Revised on 19 March 2019
A-Katsastus Group Oy
Valimotie 9–11, 00380 Helsinki
PO Box 200, FI-00381 Helsinki, Finland
Contact person in matters related to the register
Name of register
Consumer customer register of A-Katsastus Oy, Yksityiset K-Asemat Oy, Ajovarma Oy and A-Katsastuspiste Oy
Purpose of processing personal data and legal grounds for processing
Personal data included in the register can be processed for the following purposes:
- management, development and analysis of customer relationships
- customer communication
- service provision
- verification of customer transactions
- development of customer service and business
- analysis and statistics
Customer data can also be processed in other Finnish companies belonging to the A-Katsastus Group. Registered data can be used, as permitted by legislation, for direct advertising, distance selling or other direct marketing by companies belonging to the A-Katsastus Group, for opinion polls or market surveys, or for other similar addressed deliveries and customer communication, including in electronic channels, in accordance with the consent given by each customer.
Legal grounds for processing personal data include the data controller’s legitimate interests, the provision of services, consent given when ordering services or general consent.
Data content of the register
The register may contain the following data:
- Name of the customer
- Address, postal code and town/city
- Date of birth
- Email address
- Telephone number
- Marketing and contact permissions
- Revision history for customer data
- Customer number
- Personal identity code (for identification purposes only; not saved in the register in plain text)
- Vehicle registration number
- Customer relationship data, such as invoicing and payment data, product and order data, customer feedback and queries, prize draw and competition data, and appointment data
Regular sources of data
Customer data can be obtained from data subjects during the customer relationship through the internet, in customer service situations, by telephone, via email or by other similar means. Updates to the data may also be obtained from officials and companies that provide update services.
Recipients of personal data
In order to provide services in accordance with the purpose of use, partners may also process personal data. Partners carry out technical services related to the register and offer IT systems connected to the use of the register.
Transfer of data outside the EU or EEA
Some of our partners also operate outside the EU or EEA. We require any partners located outside the EU or EEA to sign the EU-US Privacy Shield agreement or another agreement accepted for the processing of personal data in accordance with the GDPR.
Principles of register protection
The customer register can only be used by those employees of the A-Katsastus Group or its service providers who need the data in their work-related tasks. These employees use personal usernames and passwords. Data is collected in databases that are protected by firewalls, passwords and other technological means. Databases and their backup copies are located in locked facilities, and they are under the management of the IT service provider in accordance with information security principles.
Retention period for personal data
We will retain your personal data in our services until five years have elapsed from the most recent identifiable service event or for the statutory period, if it is longer.
Rights of data subjects
Customers have the following rights:
- Right to withdraw consent given to the processing of personal data
- Right to access their personal data
- Right to have their personal data rectified
- Right to have their personal data erased if legal grounds for processing no longer apply
- Right to object to the processing of their personal data if the processing of personal data is based on the data controller’s legitimate interests. In addition, customers can object to the processing of personal data for direct marketing purposes at any time.
- Right to have the processing of their personal data restricted if the data subject contests the accuracy of their personal data or considers the processing of their personal data to be illegal, or if an action related to objecting to the processing of personal data is pending
Data subjects can also lodge a complaint with the supervisory authority if they consider that the processing of their personal data is in breach of the applicable data protection regulations.
Exercising the rights of data subjects
It may not be possible to erase all personal data due to statutory obligations.