Updated on 28 October 2020
1 Controller
SRV Group Plc and all companies belonging to the group (hereinafter ‘SRV’).
SRV Group companies:
SRV Group Plc, business ID FI-17071868
SRV Construction Ltd, business ID FI-17282446
SRV Russia Ltd, business ID FI-22791261
SRV Infra Oy, business ID FI-05909379
Each SRV Group company is responsible for the processing of personal data conducted under its own business operations for the purposes and with the legal basis set out in this Privacy Statement and may use the necessary personal data collected by other group companies for the same purposes, for example in marketing, sales, performance of contracts between the Group and its customers and partners and managing the relationship between these.
2 In matters relating to this register, please contact
SRV Group Plc
Privacy
P.O.Box 555
02601 Espoo
privacy@srv.fi
Tel. +358 20 145 5200
3 Register name
SRV’s business customer, partner and decision-maker register
4 Purpose and basis for processing personal data
The processing of personal data is based on the execution of a contract between SRV and its business customer, contractor, supplier or other cooperation partner and on fulfilling the requests that the data subject makes prior to concluding a contract, for example, in relation to matters such as newsletter subscriptions and RFPs. The processing of personal data is also based on SRV’s legitimate interest in managing its customer and partner relationships and on SRV’s legitimate interest in directly marketing its products and services to the contact persons of its business customers and potential customers.
The processing of personal data is based on the consent provided by data subjects for the collection of data related to their use of SRV Group companies’ websites with cookies or other similar technical monitoring methods for the purposes set out in this Privacy Statement.
The purposes for which personal data is used include the following:
- managing, maintaining, developing, analysing and collecting statistics on the relationship between SRV and its business customers, contractors, suppliers and other partners
- selling, marketing, offering, providing and developing SRV’s products and services
- communication based on the relationship between a business customer, contractor, supplier or other partner and SRV, including feedback collection and customer satisfaction surveys
- direct marketing via mail, phone and electronic channels as well as online advertising and targeting it
- conducting customer and market surveys, organising marketing-related competitions and other events
- planning and developing SRV’s business, products and services
- detecting, preventing and investigating misuse, fraud and other crimes
- analysis, profiling, segmentation and statistics compilation for the purposes listed above
5 Register content and data subject categories
The register contains the following information on current and potential decision-makers and contact persons of business customers, contractors, suppliers and other partners, as well as other stakeholders:
- Name, title, company, postal address, email address, phone number
- Age, year of birth, native language
- The areas of professional interest as provided by the data subject and the marketing activities targeted at the data subject
- Public information concerning tasks and status in business life or in a public office
- Customer feedback and contacts
- Access details such as data on service and website use, for example browsing and search data, cookies and IP addresses
- Customer/user and marketing segments and profiles created based on analyses and profiling carried out by using the data described above
- Refusals and consent related to direct marketing and
- Any other information the data subjects themselves have provided
6 Data sources
As a rule, the information in the filing system is collected from the data subjects themselves on the basis of service and website use, contact requests or the filling of other forms or based on information obtained in connection with the use of other services, event participation, contract conclusion and contract execution.
In addition, personal data can be collected and updated from the population register, business register and other similar public and private registers.
7 Disclosure and transfer of data and data transfers to countries outside the EU or EEA
As a rule, SRV does not disclose the data in the filing system to external parties unless it is required in order to fulfil the legal or contractual obligations of the controller.
However, data can occasionally be disclosed in accordance with law, for example, to cooperation partners selected by SRV for direct marketing purposes if the data subject has not refused to consent to such processing and disclosure.
SRV uses external service providers (subcontractors) to implement and provide its services. Such subcontractors include, for example, providers of ICT, marketing and communication services. In this case, personal data can be transferred to subcontractors to the extent that is necessary in order to provide services. These subcontractors process personal data on behalf of the controller in accordance with the controller’s instructions. To ensure privacy protection, SRV signs data processing agreements with all subcontractors that process personal data.
Personal data is not transferred to outside the EU or EEA. However, if such transfer of personal data is necessary, SRV will ensure an adequate level of data protection, e.g. by using standard contractual clauses approved by the European Commission.
8 Principles for securing the filing system and the period for retaining data
Only employees who are authorised to process customer data due to their work tasks have access to the system that contains customer data. Each user has a unique user ID and password for the system. Data is stored in databases that are protected with firewalls, passwords and other technical means. Databases and their backups are located in locked premises, and data can be accessed only by pre-appointed persons.
After the customer relationship has ended, personal data is retained until all warranty obligations and other contractual or legal obligations between the parties have been fulfilled and the retention and liability periods set out in legislation, for example, the Accounting Act and the Act on Prepayment of Tax, have ended. As a rule, personal data is retained for one year after the warranty period of a site has ended and for five years from the end of the validity of the works contract and/or principal-contractor agreement.
After the customer relationship and cooperation has ended, SRV can retain basic information on the data subject, as defined above in this privacy statement, for direct marketing purposes to the extent permitted by law. SRV regularly assesses the necessity to retain personal data, in addition to which it takes reasonable measures to ensure that the filing system does not include personal data that is incompatible with the purpose of the processing or that is outdated or incorrect.
9 Data subjects’ rights
Data subjects have the right to prohibit SRV from processing the data subject’s personal data for purposes related to direct marketing, market research, opinion polls and any profiling related to these. Such a refusal of consent can be provided at any time to the contact person of the filing system or, for example, by unsubscribing to messages in the manner described in marketing messages.
Data subjects have the right to check their own information stored in the filing system, and they have the right to demand that data is corrected or erased. Such requests must be submitted in person or in writing to the address provided in Section 2.
In accordance with the General Data Protection Regulation, data subjects have the right to object to the processing of their data, request that the processing of their data be restricted, withdraw at any time any consent they have given and lodge a complaint to the supervisory authority concerning the processing of personal data.