EasyHomes Helsinki Oy PRIVACY NOTICE
Combined privacy and information notice in compliance with the Finnish Personal Data Act and the General Data Protection Regulation (2016/679/EU) of the European Union.
1.0 Controller, company ID and contact information
EasyHomes Helsinki Oy
Iso Roobertinkatu 1
Contact person in database and data protection related matters
0400 444 220
2.0 NAME OF THE DATABASE
EasyHomes Helsinki Customer Database
3.0 LEGAL BASIS FOR PROCESSING PERSONAL DATA / WHY DO WE COLLECT PERSONAL DATA?
3.1 General principles of processing personal data
The processing of all personal data saved in the Customer Database complies with the Finnish Personal Data Act and other applicable acts, decrees, provisions and regulatory guidelines. Personal data means data that can be connected to a particular individual. This document describes the methods of collecting, processing and sharing personal data and the rights of the Customer i.e. data subject.
3.2 Purpose of collecting personal data
a) Contractual/customer relationship or comparable other relationship
The purposes of using the Customer Database are the following: contractual or customer relationship between the Controller and the Customer (tenant/guest); relationship concerning the implementation of the customer relationship (e.g. tenant/guest); accommodation-related contractual relationship with a party using the accommodation.
The Controller may collect information on the persons using its accommodation services to prevent, monitor for and detect criminal or harmful acts, to find out what potential customers are interested in, to establish customer relationships, or to offer and market services.
In this Privacy Notice, the person defined in Section a) is referred to as “Customer”.
b) The Act on Accommodation and Food Service Activities (3008/2006) and the Real Estate and Rental Agency Act (1074/2000), customer relationship management based on the Acts and the analysis of the Customer’s own searches require the saving, use and retention of data referred to in Section “Data Content of the Customer Database” below. EasyHomes Helsinki Oy has a customer database in which the personal, reservation, rental and transaction data related to each customer relationship and relevant documentation are saved.
c) Legal obligation to monitor for money laundering
In compliance with Chapter 3, Section 3 of the Act on the Prevention of Money Laundering and Terrorist Financing (444/2017), hereinafter “Anti-Money Laundering Act”, the Customer’s identification data and other personal data based on the Act are saved and retained, and the data may be used to prevent, monitor for and detect money laundering and terrorist financing and to ensure that money laundering and terrorist financing and the criminal act through which assets or proceeds from money laundering and terrorist financing have been obtained are submitted for investigation. The identification data or other personal data that has been obtained solely for the prevention of money laundering and terrorist financing is not used for purposes that do not fall under the anti-money laundering category.
d) Saving consent-based data
If the data collection rights based on the above acts or circumstances do not apply, or if no other legal basis exists, the Customer’s consent is requested separately for saving, processing and retaining his/her personal data.
3.3 Purpose of using personal data
The information in the Customer Database may be used for the following purposes:
- Maintenance and development of customer relationships; production, provision, development, improvement and protection of services
- Invoicing, debt collection and verification of customer transactions
- Targeted advertising
- Service analysis and statistics
- Customer communication, marketing and advertising
- Protection and securing of the rights and/or assets of the Controller and other persons and parties involved in assignments to provide services
- Management of the Controller’s legal obligations and other similar purposes.
3.4 Consequences of non-provision of data
If the Controller is not provided with the information referred to in sections 3.2 a), b) and c), it will not be possible for the Controller to start or continue a customer relationship, establish contracts or participate in legal transactions with the Customer. If the Controller is not provided with sufficient information for the identification of the Customer before an accommodation or a rental relationship is established, the person concerned may not necessarily be admitted into the premises.
4.0 DATA CONTENT OF THE CUSTOMER DATABASE / WHAT INFORMATION DO WE COLLECT?
The following data categories are processed or may be processed in our Customer Database and its appendices:
- Basic customer information, such as full name, address and language
- Personal identity code of a person acting on behalf of a company and possibly company ID for the purpose of reliable identification
- Information related to invoicing or debt collection
- Information related to customer and contractual relationships, such as services offered to the Customer and the date on which they are used, date on which a rental or a business contract is entered into and related information, reservation information including its value, information on the person that has sold the service, and other similar information
- Information on permissions and restrictions, such as direct marketing permissions and restrictions
- Objects of interest and other information provided by the Customer
- Information on complaints and their handling
- Tenant’s credit information and other financial information for the purpose of assessing the tenant’s ability to pay rent
The processing of data related to monitoring transactions in compliance with the Anti-Money Laundering Act includes or may include the following information on the Customer:
- Name, date of birth and personal identity code
- Name, date of birth and personal identity code of the Customer’s representative
- Legal person’s full name, registration number, registration date and registration authority
- Full names, dates of birth and nationalities of the members of a legal person’s Board of Directors or corresponding decision-making organ
- Name, number or other identifier of the document used for identity verification and the issuer of the document or a copy of the document, or in case of non-face-to-face identification, information on the method and sources used in verification
- Information on the Customer’s business activities, the quality and extent of the activities, the Customer’s financial position and information on the origin of the assets, the grounds for the use of the service concerned, and any other information that needs to be obtained for customer due diligence purposes as referred to in Section 4, Sub-section 1 of the Anti-Money Laundering Act
- Information related to the establishment of the origin of the assets as referred to in Section 4, Sub-section 3 of the Anti-Money Laundering Act and information required to meet the enhanced customer due diligence requirements concerning politically exposed persons as referred to in Section 13 of the Act
- Information on the Customer’s citizenship and on his/her travel document in case of a foreign customer who does not have a Finnish personal identity code
5.0 DATA RETENTION PERIOD
The Customer Database data is retained for ten (10) years from the expiration of a service assignment.
