Privacy statement of the customer and stakeholder register

Updated: 13 October 2022

This statement describes how we process the personal data of our customers, suppliers and other stakeholders’ contact persons as well as the visitors to our website.

1 Controller

Z-Forest Oy (3177669-6)

Address: Suonsaarentie 8 A, 50170 MIKKELI, FINLAND

(hereinafter referred to as “we”)

2 Contact details in matters regarding the register

Address: Suonsaarentie 8 A, 50170 MIKKELI, FINLAND

Email: tietosuoja@zertiforest.com

All contacts and requests regarding this statement must be submitted in writing or in person to the contact point indicated hereinabove.

3 Personal data to be processed, purpose and legal basis of the processing

TYPES OF PERSONAL DATAPURPOSE OF THE PROCESSINGLEGAL BASIS
The data subject’s basic details, such as name, date of birth, customer number and language of communication as well as property register information

The data subject’s contact details, such as email address, telephone number and postal address information

Information about the company and the company’s contact persons, such as contact persons’ names, titles and contact details
Provision, organisation and development of our services

Fulfilment of our contractual and other promises and obligations

Electronic direct marketing (including electronic surveys)

Management of our customer relationship
Legitimate interest

Execution of contract

Consent (individuals) or legitimate interest (companies).

Legitimate interest
Direct marketing consents and prohibitionsElectronic direct marketing (including electronic surveys)Consent (individuals) or legitimate interest (companies).
Information related to the customer relationship and contracts, such as information on past and current contracts and mandates, information related to communication as well as invoicing informationFulfilment of our contractual and other promises

Customer relationship management and maintenance
Execution of contract

Legitimate interest
Information regarding the technical connection and the terminal device you use, such as IP address, device ID or other identifying information and cookiesAnalysis of behaviour, profilingConsent

4 Data sources

We receive information primarily from the following sources: the person themselves, the population register, authorities, credit reference agencies, contact information service providers and other similar trusted parties.

In addition, personal data may be collected and updated for the purposes described in this privacy statement also based on the information obtained from publicly available sources or other third parties within the limits of the applicable legislation. Such updating of data is carried out manually or by automatic means.

5 Who we disclose data to and whether we transfer data outside the EU or EEA

We may disclose personal data within the limits allowed and required by the current legislation to our associated companies participating in the provision of services and to legal and financial or other similar consultants who act as independent controllers with regard to the data.

We use subcontractors acting on our behalf in the processing of personal data, with personal data stored on the servers managed and protected by such subcontractors. We use subcontractors in the following areas of our operations: marketing and communications, financial administration and IT management.

We cannot name each of our subcontractors due to projects that are in the development phase and, therefore, we have opted to only name the types of subcontractors. When we use subcontractors, we have ensured through contractual arrangements, among other things, that the subcontractor processes personal data only in accordance with our written instructions and only for the purposes of processing as specified in this statement.

We process data primarily in the EU/EEA area. However, the IT management systems necessary to implement our services enable the transfer of data outside the EU/EEA area, such as to the United States. When personal data is processed outside the EU or EEA, we make sure that the subcontractor is committed to safeguards in accordance with the General Data Protection Regulation, such as the EU Commission’s model clauses regarding the processing of personal data.

6 Protection of data

Only those persons who have the right to process customer data in their duties are entitled to use systems and databases containing personal data. Each user has their own username and password for the system. Data is collected in databases that are protected by firewalls, passwords and other technical means. The databases and their backups are located in locked rooms and only certain predesignated persons can access the data.

7 Storage period

We store the personal data of customers and other stakeholders for the duration of the customership or contract as well as the necessary period for filing claims and suits thereafter. We store the data of potential customers for 5 years.

We regularly assess the necessity of data retention, taking into account the applicable legislation. In addition, we take reasonable steps to ensure that no personal data that is incompatible, outdated or inaccurate with regard to the purposes of the processing is stored in the register. We rectify or delete such data without delay.

8 Your rights as a data subject

You have the right to review the data concerning you in the person register and to demand the rectification or erasure of inaccurate, outdated, unnecessary or unlawful data. If you yourself have access to your data, you can edit your data yourself. Insofar as the processing is based on consent, you also have the right to withdraw or amend your consent at any time. Withdrawal of consent does not affect the lawfulness of the processing that took place prior to the withdrawal of consent.

You have the right to object to or request the restriction of the processing of your data and to lodge a complaint about the processing of personal data with the supervisory authority.

For particular personal reasons, you also have the right to object to processing operations targeting you when the basis for the processing of data is a legitimate interest. In connection with your claim, you must specify the particular situation based on which you object to the processing. We can refuse to implement a request for objection only on the grounds provided by law.

To the extent that you yourself have provided data to the customer register, which is processed automatically based on your consent or mandate, you have the right to receive such data for yourself, generally in a machine-readable format, and the right to transmit this data to another controller.