Privacy statement

On this page, you will find the register descriptions of the customer and marketing register in accordance with the Privacy Policy.

Privacy statement regarding Comatec Group, Insinööritoimisto Comatec Oy and the customer register of subsidiaries

1a Controller

Controller name: Insinööritoimisto Comatec Oy (Business ID: 0946936-6)
Address: Kalevankatu 7 C, 33100 Tampere, Finland
Other contact information: Tel. +358 29 000 2000

2 Contact person

Controller name: Janne Lammela, Chief Information Officer
Address: Kalevantie 7 C, 33100 Tampere, Finland
Other contact information: Tel: +358 40 621 3156, email: janne.lammela@comatec.fi

3 Register name

This privacy statement describes how Comatec Group, Insinööritoimisto Comatec Oy and its subsidiaries (hereinafter referred to as “Comatec” or “the controller”) process personal data. This privacy statement is applied to all processing of personal data, whether data is processed in connection with maintaining Comatec’s website, tending to customer relationships, or the products and services Comatec offers.

4 Purpose and basis of processing personal data

The purposes (and legal grounds, given in brackets) for processing personal data are as follows:

Delivery of products and services, concluding contracts with customers, order management (contractual relationships or preparation thereof)
Customer service and communications, customer satisfaction surveys (legitimate interest)
Invoicing, making decisions regarding credit, debt recovery (legitimate interest)
Marketing and direct marketing, see marketing privacy statement for more information
Development of the controller’s products and services (legitimate interest)
Managing stakeholder relations and collaborating with subcontractors and service providers (legitimate interest, contractual relationship or preparation thereof)
Improving the user experience of Comatec’s website and other services, monitoring traffic (user consent)
Internal and group-level reporting and other administrative work (compliance with legal obligations)
Managing warranty and product liability matters, handling complaints, managing legal and administrative procedures (compliance with legal obligations)
Preventing and investigating misuse, ensuring the security of information, persons and property (legitimate interest)
Meeting other legal obligations (e.g. accounting- or taxation-related obligations) and compliance with reporting obligations

When processing data on the basis of legitimate interest, Comatec assesses the potential advantages and disadvantages the processing may cause to the data subject and ensures that the rights and interests of the data subject do not override the legitimate interest. Upon request, Comatec will provide more information on how information is processed based on legitimate interest.

5 Content of the register

The register may contain the following data or information that is necessary for identifying data subjects, as well as other data or information regarding contact persons of customer organisations necessary for fulfilling the purpose of the register:

contact details, such as names, addresses, phone numbers, email addresses, information regarding a persons’ position in the company, and native language.
Information on communications, meetings and participation in events (customer organisations).
In addition to the information listed above, the following data or information regarding customers who have purchased a product and/or service may be processed in the register: invoicing and payment information, order information, customer feedback, other communications and complaints.

6 Regular sources of information

Data and information on the data subjects is collected from customer organisations, potential customer organisations or stakeholders themselves when a data subject purchases or orders Comatec’s products or services for themselves or on behalf of the organisation they represent, in connection with other communication by telephone, using the internet or via email in connection with marketing activities, such as events. Sometimes information may also be collected from Posti’s address information system, contact lists of telephone companies and other corresponding private or public registers.

7 Regular disclosure of data

Personal data may be transferred with the controller between companies belonging to the group in accordance with the applicable data protection legislation and for the purposes described in this privacy statement.

Various service providers and other third parties, such as providers of technical solutions, server space or accounting and financial services, may also be contracted to process personal data. Group companies may also process personal data on each other’s behalf.

Comatec ensures that all processing parties sign relevant agreements as required by the applicable data protection legislation.

Personal data may be disclosed to third parties if so required by law or by a public authority, or in situations where disclosure is necessary to prevent or investigate any misconduct or ensure security. Personal data may also be disclosed to third parties in connection with trials or other legal proceedings. If an invoice is left unpaid, individual data may be disclosed to debt collection companies.

