Prepared on November 25th 2020. Last modified on November 25th 2020.
The service provider is Secapp Oy, later the Provider.
The master agreement is an agreement between the customer organization and Secapp Oy for the provision of the service, later the Agreement.
The Secapp system is used by various organizations e.g. companies, communities and governmental entities. With regard to the processing of personal data, a separate agreement is always made between the Provider (Secapp Oy) and the Customer Organization. As a general principle, the following applies in the agreement: The customer is responsible for the collection of the register (material), the related consents and obligations, and the maintenance of the register. The customer therefore acts as the actual data controller. The register (material) is always owned by the Customer and the Provider acts as a data processor. The Provider shall process personal data for as long as the provision of the contracted service to the Customer requires it. Personal data will not be disclosed to third parties.
In those cases where the Provider acts as a registrar, the responsible registrar is:
Business ID 2411828-1
Viitaniementie 21 E 47, 40720 JYVÄSKYLÄ
As a rule, the Provider acts as a data processor and the customer organization as the actual data controller.
CONTACT PERSON RESPONSIBLE FOR THE REGISTER
On the Provider’s side, the data protection officer is Niko Tuomi-Nikula, firstname.lastname@example.org.
For customer organizations, the contact person should be verified with the nearest supervisor or manager responsible for administering the Secapp service.
NAME OF THE REGISTER
Secapp Oy’s Secapp service customer database
LEGAL BASIS AND PURPOSE OF PROCESSING OF PERSONAL DATA
The legal basis for the processing of personal data in accordance with the EU General Data Protection Regulation is the processing of personal data with the consent of the data subject or on the basis of a customer relationship.
The purpose of processing personal data is to deliver and provide the Secapp service, maintain customer relations and to communicate with customers.
The customer is responsible for collecting the register (material), related consents and obligations, and maintaining the register. When processing the customer’s material, the Provider complies with good data management practices, good data processing practices required by data protection legislation, other data protections and data protection legislation. The personal data of the data subject is processed for the maintenance, management and development of customer relationships related to the service, analysis, statistics and for the production, provision and further development of the service. Personal data will not be disclosed to third parties.
Secapp Oy only registers the information provided by the user or the customer organization itself.
TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS
The type of personal data and categories of data subjects are specified as follows:
- Usernames and other identification information
- Basic information including, but not limited to, name, telephone number, email, address, and affiliated organizations
- User’s group, skill and certificate information
- Authorizations, preferences, settings and restrictions, for instance for location history and tracking
- User’s location information to be used to target messages to users based on geofencing and to locate the user if the situation so requires
- Phone or any other device operating systems and identifiers
- Any other information entered into the system by the Customer or the user where permission has been granted by the user
Customer’s admin users and contact persons:
- Billing and debt collection information of the organization
- Information on customer and contractual relations, such as products and services, their opening and termination dates, vendor information and implementation of communications
- Customer organization usernames and other identification information
REGULAR SOURCES OF INFORMATION
Personal information is collected at the beginning of the customer relationship and registration, when using the service or otherwise directly from the registrant.
The information stored in the register is obtained from the customer via e.g. web forms, e-mail, telephone, contracts, customer meetings and other situations in which the customer discloses their information. Personal data can also be collected and updated from the customer’s own corresponding registers. As a rule, Secapp Oy only acts in the role of data processor and the actual customer organization as the data controller. In this case, the customer organization compiles a more detailed data protection and register description of its own operations.
Secapp Oy does not obtain personal data from a commercial or third party. Secapp Oy also does not disclose personal data to third parties.
DISCLOSURE OF INFORMATION
Secapp Oy does not disclose the information in the register to third parties. However, Secapp Oy may disclose personal data within the limits permitted and required by applicable legislation, e.g. when responding to requests for information from the authorities. The data will not be processed or transferred outside the European Union or the European Economic Area.
PROTECTION OF THE REGISTER AND DATA RETENTION PERIOD
Data is collected in common databases of the service, which are protected by firewalls and other technical means. The databases are located in locked and guarded premises and the data can only be accessed by certain predefined persons.
To access the system, the minimum requirement is to enter a username and password. Only certain predefined employees of the data controller have access to and are entitled to use the data contained in the register stored in the system. The information contained in the register is located in locked and guarded premises.
The Customer has access to personal data concerning his or her own operations through the Provider’s system, access to which requires a minimum of entering a username and password and having the appropriate access right. Thus, only certain predefined persons have access to and are entitled to use the information contained in the register stored in the system. Communications between the user and the system are encrypted and the use of the system is generally protected by firewalls and other technical means.
Everyone who handles the information in the register has signed a non-disclosure agreement.
The object and duration of the processing of personal data is defined as follows: The Provider shall process personal data only as long as the provision of the service to the Customer pursuant to the Agreement requires it.
RIGHT OF INSPECTION AND DELETION
The data subject has the right to inspect the personal data stored in the personal register and the right to request the rectification and deletion of the data (“right to be forgotten”).
Relevant requests should primarily be addressed to the principal data controller, which is the customer organization in all other cases, except in matters directly related to Secapp Oy’s internal register. Inquiries related to Secapp Oy’s internal register must be submitted in writing and signed to the address:
Viitaniementie 21 E 47
or electronically to the contact person mentioned in the “Registrar” section.
The data controller will respond to the customer within the time limit set by the EU Data Protection Regulation (generally within one month).
Data subjects also have other rights under the EU’s general data protection regulation, such as restrictions on the processing of personal data in certain situations. Relevant requests should primarily be addressed to the principal data controller, which is the customer organization in all other cases, except in matters directly related to Secapp Oy’s internal register. Inquiries related to Secapp Oy’s internal register must be submitted in writing and signed to the above address. The controller will respond to the customer within the time limit set by the EU Data Protection Regulation (generally within one month).
In accordance with the Data Protection Regulation, the data subject has the right to lodge a complaint about the processing of personal data with the supervisory authority.