Home Data protection Privacy notice for customers

Privacy notice for customers

The customers of the Careeria Group referred to in this Privacy Notice include:

  • The customers of services offered in the fields of education (e.g. customers of massage and podiatry services or vehicle maintenance services)
  • Customers/students in brief training courses (e.g. first aid training)
  • Other Careeria customers who have subscribed to Careeria’s newsletter or given their contact details to Careeria at an event, fair or social media in a form or in connection with a draw/competition, for example.
  • Corporate customers (companies and their contact persons)
  • Persons filling in a competence survey (employees in customer/partner companies)

Controller

Careeria Oy, Perämiehentie 6, 06100 Porvoo, Finland

  • Controller’s Contact Person: Rector, CEO Pasi Kankare
  • Data Protection Officer: Joonatan Saarinko, tietosuoja@careeria.fi

For any issues related to data protection, you may contact tietosuoja@careeria.fi. Reviewing personal data or the rectification of errors also always requires the appropriate identification of the data subject.

Why are we processing personal data and what is the legal basis of processing?

All customer groups

  • Protecting the property of Careeria (camera surveillance in the monitored area)
  • Preventing crimes and supporting the investigation of offences (camera surveillance in the monitored area)
  • Ensuring and improving the safety of individuals (camera surveillance in the monitored area)
  • Demonstrating compliance with the rights of data subjects under the provisions laid down in the EU’s General Data Protection Regulation (only when the customer submits a data request)
  • Ensuring high-quality customer service, for example, assisting a visitor at Careeria’s website (only with the customer’s consent as they provide their contact details via the chat feature)
  • Developing marketing and image based on recommendations (only with the customer’s consent)

The legal basis of our right to process personal data as a controller:

  • Compliance with a legal obligation to implement the rights of data subjects (Article 6.1 c of the General Data Protection Regulation)
  • Consent when the data subject provides their contact details using the chat feature or gives recommendations (Article 6.1 a of the General Data Protection Regulation)
  • For camera surveillance, the legal basis is the legitimate interests pursued by the controller (Article 6.1 f of the General Data Protection Regulation)
    • The legitimate interests include the protection of property, investigation of misconduct and exceptional circumstances and aiding of criminal investigation

Customers of services offered in fields of education

We process personal data for the following purposes:

  • Implementing safe and high-quality customer services
  • Managing scheduled appointments
  • Preparing quotations and contracts
  • Drawing up statutory inspection records on electrical installations (only for electrical installations)
  • Invoicing services and work (only specific services)

The legal basis of our right to process the personal data of the customers of services offered in fields of education as the controller:

  • Compliance with a legal obligation (Article 6.1 c of the General Data Protection Regulation)
  • Performance of a contract (Article 6.1 b of the General Data Protection Regulation)
  • The data subject’s consent in specific situations (Article 6.1 c of the General Data Protection Regulation)
  • Consent, if necessary for health data (Article 9.2 a of the General Data Protection Regulation)

Students/customers completing brief training courses

We process personal data for the following purposes:

  • Managing and implementing brief training courses

The legal basis of our right to process the personal data of students completing brief training courses as a controller:

  • Compliance with a legal obligation (Article 6.1 c of the General Data Protection Regulation)
  • Performance of a contract (Article 6.1 b of the General Data Protection Regulation)
  • The data subject’s consent in specific situations (Article 6.1 c of the General Data Protection Regulation)

Other Careeria customers (e.g. newsletter subscribers or people who have given their contact details to Careeria at an event, fair or on social media)

We process personal data for the following purposes:

  • Implementing customer services and communications
  • Carrying out direct marketing and market surveys
  • Targeting communications and marketing
  • Developing services and products related to our business
  • Carrying out a draw or a competition

The legal basis of our right to process customers’ personal data as a controller:

  • The data subject’s consent (Article 6.1 a of the General Data Protection Regulation)

Corporate customers and their contact persons

We process personal data for the following purposes

  • Direct marketing for companies and their contact persons (marketing our services and products and finding partners)
  • Organising events and inviting companies’ contact persons to events

The legal basis of our right to process company representatives’ personal data as a controller:

  • The legitimate interests pursued by the controller (Article 6.1 f of the General Data Protection Regulation)
    • The legitimate interest of direct marketing for companies and their contact persons
  • The data subject’s consent in specific situations (such as registration to an event; Article 6.1 c of the General Data Protection Regulation)

Persons filling in a competence survey (the company’s employees)

We process personal data for the following purposes:

  • Surveying competence needs to offer companies training that meets their needs

The legal basis of our right to process the personal data of persons filling in competence surveys:

  • The data subject’s consent (Article 6.1 a of the General Data Protection Regulation)

The following legislation on the processing of personal data in general:

  • General Data Protection Regulation (EU 679/2016)
  • Data Protection Act (1050/2018)

Which personal data do we process?

