Aurora protects the privacy of data subjects and observes EU’s General Data Protection Regulation (2016/679) as well as other applicable data protection legislation (“data protection legislation”) and good data processing practices in all processing of personal data. Ensuring data protection is part of all of the Company’s business operations.
“Personal data” refers to all information concerning a natural person (“data subject”), which can be used to directly or indirectly identify him/her, in accordance to what has been set out in the data protection regulation. Information, which cannot be used to directly or indirectly identify a data subject, is not personal data.
2. Data controller and person responsible for data protection
Data controller: Aurora Infrastructure Oy (Business ID: 2587886-4)
Address: Riihitontuntie 7C, 02200 ESPOO
Contact details: email@example.com, tel. +358 44 3134169
3. Purposes and legal reason for processing personal data
Personal data is processed for the following purposes:
- For ordering and producing the Company’s services.
- For customer relationship management, such as a customer satisfaction survey.
- For the maintenance, development and quality assurance of services.
- For planning business operations and product development.
- For marketing and targeting marketing to customers and potential customers.
- For ensuring the safety of services and to prevent and investigate misuse.
- For the management of regulatory obligations.
- For risk management and the prevention of misuse
Legal basis for processing personal data:
The legal basis for processing personal data of data subjects is primarily a contractual relationship between the Company and the data subject, which is based on the ordering of mandates. The processing of personal data is also based on regulatory obligations, such as accounting obligations, regulatory reporting obligations, the obligation to ensure data security and protection, obligations concerning risk management and due diligence, such as the prevention of misuse.
Processing for the management of customer relationships, management of services and business operations, as well as marketing, is based on Aurora’s legitimate interest.
In addition, electronic direct marketing to personal, private personal details (not e.g. a person’s corporate email address) is based on consent.
4. Processed personal data groups and data content and data sources
The following information is processed about the data subject:
- Identification and contact details, such as name/company representative’s name, address, phone number, email address, nationality, title or field of duties within the company, business ID, photo, name of person’s representative and date of birth/social security number
- Payment and financial data, such as account number, billing and payment details, collection details, credit history details and customer ID or other data that identifies a customer account
- Customer account-related transaction details, contractual and service details, contacts and communication details.
Details on the agreement concluded between the Company and the data subject, service and order details and customer feedback, as well as contacts and reclamations between the data subject and the Company
- Consents and refusals provided by the data subject
- Due diligence details such as the details defined in the Act on Preventing Money Laundering and Terrorist Financing (444/2017), e.g. social security number and statement on the origin of funds related to the business, a copy of a passport or driving license
- Details related to training, customer relationship management and marketing activities
- Participant details and wishes of training and other customer/marketing activities, customer satisfaction surveys and other feedback
- Personal data, which provision is essential for managing the obligations based on the agreement concluded between the Company and the data subject, as well as for producing the Company’s services, are notified in each case to the data subject.
In principle, personal data is collected from the data subject him-/herself, for example, in connection with making an offer, concluding a customer agreement or during the customer account period, in connection with marketing or via online forms.
Personal data can also be collected from the community on behalf of who the data subject operates for. In addition, data can also be collected and updated in situations permitted by legislation from registers maintained by third parties, such as from the Population Registration Office, the trade register, Suomen Asiakastieto, the Business Information System and credit institutions’ credit history registers or other equivalent public or private registers.
5. Storage of personal data
The retention period and retention criteria of data depends on the personal data group, according to the purpose of the specific personal data group.
Personal data shall be processed for the duration of the customer and agreement relationship and for the necessary time after the end of the customer and contractual relationship.
Due to regulatory and contract-based obligations and responsibilities, contract-related material is stored for 11 years from the last relevant transaction, unless otherwise stated by law.
Consents and refusals are stored for their term of validity.
Details concerning due diligence shall be stored for a period of time required by legislation.
Details concerning training and customer events, as well as marketing activities, shall be stored for up to 12 months from the relevant event, unless the data is later utilised for a similar event or activity that is organised.
In terms of communities, the retention of personal data of a data subject is bound to, how long such data subject operates as the community representative for Aurora. Personal data is removed within reasonable time after the end of the role.