The data that is subject to the Anti-Money Laundering Act is retained for five (5) years unless continued retention of the data is necessary owing to pending legal proceedings or to secure the rights of the Controller or its staff members. In this case, the need for retaining data and documentation is reviewed within a minimum of three (3) years from the previous review (Section 4 of the Anti-Money Laundering Act, 444/2017).
Other personal data is erased when there is no need for retaining it. If the collection and retention of personal data is based solely on the Customer’s consent, the data is erased at his/her request.
6.0 REGULAR DATA SOURCES / FROM WHERE DO WE COLLECT PERSONAL DATA?
We collect personal data from customers in connection with accommodation contracts, rental contracts, rental offers and other accommodation-related transactions, from messages sent on web forms, through social media services, in connection with fulfilling the customer due diligence obligation and document preparation, or in other ways direct from customers. Personal data may also be collected and updated from the population register and other official registers, credit information services, etc.
Consent-based information is collected direct from the customers or, with their consent, from registers or sources maintained by various authorities or third parties.
7.0 DATA SHARING / FOR WHAT PURPOSES MAY WE SHARE YOUR PERSONAL DATA?
We may share your personal data with third parties within the limits allowed and obliged by applicable legislation when contracts are executed or when other professional connections are established between the parties.
In principle, we do not transfer personal data outside the European Union or the European Economic Area. However, personal data may be transferred or disclosed outside the European Union or the European Economic Area in ways allowed by law if the data is transferred to a country in which the level of data protection is considered sufficient by the European Commission, or if a sufficient level of data protection can be secured through contractual arrangements.
A transfer outside the European Union may also take place temporarily when various cloud services such as OneDrive, iCloud or Dropbox are used.
In cases required by law, personal data may also be shared with various authorities.
If the Controller outsources its data management, its sub-contractors may also process its personal data but on its account only. Such sub-contractors may include customer database service providers, marketing system providers and parties maintaining accommodation and rental advertising portals.
8.0 DATABASE PROTECTION PRINCIPLES / HOW DO WE PROTECT YOUR PERSONAL DATA?
The right to use the Customer Database requires a user ID assigned by the Administrator of the database. The Administrator also defines the user right level assigned to the users. The data is only accessible to those staff members of the Controller and its sub-contractors for whom access to the data is necessary to perform tasks related to their jobs. The data that is collected and saved in the Customer Database is protected by firewalls, passwords and other technical methods. The database is retained in locked, guarded facilities, and access to the data is restricted to certain previously defined persons.
The personal data processed by a sub-contractor on the Controller’s account is protected appropriately through agreements between the Controller and the sub-contractor concerned, ensuring that the personal data is processed in compliance with the requirements of the Personal Data Act.
9.0 CUSTOMER’S RIGHTS / WHAT CAN I DO TO ENSURE THAT MY PERSONAL DATA IS PROCESSED IN COMPLIANCE WITH LAW?
9.1 Access to, inspection and transfer of personal data
The Customer has the right to inspect what kind of information concerning him/her is retained in the Customer Database. A subject access request should be submitted to the Controller in writing, verified by signature or in a corresponding manner, or by email.
Notwithstanding the above, the Customer does not have the right to inspect data that has been obtained for the purpose of meeting the Controller’s reporting or customer due diligence obligation (Anti-Money Laundering Act, Chapter 4, Section 3). However, the Data Protection Ombudsman may verify the legality of processing this information at the Customer’s request.
The Controller will deliver the above information to the Customer within 30 days from receiving the subject access request.
The Customer has the right to have the personal data that he/she has provided to the Controller transferred to a third party in a structured and generally available machine-readable format. However, the Controller will retain the transferred data in accordance with this Privacy Notice.
9.2 Rectification of inaccurate data
The Customer has the right to rectify any inaccurate data saved on him/her in the Customer Database.
9.3 Objection or restriction to the processing of personal data and erasure of data
The Customer has the right to object to the processing of his/her personal data for the purpose of direct advertising, distance and other direct sales, market and opinion surveys or the development of the Controller’s business activities, to restrict the use of his/her personal data, and to have his/her personal data that has already been saved for the above purposes erased even if the processing of the data is otherwise justified.
9.4 Withdrawal of consent
If the data in the Customer Database is based on the Customer’s consent, the consent may be withdrawn at any time by notifying the representative of the Controller given in this Privacy Notice accordingly. Based on the Customer’s request, all the data that need not or cannot be retained based on law or for another reason stated in this Privacy Notice will be erased.
9.5 Procedure in the use of the rights
The data subject may submit an inspection, rectification or another request by contacting the Controller’s Customer Service or by sending the request to the Controller at the addresses given in this Privacy Notice.
If the Controller does not comply with the Customer’s request, the Customer has the right to take the matter to the Data Protection Ombudsman for resolution.
10.0 PROFILING AND AUTOMATED DECISION MAKING
The Controller does not carry out customer profiling or use automated decision making.