Turku Chamber of Commerce processes personal data in a careful and appropriate manner. We value our customers’ privacy and strive to be as transparent as possible in terms of privacy protection. The operations of Turku Chamber of Commerce are regulated by the Finnish Act on Chambers of Commerce (878/2002). Turku Chamber of Commerce processes personal data to perform duties assigned to it in the Act on Chambers of Commerce and to produce services, such as training and communication services, and events related to memberships or customer relationships.

Our privacy statement describes how Turku Chamber of Commerce processes personal data.

The statement lays out our principles for collecting, using, disclosing, transferring, and storing customer data.

PRIVACY STATEMENT IN COMPLIANCE WITH THE GENERAL DATA PROTECTION REGULATION (EU)

Created 16 May 2018

Data controller

Turku Chamber of Commerce, including its branches in Loimaa, Salo and Uusikaupunki (business ID 0142262-7), and

Turun Viestintäkamari Oy (business ID 1000161-3) hereinafter “the data controller”

Puolalankatu 1, 20100 TURKU

02 2743400, kauppakamari@turku.chamber.fi

Contact person

Satu Lehenberg

Puolalankatu 1, 20100 TURKU

02 2743400, kauppakamari@turku.chamber.fi

Name of register

Member, customer and marketing register

Purpose of processing personal data and legal basis for processing referred to in article 6 of EU GDPR

The member and customer register maintained by Turku Chamber of Commerce, its branches and subsidiary Turun Viestintäkamari Oy, a provider of training and communication services, contains information on the contact persons of Turku Chamber of Commerce’s member companies and customers. “Member” refers to the contact persons of Turku Chamber of Commerce’s member companies or communities.

“Customer” refers to the contact persons of companies or communities with whom the data controller has a customer relationship or other appropriate relationship.

“Potential customer” refers to the contact persons of companies or communities with whom the data controller is aiming to establish a customer relationship.

“Stakeholder” refers to the contact persons of companies or communities with whom the data controller has a cooperative relationship or other appropriate relationship, for example, media representatives.

The Chamber of Commerce processes personal data to perform duties assigned to it in the Act on Chambers of Commerce. Personal data are processed in order to execute a membership agreement concluded between the data controller and the data subject and to maintain and analyse the member relationship. Personal data may be processed in order to provide member benefits and training and communication services. The data controller may use personal data to communicate with its members and to communicate about and develop its services.

The data controller may also use personal data to manage or develop its customer or stakeholder relationships and to manage orders, registrations, contact requests, customer service, marketing, reporting, and other tasks related to the management of customer relationships. The purpose of processing personal data is to manage contact details and other communication and marketing measures. In addition, the purpose of processing personal data is to pay or collect payments, rewards, and compensations and to carry out surveys, statistics, and studies.

The legal basis for processing personal data is the execution of agreements and fulfilment of business-related legitimate interest, including direct marketing and sales as well as customer service for non-customers.

Personal data may also be processed on the basis of the consent given by the person concerned.

The processing of personal data is necessary in order to carry out the legitimate interests of the data controller or a third party, except when the interests or fundamental rights of the data subject requiring the protection of personal data surpass such interests.

In order to fulfil their membership-related contractual rights, the data controller must be allowed to process personal data. If Turku Chamber of Commerce is not allowed to process the necessary personal data, it is unable to offer member benefits to its members or their contact persons.

Service transaction data processed in the register may be used in profiling and targeted marketing and customer communication.

Data retention period

Personal data is retained until the expiry of the basis for processing personal data referred to in the privacy statement and for a reasonable time after the expiry, taking into account binding legislation, for example, accounting legislation. Personal data is retained until the end of the member or customer relationship or other similar relationship.

Data subject categories, data content and personal data categories in the register

The data controller processes the data of the contact persons of the data controller’s member organisations who have used the services or attended events or contact persons of non-members who have purchased the services or who are potential customers.

