This is a privacy policy in accordance with the Finnish Data Protection Act (1050/2018) and the EU General Data Protection Regulation (GDPR).

Prepared on November 25th 2020. Last modified on November 25th 2020.


DEFINITIONS

The service provider is Secapp Oy, later the Provider.

The master agreement is an agreement between the customer organization and Secapp Oy for the provision of the service, later the Agreement.

The Secapp system is used by various organizations e.g. companies, communities and governmental entities. With regard to the processing of personal data, a separate agreement is always made between the Provider (Secapp Oy) and the Customer Organization. As a general principle, the following applies in the agreement: The customer is responsible for the collection of the register (material), the related consents and obligations, and the maintenance of the register. The customer therefore acts as the actual data controller. The register (material) is always owned by the Customer and the Provider acts as a data processor. The Provider shall process personal data for as long as the provision of the contracted service to the Customer requires it. Personal data will not be disclosed to third parties.

The purpose of this privacy policy is to serve as a basis for the customer organizations’ own privacy policies and to define the data protection principles in those cases where personal data other than the Customer Organizations’ is processed by the Provider.


REGISTRAR

In those cases where the Provider acts as a registrar, the responsible registrar is:

Secapp Oy
Business ID 2411828-1
Viitaniementie 21 E 47, 40720 JYVÄSKYLÄ

As a rule, the Provider acts as a data processor and the customer organization as the actual data controller.


CONTACT PERSON RESPONSIBLE FOR THE REGISTER

On the Provider’s side, the data protection officer is Niko Tuomi-Nikula, tietosuoja@secapp.fi.

For customer organizations, the contact person should be verified with the nearest supervisor or manager responsible for administering the Secapp service.


NAME OF THE REGISTER

Secapp Oy’s Secapp service customer database


LEGAL BASIS AND PURPOSE OF PROCESSING OF PERSONAL DATA

The legal basis for the processing of personal data in accordance with the EU General Data Protection Regulation is the processing of personal data with the consent of the data subject or on the basis of a customer relationship.

The purpose of processing personal data is to deliver and provide the Secapp service, maintain customer relations and to communicate with customers.

The customer is responsible for collecting the register (material), related consents and obligations, and maintaining the register. When processing the customer’s material, the Provider complies with good data management practices, good data processing practices required by data protection legislation, other data protections and data protection legislation. The personal data of the data subject is processed for the maintenance, management and development of customer relationships related to the service, analysis, statistics and for the production, provision and further development of the service. Personal data will not be disclosed to third parties.

Secapp Oy only registers the information provided by the user or the customer organization itself.


TYPE OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

The type of personal data and categories of data subjects are specified as follows:

Service users:

  • Usernames and other identification information
  • Basic information including, but not limited to, name, telephone number, email, address, and affiliated organizations
  • User’s group, skill and certificate information
  • Authorizations, preferences, settings and restrictions, for instance for location history and tracking
  • User’s location information to be used to target messages to users based on geofencing and to locate the user if the situation so requires
  • Phone or any other device operating systems and identifiers
  • Any other information entered into the system by the Customer or the user where permission has been granted by the user

Customer’s admin users and contact persons:

  • Billing and debt collection information of the organization
  • Information on customer and contractual relations, such as products and services, their opening and termination dates, vendor information and implementation of communications
  • Customer organization usernames and other identification information

REGULAR SOURCES OF INFORMATION

Personal information is collected at the beginning of the customer relationship and registration, when using the service or otherwise directly from the registrant.

The information stored in the register is obtained from the customer via e.g. web forms, e-mail, telephone, contracts, customer meetings and other situations in which the customer discloses their information. Personal data can also be collected and updated from the customer’s own corresponding registers. As a rule, Secapp Oy only acts in the role of data processor and the actual customer organization as the data controller. In this case, the customer organization compiles a more detailed data protection and register description of its own operations.

Secapp Oy does not obtain personal data from a commercial or third party. Secapp Oy also does not disclose personal data to third parties.


DISCLOSURE OF INFORMATION

Secapp Oy does not disclose the information in the register to third parties. However, Secapp Oy may disclose personal data within the limits permitted and required by applicable legislation, e.g. when responding to requests for information from the authorities. The data will not be processed or transferred outside the European Union or the European Economic Area.


PROTECTION OF THE REGISTER AND DATA RETENTION PERIOD

Data is collected in common databases of the service, which are protected by firewalls and other technical means. The databases are located in locked and guarded premises and the data can only be accessed by certain predefined persons.

To access the system, the minimum requirement is to enter a username and password. Only certain predefined employees of the data controller have access to and are entitled to use the data contained in the register stored in the system. The information contained in the register is located in locked and guarded premises.

The Customer has access to personal data concerning his or her own operations through the Provider’s system, access to which requires a minimum of entering a username and password and having the appropriate access right. Thus, only certain predefined persons have access to and are entitled to use the information contained in the register stored in the system. Communications between the user and the system are encrypted and the use of the system is generally protected by firewalls and other technical means. 

Everyone who handles the information in the register has signed a non-disclosure agreement.

The object and duration of the processing of personal data are defined as follows: The Provider shall process personal data only as long as providing the service to the Customer pursuant to the Agreement requires it.


RIGHT OF INSPECTION AND DELETION

The data subject has the right to inspect the personal data stored in the personal register and the right to request the rectification and deletion of the data (“right to be forgotten”).

Relevant requests should primarily be addressed to the principal data controller, which is the customer organization in all other cases, except in matters directly related to Secapp Oy’s internal register. Inquiries related to Secapp Oy’s internal register must be submitted in writing and signed to the address:

Secapp Oy
Viitaniementie 21 E 47
40720 JYVÄSKYLÄ

or electronically to the contact person mentioned in the “Registrar” section. 

The data controller will respond to the customer within the time limit set by the EU Data Protection Regulation (generally within one month).


OTHER RIGHTS

Data subjects also have other rights under the EU General Data Protection Regulation, such as restrictions on the processing of personal data in certain situations. Relevant requests should primarily be addressed to the principal data controller, which is the customer organization in all other cases, except in matters directly related to Secapp Oy’s internal register. Inquiries related to Secapp Oy’s internal register must be submitted in writing and signed to the above address. The controller will respond to the customer within the time limit set by the EU Data Protection Regulation (generally within one month).

In accordance with the Data Protection Regulation, the data subject has the right to lodge a complaint about the processing of personal data with the supervisory authority.