Citec Group Privacy Policy

Last updated 05 July 2021

This Privacy Policy explains how we at Citec Group Oy Ab process the personal data of our customers and supplier representatives, web site users and visitors to our office premises (“you”, “your” or “data subject”) as per the General Data Protection Regulation (EU) 679/2016. We also inform you of your rights as data subject and the exercise thereof.

1. Name and address of the controller

Citec Group Oy Ab
Business identity code: 2406561-8
Address: Silmukkatie 2, 65100 Vaasa, Finland
Contact person for data protection related matters: Harri Viertola, IM/IT Manager, Information Security
Contact: privacy@citec.com

Should you have any questions regarding data protection, don’t hesitate to be in touch with our contact person mentioned above.

2. Personal data processed

We process the following categories of personal data:

A) For Citec website visitors:

  • Name and contact details (phone number, company address and e-mail address) of the data subject in case such information is disclosed by filling in the contact request form
  • Name and contact details (phone number, company address and e-mail address) and work title of the data subject in case such information is disclosed by filling in the supplier registration form
  • Name and contact details (phone number, company address and e-mail address) of the data subject in case such information is disclosed by filling in the sponsorship request form
  • Information concerning www.citec.com and other Citec web site and service-related visit behaviour, such as how the user has found the website, which sites have been visited and the duration of each visit
  • Technical data and cookies which the registered have sent to the browser and information connected to this

B) For customer and supplier representatives:

  • Name and contact details (phone number, company address and e-mail address)
  • Work title and role in organization

C) For potential customer representatives:

  • Name and contact details (phone number, company address and e-mail address) and work title of the data subject in case the organization the data subject is representing, is identified as a potential customer of Citec
  • Name and contact details (phone number, company address and e-mail address) and work title of the data subject in case the data subject has ordered a Citec Newsletter

D) For Citec office premises visitors:

  • Name and employer company, time of visit
  • Camera surveillance data in certain office locations

3. Purposes of processing and legal basis for processing

Below is a general overview of the purposes your personal data is processed for and their corresponding legal basis. The overview follows three categories of data subjects:

A) Citec website visitors

Processing your personal data is necessary for our legitimate interest based on your visits at our websites:

  • For analyzing and for compilation of statistics
  • To follow and analyze the website traffic
  • To develop the user experience of the website

Your personal data is processed for the following purposes, provided that you have given your consent for the processing:

  • For contacting the data subject
  • For marketing purposes, including direct marketing
  • Internal and external presentations, public marketing campaigns, in collections for the press marketing and for similar purposes e.g., on the company website

B) Customer and supplier representatives

Processing your personal data is necessary for the performance of the service contract your employer is a party to for the following purposes:

  • To perform engineering and technical documentation services to Citec’s customers and business partners, and to ensure good cooperation and communication between Citec and its business partners
  • Managing the contractual relationship and the rights and obligations of the parties to the contract
  • IT purposes, such as granting access rights to our data systems

Processing your personal data is necessary for our legitimate interest based on the contractual relationship your employer has concluded with us for the following purposes:

  • Invoicing purposes
  • IT purposes, such as collecting log data for the protection of our IT systems or maintaining IT-infrastructure and end user services
  • Customer surveys, such as pulse surveys and other customer opinion surveys
  • To develop the customer service and business
  • For follow-up and for compiling statistics and lessons learned regarding e.g., nonconformities
  • For marketing purposes, including direct marketing
  • Support services, such as responding to inquiries, providing information and assistance, and resolving disputes
  • Other business purposes such as corporate governance and compliance

Processing your personal data is necessary for complying with legal obligations we are subject to for the following purposes:

  • Administration of possible insurance claims
  • Handling processes required by law or for compliance with legally mandated policies and procedures, such as administrating a whistleblowing and other compliance channels

C) Potential customer representatives

Processing your personal data is necessary for our legitimate interest:

  • To make offers on Citec’s services
  • For marketing purposes, including direct marketing

D) Citec office premises visitors

Processing your personal data is necessary for our legitimate interest for the following purposes:

  • Securing the office premises by issuing employee identification cards or by camera surveillance

Processing your personal data is necessary for complying with legal obligations we are subject to for the following purposes:

  • Administration of possible insurance claims
  • Other safety reasons such as verifying the number of people present at the building in cases of emergency

4. Information sources of personal data

As a rule, personal data is collected directly from the data subject. However, some personal data is collected from third parties, such as:

  • From the organization represented by the data subject, for example in connection with an offer request
  • Data is also collected when ordering newsletters, when downloading manuals, when leaving a contact request, and when using web services (e.g., the websites and social media of the Registrar) and cookies or from data collected when participating in other events. Data may be collected also from public resources such as media, exhibitions or similar events, as well as from market intelligence tools and services
  • From other Citec companies in case the data subject has given the data to one Citec company, but the data is used for the same commercial purposes of processing in another Citec company
  • Camera surveillance in certain Citec office locations

In addition, personal data is collected via processes that are required by law or for compliance with legally mandated policies and procedures, such as via whistleblowing and other compliance channels.

