1. Registry holder

Tmi Milla Metsä-Tokila (3246514-4)
Asemantie 350, 23100 Mynämäki
Other contact information: www.kissakalapuikko.com, 0406789306

​

2. Contact person in matters concerning the register

Milla Metsä-Tokila
Asemantie 350, 23100 Mynämäki
Email address: millahovivuori@hotmail.com, 0406789306

​

3. Register name  ​

Tmi Milla Metsä-Tokila customer register

​

4. Purpose and legal basis of personal data processing​

Personal data is processed for purposes related to managing, managing and developing customer relationships, providing and delivering services, and developing and invoicing services.

Personal data is also processed for the purposes required to settle possible complaints and other claims.
In addition, personal data is processed in communications aimed at customers, such as for information purposes and in marketing, as part of which personal data is also processed for purposes related to direct marketing and electronic direct marketing.

The customer has the right to refuse direct marketing aimed at him.
The controller processes the data himself and uses subcontractors acting on behalf and on behalf of the controller in the processing of personal data.

The legal bases for the processing of personal data are the following bases according to the EU General Data Protection Regulation (hereinafter also "GDPR"):

- the data subject has given his consent to the processing of his personal data for one or more specific purposes (GDPR 6 art. 1.a);

- the processing is necessary for the implementation of an agreement to which the data subject is a party, or for the implementation of pre-contractual measures at the request of the data subject (GDPR 6 art. 1.b);

- the processing is necessary to fulfill the legitimate interests of the controller or a third party (GDPR 6 art. 1.f).

The aforementioned legitimate interest of the data controller is based on a meaningful and appropriate relationship between the data subject and the data controller, which is a consequence of the fact that the data subject is a customer of the data controller, and when the processing takes place for purposes that the data subject could reasonably have expected at the time of the collection of personal data and in connection with the relevant relationship.

​

5. Data content of the register

​

The register contains the following information about the registrants: Surname, first names, postal address, phone number, email address, title or position, IP address, username, name of the company represented by the registrant and its company's contact and address information, as well as mailing lists. In addition, the register may contain information related to the provision, purchase, use and development of services as well as information related to marketing and sales and other information relevant to managing or developing the customer relationship.

​

6. Regular sources of information

Primarily, the personal data entered and stored in the register is based on the information provided by the company to be registered or the company represented by the registered person, or information provided by Tmi Milla Metsä-Tokila's stakeholders and external service providers.

​

7. Personal data retention period 

​

Personal data is kept in the register until the customer relationship between the registered person and the customer can be considered to have ended. The termination period is determined from the expiration of the customer's customer contract or from the latest service contact or contact, to which five years are added. The information used as a basis for invoicing is kept for the period required by accounting legislation.

​

8. Information on data transfer to third countries and information on use
protective measure

​

Data is not transferred outside the EU/EEA area.

​

9. Recipient groups of personal data

​

Tmi Milla Metsä-Tokila's own personal data processors for whom personal data is necessary in connection with the performance of work. Personal data can also be disclosed within the limits permitted and required by the legislation in force at any given time, for example to authorities that have the right to access the data.

​

11. Register protection principles

​
Materials containing personal data are stored in locked rooms, to which only designated and authorized persons have access due to their duties. The database containing personal data is on a server, which is kept in a locked state, to which only designated and authorized persons have access due to their duties. The server is protected by an appropriate firewall and technical protection. Access to databases and systems is only possible with separately issued personal user IDs and passwords. The registrar has limited access rights and authorizations to information systems and other storage platforms in such a way that the data can be viewed and processed only by the persons necessary for their legal processing. In addition, the usage events of databases and systems are registered in the log data of the controller's IT system. The employees and other persons of the registrar are committed to observe the obligation of confidentiality and to keep secret the information they receive in connection with the processing of personal data.

​

12. Rights of the data subject

​

The right to inspect, correct and delete data in accordance with Milla Metsä-Tokila's privacy policy. The registered person has the right to object to the processing of personal data concerning him at any time on the basis of his personal special situation. Objection requests are addressed in writing to the registry's contact person.

The registrant has the following rights according to the EU General Data Protection Regulation:

– the right to receive confirmation from the data controller that the personal data concerning him or her is being processed or that it is not being processed, and if this personal data is being processed, the right to have access to the personal data and the following information: (i) the purposes of the processing; (ii) the groups of personal data in question; (iii) recipients or groups of recipients to whom personal data has been disclosed or is intended to be disclosed; (iv) if possible, the planned retention period of personal data or, if it is not possible, the criteria for determining this period; (v) the right of the data subject to request from the controller the correction or deletion of personal data concerning him or her or to limit the processing of personal data or to object to such processing; (vi) the right to file a complaint with a supervisory authority; (vii) if personal data is not collected from the data subject, all available information about the origin of the data (GDPR art. 15). These described basic information (i) to (vii) are given to the registered person on this form;

- the right to withdraw consent at any time without affecting the legality of the processing carried out on the basis of consent before its withdrawal (GDPR art. 7);

- the right to demand that the data controller correct inaccurate and incorrect personal data concerning the data subject without undue delay, and the right to have incomplete personal data supplemented, for example by submitting an additional explanation taking into account the purposes for which the data were processed (GDPR art. 16);

– the right to have the controller delete the personal data concerning the data subject without undue delay, provided that (i) the personal data is no longer needed for the purposes for which it was collected or for which it was otherwise processed; (ii) the data subject withdraws the consent on which the processing was based, and there is no other legal basis for the processing; (iii) the data subject objects to the processing on grounds related to his personal special situation and there is no justified reason for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) personal data has been processed unlawfully; or (v) personal data must be deleted in order to comply with a legal obligation applicable to the data controller based on Union law or national legislation (GDPR art. 17);

- the right for the data controller to restrict the processing if (i) the data subject disputes the accuracy of the personal data, in which case processing is limited to a period during which the data controller can verify their accuracy; (ii) the processing is illegal and the data subject objects to the deletion of personal data and instead demands the restriction of their use; (iii) the controller no longer needs the personal data in question for the purposes of processing, but the data subject needs them to prepare, present or defend a legal claim; or (iv) the data subject has objected to the processing of personal data on grounds related to his personal special situation pending verification of whether the legitimate grounds of the data controller supersede the grounds of the data subject (GDPR art. 18);

- the right to receive the personal data concerning himself, which the data subject has provided to the data controller, in a structured, commonly used and machine-readable format, and the right to transfer the data in question to another data controller without hindrance from the data controller to whom the personal data has been provided, if the processing is based on the consent referred to in the regulation and the processing is carried out automatically (GDPR 20 art.);

- the right to file a complaint with the supervisory authority if the data subject considers that the processing of personal data concerning him violates the EU's general data protection regulation (GDPR art. 77).