If the controller or a company belonging to the same group as the controller is involved in a merger, asset purchase or other business arrangement, personal data may be disclosed to other parties of the arrangement or parties that provide assistance for the purposes of the arrangement.

Additional information on the recipients of personal data can be provided upon request.

8 Transfer of data outside the EU or EEA

Data is not regularly transferred or disclosed outside the European Union or the European Economic Area. However, service providers involved in the processing of personal data may be established outside the European Union or the European Economic Area and may therefore transfer personal data to third-party countries.

When data is transferred outside the EU or the EEA, Comatec will ensure that it is adequately protected. This is done by agreeing on matters related to the processing of personal data in accordance with the applicable data protection legislation, e.g. using standard contractual clauses approved by the European Commission or other measures based on the adequacy decision given by the European Commission, among other things.

Comatec will provide additional information on the transfer of personal data and associated data protection mechanisms upon request.

9 Retention of personal data

Comatec will only retain personal data for as long as is necessary to fulfil the purposes set out in this privacy statement. In addition to this, data will always be retained for the period required by law (e.g. legislation regarding accounting or reporting obligations), or any period of time required for the purposes of ongoing litigation or a similar dispute resolution process. As a general rule, Comatec will retain customer data for a period of 10 years after the latest sale or other form of contact with the customer. After this, the personal data will be either deleted or anonymised without unreasonable delay.

Additional information on the retention of personal data is provided upon request.

10 Automated decision-making and profiling

Comatec does not use automated decision-making, nor does it profile its customers.

11 Data protection principles

Manual data

Comatec does not collect manual data on its customer organisations, potential customer organisations or other stakeholders.

Electronic data

Only employees who are permitted to process the data as a part of their duties are permitted to use the register. Personal data stored in an electronic form is protected on an adequate level with firewalls and other technical measures, such as usernames and passwords.

12 Rights of the data subject

Additional information on the rights of data subjects can be found in the marketing privacy statement below.

Privacy statement regarding Comatec Group, Insinööritoimisto Comatec Oy and subsidiaries’ marketing register

1a Controller

Controller name: Insinööritoimisto Comatec Oy (Business ID: 0946936-6)
Address: Kalevankatu 7 C, 33100 Tampere, Finland
Other contact information: Tel. +358 29 000 2000

2 Contact person

Controller name: Janne Lammela, Chief Information Officer
Address: Kalevantie 7 C, 33100 Tampere, Finland
Other contact information: Tel: +358 40 621 3156, email: janne.lammela@comatec.fi

3 Register name

4 Purpose and basis of processing personal data

Group of data subjects	Data used to	Basis for data processing
Newsletter subscribers	Deliver newsletters and provide information on services, for marketing purposes and for generating statistics regarding newsletters.	Legitimate interest
Contact persons for customer organisations (including potential customers)	Deliver newsletters, for generating statistics regarding newsletters, for customer satisfaction surveys and other surveys, as well as communicating information regarding services and for marketing purposes.	Legitimate interest
Stakeholders	Communicate information on issues related to Comatec or Comatec’s services, for marketing purposes, as well as for surveys and for generating statistics regarding communications.	Legitimate interest
Event participants	Communicating information related to events organised by Comatec, as well as for the technical organisation of these events. The data is also used for communicating information regarding services, for conducting surveys, and for generating marketing-related and communication-related statistics.	Legitimate interest

5 Content of the register

The register may contain the following data or information that is necessary for identifying data subjects, as well as other data or information necessary for fulfilling the purpose of the register, including but not limited to the following:

Contact details, such as names, addresses, phone numbers, email addresses, information regarding a persons’ position in the company, and native language.
Data related to marketing and communications activities, such as consent given, historical information on previous campaigns or newsletters (customer organisations, newsletter subscribers, potential customer organisations, stakeholders).

6 Regular sources of information

7 Regular disclosure of data

Various service providers and other third parties, such as providers of technical solutions or server space, may also be contracted to process personal data. Data may be transferred to an external service provider for the purposes of conducting customer and market surveys or other similar surveys on behalf of Insinööritoimisto Comatec Oy and its subsidiaries, for example. Group companies may also process personal data on each other’s behalf.

