2. Person in charge of register
3. Data Protection Officer
4. Purpose of the Register
Personal data is processed for purposes related to managing, administering, and developing customer relationships, providing and delivering services, and billing. Personal data is also processed for the purpose of handling potential complaints and other claims.
In addition, personal data is used in customer communications such as information and news updates, as well as marketing, including direct marketing and electronic direct marketing purposes. Customers have the right to refuse direct marketing targeted at them.
5. Basis for Collecting and Processing Data
Under the EU General Data Protection Regulation (GDPR), the legal bases for processing personal data are as follows:
- the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Article 6 (1.a))
- processing is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6 (1.b))
- processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party (GDPR Article 6 (1.f)).
The legitimate interest of the data controller is based on the relevant and appropriate relationship between the data subject and the data controller, arising from the data subject’s status as a customer of the data controller. Processing takes place for purposes that the data subject could reasonably expect at the time of data collection in connection with the relevant relationship.
6. Content of the Register
The register contains the following personal data for all registered individuals:
- personal and contact information: first name, last name, address, phone number, email address
- information related to the person’s business or other organization and the person’s position or title in the organization
- permissions and restrictions related to direct marketing.
7. Data Retention Period
Data collected in the register is retained only as long and to the extent necessary for the original or compatible purposes for which the personal data was collected.
The need to retain personal data is assessed every five years, and in any case, the data concerning the data subject will be removed from the register five years after the end of the data subject’s customer relationship with the data controller, and when the obligations and actions related to the customer relationship have been completed. For example, accounting records are retained for five years from the end of the financial year.
The data controller regularly assesses the necessity of data retention in accordance with its internal guidelines. Additionally, the data controller takes all reasonable measures to promptly correct or erase inaccurate, erroneous, or outdated personal data in relation to the purposes of processing.
8. Regular Data Sources
Personal data is collected directly from the data subject.
Within the limits of applicable legislation, personal data is also collected and updated from publicly available sources related to the implementation of the customer relationship between the data controller and the data subject. Information is also collected through the Google Analytics tool.
9. Regular Disclosures of Data and Transfer of Data Outside the EU or the European Economic Area
Data is not regularly disclosed outside the company. Some external service or software providers used by the company may store data outside the EU or the European Economic Area.
If a user visiting our website does not want us to collect the above-mentioned information through cookies, most browsers allow cookies to be disabled. This is usually done through the browser settings.
However, it should be noted that cookies may be necessary for the proper functioning of some of the pages we maintain and the services we provide.
11. Principles of Register Protection
Materials containing personal data are stored in locked premises accessible only to designated individuals whose tasks require access.
The database containing personal data is stored on a server located in a locked space accessible only to designated individuals whose tasks require access. The server is protected by an appropriate firewall and technical security measures.
Access to databases and systems is granted only through individually assigned personal usernames and passwords. The data controller has restricted access rights to information systems and other storage platforms so that only individuals necessary for the lawful processing of the data can access and handle the data. Additionally, usage events of databases and systems are logged in the data controller’s IT system logs.
The data controller’s employees and other personnel are committed to keeping confidential the information obtained in connection with the processing of personal data.
12. Automated Decision-Making
Automated individual decision-making (Article 22 of the EU General Data Protection Regulation) is not performed.
13. Rights of the Data Subject
The data subject has the following rights in accordance with the EU General Data Protection Regulation:
- the right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and if so, the right to access personal data and certain information (GDPR Article 15). The aforementioned basic information (i)-(vii) is provided to the data subject on this form;
- the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7);
- the right to obtain without undue delay the rectification of inaccurate personal data concerning them and to have incomplete personal data completed, including by means of providing a supplementary statement (GDPR Article 16);
- the right to erasure of personal data concerning them without undue delay where one of the grounds specified in the regulation applies, such as when the data is no longer necessary for the purposes for which it was collected or otherwise processed (GDPR Article 17);
- the right to restriction of processing where one of the specified circumstances applies, such as when the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the data (GDPR Article 18);
- the right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format and the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where processing is based on consent and is carried out by automated means (GDPR Article 20);
- the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the EU General Data Protection Regulation (GDPR Article 77).
Requests for the exercise of the data subject’s rights should be addressed to the contact person specified in section 1.