Privacy statement

On this page, you will find the register descriptions of the customer and marketing register in accordance with the Privacy Policy. Links to other Privacy Notices below.

Recruitment Privacy Notice

Customer and Marketing Register Privacy Notice of Comatec Group, Insinööritoimisto Comatec Oy and its subsidiaries

1. Controller and contact details

Insinööritoimisto Comatec Oy (Business ID: 0946936-6) and its subsidiaries (“Comatec”, the “controller”, “we”).

Information about Comatec Group and its group companies: Comatec Group (www.comatec.fi/comatec-group/)

Address: Kalevantie 7 C, 33100 Tampere, Finland

Comatec Group has shared data protection operations and a Data Protection Officer who acts as the contact person for data protection matters:

Email: dpo@comatec.fi

Tel.: +358 29 000 2000 (switchboard)

2. Scope of this privacy notice

This privacy notice describes how Comatec and its subsidiaries process personal data within Comatec Group in connection with our websites and the management of our customer relationships, the products and services we provide, and the processing of personal data related to marketing.

The controller is the Comatec Group company that, in each case, is responsible for the relevant customer relationship, products and/or services and/or marketing measures. Regarding the Comatec Group websites, the controller is Insinööritoimisto Comatec Oy.

3. Purposes and legal basis for processing personal data

The purposes (and the legal bases in parentheses) for processing personal data are:

  • delivery of products and services, entering into customer agreements and handling orders (legitimate interests of the controller)
  • customer service and customer communications, responding to enquiries and customer satisfaction surveys (legitimate interests of the controller or the data subject’s consent)
  • invoicing, credit decisions and debt collection (legitimate interests of the controller)
  • marketing and direct marketing measures, such as delivering newsletters and informing about services, as well as related statistics and monitoring (legitimate interests of the controller or the data subject’s consent)
  • customer satisfaction and feedback surveys (legitimate interests of the controller or the data subject’s consent)
  • development of the controller’s products and services (legitimate interests of the controller)
  • organising events and functions
  • improving the user experience of our website and other services and monitoring user traffic (data subject’s consent)
  • internal and group-level reporting and other administrative measures (legitimate interests of the controller and, in certain respects, compliance with a legal obligation)
  • handling warranty and liability matters, processing complaints and managing litigation and authority proceedings (legitimate interests of the controller and, in certain respects, compliance with a legal obligation)
  • preventing and investigating misuse, and ensuring the operation of the website, information security, and the safety of persons and property (legitimate interests of the controller)
  • fulfilling other statutory obligations (e.g. accounting and taxation related measures) and reporting obligations (compliance with a legal obligation)

When we process personal data on the basis of legitimate interests, we assess the benefits of the processing and the potential adverse impact on the data subject, and we have assessed that the rights and interests of the data subjects do not override our legitimate interests. As a rule, our legitimate interests are based on conducting, promoting and developing our business and ensuring the security of our company. Upon request, we will provide further information on the processing of personal data based on legitimate interests.

4. Content of the register (categories of personal data processed)

We may process the necessary identification data of the data subject as well as other data necessary for the purposes of processing, such as:

  • contact details of a customer / potential customer and its representative, such as name, address, phone numbers, email addresses, position in the company and native language
  • information related to managing the customer relationship and delivering products /services, such as customer number and invoicing details and history
  • information related to implementing marketing and communications, such as consents given, historical data on campaigns or newsletters sent (applies to customer organisations, newsletter subscribers and potential customer organisations) and related monitoring and statistical data
  • responses to surveys and feedback (insofar as they can be linked to the data subject)
  • event registrations and other necessary information concerning events, such as information on special diets
  • data collected by cookies used on our website, such as IP address and other data collected by cookies (to the extent enabled by the cookie choices made).

In addition, in certain cases the data processed may include personal data of Comatec employees and employees acquired through subcontracting insofar as they relate to customer relationship management, sales, contracts and customer work.

Providing personal data is not a statutory or contractual requirement; however, providing certain personal data is a prerequisite for entering into an agreement between us and the organisation represented by the data subject and for delivering our products and services.

With regard to cookies on our website, further information is available in the cookie notice on our website.

5. Regular sources of data

Data concerning the data subject are collected from representatives of customer organisations, potential customer organisations or stakeholders themselves when the data subject purchases or orders our products or services on behalf of the organisation they represent, or in connection with other contact, for example by phone, via the internet, by email, or in connection with marketing measures such as events.

On a case-by-case basis, data may also be collected from Posti’s address information system, contact information registers of telephone companies, and other corresponding private and public registers.

In addition, data concerning the data subject may be collected via external service providers. Comatec may use an external calling service to contact potential customer organisations. The external service provider contacts potential customers on behalf of Comatec and delivers the data collected in connection with the contact to Comatec in a separate file. Comatec stores the received data in its own CRM system. The external service provider does not use Comatec’s CRM system but acts as a source of personal data.

If the data subject visits our website, data are collected via cookies used on our website to the extent enabled by the cookie choices made by the data subject.

