Suomen Yrityskaupat Oy

Privacy policy

1. DATA CONTROLLER

The data controller is Suomen Yrityskaupat Oy (business ID 1056245-3).

The contact person of the privacy policy is:

Juha-Petteri Rantanen, CEO

Suomen Yrityskaupat Oy
Address: Kauppiaskatu 9 B a
Phone: 010 2864 002
Email: info@yrityskaupat.net

2. NAME OF THE REGISTER

The register’s name is the Suomen Yrityskaupat online service register.

3. PURPOSE OF PROCESSING PERSONAL DATA

The data controller processes personal data for purposes related to maintenance, management and developing the data controller’s online service, which includes processing data for statistic purposes and management of customer, partner and stakeholder relationships related to the online service.

For the aforementioned purposes the data controller processes personal data to produce a service for their customers, partners and stakeholders and in communication related to this.

In addition, the data controller processes personal data for other communication purposes with customers, such as information and reporting purposes, a part of which is to process personal data for purposes related to direct marketing and electronic direct marketing.

A registered person has the right to prohibit direct marketing aimed at them.

4. LEGAL BASIS FOR PROCESSING PERSONAL DATA

The following list, which complies with the Personal Data Act, defines the legal basis for the processing of personal data:

    the unambiguous consent of the data subject,
    the data subject has given an assignment for the same, or this is necessary in  order to perform a contract to which the data subject is a party or in order to take steps at the  request of the data subject before entering into a contract,
    there is a relevant connection between the data subject and the operations of the  controller, based on the data subject being a client or member of, or in the service of, the  controller or on a comparable relationship between the two (connection requirement),
    the unambiguous consent of the data subject to process their national identification number.

The following list, which complies with the General Data Protection Regulation of the EU, defines the legal basis for the processing of personal data:

    the data subject has given consent to the processing of his or her personal data for one or more specific purposes,
    processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract,
    processing is necessary for compliance with a legal obligation to which the controller is subject,
    processing relates to personal data, including data belonging to a specific personal data group, which are manifestly made public by the data subject,

The aforementioned legitimate interest of the data controller is based on the relevant and appropriate relationship between the data subject and the data controller, which is a consequence of the data subject or their organization being a client or partner of the data controller, and the processing is done for purposes the data subject could reasonably expect to involve the collection of personal data and in the context of an appropriate relationship.

5. DATA CONTENT OF THE REGISTER (PROCESSED CATEGORIES OF PERSONAL DATA)

The register contains personal data of the following persons (data subjects):

    Seller (private person) or representative, contact person or employee of a seller organization using the service,
    Buyer (private person) or representative, contact person or employee of a buyer organization using the service,
    Representative, contact person or employee of a brokering organization using the service,
    Representative, contact person or employee of a bank/financier organization using the service.

The register contains the following personal data of all data subjects:

    the basic information and contact information of the data subject: first name, last name, address, phone number, email address,
    information related to the data subject’s work and position: the business’ name and the data subject’s function,
    the log files of the information system created as a result of using the service,
    possible direct marketing consent or prohibition given by the data subject.

The register contains the data subject’s username and password for those data subjects granted access to Suomen Yrityskaupat’s data room.

In addition, the register contains photographs of representatives, contact persons and employees of the brokering organization using the service.

In addition, the register contains the national identification number of those data subjects, who are part of a brokering assignment and have signed a non-disclosure agreement in the service.

The register also contains information about which target businesses data subjects from buyer organizations have requested additional information about in the service.

The register also contains notes on the brokering process made by data subjects from the brokering organization.

Giving the personal data described above to the data controller is prerequisite for providing the data controller’s service, and if the data controller does not receive the personal data in question, the data controller cannot provide the service for the data subject and fulfill their obligations related to it.

6. STANDARD SOURCES OF INFORMATION

The data subject discloses their own basic information, contact information and national identification number. The data controller gives data subjects granted access to Suomen Yrityskaupat’s data room, their username for the data room. The data subjects selects a password that is connected to the username in question, and which is saved to the data room. Logfiles of the data subjects use of the service are saved to the information system. Information about which target businesses data subjects from buyer organizations have requested additional information about in the service are saved to the service when the data subject uses the service. Direct marketing consent and prohibition of the data subject is saved to the service when the data subject uses the service and states their consent or prohibition.

