Privacy Statement for Smartum Oy’s Marketing Register, 18.5.2022

1 General information

Smartum Oy (hereinafter referred to as “the Company” or “We”) is committed to ensuring the confidentiality and privacy of any personal data it holds. This privacy statement is applicable to the personal data We collect in our marketing register (hereinafter the “Register”). This privacy statement describes the personal data that We collect and how We process it. Further information on how We process your personal data can be obtained via email at tietosuoja@smartum.fi.

We may update this privacy statement from time to time, for example as the related legislation changes. We will inform you of any essential changes to the Privacy Statement and their implications on our website or by email. We strongly encourage you to review this privacy statement whenever you receive information on any changes made to it. This privacy statement was last updated on 18 May 2022.

2 Data controller

Name: Smartum Oy
Address: Yrjönkatu 11 B, FI-00120 Helsinki, Finland
Phone: +358 600 149 88
Business ID: 2780101-9

3 Whose personal data do we collect?

We process the personal data of our existing and potential business customer representatives (employers and service providers). Furthermore, We process the personal data of beneficiaries of Smartum Payment instruments (hereinafter also “You”).

4 What types of personal data do we collect?

Regarding existing business customer representatives and beneficiaries, We process the following personal data in the Register:

Basic information:

  • first and last name
  • position in company (for business customer representatives)
  • name of employer (for business customer representatives)
  • mobile phone number
  • e-mail address.

Other data:

  • personal data provided by customers themselves, on topics such as areas of interest
  • direct marketing permissions and prohibitions
  • data based on behaviour and location.

Regarding potential business customer representatives, We process the following personal data in the Register:

Basic information:

  • first and last name
  • position in company
  • name of employer
  • mobile phone number
  • e-mail address.

Other data:

  • personal data provided by customers themselves, on topics such as areas of interest
  • direct marketing permissions and prohibitions
  • data based on behaviour and location.

5 From which sources is personal data collected?

Primarily, We collect personal data from

  • our customer register
  • the data subject him or herself (e.g. via a contact form)
  • registers disclosed by our collaboration partners
  • public sources, such as from Suomen Asiakastieto Oy, Vainu Finland Oy, Leadfeeder Oy, companies’ own websites, the Business Information System (YTJ), Fonecta and Kauppalehti Yrityshaku.

6 Grounds for, and uses and effects of, processing your personal data

Your personal data is processed on the grounds of our legitimate interests mentioned below or on the consent of the data subject.

The purpose of personal data processing is

  • managing and developing customer relationships
  • executing electronic and traditional direct marketing
  • targeting marketing at existing and potential business customers and current beneficiaries
  • sending invitations to occasions and events.

7 Regular transfers of your personal data and transfers to third parties

Our partner and subcontractor may only process your personal data with regard to tasks performed for marketing purposes belonging to us.

We may transfer your personal data to third parties involved in the provision of Smartum payment instrument services, which are partners and subcontractors such as:

  • data and communications system providers
  • printing services
  • logistics services.

In every case, We ensure that our partners do not process transferable personal data for any purpose other than the above.

We will not disclose any personal data in our marketing Register to third parties.

8 Transfers of your personal data outsode the EU or the European economic area

We will transfer your personal data (name, address, company, e-mail address) outside the European Union or the European Economic Area in accordance with the legislation on the processing of personal data for marketing and, in the case of business representatives, for the submission of tenders. Data is only transferred to the following organisations located in the United States complying with the EU-US Privacy Shield Framework:

  • the Rocket Science Group (all data subjects)
  • HubSpot, Inc. (business representatives only, does not apply to beneficiaries)
  • PandaDoc, Inc. (business representatives only, does not apply to beneficiaries).
  • Zapier, Inc. (business representatives only, does not apply to beneficiaries)
  • Twilio Sendgrid (business representatives only, does not apply to beneficiaries)
  • Typeform, questioneer tool. Transferred data: email address

In all situations, We will only transfer your personal data outside the EU or the European Economic Area on one of the following grounds:

  • the European Commission has decided that an adequate level of data protection has been ensured in the recipient country concerned;
  • We have implemented the appropriate safeguards for the transfer of your personal data by using the standard privacy statements approved by the European Commission. In such a case, You have the right to a copy of the standard statements by contacting us in accordance with the “Contacts” section; or
  • You have given your explicit consent to the transfer of your personal data, or there are other legitimate grounds for transferring your personal data from outside the EU or the European Economic Area.

