Privacy Statement

Data protection is a fundamental right that safeguards the rights and freedoms of data subjects when personal data is processed. Personal data basically means any information relating to an identified or identifiable natural person. This is a statement on the processing of personal data in accordance with the EU General Data Protection Regulation (679/2016) which explains how we collect, handle, process and respect our users’ personal data. Here we specify the type of information we collect, how we collect it, and what we do with it.

In general, we often work as a marketing service in the role of a processor of personal data on behalf of our customers who act as data controllers. In these circumstances, the principles of processing personal data are described in our customers’ privacy statements, so please check it out if necessary. The processing of our customer’s personal data is always based on a data protection agreement (DPA) between us and our customer.

Purpose and legal ground for processing your personal data?

We process, collect and store our customers’ personal data for predefined lawful purposes. We ensure that the processing is always based on the law. The purposes for which we process personal data and the applicable processing grounds are set out in more detail below.

In order to provide you services. The processing of customer personal data is necessary to provide services to our customers, to identify their target audience and to understand their business needs. In addition, we process our customers’ data for billing, payment monitoring and, where necessary, collection purposes. The legal basis for this processing is the provision of the services requested by the customer in accordance with contract and our legitimate interest in fulfilling any pre-contractual measures that the customer may have requested before accepting the contract.

In order to ensure the necessary functionality of the website. Internet Protocol has the task of delivering packets from the source host to the destination host solely based on the IP addresses in the packet headers, which has a direct impact on the functioning of the Website. The processing of a user’s digital identity is therefore necessary for the execution of requests in order to ensure the functionality of the website. In this case, the processing is based on our legitimate interest.

Ensuring the security of the website. The General Data Protection Regulation requires controllers to document the facts relating to the personal data breach, its effects and the remedial action taken. If the personal data breach was targeted at an information system, the documentation obligation also includes the information system’s log data from the time of the breach. The processing is necessary to ensure the security of the website.

We save to log data a chronological record of events and their causes in information systems, which contain personal data. This information does not allow us to identify an individual person, but it allows the telecommunication operator providing the user’s internet connection to identify their customer. We keep the log files for six (6) months, after which it is automatically deleted. The main basis for processing is our legitimate interest and compliance with a legal obligation.

In order to measure and improve the use of the website. We process information about the recent visits and movements of website users to different parts of the website for data analysis purposes, to understand how visitors use our website and to make it more intuitive. This information does not allow us to identify an individual person. The basis for processing for this purpose is our legitimate interest.

In order to deal with general enquiries and feedback. We process both the personal data of the contact person and the personal data provided by the contact person when a potential client or customer contacts us, for example via the forms on the website. The processing of personal data is necessary to answer the questions asked and to obtain feedback. In this regard, the legal basis for processing personal data is consent and our legitimate interest.

Compliance with legal obligations. We process customers’ personal data for accounting and tax purposes directly related to our business as required by applicable law.

Marketing and customer communications. We carry out digital marketing, email marketing, targeted marketing content and social media advertising to potential and existing customers and to us, so business contact data is also processed for marketing and communications purposes and to target marketing messages and content. Marketing may be based on automated decision-making and customer profiles generated in social media advertising campaigns, search engine marketing and content on our website. For these, the lawful basis for processing personal data is mainly our legitimate interest. However, individuals have the absolute right to object to the processing of their personal data for direct marketing purposes. It is also possible that some direct marketing is based on consent (e.g. subscription to newsletters). The data subject then has the right to withdraw consent at any time.

What personal data may we process?

We only collect personal data from data subjects that are relevant and
necessary for the purposes described in this Privacy Statement. In the main, we obtain personal data from the data subjects themselves by telephone, e-mail, contact form or other similar means. We may also collect information from public filing systems located in the EU/EEA. We do not knowingly collect or process any Personal Identifiable Information from children under 13.

We maintain a customer filing system that contains information about customers and potential customers. It is containing the following personal information:

  1.   Name of the contact person
  2.   E-mail address
  3.   Phone number
  4.   Company/entity
  5.   Other information about the company
  6.   Correspondence, if any
  7.   Other information provided by the data subject
  8.  The digital identity of the website user

The provision of information to us is mainly voluntary. However, sometimes the provision and processing of personal data is mandatory for the purposes of managing a customer relationship, ensuring the validity of a contract or for invoicing purposes.

How long do we collect your data?

We will not keep your personal data for longer than is necessary for the purpose for which it is used or as required by law or a contract. Retention periods for personal data may vary depending on the purpose of the use, the legal basis for the processing and the situation. At the end of this period, we will delete all unnecessary data in accordance with our deletion procedures. The retention period may also be affected, for example, by the possibility for the establishment, exercise or defense of legal claims. We may be required to process some personal data on the filing system for longer than stated above in order to comply with legislation (e.g. Accounting Act 1336/1997) or regulatory requirements.

How do we keep your personal data safe?

We process personal data in a manner designed to ensure appropriate security, including protection against unauthorized processing and accidental loss, destruction or damage.

We use appropriate technical and organizational safeguards to ensure this objective, including the use of firewalls, encryption technologies and secure equipment rooms, appropriate access control, careful management of user IDs for information systems and training of staff involved in the processing of personal data.

In connection with the provision of our services, we may use trusted service providers who may process personal data on behalf of the controller for the purposes of providing those services, subject to the requirements of data protection legislation. As a general rule, our staff will have access to material containing personal data. In addition, we are committed to absolute confidentiality and secrecy with regard to any information that may come to our knowledge in the context of our customer relationship or the processing of the filing system.


Do we transfer Personal Data to Third Countries?

We don’t transfer data outside the EU and the European Economic Area (EEA).

If the customer relationship requires the transfer of data outside the EU or EEA, we will ensure that the transfer is carried out as required by law, for example using the standard contractual clauses (SCC) adopted by the Commission.

Your rights regarding your personal data?

You can exercise your rights described above by contacting us using the contact details below. At the same time, we will ask you to provide proof of your identity.

Data subjects have the following rights in relation to the processing of their data:

  •   of access to their data
  •   to rectification of their data
  •   to the erasure of their data and to be forgotten
  •   to restrict the processing of their data
  •   to data portability
  •   to object to the processing of their data
  •  not to be subject to a decision based solely on automated processing
  •  to lodge a complaint with a supervisory authority

Who can you be in touch with your questions about your personal data?

Planna Oy (3207194-6)
Address: 20520 Turku, Tykistökatu 4 B