service.

Data is disclosed via browsers (online service) and as electronic files.

Those that use address information in their deliveries are required to give the address source and to comply with data protection regulations and data processing regulations.

Data is also disclosed to data subjects at their own request.

Retention period

Data is continuously updated. The data controller erases, rectifies or completes, either unprompted or at the request of the data subject or the data subject’s employer, all incorrect, unnecessary, incomplete or outdated information in the register without undue delay. Vital in rectifying, completing, or erasing data is the purpose of the data.

5. CONSUMER DATA FOR MARKETING PURPOSES

Data content

The database contains, for instance, the following elements:
- person’s first and last name
- address information
- phone number information
- gender information
- possible direct marketing and telemarketing prohibition

The register contains the data processing prohibition for those people that have objected to processing of their data (regulation article 21).

Data disclosure

Data is disclosed to customers to be used in sales and marketing and other deliveries that require address information (for example, marketing research), as well as for companies’ own customer management, such as maintaining a customer register.

The terms and conditions of utilising data are agreed upon in customer contracts and/or terms of service.

Data is disclosed via browsers (online service) and as electronic files.

First name, last name, address, postal code and city are disclosed for a delivery by mail.

First name, last name, address, postal code, city and phone number are disclosed for calling purposes.

Those that use address information in their deliveries are required to give the address source.

Data is also disclosed to data subjects at their own request.

Retention period

Data is continuously updated. The data controller erases, rectifies or completes, either unprompted or at the request of the data subject or the data subject’s employer, all incorrect, unnecessary, incomplete or outdated information in the register without undue delay. Vital in rectifying, completing, or erasing data is the purpose of the data.

6. SERVICE USER DATA (CONTRACT CUSTOMERS, OPEN COMPANY DATA, OMATIETO SERVICES)

Data content

The data, including contact information, related to contract customers concerns only those people whose employers had had a customership with Suomen Asiakastieto Oy. The register also contains Asiakastieto’s personnel who have access rights to the services.

The stored data about the data subjects include the person’s position, work tasks and other data relevant to customership and using the services. The data subjects are not in customership with Suomen Asiakastieto Oy. 

The personal data of customers of Omatieto service and open company data service: 

  • First name
  • Last name
  • Identity number 
  • The user's unique identifier, such as personal identification number, is obtained from the data subject, from the identifying bank with the consent of the data subject, or from a third party.


Contact information:

  • Email
  • Mobile phone number
  • Permanent address
  • Postal code
  • City
  • Marketing consent for email or phone


Data related to customership or the use of content, such as:

  • Start and end date of customership
  • Username
  • Data about ordered services or services in use (for example, Minun omatietoni service order)
  • Data collected about the effectiveness of advertising or direct marketing (opens and clicks of marketing newsletters)
  • Data collected about the use of web service content
  • Data related to online store transactions, such as purchases, their times and payment details
  • When the user chooses “Invoice”, the address information of the user is automatically received from Population Register Centre’s address database for invoicing purposes.
  • With cookies and other technologies, which are described at a later stage, we can collect data about how the user uses the site or our services.

Data disclosure

Data about the service access details of contract customers can be disclosed to the person’s employer.

Data is also disclosed to data subjects at their own request.

User data from Omatieto service and open company data service can be disclosed for appropriate purposes. The data you submit through the service can be disclosed to parties belonging to the following categories:

  • Service providers that are part of implementing our site and services, such as payment services
  • Government officials in cases where the law requires it

Retention period

The data controller erases, rectifies or completes, either unprompted or at the request of the data subject or the data subject’s employer, all incorrect, unnecessary, incomplete or outdated information in the register without undue delay. Vital in rectifying, completing, or erasing data is the purpose of the data, i.e. customership management.

In Omatieto service and open company data service the data is stored for the duration of the customership and 24 months after the customership has ended. If the customership consists only of an individual enquiry for one’s own data (excerpt) or for other person’s personal credit information, the register data is stored for 13 months. The retention period is based on the right of inspection provided in 30§ of the Credit Information Act. It must be possible to inform the target of the enquiry (the data subject in the personal credit information register) to whom the data has been disclosed within the previous year.

If the person in question has given his or her consent for marketing, the data is stored for five years. 

7. CUSTOMER REGISTER (CRM)

Data content

The register only contains data of people, including contact information, whose employers have a customership with Suomen Asiakastieto Oy or companies which are potential customers of Suomen Asiakastieto Oy.

Employer data, position, work tasks and other relevant data is among the information about the data subject. The data subjects do not have a customership with Suomen Asiakastieto Oy.

Data disclosure

Register data is not disclosed to third parties.

Data is disclosed to data subjects at their own request.

Retention period

Data is continuously updated. The data controller erases, rectifies or completes, either unprompted or at the request of the data subject or the data subject’s employer, all incorrect, unnecessary, incomplete or outdated information in the register without undue delay. Vital in rectifying, completing, or erasing data is the purpose of the data.

The data subject can also erase data in Asiakastieto’s GDPR service.

8. PERSONNEL DATA (HR, PAYROLL)

Data content

The register only contains data, including contact information, of people that are currently or have been employed by Asiakastieto.

Data categories:
•    general personal data (date of birth, identity number, contact information)
•    employment data
•    payroll data
•    training and course data
•    employment history and internal transfers
•    possible data about a security clearance

Data disclosure

Annual reports to the pension company and tax authorities.
Reports to the accident insurance company.
External payroll company.

Data is also disclosed to data subjects at their own request.

