Customer register privacy statement (updated 17 May 2018)

1 Controller
Grano Oy (hereinafter referred to as ‘Grano’)
Business ID: 2197935-0
Vesikuja 4
02200 Espoo, Finland
Tel. +358 200 35 211

2 Contact person for register matters
Fernando Korpi
tel. +358 200 35 211
helpdesk@sokopro.fi
Vesikuja 4, 02200 Espoo
Finland

3 Name of the register

Grano (SokoPro) customer register

4 Basis and purpose of processing personal data
The processing of personal data is based on Grano’s privileged interest, agreement or other substantive connection. The purpose of the personal data is to take care of, maintain, develop, analyse and keep statistics of customer relationships between Grano and its customers. Furthermore, the data may be used for direct marketing (including newsletter subscriptions), organisation of marketing contests, profiling, distance sales as well as opinion and market surveys by Grano and its allied companies and co-operation partners. The data may also be used for planning and developing Grano’s business operations and services.

5 Data contents of the register
The register contains the following personal data regarding the decision-makers and contact persons of companies and communities:

  • Name, title, company, postal address, e-mail address, telephone number
  • Customer history (e.g. contacts, orders, feedback, information related to invoicing and debt collection)
  • Interest and profiling data
  • Usage data, e.g. information regarding the use of services, such as browsing and search information, cookies
  • Customer feedback and contacts
  • Direct marketing prohibitions
  • Any other data necessary for the purpose of the register

6 Regular sources of data
The data in the register is regularly collected directly from the customer. It consists of data gathered from the customer’s use of services and the online service or other business conducted with Grano, as well as data gathered from and during the making of an agreement.

Personal data can also be collected and updated from the population register, the credit information register and other similar public and private registers.

7 Regular disclosures of data and transfer of data outside the EU or the EEA
Grano does not regularly disclose data in the register to external parties. However, data may occasionally be disclosed in accordance with Finnish law.

Grano may transfer a registered person’s personal data to Grano’s direct marketing register after the substantive connection has ended.

In order to carry out its services, Grano utilises co-operation partners operating outside the EU and the EEA. For this reason, usage data and personal data related to using the service is partially transferred to the USA. A sufficient level of data protection in processing the data is ensured by using the European Commission’s standard contractual clauses.

8 Principles of protecting the register and storage time of the data
Only employees whose job description entitles them to process customer data are entitled to use the system containing customer data. Each user has a personal username and password for the system. The data is collected into databases that are protected with firewalls, passwords and other technical means. The databases and their back-ups are located in locked facilities, and the data can only be accessed by certain persons designated in advance.

Personal data is stored as long as necessary for its purpose, with storage times prescribed by laws such as the Consumer Protection Act, the Accounting Act and the Prepayment Act taken into consideration.

9 Right of access and the right to have data corrected
The data subject has the right to access and inspect his/her personal data recorded into the register, as well as the right to demand to have data corrected or removed. Requests concerning this matter must be submitted personally or in writing to the contact person mentioned in Section 2.

10 Other rights related to the processing of personal data
The data subject has the right to prohibit the controller from processing his/her data for direct marketing or marketing and opinion surveys. Such a prohibition can be submitted to the contact person mentioned in Section 2 at any time.

In accordance with the General Data Protection Regulation (starting from 25 May 2018), the data subject has the right to object to, or request restrictions on, the processing of his/her personal data, as well as the right to file a complaint regarding the processing of personal data with the supervisory authority.

11 Register administrator and the administrator’s roles in the SokoPro system
The use of SokoPro enables the customer and the end user to collect and save personal data into the different features of the system. In this respect, the customer and the end user must comply with the applicable legislation. The service provider (SokoPro) may, as instructed by the customer, act as the processor of personal data of third parties submitted by the customer in accordance with existing legislation. As the controller, the customer and the end user are responsible for the correctness and lawfulness of the personal data. Furthermore, the customer and the end user are responsible for ensuring that they have the right to process data, deliver the data for processing and grant the service provider (SokoPro) the right to process the data.

12 Personal data storage time
In accordance with the General Data Protection Regulation, the data in the personal data register may only be stored for as long as is necessary for carrying out the purpose of the register. In SokoPro, the user profile data is stored for 10 years after the user’s last login in order to comply with the 10-year responsibility period for developers in accordance with the General Conditions for Building Contracts (YSE) 1998.

12.1 Removal of user account and the right to be forgotten
If requested by the customer, items of personal data related to the customer can be removed from the SokoPro systems or anonymised. The removal and anonymisation procedures are irreversible, and we are unable to restore any removed user profiles.

Any requests related to the aforementioned can be submitted by e-mail to:

helpdesk@sokopro.fi

or by mail to:

Grano Oy / Removal of user account and the right to be forgotten
Vesikuja 4, 02200 Espoo
Finland

13 SokoPro data security
SokoPro is a data security forerunner in the construction industry, and it has been granted a data security certificate. The leading data security consultant company in the Nordic countries, Nixu Oy, has granted Grano’s SokoPro system a data security certificate as a sign of the high level of protection in the product.

  • The connections used are protected with a reliable firewall solution, and all data communication is SSL encrypted. The SSL certificate is granted by DigiCert, Inc.
  • Regular data security checks and vulnerability management
  • Virus and malware protection
  • Secure administration and software development practices
  • Regular data security trainings for the administration staff
  • The data centres used comply with the requirements of Regulation 54 of the Finnish Communications Regulatory Authority and the PCI-DSS standard regarding the physical protection of premises
  • The data centres used are located in Finland

14 Ending and closing a project

Ending a project
After a project is completed, the orderer can close the project or archive the materials of the active project bank into an archive bank in accordance with the agreement. The assignment can only be made by the orderer of the project. When a project is closed, the SokoPro Helpdesk can submit a final record of the contents of the project. This record must be ordered separately. The final record is charged as maintenance work according to the agreement. Please note that the orderer is responsible for closing and ending a completed project in SokoPro.

Closing a project
On request by the orderer, the SokoPro Helpdesk can close a completed project from the SokoPro service. The project is closed after the invoicing period has ended or on a date agreed upon separately. If separately requested, the SokoPro Helpdesk will ensure that a final record has been made of the project on a flash drive or CD/DVD. The final record is charged as maintenance work according to the agreement. By default, the final record only contains the latest revisions of the files. If necessary, it is possible to have the entire revision history included in the record, but we will charge an additional fee for it based on the working hours and amount of data.

The materials of a closed project will be permanently removed from the SokoPro server 3 months after the closing of the project.

Any requests related to the aforementioned can be submitted by e-mail to:

helpdesk@sokopro.fi

or by mail to:

Grano Oy / Closing SokoPro project
Vesikuja 4, 02200 Espoo
Finland