9 Principles for retaining personal data

Personal data is retained for the time being unless the data subject has exercised his or her opt-out right. Personal data will be regularly updated, and it will be deleted based on business rules related to the purpose for processing.

10 Rights of the data subject with regard to personal data processing

In accordance with the applicable data protection legislation, You have the right at any time to:

  • have access to your personal data;
  • have access to your personal data and inspect any personal data that We are processing concerning You;
  • demand the correction and supplementing of any inaccurate and incorrect personal data;
  • require the deletion of your personal data;
  • object to the processing of your personal data on the basis of your personal circumstances, insofar as our legitimate interests (e.g. direct marketing) form the grounds for processing your personal data;
  • obtain your personal data in machine-readable format and transfer the data to another data controller, provided that You have personally submitted the personal data to us, We are processing the personal data on the basis of a contract and it is being processed automatically; and
  • demand the restriction of your personal data.

To exercise the above right, You must submit a request to us in accordance with the Contacts section of this privacy notice. We may ask You to specify your request in writing and to verify your identity before the processing of your request. We may refuse to implement your request on the basis of the applicable legislation.

In any case, you have the right to appeal to the appropriate supervisory authority or the supervisory authority of the EU Member State in which your residence or place of work is located, if You believe that We have not processed your personal data in accordance with data protection legislation.

11 Principles of data protection of the register

We respect the confidentiality of your personal data. Materials recorded on paper are kept in a locked space accessible only to the persons required for the task in question. Digitally processed personal data is stored in our information system and is accessible only to persons who need such data for the performance of their duties. The persons in question use personal usernames and passwords. Personal identity codes are not unnecessarily entered in documents printed out or drawn up on the basis of the personal Register.

Smartum personnel require a personal user name and password in order to engage in personal data processing and to gain access to the marketing Register. A username and password are issued alongside personal access rights. Access rights are defined by the person in charge of the Register together with the administrator of the information system. The data is protected from both intentional and unintentional destruction. Internal data connections within the system are implemented in a closed network. External connections are protected by firewalls. When using, or feeding data into, the Register through a public network, the connection is protected with Transport Layer Security (TLS) security.

We protect personal data transferred to third parties by using all available means to limit access to such data. Access rights to the processing of data in a third-party system must be provided on a need-only basis.

Smartum’s web pages, online service and mobile apps utilise cookies and related tracking pixels. A cookie is a small text file that is saved on the user’s computer, smartphone or tablet. A visitor cannot be identified based on cookies alone, and cookies do not harm the user’s device or files. Most big websites generally utilise cookies.

Essential cookies are necessary for the functionality of the website. These cookies are typically installed only upon your using functions that create service requests, such as selecting data protection settings, logging in or filling in forms.

Functionality cookies enable us to provide better and more personalised functionalities, such as videos (Vimeo and YouTube) and a real-time chat (Intercom). The cookies are set by us or any third-party service providers whose services we have added to our site.

With analytics cookies, we can monitor the number of page and service visits and traffic sources to measure and improve the performance of our website. Google Analytics and HubSpot use cookies for this purpose, which means that the site access data created by the cookies is transferred to and stored by Google and HubSpot.

Social medial and advertising cookies (Facebook, Instagram, LinkedIn, Adform, Google) can be used to create personalised recommendations and identify interests. The information collected by means of cookies can also be linked to data collected from the users in other contexts to provide a better user experience.

Site visitors can manage the use of cookies via a banner provided on the Smartum website. It also enables blocking all but the essential cookies. However, disabling cookies may impact the functioning of the Smartum services. If you decide to block the cookies, you may not be able to fully take advantage of the online services provided by Smartum.

13 Contacts

All requests related to exercising the above-mentioned rights, questions about this privacy statement and other contact information should be sent by email to: tietosuoja@smartum.fi or call number +358 600 149 88. In privacy matters, select option 1 (employer) from the call menu, upon which the cost of the call will be the local network charge or mobile phone charge.