We have gathered a comprehensive package of information on this data security site where the life cycle, security, content, processing and validity of personal data, as well as the data subject’s rights to manage their own personal data are outlined.
The My rights page lists the rights that are defined in the regulation and explains how the data subject can exercise these rights.
The Secure data page describes data protection, secure data transfer and technical verifications for databases. This section also describes how access to the data has been limited and how staff are trained to ensure data privacy.
Data collection and processing - an overview of the purposes of personal data processing and its compliance with the regulation in different data groups, data sources and data processors.
The Get to know the data section depicts the life cycle of personal data from the collection of data to the erasure. In addition, it describes the content and validity of the databases in which personal data is stored.
A data subject has the right to get confirmation from the data controller that data concerning him or her is being processed, or not being processed, and if it is processed the data subject has the right to access the personal data, as well as the data according to the data protection regulation / Credit Information Act:
the purpose and lawfulness of the processing, as described in Data collection and processing
content descriptions, recipients and storing times of personal data groups have been defined in Get to know the data
The data subject’s rights are comprehensively defined in My rights
When exercising the right of access according to the Credit Information Act/General Data Protection Regulation, the data subject must prove their identity either by visiting in person or by attaching a copy/scanned document of an official ID to a written/email request. The person will then be handed the data specified in 30 § of the Credit Information Act (credit information) and, after possible additional information (such as employer information) has been provided, data from other registers. Data from separate registers must be requested separately.
Registers with identity data (social security number)
- Personal credit information, company persons in charge, company owners
- Employee information
Fill out and print the form
Registers that require additional information, such as employer information
- Personal data of user management (personal data of liaisons for company contract customers, omatieto customer data, open company data, registered users’ personal data)
- Decision maker data
- Consumer information for marketing purposes
- Asiakastieto’s own marketing register
Fill out and print the form
Registers that have been imported to Asiakastieto’s GDPR portal
- personal data of CRM contacts
Portal email address / phone number is used for identification and a one-time code is delivered for viewing, updating and deleting data.
Link to the portal
One can purchase a document of their own personal credit information over the internet (Credit Information Act 10§). In this case a person is identified through Finnish banks’ Tupas verification service.
A data subject has the right to object to the processing of their personal data based on a specific personal situation (Article 21) when processing is based on performing a task related to public interest or legitimate interest. In Asiakastieto this can concern the processing of personal credit information or personal data of company persons in charge. Because the processing of this data is governed by law (Credit Information Act and Personal Data Act) there cannot be a situation, in normal circumstances, that would prevent the processing of data.
If data is processed for direct marketing purposes, the data subject has the right to object to the processing of their personal data for marketing purposes, including profiling when it is related to direct marketing.
The data subject has the right to demand that the data controller rectifies imprecise and incorrect personal data without unnecessary delays. Taking into consideration the purposes that data was processed for, the data subject has the right to fill in incomplete personal data by providing additional material, for example.
The use of Asiakastieto’s personal credit information is specified in the Credit Information Act. A person has the right to get a ref-note that validates making a payment as an attachment to defaults in the credit report.
The data subject has the right to demand that data controller rectifies imprecise and faulty personal data without unnecessary delays.
The data subject has the right to demand that the data controller restricts the processing of personal data in the case of one of the four criteria listed in the regulation, such as the data subject denying the correctness of personal data.
If the processing has been restricted, this personal data, storing of it not included, can only be processed with the consent of the data subject or to draft, present or advocate a legal claim, or to protect the rights of another natural or legal person.
In regard to Asiakastieto’s personal credit information, the data subject does not have the right specified in the regulation to have the data controller restrict the processing of data due to the processing being necessary to protect the rights of another natural or legal person or important for reasons concerning the public interest of the union or its member states (General Data Protection Regulation Article 18, section 2).
As stated in Article 18, section 2, data can be processed for reasons based on public interest despite the restriction obligation. Personal credit information operations are based on public interest and national regulations specified in Article 6, section 1e of General Data Protection Regulation (Credit Information Act).
Exercising the right would mean preventing the use of data in a way that would jeopardise the register’s usage, even in the case of a very short restriction to processing. Data will only be removed if it is perceived as the correct course of action after an appeal has been received (Credit Information Act).
The data subject has the right to obtain from the controller the erasure of personal data concerning him or her without unnecessary delay and the controller has the obligation to erase personal data without unnecessary delay, provided that one of the regulation’s six grounds applies. The right to erasure is not implemented if processing is necessary for completing a task related to public interest.
In regard to Asiakastieto’s personal credit information, a data subject does not have the right specified in the regulation to demand the erasure of data from the personal credit information register (“the right to be forgotten”).
The data subject does not have the right specified in the General Data Protection Regulation to obtain from the controller the erasure of personal data concerning him or her because the processing is carried out for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the performance of a task carried out in the public interest (General Data Protection Regulation Article 17, section 3b). Based on the regulation, the right to erasure is therefore revoked when processing data under these circumstances.
The data will be erased following the storing times specified in the Credit Information Act.
When personal data is rectified, erased or the processing of the data is restricted in any way, the data controller must notify every recipient who has accepted the data, unless this proves to be impossible or excessively difficult. The data controller must provide the data subject information on these recipients if the data subject asks for it.
Asiakastieto does not have an obligation to keep a log file on the transfers of all personal data (data transfers of persons in charge, data transfers of decision makers). It is thus impossible to notify about the rectifications, erasure and restrictions to the processing of the aforementioned data.
The Data Information Act has a specific provision which states that the data controller must notify the recipient of incorrect personal data about a rectification if the data subject requests this.
When a personal data breach is likely to result in a risk to the rights and freedoms of natural persons, the data controller must make a notification of the breach:
- to the data subject without unnecessary delay
- to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.
The data processor shall notify the controller without undue delay after becoming aware of a personal data breach.
The notification shall at least:
- describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained
- describe the likely consequences of the personal data breach
- describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.
That documentation shall enable the supervisory authority to verify compliance with this Article.
The data subject has the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller.
The data subject has this right when the processing is based on consent or a contract and the processing is carried out automatically.
Therefore, this right does not concern personal credit information, company data about persons in charge or decision maker data because the processing of this data is not based on consent or a contract but instead on other processing grounds.
In Asiakastieto this type of personal data is the data gathered from the customers of Omatieto and the open corporation service and the purchase records concerning the services.
Every data subject has the right to appeal to a supervisory authority (Data Protection Ombudsman in Finland) if he or she considers that the regulation is infringed in the processing of his or her personal data.
In addition, the data subject has the right to take effective legal action if he or she considers that the regulation has been infringed because the processing of his or her personal data has not followed the obligations in the regulation.
If the data subject suffers material or immaterial damage due to infringement of the General Data Protection Regulation, he or she is entitled to receive compensation for the damage from the data processor.