5. Retention of personal data

We store your personal data only for as long as necessary for achieving the purposes defined above and to comply with applicable mandatory legislation. The retention time is defined with the following outset, but you can always be in touch with our contact person mentioned in section 1:

  • Data from Citec website users: if you disclose your personal data at Citec websites, this is stored as long as the data is needed for fulfilling your requests and after that as long as permitted by applicable law
  • Customer and supplier representatives’ personal data: as long as the contract between Citec and Citec’s customer/supplier demands retention of your personal data and after that as long as permitted or required by applicable law
  • Potential customer’s representatives’ personal data: as long as you are ordering Citec Newsletter and after that as long as the personal data is registered in Citec CRM tool as an active data, however not exceeding the permitted retention time under applicable legislation
  • Data from Citec office premises visitors: 90 days where an electronic recording system is in use. Otherwise, the data is not stored

Outdated and unnecessary information will be destroyed in a data secure manner. We evaluate regularly whether the data is up to date.

6. Automated decision-making and profiling

We do not use automatic decision-making or profiling in the processing of your personal data.

7. Recipients of personal data

We use service providers that assist us in achieving the purposes for processing your personal data mentioned above. For this reason, they receive personal data to the extent necessary for fulfilling these purposes. Such service providers are our contractual partners that process personal data on our behalf, and to ensure safe processing of personal data we have Data Processing Agreements in place with them. These partners provide us with:

  • Leadfeeder (Liidio Oy)
  • Google Analytics (Google LLC)
  • MailChimp (Rocket Science Group LLC)
  • Microsoft Corporation
  • eCraft Oy Ab
  • IT services, such as Fujitsu Finland Oy
  • Epicor Software Finland Oy and their service providers
  • Insurance services, such as IF, AIG in case any claim is made in connection with the operations described in this privacy policy
  • Invoicing services, such as Basware Plc

In some cases, personal data is disclosed to those that process it as data controllers for their own purposes instead of on our behalf. Appropriate agreements are in place with such parties:

  • Citec group companies
  • In some cases, personal data may be requested by judicial authorities or law enforcement agencies in the context of legal investigations.

8. Transfer outside EU/EEA

In some exceptional cases we transfer personal data outside the EU/EEA. These transfers adhere to the standard contractual clauses drafted by the European Commission. You can find the copy of such clauses here: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en

9. Your rights as data subject

Under the General Data Protection Regulation, you are granted the rights listed below. The rights granted to you in each specific case depend on the legal basis used for each of the processing activities.
Should you wish to use your rights as a data subject, please contact the contact person mentioned in section 1. We may have to request some additional information in order to confirm your identity before fulfilling your rights.

A) Right to access

You have a right to know whether we process your personal data and if we do, you have the right to access your data. However, the right of access can be limited by legislation or to protect the privacy of other people.

B) Right to have inaccurate personal data rectified

Should your personal data be inaccurate or incomplete, you have a right to have it rectified. If your data has been shared with third parties, we will take reasonable steps to inform them of the rectifications where possible.

C) Right to erasure

In certain cases, you have a right to request erasure of your personal data. However, such right can be limited by legislation.

D) Right to object to processing of personal data

You have a right to object to the processing of your personal data when it is processed based on our legitimate interest or public interest grounds. The right can be restricted by overriding compelling legitimate grounds.

E) Right to restrict processing

In certain circumstances, you have the right to restrict the processing of your personal data which means that we will not be using your data but only storing it. This right is alternative to erasure, and it applies e.g., when you have contested the accuracy of your personal data and we are verifying the accuracy of your data.

F) Right to data portability

You have a right to receive a copy of the personal data you have provided to us in a commonly used electronic format. The right applies only to personal data we process based on your consent or performance of a contract.

G) Right to withdraw your consent

You may, at any time, withdraw your consent to processing of your personal data.

H) Right to lodge a complaint with a supervisory authority

You have a right to lodge a complaint with a supervisory authority in the Member State of your habitual residence, place of work, or place of the alleged infringement if you consider that the processing of your personal data infringes the EU General Data Protection Regulation. For data protection authority in Finland see www.tietosuoja.fi

10. How we protect your personal data

Protecting your personal data is paramount for us. We apply appropriate technical and administrative safeguards to prevent any loss, misuse or unlawful access to your data. All manual material is stored in a locked space and can be accessed only by authorized people.
Data stored in electronic systems is protected by firewalls, passwords and other technical solutions. Access to personal data is limited by access control measures and those involved in processing personal data are bound by confidentiality obligations. Special categories of data are subject to stricter access controls and security measures.

12. Changes in the privacy policy

We are constantly developing our business and therefore reserve the right to make changes to this privacy policy by informing about this on this website. Changes may also need to be made because of changes in the applicable legislation. We recommend the users to familiarise themselves with the privacy policy on a regular basis.