DATA PROTECTION DESCRIPTION FOR CAR PAINT.EU'S CUSTOMER REGISTER
The registry responsible for the registry is Automaalit.net Sweden AB,
(Organization number 559100-9922)
The contact person for registry matters is: Markku Korkiakoski CEO
The name of the register is billackering.eu customer register.
Personal data is processed for purposes in connection with managing, administering and developing the customer relationship, providing and delivering services and in connection with the development and invoicing of services. Personal data is also processed for the purposes required to investigate possible complaints and other demands. In addition, personal data is processed in communications addressed to the customer, such as for information and news message purposes, as well as in marketing, where personal data is also processed for direct mail and electronic direct mail. The customer has the right to prohibit direct marketing directed at him or her. The data controller processes the data itself and uses subcontractors who act on behalf of the data controller for the processing of personal data.
The legal grounds for the processing of personal data are the following grounds in accordance with the EU's General Data Protection Regulation (hereinafter also "GDPR"):
The data subject has given his consent to his personal data being processed for one or more specific purposes (GDPR 6 art. 1.a);
The processing is necessary to fulfill an agreement to which the data subject is a party or to take measures at the request of the data subject before entering into such an agreement (GDPR 6 art. 1.b);
The processing is necessary for the legitimate interests of the controller or a third party (GDPR 6 art. 1.f).
The above-mentioned data controller's legitimate interest is based on a significant and relevant relationship between the data subject and the data controller, and which is a consequence of the data subject being a customer of the data controller, and when the processing takes place for purposes that the data subject could reasonably have expected at the time when the personal data was collected and in connection with the relevant relationship.
As a starting point, the register contains the following personal data about all registered persons:
Personal data is collected from the registered person himself.
The personal data is collected and updated within the framework of applicable legislation also from publicly available sources that are related to realizing the customer relationship between the data controller and the registered person, and with the help of which the data controller realizes its obligations in connection with maintaining customer relations.
Data collected for the register is stored only for as long and to the extent necessary in relation to the original or corresponding purposes for which the personal data has been collected.
The need to store the personal data is assessed [description here of the intervals at which the need to store the data shall be assessed, for example at five-year intervals or similar]; and in any case, the data of a registered person is deleted 6 years after the registered person's customer relationship with the data controller has ended, as well as obligations and measures in connection with the customer relationship have been completed. For example, accounting records are stored for five years after the end of the accounting period.
The data controller regularly assesses the need to retain the data according to its internal practice. In addition, the data controller takes all possible reasonable steps to ensure that any personal data that is imprecise, incorrect or outdated in relation to the purpose of the processing is deleted or corrected without delay.
Personal data is not transferred to external parties.
Personal data in the register is not transferred to outside the EU or EEA
[Materials containing personal data are stored in locked areas to which only named persons who need this for their tasks have access.
The database containing personal data is stored in locked areas to which only designated persons who need this for their data have access. The server is protected with an appropriate firewall and technical protection.
Access to databases and systems requires personal usernames and passwords, which are granted separately. The data controller has delimited the user rights and authorizations to information systems and other storage platforms so that only persons who are necessary for the lawful processing of the data can see and process them. In addition, the user events of the databases and systems are noted in the log data in the controller's IT system.
The data controller's staff and other persons have undertaken to observe the duty of confidentiality and to keep secret the information they receive in connection with the processing of the personal data.
A data subject has the following rights according to the EU General Data Protection Regulation:
The data subject shall have the right to receive confirmation from the data controller as to whether personal data concerning him or her are being processed and, if so, to have access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data to which the processing relates; (iii) the recipients or categories of recipients to whom the personal data has been disclosed or is to be disclosed; (iv) if possible, the anticipated period during which the personal data will be stored or, if this is not possible, the criteria used to determine this period; (v) the existence of the right to request from the data controller the correction or deletion of the personal data or restrictions on the processing of personal data concerning the data subject or to object to such processing; (vi) the right to file a complaint with a regulatory authority; (vii) if the personal data is not collected from the data subject, all available information about where this data comes from (GDPR Article 15). The above-described basic information (i)–(vii) is provided to the registered person with this form;
i) the right to withdraw consent at any time. The withdrawal of consent shall not affect the legality of processing based on consent, before this is withdrawn (GDPR Article 7);
ii) the right to have inaccurate personal data concerning him or her corrected by the data controller without undue delay. Taking into account the purpose of the processing, the data subject shall have the right to supplement incomplete personal data, including by providing a supplementary statement (GDPR Article 16);
iii) the right to have their personal data deleted by the data controller without undue delay if any of the following applies: (i) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing; (iii) the data subject objects to the processing due to his particular personal situation and there is no legitimate reason for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data has been processed in an illegal manner; or (v) the personal data must be deleted in order to fulfill a legal obligation in Union law or in the national law of the Member States to which the controller is subject (GDPR Article 17);
iv) the right to require the data controller to limit the processing if (i) the data subject disputes the correctness of the personal data, during a time that gives the data controller the opportunity to check whether the personal data is correct; (ii) the processing is unlawful and the data subject objects to the erasure of the personal data and instead requests a limitation of their use; (iii) the data controller no longer needs the personal data for the purposes of the processing but the data subject needs them to be able to establish, assert or defend legal claims; or (iv) the data subject has objected to the processing due to his special personal situation pending verification of whether the controller's legitimate reasons outweigh the data subject's reasons (GDPR Article 18);
v) the right to obtain the personal data concerning him or her which he or she has provided to the data controller in a structured, commonly used and machine-readable format, and the right to transfer this data to another data controller without the data controller providing the personal data hindering this, if the processing is based on consent and the processing is automated (GDPR Article 20);
vi) the right to submit a complaint to a supervisory authority if the data subject considers that the processing of personal data concerning him or her contravenes the EU General Data Protection Regulation (GDPR Article 77).
The request regarding the exercise of the data subject's right is sent to the data controller's contact person stated in point 1.