PRIVACY STATEMENT - CONSUMER CUSTOMERS
This Privacy Statement (“Privacy Statement”) applies to the processing of consumer customers’ personal data by Inderes Oyj (“Inderes” or “us”) when these customers use Inderes’ consumer services (together “Service”) through the Inderes.fi website or Inderes’ mobile app (“mobile app”) downloadable from Apple App Store and Google Play. In this Privacy Statement, the consumer customer also refers to any natural person who uses the Service via a user account that is acquired by their employer or who uses the Service based on an agreement between Inderes and their employer.
In this Privacy Statement, “User” refers to a customer using the Service through their user account.
We may update this Privacy Statement when necessary due to changes in the processing of the information or for any other reason. For an up-to-date version, visit Inderes.fi.
CONTROLLER AND CONTACT INFORMATION
Inderes Oyj, Business ID 2277600-2
Itämerentori 2, 00180 Helsinki
+358 40 4110887
PROCESSED PERSONAL DATA AND THEIR SOURCES
The personal data we process are the User’s email address, name, and user name. These personal data are obtained when the User creates a user account for the Service. If the User has a Premium account, their address will also be processed.
Inderes stores User profile data based on User responses to voluntary queries on inderes.fi and processes analytics related to User behavior to develop the Service's user experience.
In addition, the mobile app collects both personalized and unspecified data about the User. As for personalized data, the mobile app processes the User's email address. Personalized data is used to personalize the mobile app (displaying content on companies followed by the User in a separate view) and in the functionalities of the app (login and following companies and programs).
As for unspecified data, the mobile app processes the User’s approximate location (city and country), identifier and device ID (unspecified analytics and app functionalities), usage data (downloads, clicks, listening times and other app interaction data) and diagnostics (app’s crash, performance and other diagnostics data). These data cannot be linked to the User.
The mobile app does not collect precise location data, biometric data or sensor data. Only Inderes Oyj and its partners like Pubfront ApS and application platforms Apple App Store and Google Play have access to the data collected by the mobile app.
PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
Inderes processes personal data in accordance with this Privacy Statement for the following purposes and with the processing criteria mentioned here:
To offer services (legal basis: enforcing the contract and, in some cases, legitimate interest).
To handle and fulfill our legal obligations (legal basis: fulfillment of legal obligations).
We may process data to fulfill our accounting obligations, for example, and to provide data to competent authorities such as tax authorities.
Processing of claims and legal proceedings (legal basis: legitimate interest).
Inderes may process personal data in the processing of claims and in connection with legal processes. We may also process personal data to prevent fraud and misuse of our Service, and to maintain the cyber security of the data we collect, the systems we use, and the data network.
Customer communication and marketing (legal basis: legitimate interest).
Inderes processes personal data to communicate with Users regarding issues related to providing the Service. Personal data can also be used in marketing the Service and other services we provide to the Users.
Improving the quality of the Service and compiling trend analysis (legal basis: legitimate interest).
We may also use data about your Service use to improve the quality of our Service by, for example, analyzing changes in the way the Service is used. However, for these purposes, we only use composite data that does not identify individuals.
To ensure that our services meet the needs of a single User, personal data can also be used to carry out customer satisfaction surveys, for example.
INTERNATIONAL DATA TRANSFERS OUTSIDE EUROPE
Inderes stores personal data primarily within the European Economic Area. However, we and/or our service providers may also transfer personal data or have access to such data in countries outside the European Economic Area.
We will ensure that personal data is properly protected in all countries where they are processed. We provide adequate protection for the transfer of personal data to countries outside the European Economic Area through agreements with our service providers based on standard contractual clauses adopted by the EU Commission, or through other similar arrangements.
We will only share personal data within our organization and only as reasonably necessary for the purposes set out in this Privacy Statement.
