Privacy Statement

Jyväskylä Fair Ltd Business Customer register

Personal Data Act (523/1999) 10 and 24§
General Data Protection Regulation (679/2016)
Updated 21.12.2023

1. Controller

Jyväskylä Fair Ltd
PL 127, 40101 Jyväskylä
info@jklmessut.fi
p. 014 334 0000
Business ID: 0626505-0

2. Name of the register

Jyväskylä Fair Ltd Business Customer register

3. Purpose of personal data processing

The purpose of the processing is to communicate with customers, managing the customer relationship, implementing the rights and obligations of the customer and the data controller, as well as electronic direct marketing and profiling of customer data for targeting sales and marketing.

4. Legal basis of personal data processing

The legal basis for processing of personal data are contract, consent and legitimate interest of the controller. When the data subject is a party to the contract, his personal data may be processed to implement the contract.

The legitimate interest of the data controller is the basis for processing when there is a valid connection between the data subject and the data controller. Such a factual connection is formed e.g. when the data subject is in contact with the data controller on his own initiative, or when the data controller processes the personal data in connection with activities between the employer of the data subject and the data controller.

In addition, the data controller may, based on a legitimate interest, record in the business customer register the information of contact persons and representatives of potential business customers whom the data controller can reasonably expect to be interested in acquiring services or products offered by the data controller. Direct marketing can be sent to such potential business customers of the data controller, for which the data controller can reasonably consider that the marketed products or services have an essential connection to the potential business customer’s area of ​​responsibility or work role.

5. Data content of the register

The following information necessary for the aforementioned purposes of use is processed:

• Name
• Email address
• Mobile phone number
• Company and position
• The company’s address and basic information

6. Regular information sources

Personal information has been obtained from the following data sources:

• Directly from the data subject (in connection with making an offer/agreement, from messages sent via www forms, contacts, customer meetings and other situations where the customer discloses their information)
• From public/generally available sources (internet, trade registers)
• From a representative of the registered employer of the data subject (contact persons for business customers)

7. Regular hand-over of personal data

Information from the business customer register can be handed over to subcontractors who are used to provide the service to the customer.

A written data processing agreement has been concluded with partners who process personal data on behalf of the data controller, which ensures that the service providers process personal data under the data controller’s responsibility in accordance with the data controller’s instructions.

8. Transfer of personal data outside the EU or the European Economic Area

Personal data will not be handed over outside the EU or the European Economic Area.

9. Retention period of personal data

The controller processes and stores data only as long as is necessary for the predefined purpose of use of the personal data. Personal data that has become unnecessary and that the controller no longer has grounds to keep or process is deleted at regular intervals in accordance with the controller’s own data protection policies. The registered person has the right to request the deletion of their data at any time.

10. Principles of register protection

Care is taken when processing the register and the information processed with the help of information systems is properly protected.

The data of the register is stored in the system of the controller, which is protected by the security software of the operating system. Only designated employees and the system supplier have access to the register’s data, and the use of the data is protected with a username and password. Employees handling visitor register data are bound by the duty of confidentiality. Information is shared or disclosed to outsiders only due to a statutory reporting obligation, such as the customer’s own request or an authority’s statutory request.

11. The right of data subjects to check data

The data subject has the right to check the personal information stored in the register and to receive copies of it. The inspection request must be made in writing and addressed to the controller.

12. The right to have the data rectified

The controller corrects, deletes or completes personal data in the register that is incorrect, unnecessary, incomplete or outdated in terms of the purpose of the processing, on its own initiative or at the request of the data subject. The data subject must contact the controller in writing to correct the information.

13. The right of data subjects to restrict processing

The data subject has the right to prohibit the controller from processing personal data concerning him. The prohibition must be made in writing and addressed to the controller.