1. Data Controller
The controller of the register is Meril Viitanen.
The contact person responsible for matters concerning the register is: Meril Viitanen.
Location: Turku
Email: info@merilterapia.com
2. Name of the Register
The name of the register is Meril Viitanen’s customer register.
3. Purpose of Processing Personal Data
Personal data are processed for purposes related to the management, administration, and development of the customer relationship, for the provision and delivery of services, as well as for the development of services and for invoicing. Personal data are also processed for purposes required in handling possible complaints and other claims.
In addition, personal data are processed in communications directed to customers, such as for information and news purposes, and in marketing, including direct marketing and electronic direct marketing.
The customer has the right to prohibit direct marketing targeted at them.
The controller processes the data itself and also makes use of subcontractors acting on behalf of and for the account of the controller in the processing of personal data.
4. Legal Basis for Processing
The legal bases for the processing of personal data are the following, in accordance with the EU General Data Protection Regulation (hereinafter also “GDPR”):
– the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Art. 6(1)(a));
– the processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6(1)(b));
– the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6(1)(f)).
The aforementioned legitimate interest of the controller is based on the relevant and appropriate relationship between the data subject and the controller, which results from the data subject being a customer of the controller, and where the processing takes place for purposes that the data subject could reasonably expect at the time of the collection of the personal data and in the context of the relevant relationship.
5. Data Content of the Register (Categories of Personal Data Processed)
The register contains the following personal data in principle for all data subjects:
– basic personal data and contact information: [first name, last name, address, phone number, email address];
– information related to the person’s company or other organization, and the person’s position or title within said company or organization;
– the person’s direct marketing permissions and prohibitions.
6. Regular Sources of Data
Personal data are collected from the data subject themselves.
Personal data are also collected and updated, within the limits of applicable legislation, from publicly available sources related to the fulfillment of the customer relationship between the controller and the data subject, and by means of which the controller fulfills its obligations relating to the maintenance of customer relationships.
7. Storage Period of Personal Data
The data collected in the register are stored only as long and to the extent as is necessary in relation to the original or compatible purposes for which the personal data were collected.
The data concerning the data subject are deleted from the register once the data subject’s customer relationship with the controller has ended, and the obligations and measures related to the customer relationship have been completed.
The controller regularly assesses the necessity of data retention in accordance with its internal codes of practice. In addition, the controller undertakes all possible reasonable measures to ensure that inaccurate, incorrect, or outdated personal data, with respect to the purposes of processing, are erased or rectified without delay.
8. Recipients of Personal Data (Categories of Recipients) and Regular Disclosures
Personal data are not disclosed to external parties.
9. Transfer of Data Outside the EU or EEA
The personal data included in the register are not transferred outside the EU or EEA. However, some external service or software providers may store data outside the EU or the European Economic Area.
10. Principles of Register Protection
Access to databases and systems is restricted by means of personal user IDs and passwords, granted individually. The controller has limited access rights and authorizations to data systems and other storage platforms so that the data can only be viewed and processed by those persons who need them for lawful processing.
The employees of the controller and other persons are bound by confidentiality obligations and by a duty to keep secret all personal data obtained in the course of processing.