Comatec ensures that all processing parties sign relevant agreements as required by the applicable data protection legislation.

Additional information on the recipients of personal data can be provided upon request.

8 Transfer of data outside the EU or EEA

Comatec will provide additional information on the transfer of personal data and associated data protection mechanisms upon request.

9 Retention of personal data

Comatec will only retain personal data for as long as is necessary to fulfil the purposes set out in this privacy statement. In addition to this, data will always be retained for the period required by law (e.g. legislation regarding accounting or reporting obligations), or any period of time required for the purposes of ongoing litigation or a similar dispute resolution process. As a general rule, Comatec will retain marketing-related data for 10 years after the latest sale or other form of contact with the customer. After this, the personal data will be either deleted or anonymised without unreasonable delay.

Additional information on the retention of personal data is provided upon request.

10 Automated decision-making and profiling

Comatec does not use automated decision-making, nor does it profile its customers.

9 Data protection principles

Manual data

Comatec does not collect manual data on its customer organisations, potential customer organisations or other stakeholders.

Electronic data

Electronic files are stored on a server that is kept in a locked room, accessible only to designated persons who are authorised to access the room for the purpose of fulfilling their professional duties. Only persons who need the data to fulfil their professional duties are permitted to access the data stored in the system. The infrastructure is protected with firewalls and other adequate technical security measures, such as usernames and passwords.

10 Rights of the data subject

Data protection legislation awards all data subjects certain rights with respect to their own personal data. However, these rights are applied depending on the purpose for and context in which the personal data is used.

Right of access. Data subjects have the right to receive confirmation on if their data is being processed, as well as to receive other information regarding the processing of their personal data as laid down in the applicable data protection legislation. The data subject is entitled to receive a copy of the personal data being processed.
Right to rectification. Subject to certain limitations, data subjects have the right to request that any inaccurate or incorrect data be corrected or deleted.
Right to erasure. In accordance with the provisions of the applicable data protection legislation, data subjects have the right to request that their personal data be erased. Unless Comatec is required by law or other exceptional circumstance to retain the personal data, it will delete data subjects’ personal data upon request.
Right to restrict processing. Within the conditions laid down in the applicable data protection legislation, data subjects have the right to request that the processing of their personal data be restricted.
Right to data portability. Data subjects have the right to request that their personal data be transferred to another controller. The right to data portability generally applies to personal data that the data subject has given to the controller in a structured, machine-readable format and is processed on the basis of the data subject’s consent or on the basis of a contract or agreement, and/or data that is processed automatically.
Right to object. Under the conditions set out in the applicable data protection legislation, data subjects have the right to object to the processing of their personal data on the basis of legitimate interest, including profiling. Comatec may refuse such a request if the processing is necessary in order to fulfil the compelling legitimate interests of the controller or a third party. However, data subjects are always entitled to object to the processing of their personal data for the purposes of direct marketing or profiling in connection with direct marketing.
Right to withdraw consent. If personal data is processed on the basis of the data subject’s consent, the data subject is entitled to withdraw this consent. Withdrawal of consent has no retroactive effect on any processing previously implemented.

Exercising data subjects’ rights

If you have any questions regarding the processing of your personal data, do not hesitate to contact us.

If you wish to make a request regarding your rights as a data subject, you can do so by letter or email using the contact details provided in this privacy statement.

Please be aware that we may require you to verify your identity before processing your request. All requests are answered without undue delay. Generally, you can expect an answer within a month of submitting a request and verifying your identity. If for any reason we cannot comply with your request, we will notify you of this separately.

11 Right to lodge a complaint with a supervisory authority

If a data subject considers their rights to have been breached or their personal data to have been processed in breach of applicable data processing legislation, they are entitled to lodge a complaint with a supervisory authority.

The contact details of the Finnish data protection authority can be found here.