Version: 2023-10-01. 7ac87c7d93a61dc030055ffbb0206590265f675c
1. General
This data protection policy (“Privacy Policy”) applies to all activities of Seravo Oy (“Company”). However, a separate Privacy Policy has been prepared for job applicants and employees of the Company.
This Privacy Policy explains how the Company collects and processes personal data, the purposes for which the data is used, to whom the data is disclosed, how long it is kept and the rights of data subjects in relation to personal data. In addition, this Privacy Policy provides information on the obligations that the Company has with regard to the processing of personal data.
The Company complies with the EU General Data Protection Regulation (2016/679) (“GDPR”) and other applicable data protection legislation when processing personal data.
Personal data means data from which a natural person (“Data Subject”) can be identified, directly or indirectly, as defined in the GDPR. Data referring to a person representing or acting on behalf of the Company, such as the CEO, is also considered personal data. Information about the Company that does not in any way refer to a natural person is not considered personal data.
2. Data Controller
Seravo Oy
Kauppakatu 3 A 4
FI-33200 Tampere
Finland
Website: https://seravo.com
E-mail: dpo@seravo.com
Phone: +358 (0)44 777 0020
Business identifier: FI2392019-2
3. Collection of Personal Data
The Company may collect personal data in multiple ways. The Data Subject may provide the information themselves when they contact the Company, or the information may be collected when the Data Subject uses the Company’s services or customer service channels. Information may also be collected through the Company’s website by the Data Subject providing information through the order form or contact form on the Company’s website. The Company may also derive information about the Data Subject from personal data held by the Company. Personal data may also be obtained from external third parties, such as public sources (e.g. trade registers), where permitted by law.
We may combine personal data about the Data Subject which we have obtained from public sources and through various interactions, for example in connection with the provision of services or marketing communications.
The person/Data Subject is not obliged to provide the Company with his/her personal data that may be requested when ordering the Company’s services, but refusal may have different consequences depending on the situation. For instance, in some such situations where personal data is not provided, the Company may not be able to provide the service or act on the request of the Data Subject.
Customer service and sales calls may also be recorded either when calling the Company or when a representative of the Company calls the Data Subject.
The Company may use third-party service providers to process the contact information of data subjects for marketing purposes. This information is not permanently stored in the Company’s records.
Personal data may also be collected from the entity on whose behalf the Data Subject is acting.
4. Personal Data Categories
The Company collects and processes different types of personal data depending on the situation. The type and scope of personal data is always limited to the information necessary for the purpose of the processing. For example, the Company collects and processes the following categories of personal data that are relevant and necessary for the purposes of the processing of personal data described in this Privacy Policy:
- basic information about the Data Subject, such as name, professional title and relationship with the Company represented, contact details (e-mail, address and telephone number), language of service and, in exceptional circumstances, personal identification number, if its collection is necessary to identify the customer;
- information related to the customer relationship, such as service and order information, payment information, billing information, marketing permissions and prohibitions;
- customer contacts and related correspondence and records of Data Subjects’ rights;
- Personal data generated in connection with the use of the Company’s service or data collected in connection with the use of the website, e.g. identification data, log data relating to the use of the service, data collected from the website using cookies or similar technologies (device ID and type, operating system and application settings); and
- other information provided by the Data Subject to the Company’s service, as determined on a case-by-case basis.
- any consents and prohibitions given by the Data Subject (e.g. information on the Data Subject’s consent to the processing of personal data and information on the withdrawal of consents and prohibitions given by the Data Subject).
5. Purposes and Legal Grounds for Processing Personal Data
The Company only collects, processes and uses such personal data that is necessary for the Company’s business operations, efficient customer service and relevant commercial activities, including the processing of personal data to make them anonymous.
The Company processes personal data only for legitimate and specified purposes and does not process the data in a way incompatible with those purposes. Personal data is processed, for example, for the following purposes:
Service delivery and customer relationship management
The Company processes personal data primarily to provide and deliver as well as to maintain and manage the customer relationship between the Data Subject or the Company represented by the Data Subject and the Company. In this case, the processing of personal data is based on a contract between the Data Subject or the Company represented by the Data Subject and the Company.
The processing of personal data for customer relationship management and direct marketing is based on the Company’s legitimate interest.
Marketing
The Company may contact the Data Subject to inform them of new features of the Service or to market and sell other services to the Data Subject. The Company may also process the Data Subject’s personal data for marketing research and customer surveys. The processing of Personal Data is based on the Company’s legitimate interest in providing information as part of the service and to enable the Company to market our other services to Data Subjects. The Data Subject is entitled to object at any time to the processing of personal data for direct marketing purposes.
In addition, direct marketing by e-mail/telephone and subscription to the Company’s newsletter as well as the storage of personal data collected through the Company’s website for direct marketing purposes is based on consent.
Service development, information security and internal reporting
The Company also processes personal data to ensure the security of the service and website, to improve the quality of the service and website and to develop the service. The Company may also use personal data to compile internal reports for management for the proper management of the business. In such cases, the processing of personal data is based on the Company’s legitimate interest in ensuring the proper information security of the services and website and in obtaining sufficient and appropriate information for service development and business management.
Compliance with the law
The Company may process personal data in order to fulfil legal obligations, e.g. for accounting purposes or to comply with legal requests for information from public authorities.
Other purposes for which the Data Subject has consented
The Company also processes personal data for other purposes, provided that the Data Subject has given his or her consent to such processing.