Register data content: basic information, company/organisation name, first and last name, position, contact details (telephone number, email address, address) and employment history of the contact person, start and end date of the person’s appointment as a contact person, website addresses, IP addresses, social media credentials, information of ordered services, invoicing addresses and other information related to the customer relationship and ordered services, event participation information, information on sent and opened messages and invitations, content of discussions, interests, and posting bans.

The data controller may process the basic information of data subjects who have signed up for events or training courses: first and last name, position, contact details, and, if necessary, date of birth and other relevant information provided by the data subject, such as allergy information.

Regular sources of personal data

Personal data is collected directly from the data subject when they submit their membership application or order a service, and the data in question is collected via online forms, email, telephone, agreements, registrations, and other places where the customer discloses their data.

Personal data is also collected from public authorities, public registers and personal data directories, the media, and other sources, including online search engines and social media.

Disclosure of personal data

Personal data stored in the register may be disclosed within the Chamber of Commerce Group organisation and among stakeholders, for example, to Finland Chamber of Commerce. At the discretion of the data controller, personal data may be disclosed to our partners within the constraints imposed by the existing legislative framework, unless the data subject has prohibited the disclosure of their data. Data is only disclosed to our partners for purposes that support the basic principles of the register. Participant lists and participants’ contact details may be shared at events organised by the data controller.

Personal data stored in the register are also transferred to a named processor of personal data pursuant to a service agreement. The service agreement may concern, for example, technical management of personal data, analysis services, communication and campaigns, debt collection or direct marketing. The service agreement includes the required privacy protection appendices, and the data controller ensures that the processor protects the transferred personal data in compliance with the General Data Protection Regulation.

Transfer of personal data to countries outside the EU or EEA

In principle, the data controller will not transfer personal data to countries outside the EU or EEA and it strives to use service providers within the EU. If personal data is transferred to countries outside the EU or EEA, the data controller shall ensure that there are legal grounds for the transfer of data and that the data are protected by implementing standard agreements approved by the competent authorities and appropriate technical measures.

Register protection

The register is used with care, and appropriate measures are taken to protect any data processed using information systems. Electronically processed personal data are protected by implementing firewalls, passwords, and other technical measures universally acceptable in the data security industry. Manually maintained material is stored in secure rooms that can be locked and accessed only by authorised persons.

Only specified employees representing the data controller or a company commissioned by and acting on behalf of the data controller may access data stored in the register. Backup copies are made in a secure manner and all data is always retrievable.

Rights of data subjects

A data subject has the right to:

Access the personal data collected of the data subject. The data subject may send the data collector a written request for their data. The data controller must provide a report of the collected data within one (1) month.
Request the rectification of their data in writing
Request the erasure of their data. The data controller is obliged to erase the data if one of the following applies:

*the personal data is no longer needed for the purposes they were originally collected for

*the data subject withdraws their consent

*the data subject objects to the processing of their data and there are no reasonable grounds for the processing or the data subject objects to the processing of their data for direct marketing

*the personal data have been processed contrary to law

*the personal data must be erased in order fulfil a legal obligation

*the personal data have been collected in connection with information society services

Request the restriction of the processing of personal data
Transfer personal data to another system
In so far as personal data are processed on the basis of the consent of the data subject, the data subject shall always have the right to withdraw their consent without it having an impact on the legality of the processing of data performed before the withdrawal of consent.
Complain about the processing of their data to the Office of the Data Protection Ombudsman

This privacy statement is available online.

PRIVACY STATEMENT/Member representatives and experts Data controller

Turku Chamber of Commerce, including its branches in Loimaa, Salo and Uusikaupunki

Turun Viestintäkamari Oy, hereinafter “the data controller”

Puolalankatu 1, 20100 TURKU

02 2743400, kauppakamari@turku.chamber.fi

Contact person

Satu Lehenberg

Puolalankatu 1, 20100 TURKU

02 2743400, kauppakamari@turku.chamberfi.fi

Name of register

Member representative and expert register

Purpose of processing personal data and legal basis for processing referred to in article 6 of EU GDPR

“Member representative” refers to the members of the board, council and committees of Turku Chamber of Commerce and its branches who represent the data controller’s member companies. “Expert” refers to external experts who have given lectures or facilitated training sessions at the data controller’s events.

