Privacy policy

This is Ylva’s privacy policy compliant with the EU’s General Data Protection Regulation (GDPR). Drafted 21 September 2022. Last revision 21 September 2022.

1. Data controller
Ylva, Kaivokatu 10 A 3rd floor, 00101 Helsinki

2. Data protection officer
Kimmo Penninkilampi, kimmo.penninkilampi@ylva.fi, +358 50 355 9697

3. Filing system name
Ylva customer filing system

4. Legal basis and purpose of processing personal data
Data subject’s consent (documented, freely given, specific, informed and unambiguous).
The purposes of processing personal data are maintaining contact with customers and marketing. Personal data are not used for the purposes of automated decision-making or profiling.

5. Data content of the filing system
The following personal data are stored in the filing system: name, contact details (telephone number, email address), website addresses, IP address, information concerning ordered services and any changes therein, billing information and other information concerning the customer relationship and ordered services. Data are stored in the system for no more than 3 years. The IP addresses of website visitors and cookies that are essential to the function of the service are processed based on legitimate interest for purposes such as ensuring adequate data security and collecting statistical data concerning website visitors when such data can be considered to be personal data. In the event third-party cookies are used, visitors will be asked separately to accept said cookies.

6. Regular data sources
The data stored in the filing system are collected from the customer using email, telephone, social media services, contracts, messages sent via web form and during meetings with customers and other situations in which the customer discloses their data. Personal data belonging to the contact persons of companies and other organisations may also be collected from public sources, such as websites, directory services and other companies.

7. Regular disclosure of data and transfer of data outside the EU or EEA
Personal data are not regularly disclosed to third parties. Personal data may be published where such has been agreed upon with the customer. Personal data are not transferred to the United States without the express consent of the data subject.

8. Filing system protection principles
When processing data in the filing system, due care is observed and data processed using information systems is appropriately protected. Where data in the filing system are stored on web servers, appropriate measures are taken to ensure the physical and digital data security of the devices thereof. The data controller ensures that stored data, server access rights and other information critical to the security of personal data are processed confidentially and solely by personnel whose duties include such processing.

9. Right of access and right to rectification
All data subjects have the right to access their personal data stored in the filing system and demand to have any inaccurate or incomplete personal data rectified. In the event a data subject wishes to access their personal data in the filing system or demand to have it rectified, the request must be submitted in writing to the data controller. If necessary, the data controller may require the person submitting the request to prove their identity. The data controller shall respond to the customer within the timeframe prescribed by the General Data Protection Regulation (generally within one month).

10. Other rights related to the processing of personal data
The data subject has the right to have their personal data erased from the filing system (“right to be forgotten”). Likewise, the data subject has all other rights granted under the General Data Protection Regulation, such as the right to have the processing of their personal data restricted under certain circumstances. Please send any requests in writing to the data controller. If necessary, the data controller may require the person submitting the request to prove their identity. The data controller shall respond to the customer within the timeframe prescribed by the General Data Protection Regulation (generally within one month).

This content is published under the following terms: CC Attribution License

Back to top