We will not share personal data with third parties outside our organization unless one of the following situations prevails:
· Personal data is used for the purpose described in this Privacy Statement or is shared with an authorized service provider. To the extent that we need to give third parties access to the User’s personal data to enable us to provide our Services to Users, we will provide such third parties with User data for processing on our behalf. In addition, we may share personal data with authorized service providers providing services to us (including data storage services, accounting services). For example, when Inderes organizes events for its stakeholders, Inderes may share the event participants’ personal data with third parties providing the event service (such as Flik Helsinki Oy).
o Inderes has taken appropriate contractual and organizational measures to ensure that, when third parties process personal data on behalf of Inderes, they are used only for the purposes specified in this Privacy Statement and are processed in accordance with the laws and regulations in force and in accordance with our instructions, applicable secrecy obligations and necessary security measures.
· Data are used for legal purposes or in legal proceedings. We may share personal data with third parties outside Inderes if we believe that access to and use of personal data is reasonably necessary in order: (i) to comply with existing laws and regulations and/or with a court order; (ii) to detect and prevent misuses, criminal offenses, technical disruptions, and security problems; and/or (iii) to ensure the safety and property protection of Inderes and the Service Users and fulfillment of public interest. We will inform the User directly of such data processing, if possible, in the case in question.
· If Inderes is a party to a merger, business acquisition or other business transaction, we may transfer your personal data to a third party involved in the process. However, we will continue to ensure the confidentiality of all personal data we transfer. We will separately inform any registered Users whose personal data will be transferred in such a situation or whose personal data are transferred to be covered by another privacy statement.
· The data are used with your express consent. We may share personal data with third parties outside Inderes if we have explicit consent from the User to do so. The User has the right to withdraw their consent at any time.
· Other legitimate reasons.
Inderes does not store personal data for longer than is permitted by law and necessary for the purposes of this Privacy Statement. The length of the storage period depends on the nature of the personal data and the purpose for which it is processed. The maximum time may therefore vary depending on the purpose of use.
Right to check data
You have the right to access or to receive a copy of the personal data we process about you. We may refuse to provide you with a copy of your personal data if such a procedure would jeopardize the rights and freedoms of others.
Right to withdraw a consent
If processing of your personal data is based on your consent, you may at any time withdraw your consent. The withdrawal of consent shall not affect the legality of the processing of personal data carried out prior to the withdrawal.
Right to rectify data
You have the right to correct or complement incorrect or incomplete personal data we have stored.
Right to delete data
You can also ask us to completely delete personal data about you from our systems. We will complete such a request unless we have a legal basis for not deleting the data.
Right to object to processing of data
You have, based on special personal circumstances, the right to object to the processing of your personal data on the basis of our legitimate interest. We will comply with your request unless we have a legal basis to act differently. When you object to further processing of your personal data, your ability to use the Service may be reduced.
Right to restrict processing of data
You may require us to restrict the processing of your personal data, for example, during the deletion or correction of your data and/or when we do not have a legal basis for processing your data. This can also reduce your ability to use the Service.
Right to transfer data
You have the right to receive all your personal data in a commonly used format. You then have the right to independently transfer this data to a third party.
How to exercise your rights
The above rights can be exercised by sending a letter or e-mail to the above-mentioned addresses that includes the following information: full name, address, e-mail address and telephone number. We may request any additional information necessary to confirm your identity. We may reject requests that are too frequent, excessive or clearly appear unfounded or unreasonable.
REFERRAL TO AN AUTHORITY
If you believe our processing of personal data to be contrary to applicable data protection legislation, you can file a complaint with your local supervisory authority. In Finland the controlling authority is the Finnish Data Protection Ombudsman (https://tietosuoja.fi/en/home).
We take administrative, organizational, technical, and physical precautions to protect the personal data we collect and process. These measures include, where possible, e.g., encryption, pseudonymization, firewalls, safe storage facilities, and systems that are protected with restricted access rights. Our security is designed to ensure the continuous confidentiality, integrity, availability and fault tolerance of our processing systems, and the ability to recover data with appropriate security.
If, despite our security efforts, there is a security breach that is likely to have a negative impact on your privacy, we will inform the relevant registered subjects, as well as the appropriate authorities if required by applicable data protection regulations, of the security breach as soon as possible.