7. RETENTION PERIOD OF PERSONAL DATA

The data collected in the register is only stored as long and to the extent it is necessary in relation to the original or compatible purposes, for which the personal data has been collected.

The personal data collected in the register is stored in accordance with the following retention periods:

    The data subject’s basic information, contact information and information related to their organization and position, the data subject’s search history regarding the service’s businesses for sale, the data subject’s consent or prohibition regarding direct marketing and the notes on the brokering process made by a data subject from the brokering organization are stored for the period required in accounting legislation (a maximum of 10 years) and in addition for a period necessary for the data controller’s statistic purposes and for the purpose of developing the data controller’s operation and for storing information in order to contact clients. Data is stored for the period mentioned above, except if storing the data for a longer period is justifiably in the best interest of the data subject.
    The national identification number of the data subject is stored for the period necessary to complete the business transfer.
    The data subject’s username, password and logfiles related to the use of the service and other technical information collected and processed to produce the service are removed from the service immediately after storing them becomes unnecessary for producing the service.

The necessity of storing personal data is evaluated every five years and all data concerning the data subject is nevertheless removed from the register 10 years after the data subject’s customer relationship or partnership with the data controller ends and the obligations of the customer relationship or partnership have been completed.

8. THE RECIPIENTS OF PERSONAL DATA (CATEGORIES OF RECIPIENTS) AND STANDARD DISCLOSURE OF INFORMATION

The data subject’s name, national identification number, phone and telefax number and email address are disclosed, with the data subject’s unambiguous consent for the purpose of producing the data controller’s service, to the following recipients:

    The disclosure of a seller’s (private person) or seller organization’s data subject’s personal data to potential buyers after the signing of a non-disclosure agreement,
    The disclosure of a buyer’s (private person) or buyer organization’s data subject’s personal data to seller organizations after the signing of a non-disclosure agreement,
    The disclosure of a seller’s (private person), buyer’s (private person) or a seller or buyer organization’s data subjects’ personal data (including national identification number) to a business broker after the signing of a non-disclosure agreement,
    The disclosure of a seller’s (private person), buyer’s (private person) or a seller or buyer organization’s data subjects’ personal data (including national identification number) to a bank/financier registered in the service.

After the aforementioned data has been disclosed to a recipient, i.e. another data controller, the other data controller processes the personal data and might e.g. disclose the data to third parties.

The data controller uses contractors, i.e. personal data processors, to process personal data on behalf of the data controller.

9. THE TRANSFER OF DATA OUTSIDE THE EU OR THE ETA

Data in the register is not transferred outside the EU or the ETA.

10. PRINCIPLES OF REGISTER PROTECTION

Material containing personal data is stored in locked spaces, which can only be accessed by designated and due their position authorized persons.

The database containing personal data is on a server stored in a locked space, which can only be accessed by designated and due their position authorized persons. The server is protected by an adequate firewall and technical protection. The firewall prevents access to unnecessary resources in terms of the service. The access to services used for maintenance is restricted to a specific web address.

The databases and systems can only be accessed with separately issued personal usernames and passwords. The data controller has limited the access rights to the information systems and other platforms where information is stored, so that the data can only be viewed and processed by necessary persons in terms of legal processing. In addition, the use of databases and systems is registered to the data controller’s IT system’s log information.

The data controller’s employees and other persons are bound to secrecy and to keeping information they’ve received during the processing of personal data secret.

11. RIGHTS OF THE DATA SUBJECT

The data subject can contact the data controller and request to access their own personal data, request the correction or removal of this data and the limitation of the processing. In addition, the data subject object to the processing and request the data be moved from one system to another. The data controller processes the data subject’s request and responds to it within the time frame required in the data protection legislation.

In addition, the data subject has the right to retract their consent if the processing of personal data is based on consent. However, the retraction does not affect the legality of the processing preceding the retraction.

The data subject also has the right to make a complaint to a supervisory authority.

The requests of the data subject are directed to the data controller’s contact person stated in point 2.




Suomen Vahvimmat - Platina Avainlippu TranSeo SYVL Ketju.fi Perustayritys.fi Firmakauppa.fi
Suomen Vahvimmat - Platina