Privacy policy

PRIVACY STATEMENT OF THE CUSTOMER, MARKETING AND STAKEHOLDER REGISTER

1. Data controller

Bitwise Oy (Business ID 1844153-3)
Address: Viinikankatu 1C, 33100 Tampere

2. Name of the register

Customer, marketing and stakeholder register

3. Person responsible for register matters

Name: Sales Manager Miska Kuusisto
Email Address: miska.kuusisto<at>bitwise.fi
Phone number: +358-50-4803658

4. Purposes and legal bases for processing personal data

The controller processes personal data in compliance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and the Data Protection Act (1050/2018).

The purposes of processing personal data are:

  • customer relationship and customer service management
  • fulfilling the rights and obligations of the customer or other stakeholder and the controller
  • processing of personal data of stakeholders (suppliers, subcontractors, other partners) for the purpose of managing the cooperation relationship
  • processing of website visitors’ data to ensure and develop the functionality of the website
  • processing of personal data for purposes related to the controller’s products and services, such as developing, providing, implementing and marketing products and services

Depending on the purpose of the processing of personal data, the legal bases for the processing of personal data are the controller’s legal obligations, contract, consent and the controller’s legitimate interest.

The legitimate interest of the controller is the basis for processing when there is a material connection between the data subject and the controller. Such a material connection is established, for example, when the data subject contacts the controller on his or her own initiative or when the controller processes the data subject’s personal data, for example, in connection with business or cooperation activities between the data subject’s employer and the controller.

In addition, the controller may, on the basis of legitimate interest, enter in the customer register the data of potential customers and their contact persons and representatives who the controller can justifiably expect to be interested in acquiring the services or products offered by the controller.

The controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. Withdrawal of consent is possible easily and at any time. In addition, in compliance with applicable data protection legislation, electronic direct marketing may also be sent to recipients for whom the controller can justifiably consider that the products or services marketed have an essential connection to the potential customer’s area of responsibility or work tasks.

Consent to direct marketing can be withdrawn by notifying the controller or by clicking on the opt-out option in connection with each marketing message (“Unsubscribe” function), in which case the data subject’s data will be removed from the controller’s electronic direct marketing subscriber list.

5. Categories of personal data processed

The register contains information on the following persons:

  • The controller’s customers, customer representatives and contact persons
  • Representatives and contact persons of the controller’s subcontractors and suppliers
  • Potential customers, subcontractors and suppliers as well as their representatives and contact persons
  • Other stakeholders

The following data is processed about the data subject that is necessary for each of the above-mentioned purposes, such as:

  • Name
  • E-mail address
  • Telephone number
  • Company name, business ID, contact person and position
  • Order information, contract and quotation information, invoice and payment information
  • Customer feedback and contact information
  • Information based on customer and cooperation relationship, such as contact history, feedback and follow-up information
  • Usage data of the controller’s website (e.g. IP address, browser software)
  • Any additional information provided by the data subject

    6. Regular sources of information in the register

    Personal data has been obtained from the following data sources:

    • Directly from the data subject himself or herself to manage the customer relationship
    • Directly from the data subject himself or herself in connection with another cooperation relationship
    • From publicly available sources (such as internet, social media and trade register)
    • From a representative of the data subject’s employer or other party in a customer, business, cooperation or contractual relationship with the controller
    • From the controller’s website (contact forms, customer service window, material downloads, campaign websites, usage tracking, cookies)
    • Registration for the controller’s events
    • Information on companies is checked from Suomen Asiakastieto Oy or similar registers in connection with business operations, which reports may also contain information on company representatives