Retention period

The data controller erases, rectifies or completes, either unprompted or at the request of the data subject or the data subject’s employer, all incorrect, unnecessary, incomplete or outdated information in the register without undue delay. Vital in rectifying, completing, or erasing data is the purpose of the data, i.e. being related to employment.

Statutory retention period for personal data.

9. ASIAKASTIETO’S OWN MARKETING DATABASE

The purpose of processing personal data is to utilise the data controller’s centralised marketing database in communications and marketing to customers, to those registered to the online services and to those who have joined our marketing mailing lists.

Data content

Decision-maker contact and position information.

Data disclosure

Data is not disclosed to third parties.

Data is disclosed to data subjects at their own request.

Retention period

For the duration of the customership, five years for those registered to services and those joined in mailing lists

10. OTHER REGISTERS

 

What personal data is provided in the services?

The services provide personal data to Asiakastieto’s customers

Data is provided to Asiakastieto’s customers and partners that have legitimate grounds to process personal data (Credit Information Act, GDPR). The users have personal credentials or the customer company keeps a log file about the enquiries. Credit information (personal payment defaults) enquiries always leave an entry in the log. A notification of the so-called “first registration” of credit information is also always sent to the data subject in writing.

The services where data is provided are listed below. The registers in which the content is personal data are described in the section data collection and processing.

As described in a separate document, data is transferred into Data Warehouse database from where this data can be utilised in research and modelling. Separate user rights for history data to be used by research and modelling groups only have been defined.

Personal data is provided as individual data elements (for example, payment default information or information that the person does not have a payment default entry in Asiakastieto’s database), as part of reports, ratings, decision-making systems or applications (such as Yritysfiltteri Pro and Connection Map). In addition, personal data is used as background variables in modelling and different kinds of statistics. Asiakastieto also compiles reports where population register data is attached to the general information of a person.

Services that include personal data

Personal facts and credit information

(Contact information, position: person in charge/decision-maker/influencer, payment default)

  • EBR/ company representatives and company profile (decision-maker data)

  • AI (artificial intelligence) virtual assistant (personal data)

  • Payment default enquiry

  • Decision-makers

  • Persons in charge

  • Owners

  • Beneficial owners

  • Population Register data (link service)

  • Person’s participation in companies (positions for persons in charge as provided in the Credit Information Act)

  • Number update (name, address, phone number)

  • Address updates (Population Information System, postal register)

  • Resident enquiry (name, date of birth, address, moving date)

  • Real estate service personal data that is saved into cached memory for 30 minutes

Services that have personal data as part of reports or data compilations

  • Asiakastieto’s register report (persons in charge, authorised signatories)

  • Company Rating Alfa, national and international (persons in charge, procurators, shareholders)

  • ESG report (persons in charge)

  • Contractor's liability report (person in charge, authorised signatory)

  • Trade Register extract (person in charge, authorised signatory)

  • Personal reports (depending on the report: contact information, credit information, supervision of interests, eligibility, participation in companies, Population Register information, business connection, information on engaging in business)

  • PEP and sanction lists (contact information, passport number, PEP status, related party information and possible sanctions)

  • Personal data (contact information, credit information)

  • Direct marketing services, other target groups (name, address, phone number)

  • Vahti (name, address, phone number, email)

  • Business information reports from the open information service (name, email)

  • Visitor data (masked cookie data)

Decision-making systems (no automated decision-making or profiling)

  • Optimi, 3D Decisioning Service (depending on the model: persons in charge, Population Register data, customer’s data, company participation in companies of person in charge, credit information, employment, personal credits and its management)

  • Scoring (depending on the model: credit information, business connections information)

  • Credit information rating (credit information)

  • A person's Risk Prognosis (rating information, person’s participation in companies)

  • A person's risk meter (rating information, age, person’s participation in companies)

  • Personal Rating Delta (rating information, population register information, person’s participation in companies)

  • Person Rating Alfa (rating information, population register information, person’s participation in companies)

Other

  • Connection Map

  • Omatieto service

  • Salesoptimizer, Companifilter Pro (name, address, phone number, email, position in a company)

  • Purchase service (name)

What data is collected and transferred in the systems?

What personal data do Asiakastieto’s systems contain?

Asiakastieto’s internal systems have personal data as required by law and/or according to necessity. The data contents are a person’s contact information (CRM, subscription forms, billing, working hours monitoring) and more detailed information about employment and salaries (identity number, payroll, education and other HR information). In addition, internal user information (employee’s name, username, access rights) is in the access rights register (Ahti personal data, Asta company data, IT production services).

The Data Warehouse system contains sales contact person information, history/statistics data from company data registers and personal data registers.

Log and archive data, as well as enquiry data of services and systems have been described separately. These systems have limited user rights.

Using Cookies

Cookies


Suomen Asiakastieto uses cookies on their websites to enable the use of certain functions and to collect data about visits to their website.

  • What are cookies?
    A cookie is a small data file that is stored on the user's computer. There are two types of cookies. The first type is the so-called persistent cookie that saves the data on the user’s computer until this particular file is deleted. The second type is the non-persistent cookie which disappears when the user closes the browser.
     
  • What are cookies used for?
    Non-persistent cookies that are valid for one session are sent between the user’s computer and Asiakastieto’s server in order to get data about the users, such as which account they use. In addition, external cookies are used to collect data about user behaviour on the site, such as which parts of the site are visited most by the user. The objective is to analyse the usage of the site and improve user experience.
     
  • How can a user disable cookies?
    The user can decide whether he or she wants to enable or disable cookies. The user can avoid receiving cookies by modifying browser settings. However, this can lead to the service not functioning correctly. How cookies are disabled depends on the browser in use. The instructions can be found in the “Help” tab of the browser menu or other equivalent menu.