The purpose of this privacy policy statement is to provide data subjects with the information required by the information obligation of the EU General Data Protection Regulation (2016/679).

Date of creation 17 September 2019.

1. Controller
Kopiosto ry (0414755-2)
Hietaniemenkatu 2, FI-00100 Helsinki
tel. +358 (0)9 431 521, kopiosto(at)kopiosto.fi

Contact person in matters concerning the registry
Kirsi Salmela
Hietaniemenkatu 2, FI-00100 Helsinki
tel. +358 (0)9 431 521, kirsi.salmela(at)kopiosto.fi

Contact person in matters concerning data protection
Sami Kokljuschkin
Hietaniemenkatu 2, FI-00100 Helsinki
tel. +358 (0)9 431 521, sami.kokljuschkin(at)kopiosto.fi

2. Name of the registry
Customer registry of the ©-info icon

3. Data subjects
Customer communities of the ©-info icon and their contact persons.

4.  The purposes of the processing of personal data and the legal basis for the processing
The personal data are processed only for the following pre-defined purposes.

The personal data recorded in this registry is used for the establishment and maintenance of the customer relationship as well as other management of the customer relationship.

The processing of a data subject’s personal data is based on the customer relationship (subscription to the ©-info icon).

5. Data content of the registry
The following information on the customer communities can be stored:

  • community’s name, contact person’s name and email address
  • address of the website on which the ©-info icon is uploaded
  • information on the authors and copyright holders of the website’s contents
  • terms of use for different types of contents on the website

The following data can be stored as personal data:

  • contact person’s first and last name and email address

6. The retention period of the personal data
The personal data will be stored for the duration of the customer relationship of the customer community. The personal data will be deleted when the customer community stops using the ©-info icon and notifies Kopiosto or if Kopiosto notices that the customer community is no longer using the ©-info icon.

7. The rights of a data subject
Data subjects shall have the right to inspect any personal data on them stored in the registry and request the controller to rectify or complete any inaccurate or incomplete data.

Data subjects shall have the right to have any personal data on them removed from the registry. However, this shall not apply to such personal data that are necessary for performing the purposes of this privacy policy statement as defined by the controller or personal data the storage of which is required by law.

Data subjects shall have the right to object or restrict the processing of their personal data by the controller if the data subject considers this to violate the data protection law or occur without the authorisation to process certain personal data.

Data subjects shall have the right to receive the personal data submitted to the controller in a structured, commonly used and machine-readable format. Data subjects shall have the right to transfer these data to another controller if the legal basis of the processing of personal data is a consent or an agreement and the data are processed automatically.

If a data subject is of the opinion that the controller has processed personal data on them in violation of the data protection law, the data subject shall have the right to lodge a complaint with the competent supervisory authority (Office of the Data Protection Ombudsman).

Data subjects may exercise the rights defined in this chapter personally in the controller’s premises or by sending a letter signed in person to the contact person defined in chapter 1.

8. Regular sources of information
The data stored in the registry is obtained from the customer community and the data subject themselves.

9. Transfers of personal data to third parties and the processors of personal data
Kopiosto shall not transfer the personal data to third parties.

The controller may outsource the processing of personal data to a third party in part, in which case we shall enter into an agreement that guarantees that the processing of personal data is performed appropriately and in compliance with the current data protection law.

Kopiosto has entered into agreements with certain service providers that contain clauses concerning the processing of personal data on behalf of Kopiosto. Such agreements are typically related to software development, maintenance, server and ICT support services, for instance.

10. Transfers of personal data outside the EU or EEA
The personal data shall not be transferred outside the EU or the European Economic Area.

11. Automated decision-making and profiling
Kopiosto shall not use the personal data for the purposes of automated decision-making or profiling.

12. Registry protection principles
The data stored in the registry shall always be processed confidentially and in compliance with the current data protection law.

Data stored in the registry in electronic form shall be stored in the controller’s systems that are secured from unauthorised access by means of firewalls, access control systems and other technical measures. Access to the personal data in the registry is restricted to only those employees and administrators who require access due to their tasks. Using the systems requires at least entering a personal user ID and password. The employees of the controller shall be bound by a commitment to observe confidentiality concerning the personal data. The systems are located in locked premises within the European Economic Area that are inaccessible for unauthorised persons.

The manual materials to be processed shall be stored in a locked and guarded area.

13. Amendments to the privacy policy statement
Kopiosto reserves the right to amend this privacy policy statement. Amendments may be necessary due to the improvement and development of our services or changes in legislation, for example.