    7. Processors and recipients of personal data

    In connection with the technical implementation of its services, the controller uses reliable service providers that process personal data on behalf of the controller on the basis of a data processing agreement between the controller and each service provider required by applicable data protection legislation. Service providers process personal data under the controller’s responsibility in accordance with the data processing agreement and the controller’s documented instructions.
    If separately agreed with the data subject on a case-by-case basis, the controller may also disclose personal data to another controller or a third party.
    In addition, if the requirements of data protection legislation are met, the contact information of the data subject may be disclosed to the controller’s partners in individual cases, for example, when the controller arranges a joint customer event or training with a partner. The partner in question is responsible for the processing of personal data.
    Personal data may be transferred outside the European Union or the European Economic Area in accordance with and within the limits set by data protection legislation. The controller ensures an adequate level of data protection in accordance with the requirements of applicable data protection legislation also in situations where personal data is transferred outside the European Union or the European Economic Area by complying with adequacy decisions issued by the European Commission and, where necessary, by using standard contractual clauses approved by the European Commission for transfers of personal data together with the necessary additional safeguards.

    8. Cookies

    The controller’s website uses cookies to improve the user experience. Some cookies are necessary for the website to function. According to legislation, the controller may store cookies on the data subject’s device if it is necessary for the operation of the website. The use of all other cookies requires the consent of the data subject.

    The data subject can make choices on the website about the purposes for which cookies are collected. In accordance with the data subject’s choices, the controller may use cookies to tailor the website, analyse the number of visitors, for marketing purposes and to support social media features. Some cookies are set by third parties.

    9. Storage period of personal data

    The controller processes and stores personal data only for as long as required by a legal obligation or as is necessary for the predetermined purpose of processing the personal data. Personal data that has become unnecessary and that the controller no longer has a basis or obligation to store or process will be deleted at regular intervals in accordance with the controller’s own data protection policies.

    10. Rights of the data subject

    The data subject has rights under the EU’s General Data Protection Regulation.

    Right Description
    Right of access to personal data The data subject has the right to obtain confirmation from the controller that personal data concerning him or her are or are not being processed. If personal data is processed, the data subject has the right to access the data.
    Right to request rectification, erasure or restriction of processing The data subject has the right to request the controller to rectify inaccurate data concerning him or her, to erase personal data concerning him or her, or to request restriction of processing on grounds laid down by law.
    Right to object The data subject has the right to object to the processing of his or her personal data in relation to his or her particular situation when the controller processes personal data on the basis of a legitimate interest.

    Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling insofar as it is related to such direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, personal data may no longer be processed for this purpose.
    Right to data portability The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a commonly used and machine-readable format and the right to transmit such data to another controller without hindrance from that controller, if the processing is based on consent or a contract and the processing is carried out by automated means. The data subject has the right to have personal data transferred directly from one controller to another, if technically feasible.
    Right to withdraw consent When the data subject’s personal data is processed on the basis of his or her consent, the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent does not affect the lawfulness of the processing of personal data based on consent before its withdrawal.
    Right to lodge a complaint with a supervisory authority In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact information and instructions can be found at www.tietosuoja.fi.

    Exercising your rights

    You can exercise your data subject rights described above by contacting the controller by sending an email to the address indicated at the beginning of this privacy statement. We will strive to respond to you as soon as possible and, if necessary, provide further instructions or ask additional questions in response to your request.

    Please note that before executing your request, we have the right and obligation to verify your identity, which requires us to be able to identify you adequately.

    If your request is manifestly unfounded or excessive, we may either charge a reasonable fee based on administrative costs to carry out the request or refuse to take the requested action.

    11. Processing and profiling of personal data

    The controller does not use automated decision-making, such as automatic profiling, as part of personal data processing activities.

    12. General description of the controller’s appropriate technical and organisational security measures

    Access to the personal data register has only been granted to representatives of the controller who have signed appropriate confidentiality commitments and who have a justified need to process the data content of the personal data register in order to perform their duties.

    The controller has given its employees and service providers binding written instructions and orders concerning the processing of personal data and data protection, which they have undertaken to comply with.

    The information security of information systems has been arranged appropriately, e.g. with encryption and technical restrictions.

    The controller inspects its personal data processing operations and the systems and equipment used in them at regular intervals and, among other things, assesses the risks involved in the processing of personal data, for example, when introducing new technology.

    13. Changes to the Privacy Statement

    If necessary, the controller may make changes to this privacy statement.

    This privacy statement was last updated on 9.10.2023.