6. Regular disclosures of data

Personal data may be disclosed between companies belonging to the same group as the controller in accordance with the requirements of data protection legislation for the purposes described in this privacy notice. In these situations, the basis for disclosure is legitimate interests (improving business efficiency and reducing overlapping processing activities).

We may also use various service providers and other third parties (so-called processors), such as providers of technical solutions or server capacity, or accounting and financial administration service providers, for the processing of personal data. Group companies may also process personal data on behalf of another group company.

We agree with our processors on the matters required by data protection legislation by way of contracts.

Personal data may be disclosed to third parties where required by law or by an authority, or for the purposes of investigating misuse and ensuring security. In addition, personal data may need to be disclosed in connection with court proceedings or similar legal proceedings. For debt collection measures related to unpaid invoices, individual data may be disclosed to the company carrying out the collection based on an assignment for that service.

If the controller or a company belonging to the same group is involved in a merger, acquisition, business transfer or other corporate arrangement, personal data may be disclosed to the parties to the arrangement or parties assisting in the arrangement.

Upon request, we will provide further information on recipients of personal data.

7. Transfers of data outside the EU or EEA

As a rule, data are not transferred or disclosed outside the EU or the European Economic Area. However, service providers involved in the processing of personal data may be established outside the European Union or the European Economic Area, or they may transfer personal data to so-called third countries.

When data are transferred outside the European Union or the European Economic Area, the controller ensures an adequate level of protection for personal data, among other things, by agreeing on matters related to the processing of personal data in the manner required by data protection legislation, such as by using standard contractual clauses approved by the European Commission or based on an adequacy decision of the European Commission.

Upon request, we will provide further information on transfers of personal data and the safeguards used.

8. Retention of personal data

Personal data are retained only for as long as necessary to fulfil the processing purposes described in this privacy notice or to comply with statutory obligations applicable to the controller.

Personal data related to customer relationships, sales and marketing are generally retained for a maximum of ten (10) years from the most recent sales transaction or other contact. Data may be retained for longer only if justified due to managing the customer relationship, continuity of sales, a legal claim or another statutory obligation, and provided that such retention is not in conflict with data protection legislation.

If the processing of personal data is based on the data subject’s consent, such personal data (e.g. personal data of newsletter subscribers) are retained for as long as the data subject’s consent remains valid.

Data collected for events and functions, such as information on special diets, are retained for a maximum of one year after the end of the event.

Personal data related to surveys and feedback are retained for a maximum of one year after the response is given.

Personal data that are no longer necessary for the purpose of processing are deleted or anonymised without undue delay, however no later than within 12 months from the date when there is no longer a basis for the processing.

Cookie-related data are retained as stated in the cookie notice on our website.

Upon request, we will provide further information on personal data retention practices.

9. Automated decision-making and profiling

We do not use automated decision-making, and we do not profile our customers.

10. Data subject’s rights

Data subjects have the rights regarding their personal data provided by data protection legislation. However, the applicability of these rights in each individual situation depends on the legal basis and purpose of processing and the circumstances.

Right of access. The data subject has the right to obtain confirmation as to whether personal data concerning them are being processed and the other information required by data protection legislation about the processing. The data subject has the right to obtain a copy of their personal data.

Right to rectification. Subject to certain limitations, the data subject has the right to request that inaccurate or incomplete data be corrected or erased.

Right to erasure. The data subject has the right, in accordance with the conditions of data protection legislation, to request the erasure of their personal data. Upon request, we will erase personal data unless legislation or another applicable exception under data protection legislation requires us to retain the personal data.

Right to restriction of processing. The data subject has the right, in accordance with the conditions of data protection legislation, to request restriction of the processing of personal data in certain situations.

Right to data portability. The data subject has the right to request that their personal data be transferred to another controller. As a rule, the right to data portability applies to personal data that the data subject has provided to the controller in a structured, commonly used and machine-readable format, where the processing is based on the data subject’s consent or a contract and/or where the processing is carried out by automated means.

Right to object. The data subject has the right, in accordance with the conditions of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if the processing is necessary for the purposes of compelling and legitimate interests pursued by the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and profiling related to direct marketing.

Right to withdraw consent. If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent to the processing of personal data concerning them. Withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

Exercising your rights

We hope you will contact us if you have any questions regarding the processing of your personal data.

You may submit a request relating to your rights as a data subject by post or by email using the contact details provided in this privacy notice.

The identity of the requester may be verified before the request is processed. We will respond within a reasonable time and, as a rule, within one month from the submission of the request and the verification of identity. If the request cannot be granted, we will notify you separately of the refusal.

11. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent data protection supervisory authority if the data subject considers that their personal data have been processed in violation of data protection legislation.

Contact details of the Finnish data protection authority can be found here: www.tietosuoja.fi/yhteystiedot

12. Updating this privacy notice

We may update the content of this privacy notice and our practices related to the processing of personal data if there are changes in our operations or in applicable legislation.

This privacy notice was last updated on 6.5.2026.