When personal data is no longer needed for the purposes defined above, the information is removed within reasonable time, unless legislation obliges the Company to store the information for a longer period.
6. Recipients of personal data
The following parties, among others, shall participate in the processing of personal data:
- Suppliers of accounting and debt recovery services. Payroll
– Finago Oy, Accounting Firm Kesti, Talenom Oy
- Suppliers of IT services (systems and maintenance)
– Microsoft 365, Turun Tietokeskus Oy, Elisa SantaMonica Oy, Netcontrol Oy, M-Technology, Ekonocap.
- Suppliers of communications services
– Microsoft / Cryptshare (email), Posti (letters)
- Access control and management of competency
– Neste / Enersense
- Access control and management of competency
– Outokumpu Tornio
Personal data shall not be disclosed for direct marketing purposes or opinion surveys and market research, or other similar purposes.
In addition, personal data can be disclosed to debt recovery companies and credit institutions, as well as other similar parties in connection with the customer account.
In special circumstances, personal data can be disclosed to authorities in situations obliged or entitled by legislation.
7. Transfer of personal data outside the European Union or the European Economic Area
Personal data shall, in principle, not be transferred outside the European Union or the European Economic Area.
If personal data is transferred outside the European Union or the European Economic Area (for example, if the customer account so requires), Aurora shall ensure the sufficient level of protection of the personal data, e.g. By agreeing on issues concerning the processing of personal data in accordance with the data protection legislation, such as by utilising the template contractual clauses approved by the European Commission.
8. Principles concerning the protection of personal data and the security of processing
The Company processes personal data in a way, which aims to ensure appropriate security of the personal data, including protection from unauthorised processing and accidental loss, destroy or damage.
The Company uses appropriate technical and organisational protection methods to safeguard this, including firewalls, encryption technologies, the use of secure device rooms, appropriate access control, guidance of staff and subcontractors that participate in the processing of personal data.
Agreements and other document material that must be stored as original copies shall be kept in locked facilities, and access control is limited to only authorised parties.
All parties that process personal data are subject to confidentiality in matters concerning the processing of data subjects’ personal data on the basis of confidentiality terms set out in the Employment Contracts Act and agreements.
9. Rights of data subjects
The data subjects have rights set out by data protection legislation.
Right to access data and review data. The data subject has the right to receive confirmation on whether the data subject’s personal data is processed.
The data subject has the right to review and see data concerning him-/herself, and upon request has the right to receive such data in writing or electronic format.
Right to correct and remove information.
The data subject has the right to demand incorrect or inaccurate data to be rectified. In addition, the data subjects have the right to request for their data to be removed.
The data controller shall remove, rectify and supplement any incorrect, unnecessary, incomplete or expired personal data that it observes at its own initiative in terms of the purposes of processing.
Right to transfer data as well as limit processing and deny processing.
The data subject has the right to request for his/her data to be transferred to another data controller.
In addition, the data subject has the right in accordance with requirements set out by the data protection legislation to request the limitation of personal data processing. In situations, where personal data that has been suspected to be incorrect cannot be rectified or removed, or there is uncertainty concerning the request to remove, the Company shall limit access to the data.
The data subject has the right to refuse the use of data for certain processing. The data subject has the right to deny the transfer and processing of his/her data for direct marketing purposes.
Right to withdraw consent
If the processing of personal data is based on a separate consent given by the data subject, the data subject has the right to withdraw his/her consent concerning the processing of personal data. Withdrawal shall not affect any processing that has been completed before the withdrawal.
Implementation of rights
Any requests concerning the data subjects’ rights shall be made in writing using the contact details mentioned above. Sufficient identification details must be included in the request. The request shall be responded to within reasonable time and according to opportunities within one month from presenting the request and verifying the identity. The Company may ask more additional information, where necessary, in order to fulfil the previously mentioned requests. If the data subject’s request cannot be accepted, denial shall be informed to the data subject in writing.
10. Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a data protection officer, if the data subject considers that his/her personal data has been processed in violation of currently prevailing legislation.