Privacy Policy

Data Controller

Name of the Register

Wildfrost Oy customer and stakeholder register

Purpose and Legal Basis for Processing

• Managing customer relationships and customer service
• Invoicing and e-invoicing
• Purposes related to the data controller's products and services, such as developing, offering, delivering and marketing products and services
• Fulfilling the rights and obligations of the customer and the data controller
• Managing the relationship between a partner and the data controller

The legal bases for processing personal data are, depending on the purpose, the data controller's statutory obligations, contract, consent, and the data controller's legitimate interest.

The legitimate interest of the data controller serves as the legal basis when there is a relevant connection between the data subject and the data controller. Such a connection may arise, for example, when the data subject contacts the data controller on their own initiative, or when the data controller processes personal data in connection with business or cooperative activities between the data subject's employer and the data controller.

Personal data is processed on the basis of the data subject's consent. The data subject has the right to withdraw their consent to the processing of personal data at any time by contacting the data controller using the contact details provided in this privacy policy.

Data Contained in the Register

The register contains information about the data controller's customers, customer representatives and contact persons, as well as their contact details. At most, the following data may be processed for each purpose as necessary:

• Name
• Email address
• Phone number
• Organisation and position
• Organisation's billing and address details
• Organisation's e-invoicing addresses
• Information related to the customer relationship and subscription
• Website behaviour and analytics
• Participation in events

Retention Period of Personal Data

The data controller processes and retains personal data only for as long as is necessary for the predefined purpose of the personal data.

Personal data that has become unnecessary and for which the data controller no longer has grounds to retain or process will be deleted at regular intervals, at least once a year without prompting from the data subject, in accordance with the data controller's own data protection practices.

Sources of Personal Data

• Personal data has been obtained from the data subject themselves for the purpose of managing a customer or cooperative relationship
• From public and generally available sources such as the internet, the e-invoicing address directory, the Finnish Business Information System, and the Trade Register
• From a representative of the data subject's employer or another party in a customer, cooperative, or contractual relationship with the data controller

Disclosure and Transfer of Personal Data

As a rule, the data controller does not disclose personal data to third parties, unless authorities lawfully require it or mandatory legislation demands it. In addition, in connection with the technical implementation of its services, the data controller uses trusted service providers who process personal data on behalf of the data controller.

Personal data is not transferred outside the European Union or the European Economic Area. Any possible transfers of personal data are always carried out in compliance with applicable data protection legislation.

Protection and Data Security of the Register

Access to the register is restricted to those individuals who need the information in their work. Access management to information systems containing register data is implemented using MFA login, strong authentication, or both. Personal data may be processed in various information systems managed by either Wildfrost Oy or its partners.

The data controller is responsible for ensuring that the data controller's partners comply with data protection legislation.

Rights of the Data Subject

The data subject has the following rights, applied on a case-by-case basis:

• The right to access personal data
• The right to request rectification, erasure or restriction of processing
• The right to object to the processing of personal data in relation to their specific situation, when the data controller processes personal data on the basis of legitimate interest
• The right to lodge a complaint with the Office of the Data Protection Ombudsman, the supervisory authority for registers

Exercising Rights

The data subject may exercise their rights by contacting the data controller using the contact details provided in this privacy policy.