The new EU General Data Protection Regulation, GDPR, which was enacted the 14th of April 2016, is about to enter in force on the 25th of May 2018. From that day forward this regulation will be applied in all member countries of EU. This regulation replaces the 1995 Data Protection Directive.
Data Controller and Data Processor
Granlund Oy (“Provider”) acts, based on the Contract, as Data Processor in all of its customerships, for the Customer acting in the role of Data Controller.
The aim of the registry is to enable 1) Access to the processes of the software being used by the customer; 2) Creation, display and maintenance of the data in the system as agreed with the Customer; 3) additional analysis of the aforementioned defined by the Customer and for a purpose that is aligned with legislation.
The data subjects have the right to deny usage, or demand correction of incorrect personal data. Regarding the aforementioned, they should be in touch with the Data Controller;
- When the Customer acts in the role of Data Controller; contact the main user
- When Granlund acts in the role of Data Controller; contact email@example.com
Personal Data collected
Data collected from the data subjects as following: company, phone number (office), e-mail (office), fore- and surname.
Rights and responsibilities of users
Users of the Granlund Manager software are able to check their own personal data recorded in the registry by logging in to the system.
The user is responsible for all actions conducted by their user account in the Granlund Manager software.
The user is responsible for assuring that their personal username and password will not be known by others.
Access to the Granlund Manager-service is granted by the Customer or an actor assigned by the Customer.
The user commits to the use of the personal data found in the system only for the initial purpose, and avoids the misuse of it.
Granlund has the permission to use data found in the Granlund Manager system to maintain and develop the service. Data is not transmitted to third parties or for marketing purposes.
All personal data being collected and processed is contractual and legal. Personal data is updated when required and misleading or incorrect data is corrected or deleted. Personal data is not being kept for an unnecessary long period of time, and is strived to be deleted as soon as allowed by the contract/the law. Passive user accounts, including the linked personal data, are deleted on a regularly basis. Initially the user account will be locked, and after being locked for a period of three (3) years, it will be deleted. Personal data is stored for three (3) years due to integrity and traceability. Backup copies are saved, and kept for a period of six (6) months after the contract has expired.
By filing a request, the personal data is saved in the Granlund Manager software for a period of five (5) years, after which this data will be deleted in case the personal information has been deleted. In case the person in focus has an active user account in Granlund Manager, then the personal data will remain elsewhere in the software as long as the user account exists.
Definition of data processing
The data processing activity is based on the agreement made between the Customer and the Provider. The data processing activities are defined in the data protection policy. The data is used to facilitate the service and maintain the crucial personal data. In case the data protection policy and the supplementary notes differ, the processing of personal data is defined by the supplementary notes. The provision of new written instructions concerning the processing of personal data require a written agreement to be created.
The use of personal data
Personal data in the Granlund Manager system is used based on the definition provided by the Customer, in the following parts; contact information for properties, service requests and in maintenance tasks. The data is being used to enable the provision of the service as well as maintaining crucial personal data. The data is not transmitted to third parties or used for marketing purposes. Neither is the data transmitted outside of the EU/EEA area.
Each user gives consent to the processing of their personal data. The user is required to accept the terms and conditions when logging into the Granlund Manager software. This is done by acknowledging a notification visible in the software interface. The usage of the personal data is based on an agreement made by the Customer and the Provider.
The Customer defines what data is to be collected. The Provider maintains and processes the personal data provided by the customer in accordance to the required security measures. Personal information found in the system includes the following: fore- and surname, company and e-mail address and possible additional information. The minimum information required is fore-and surname, company and e-mail address.
Data processed in the system is contractual and based on employment.
Rights of the data subjects
As Data Processor, Granlund guarantees the lawful rights of the registered to be fulfilled, to the degree that it is possible. These rights include the right to know what personal data is found in the system. The user is able to do this on her own, by logging into the system.
The rights also include the possibility to forbid the use, or request the correction, of personal data. Regarding this, the registered should be in contact with the data controller.
The personal data is pseudonymized and deleted regularly.
The Provider complies with the proper processing customs for secure processing. The security of the software is ensured and it is used through a secured browser connection. Partners used by Granlund have a good reputation and the security of these is being monitored through regular inspections. The servers are kept at a secured server room at a third party provider.
The Provider is obliged to give the Customer a notice of data breaches without any unnecessary delay. When informing about a data breach, the following information will be provided; a description of the data breach including categories and data registries that are in question as well as the amount of these. The responsible person handling the breach including the name and contact information. A description of the consequences the breach has caused and possible latter effects. A description of the measures that have been, and will be, taken due to the data breach.
The Customer is also obliged to give the Provider a notice in case there is a data breach suspected. This notice should also be done without unnecessary delay, so that the Provider is able to conduct the required measures to keep the personal data secured.
All contact concerning data security or data breaches should be sent to firstname.lastname@example.org
Upon request, the actions of the Provider can be audited, for the Customer to be ensured that the requirements of the data protection policy are being fulfilled. The auditing is being conducted on the cost of the Customer and by an actor that is not a competitor of the Provider. The Customer ensures that this third party is functioning in accordance to the confidentiality obligations regarding the confidential information received during the audit. The Provider also has the right, but not the obligation, to conduct an audit on own cost and provide the Customer with the report. The auditor should also in this case be an actor that has proven its knowledge, professionalism and experience.