Personal data of member representatives are processed to perform duties assigned to the Chamber of Commerce in the Act on Chambers of Commerce. Personal data may be processed to perform actions relevant to the duties of member representatives or experts, including registrations, contact requests, customer service, marketing and

reporting. The purpose of processing personal data is to manage contact details and other communication and marketing measures. In addition, the purpose of processing personal data is to pay or collect payments, rewards, and compensations and to carry out surveys, statistics, and studies.

The legal basis for processing personal data is the need to execute agreements or preceding measures. Personal data may also be processed on the basis of the consent given by the person concerned. In order to act as a member representative or expert, one’s personal data must be processed.

Data retention period

Personal data is retained until the expiry of the basis for processing personal data and for a reasonable time after the expiry, taking into account binding legislation, for example, accounting legislation. The name of member representatives and the start and end date of their position of trust shall be retained permanently.

Data subject categories, data content and personal data categories in the register

The data controller processes the data of the representatives of the data controller’s member companies who hold a position of trust. The data controller also processes the data of persons who act as experts at events organised by the data controller.

The data controller processes the basic data of data subjects, including: company/organisation name, first and last name, position, contact details (telephone number, email address, address) and employment history of the data subject, start and end date of the data subject’s position of trust, website addresses, IP addresses, social media credentials, meeting and event participation information, information on sent and opened messages and invitations, content of discussions, and posting bans.

The data controller may also process the social security number of experts and any information necessary for making payments, for example, an expert’s taxation information, bank account number and home address.

If a position of trust is recorded in a public register, a person’s social security number and home address may be processed as personal data.

Regular sources of personal data

Personal data is collected directly from the data subject via online forms, email, telephone, social media, agreements, registrations, and other places where the customer discloses their data. Personal data is also collected from public authorities, public company registers and directories, and other sources, including social media and websites.

Disclosure of personal data

Personal data stored in the register may be disclosed within the organisation and among stakeholders. At the discretion of the data controller, personal data may be disclosed to our partners within the constraints imposed by the existing legislative framework, unless the data subject has prohibited the disclosure of their data. Data is only disclosed to our partners for purposes that support the basic principles of the register. Personal data stored in the register are also transferred to a named processor of personal data. The service agreement may concern, for example, technical management of personal data, analysis services, communication and campaigns, debt collection or direct marketing.

Transfer of personal data to countries outside the EU or EEA

Register protection

Rights of data subjects

According to the General Data Protection Regulation (EU), data subjects have the right to access their data. All requests and complaints must be sent to the data controller in writing. The data controller is obliged to respond within one (1) month.

A data subject has the right to:

Access the personal data collected of the data subject. The data subject may send the data collector a written request for their data. The data controller must provide a report of the collected data.
Request the rectification of their data in writing
Request the erasure of their data. The data controller is obliged to erase the data if one of the following applies:

*the personal data is no longer needed for the purposes they were originally collected for

*the data subject withdraws their consent

*the data subject objects to the processing of their data and there are no reasonable grounds for the processing or the data subject objects to the processing of their data for direct marketing

*the personal data have been processed contrary to law

*the personal data must be erased in order fulfil a legal obligation

*the personal data have been collected in connection with information society services

Request the restriction of the processing of personal data
Transfer personal data to another system
In so far as personal data are processed on the basis of the consent of the data subject, the data subject shall always have the right to withdraw their consent without it having an impact on the legality of the processing of data done before the withdrawal of consent.
Complain about the processing of their data to the supervisory authority.