6. Transfer of Personal Data Outside the European Union or the European Economic Area
Some of the service providers or subcontractors used by the Company operate outside the European Union (EU) or the European Economic Area (EEA), so when they process personal data of the Data Subject , the data must be transferred outside the EU or EEA. In such cases, the Company will provide the necessary safeguards as required by applicable law, such as using standard contractual clauses approved by the European Commission.
7. Storing Personal Data
Personal data is stored only for as long as necessary for the purposes for which it is processed, unless there is a legal obligation to store personal data for a longer period (for example, for accounting obligations) or unless the Company needs the data for the establishment or defence of a legal claim or for the settlement of a dispute.
Personal data processed on the basis of a contractual relationship with the Data Subject or a Company represented by the Data Subject is usually stored for the duration of the contractual relationship or the provision of services and for a period necessary after the customer relationship has terminated. When the customer relationship or the provision of the service ends, the personal data will be stored to the extent necessary, inter alia, to respond to any claims or actions, taking into account the statute of limitations. We may also store personal data to the extent necessary to comply with a direct marketing ban you have given us.
Personal data processed on the basis of legitimate interest will be processed for as long as there are grounds for such processing.
If personal data is processed for the fulfilment of legal obligations, it is stored in accordance with the requirements of the law. The obligation to store personal data is, for example, provided for in accounting legislation.
The retention period of personal data processed on the basis of consent is determined by the processing purpose.
Examples of retention periods:
- billing information: 10 years
- data supplied with the order: 1 year
- data accumulated in log files: 3 years
- job applications: 1 year
- employee data: 10 years
- customer service contacts: 10 years
8. Sharing and Disclosure of Personal Data
The Company may transfer personal data internally between companies within the group.
The Company may outsource the processing of personal data to service providers or subcontractors as described in this Privacy Policy. Through adequate contractual obligations, the Company will ensure that personal data is processed fairly and lawfully.
The Company does not disclose personal data to so-called third parties for direct marketing purposes, for market research, etc.
Personal data may be disclosed to public authorities in specific cases where required and justified by law.
The Company may need to disclose personal data of the Data Subject in emergencies or other similar situations in order to protect human life and health as well as property. Similarly, personal data may need to be disclosed if the Company becomes involved in litigation or any other similar dispute resolution procedure.
If the Company is involved in a business transaction or other business arrangement, it may be required to disclose personal data of the Data Subject to third parties. The Data Subject’s privacy will also be safeguarded in such arrangements, and Data Subjects will be duly informed where necessary.
Personal data may also be disclosed in situations where the Data Subject has given consent to the disclosure. In such cases, the data will be disclosed in accordance with the consent.
9. Rights of Data Subjects
Right to inspect data
The Data Subject is entitled to obtain confirmation as to whether the personal data of the Data Subject is being processed. The Data Subject has the right to inspect and view the data concerning him or her and, upon request, to receive the data in writing or electronically.
Right of rectification
The Data Subject is entitled to have inaccurate data rectified and, in some cases, to have incomplete personal data completed.
Right to object to processing
The Data Subject is entitled to object to the processing of personal data on the basis of a legitimate interest of the Company or a third party, where the Data Subject’s particular personal situation overrides such legitimate interest. However, the Company may refuse the request if the processing is necessary for the exercise of compulsory and legitimate rights. The Data Subject shall have the right to object at any time to the processing and disclosure of his or her personal data for direct marketing purposes and for related profiling.
Right to transfer data from one system to another
The Data Subject is entitled to obtain the personal data that the data subject has provided to the Company for processing based on consent or the performance of a contract. In such a case, we will disclose the data to the Data Subject or to a third party of your choice in a structured, commonly used and machine-readable format.
Right to be forgotten
The Data Subject may request the Company to delete personal data if there is no valid reason for their continued processing, if the Data Subject considers, for example, that the processing of his or her personal data is no longer necessary for the purposes described above or if the Data Subject wishes to withdraw his or her consent.
Right to restriction of data processing
In certain circumstances, the Data Subject is entitled to request the Company to restrict the processing of his or her personal data, for example for a period of time needed to verify the accuracy of the personal data.
Right to give and withdraw consent
If the processing of personal data is based on the consent of the Data Subject, the Data Subject has the right to withdraw his or her consent at any time.
The Company may need to request certain information from the Data Subject to confirm the identity of the Data Subject and to ensure that the Data Subject is entitled to exercise these rights.
10. Exercising Rights
The Data Subject may exercise his or her rights by sending the above request to dpo@seravo.com. The request must be accompanied by sufficient identifying information and the Company has the right to request additional information from the applicant, if necessary, for the purpose of processing the case. The request will be answered within a reasonable time and, if the Data Subject’s request cannot be granted, the Data Subject will be informed. If the Data Subject considers that the processing of his or her personal data is unfair, the Data Subject may also contact the Data Protection Officer.
11. Information Security
The Company will take appropriate measures (e.g. technical and administrative measures) to ensure that personal data is protected as far as possible against loss, destruction, misuse, unauthorised access or disclosure. For example, the Company limits access to personal information only to authorized employees, subcontractors and service providers who need the information for their work. They are obliged to process personal data only in accordance with the instructions given by the Company and under the obligation of confidentiality.
As noted above, the Company may outsource the processing of personal data to subcontractors or service providers in accordance with this Data Protection Policy. In such cases, the Company will ensure through contractual obligations that personal data is processed lawfully.
12. Changes to this Privacy Policy
The Company may update this Privacy Policy as necessary to reflect changes in its processing practices or changes in data protection legislation. This as well as other general terms and conditions can be found at https://seravo.com/en/terms .