Privacy policy

The purposes (and legal bases) for processing personal data are as follows:

• The VastuuKaista service enables a supplier's customer to provide partners with electronic information required by the contractual partner to fulfill the obligation under the Consumer Liability Act (22.12.2006/1233) toward the end user. The service facilitates compliance with statutory requirements and the transmission of data about the customer's responsible persons to third parties, e.g., in procurement and contract processes. (legitimate interest)
• Development of the controller's products and services (legitimate interest)
• Profiling of companies that use the service (legitimate interest)
• Customer service, communication, and customer satisfaction surveys (legitimate interest, consent, contractual relationship)
• Payment, invoicing, credit decisions, and debt collection (legitimate interest)
• Enhancing the user experience of our website and other services, and monitoring user behavior (consent)
• Internal reporting and other administrative tasks (compliance with legal obligations)
• Handling warranty and liability matters, processing complaints, and managing legal proceedings and authority procedures (compliance with legal obligations)
• Preventing misuse and investigating it, as well as ensuring information security, personal safety, and property security (legitimate interest)
• Fulfilling other statutory obligations (e.g., accounting and tax-related tasks) and reporting requirements

When processing personal data based on a legitimate interest, we assess the benefits and potential risks to the data subject. We have evaluated that the data subject's rights and interests do not override the legitimate interest. We provide additional information about data processing based on a legitimate interest upon request.

Data category	Data examples
Data about the responsible persons of the company related to the service	Name, Contact information, Date of birth, Personal identifier, Nationality, Place of residence, Position in the company, Tax information, and Information on potential business restrictions.
Data about the company related to the service	Business ID, liability insurance information and information about Transport License.
Other data related to the service	Data related to customer service and communications, as well as data related to payments and invoicing. Payment services for the service are provided by Stripe Payments Europe Ltd., whose processing of personal data is available at: www.stripe.com/fi/privacy
Data concerning the use of websites and other electronic services:	IP address, Identification data for electronic communication, Search and browsing data, and Browser and operating system data, Registration data

The Data is collected from external services, such as the business information service maintained by the Patent and Register Office and the business restriction register of the Legal Register Centre. We also obtain data directly from the tax authority.

We collect personal data directly from the data subject, for example, during transactions, or when a company joins our service or is otherwise in contact with us.

We retain personal data for as long as necessary to fulfill the purposes defined in the privacy policy and always for the time required by law. Personal data is stored in the service for up to three months from the date of submission, in accordance with the Contractor's Obligations Act. After this period, the data will be deleted or anonymized.

The customer may save the data required by the Contractor's Obligations Act within the service. According to the Act, the customer must retain the relevant documents and evidence for at least two years after the contract work has ended. The processing of the customer's personal data is subject to the customer's privacy policies.

We provide additional information about data retention practices upon request.

In the processing of personal data, we may use various service providers and other third parties, such as providers of technical solutions or server space, payment service providers, or accounting and financial management service providers. We ensure that agreements required by data protection laws are in place with the parties we use for processing personal data.

Reporting data related to the contractor's obligations of the VastuuKaista service may be shared with intermediary companies and transportation service provider organizations, such as wellbeing areas.

Personal data may be disclosed to third parties in cases required by law or by authorities, to investigate misuse, ensure security, or in the context of legal proceedings or similar legal processes.

If the data controller is involved in a merger, acquisition, or other business arrangement, personal data may be shared with the parties to the arrangement or with supporting parties in the arrangement.

We provide additional information about the recipients of personal data upon request.

Service providers involved in the processing of personal data may be established outside the European Union or European Economic Area or may transfer personal data to so-called third countries. When data is transferred outside the European Union or European Economic Area, the company ensures an adequate level of protection for personal data, for example, by concluding agreements on matters related to the processing of personal data in a manner required by data protection legislation, such as using standard contractual clauses approved by the European Commission or relying on the European Commission's decision on the adequacy of protection.

We provide additional information about data transfers and the safeguards used upon request.

Inferences and conclusions can be drawn from the data collected in the VastuuKaista service, such as a company's reliability, solvency, or other matters required by the Contractor's Obligations Act.

Data processing may also include profiling. In such cases, a company can be assessed based on data regarding its characteristics, operations, or financial situation. Profiling ensures that the service's operations comply with the requirements of the Contractor's Obligations Act and other applicable legislation.

Profiling and automated decision-making occurring in the VastuuKaista service apply only to the evaluation of companies that use the service. The processing of personal data is limited to identifying responsible persons and checking business bans, and individual registered persons are not profiled or subject to automated decisions.

Security and protecting personal information are of utmost importance to us. We employ appropriate technical and organizational measures to safeguard personal data. We also ensure the fault tolerance of our systems and the ability to recover data. Access to personal information is restricted to authorized parties only. Parties handling personal data are bound by confidentiality obligations regarding the processing of personal information.

Individuals have rights regarding their data by data protection legislation. The application of these rights in each specific situation depends on the purpose and context of the personal data processing.

• Right to access personal data: Individuals have the right to confirm whether their data is being processed and to obtain additional information about the processing, as per data protection legislation. Individuals have the right to receive a copy of their data.
• Right to rectify personal data: Individuals have the right, with certain restrictions, to request the correction or deletion of inaccurate or incomplete information.
• Right to erasure of personal data: Individuals have the right, by data protection legislation, to request the deletion of their data. We will comply with the request unless there are legal or other applicable exceptions that require us to retain the data.
• Right to restrict processing: Individuals have the right, by data protection legislation, to request the restriction of processing in certain situations.
• Right to data portability: Individuals have the right to request the transfer of their data to another controller. This right generally applies to data provided by the individual in a structured, machine-readable format, processed based on consent or a contract, and/or processed automatically.
• Right to object processing: The data subject has the right to object to the processing of personal data based on legitimate interests, including profiling, in accordance with the requirements of data protection legislation. We may refuse the request if there is a significant and justified reason that overrides the data subject's interests, rights, and freedoms. However, the data subject always has the right to object to processing for direct marketing purposes and to profiling related to direct marketing.
• Right to withdraw consent: If the processing of personal data is based on the individual's consent, they have the right to withdraw that consent at any time. Withdrawal of consent does not affect processing performed before the withdrawal.

Exercising your rights

We hope that you will contact us if you have any questions regarding the processing of your personal data.

You can submit a request regarding the data subject's rights by post or email using the contact details mentioned in this privacy notice.

The identity of the requester can be verified before the request is processed. The request will be answered within a reasonable time, typically within one month from the date of submission of the request and the verification of the identity. If the request cannot be granted, a separate notice will be sent regarding the refusal.

The data subject has the right to complain to the competent data protection authority if they believe that their data has been processed in violation of data protection legislation. You can find the contact information for the Finnish Data Protection Authority at https://tietosuoja.fi/yhteystiedot