All customers

  • Footage from surveillance area cameras.
  • If a customer submits a data request based on the rights of the data subject, their personal identity code will also be processed alongside contact details to verify the person’s identity.
  • Contact details (only based on consent if the customer wishes to submit their contact details on the chat feature on our website)
  • Customer’s consent (only with consent)

Customers of services offered in fields of education

  • Name
  • Address (only where necessary, not for all services)
  • Email address
  • Telephone number
  • Date of birth, long-term illnesses, allergies and medication and information about previous appointments and the customer’s special wishes (only customers of massage and podiatry services and cosmetology services if necessary)
  • Invoicing details and personal identity code (only when the customer is invoiced)
  • Vehicle register data (only vehicle maintenance services)
  • Vehicle owner’s and holder’s information (only vehicle maintenance services)
  • The brand and model of the vehicle (only vehicle maintenance services)

Students/customers completing brief training courses (e.g. first aid training)

  • Name
  • Personal identity code
  • Address
  • Email address
  • Telephone number
  • Training course completed
  • Other possible details given by the customer/student

Other Careeria customers (e.g. newsletter subscribers, participants at Careeria’s events or people who have given their contact details to Careeria at an event, fair or on social media)

  • Name
  • Email address and telephone number
  • Position or task at an organisation
  • Direct marketing bans
  • Information on interests and possible additional information provided by the data subject
  • Information on special diets for events (only with consent)

Companies targeted by direct marketing and their contact persons

  • Name
  • Email address
  • Company/organisation
  • Telephone number (only if necessary and based on consent, e.g. in connection with registration to events)

Persons filling in a competence survey (the company’s employees)

  • Name
  • Office
  • Language proficiency
  • Education background
  • Description of work tasks
  • Other information related to professional competence

How long will we store personal data?

  • Footage from camera surveillance will not be stored for more than 30 days after its capture unless there is a special reason for longer storage, such as an ongoing investigation of a suspected offence.
  • The data of customers of massage and podiatry services are stored for five years.
  • The data of customers of vehicle maintenance services are stored for ten years.
  • Information on data requests concerning the rights of data subjects is stored for two years.
  • The data in the recommendations given based on consent will be stored for as long as the recommendation is deemed valid for Careeria.

Where do we obtain personal data?

  • Directly from customers
  • From Traficom (only vehicle maintenance services, with the customer’s consent)
  • Public sources (only potential corporate customers and the contact details of their representatives)

Where is the personal data disclosed and transferred?

  • The data in the camera surveillance data file may only be disclosed to the police or other competent authority requesting the individualised data for a purpose laid down in valid legislation.
  • For brief training courses, the data are disclosed to the authorities (National Supervisory Authority for Welfare and Health and parties granting various certificates, including the Centre for Occupational Safety, Finnish Red Cross and Finnish National Rescue Association SPEK).

Transfer of data outside the EU or EEA

As a rule, the data shall not be transferred outside the European Union or European Economic Area. Certain companies processing the personal data for Careeria, such as companies producing Careeria’s IT services, transfer data outside the European Economic Area. Any transfer of personal data outside the European Economic Area will comply with the requirements set in the GDPR, for example using the standard data protection clauses adopted by the Commission.

How do we protect personal data?

In processing the data contained in the data file, we make sure that the privacy of our stakeholders will not be compromised without adequate justification. The processing of personal data shall comply with data protection legislation as well as Careeria’s instructions on information security and data protection. Personal data may be accessed only by those who need it for the performance of their tasks.

Manual data

  • Paper documents shall be stored in a locked cabinet that may only be accessed by those who need to process the data as a part of their work tasks. The data are stored as required by public organisations.
  • Any documents containing personal data shall be destroyed using an appropriate data-secure container.

Electronically processed data

  • The data may only be used by those employees of the controller who need to process the data as a part of their work tasks. The persons processing the data are bound by secrecy and non-disclosure obligations. The secrecy and non-disclosure obligations continue also after the termination of the person’s employment relationship.
  • Data file users are identified based on their ID and password and the information system is protected with the necessary solutions related to network and device technology.
  • The device used for storing camera surveillance footage is located in a locked space.

The rights of the data subject

A data request concerning the rights of the data subject may be submitted using the electronic form on the Careeria website. To submit the request, the person must identify themselves. Under exceptional circumstances, in which the electronic form is inaccessible for some reason, the request may be made with some other medium. In such situations, you may contact tietosuoja@careeria.fi.

Right of access

Data subjects have the right to know which of their personal data has been stored in the data file. Data subjects also have the right to know if the data file does not contain their personal data.

Rectification

Any personal data contained by the data file that is erroneous, unnecessary, inadequate or expired from the perspective of the purpose of processing must be rectified, deleted or supplemented. The data shall be rectified without delay. The person providing the erroneous data or for whom the data were disclosed will be informed about the rectification. If a request for rectification is rejected, the Data File Manager shall submit a written certificate stating the reasons for rejecting the request. The party concerned may submit the rejection to the Data Protection Ombudsman for decision.

The right to erasure, restriction of processing and the right to object to the processing of personal data and automated individual decision-making

The right of the data subject to erasure of personal data under Article 17 of the GDPR does not apply to personal data based on tasks laid down in legislation.

The data subject has the right to the erasure of personal data based on consent. In the connection of newsletters and marketing messages, the data subject may withdraw their consent for the processing of personal data.

Companies targeted by direct marketing and their contact persons have the right to object to the processing of personal data. The company’s representative may object to the processing of personal data in connection with a marketing message they have received.

In certain situations, the data subject has the right to obtain from the controller restriction of processing. The right is valid when the accuracy of the personal data is contested by the data subject, for instance. The data may continue to be stored but may not be processed without the consent of the data subject.

Data subjects also have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them. However, this prohibition shall not apply if the processing is based on the data subject’s explicit consent or if it is necessary for entering into or performing a contract between the data subject and the data controller. The personal data shall not be used for automated decision-making or profiling.

The Data Protection Officer is the contact person for inquiries related to the rights of the data subject.

The data subject has the right to lodge a complaint with the data protection authority (Data Protection Ombudsman).

Inquiries:

Data Protection Officer: Joonatan Saarinko, tietosuoja@careeria.fi