NORDIC QUANTUM ENERGY OY'S CUSTOMER REGISTER PRIVACY POLICY
1 Data controller
The controller of the register is NORDIC QUANTUM ENERGY OY (Business ID 3334493-4)
The contact person for register matters is: Karita Kuntsi, CEO.
​
​
NORDIC QUANTUM ENERGY OY
Tilkankatu 6 D, 00300 Helsinki
+358 50 5566861
info@nordicquantumenergy.com
2 Name of the register
The name of the register is NORDIC QUANTUM ENERGY OY's customer register.
3 Data content in the register
The following personal data is visible to all persons in the register:
-
basic contact details of the person: first name, last name, telephone number, email address;
-
the person's direct marketing prohibitions and permissions.
4 Purpose of processing personal data
Personal data is processed in connection with customer relationship management, customer
relationship management and development, service provision and invoicing. Personal data is also
processed in the case of product returns or complaints and for the purposes required to investigate
any other claims.
Personal data is also processed as part of information and news purposes and marketing aimed at
customers, as well as for purposes related to direct marketing and electronic direct marketing.
The customer has the right to prohibit direct marketing targeted at him/her.
The controller processes the data itself. In addition, the controller utilises subcontractors acting on
behalf of and on behalf of the controller in the processing of personal data.
5 Legal basis for processing personal data
Grounds in accordance with the EU General Data Protection Regulation (hereinafter also referred to
as the "GDPR"):
​
-
the data subject has given consent to the processing of his or her personal data for one or
more specific purposes (Art. 6 (1) a) GDPR); -
processing is necessary for the performance of a contract to which the data subject is party
or in order to take steps at the request of the data subject prior to entering into a contract
(Art. 6 (1) b) GDPR); -
processing is necessary for the purposes of the legitimate interests pursued by the controller
or a third party (Art. 6 (1) f) GDPR).
The data subject is the controller's customer and therefore the aforementioned right of the controller
is based on the relationship between the data subject and the controller.
6 Regulatory sources of information
The registered person has provided his/her personal data.
The updating of personal data by the Controller is possible within the limits of legislation when the
update is related to the implementation of the customer relationship between the controller and the
data subject and the related obligations.
7 Recipients of personal data (recipient groups) and regular disclosure of data
Personal data will not be disclosed to third parties.
8 Transfer of data outside the EU or EEA
Personal data contained in the register will not be transferred outside the EU or EEA.
9 Retention period of personal data in the Register
Personal data is stored only for as long and to the extent required by accounting legislation. Data
concerning the Data Subject will be removed from the register when the Data Subject has no longer
had subscriptions or purchases valid for at least six years, calculated from the end of the Controller's
financial year.
The controller shall ensure that all possible reasonable measures, such as inaccurate, incorrect or
outdated personal data, are erased or rectified without delay.
10 Principles of register protection
Electronic materials containing personal data are stored on a server that can only be accessed by
designated persons authorised to do so due to their duties. The server is protected by an appropriate
firewall and technical protection.
With the permission of lawful processing, only necessary persons, such as technical support persons
of the appointment booking system, have access to the log data of the controller's IT system.
The controller's employees and volunteers have undertaken to observe professional secrecy and to
keep confidential the information received in connection with the processing of personal data.
11 Rights of the data subject
The data subject has the following rights under the EU General Data Protection Regulation:
​
-
the right to obtain from the controller confirmation that personal data concerning him or her
are or are not being processed and, if such personal data are being processed, the right to
access the personal data and the following information: (i) the purposes of the processing;
(ii) the categories of personal data concerned; (iii) the recipients or categories of recipients
to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged
period for which the personal data will be stored or, if that is not possible, the criteria used
to determine this period; (v) the right of the data subject to request from the controller
rectification, erasure or restriction of processing of personal data concerning him or her, or
to object to such processing; (vi) the right to lodge a complaint with a supervisory authority;
(vii) where the personal data are not collected from the data subject, any available
information on the origin of the data (Art. 15 GDPR). This described basic information (i) to
(vii) is provided to the data subject using this form; -
the right to withdraw consent at any time, without affecting the lawfulness of processing
based on consent before its withdrawal (Art. 7 GDPR); -
the right to obtain from the controller without undue delay the rectification of inaccurate
personal data concerning the data subject and the right to have incomplete personal data
completed, including by providing a supplementary statement, taking into account the
purposes for which the data were processed (Art. 16 GDPR); -
the right to obtain from the controller the erasure of personal data concerning the data
subject without undue delay, provided that: (i) the personal data are no longer necessary in
relation to the purposes for which they were collected or otherwise processed; (ii) the data
subject withdraws the consent on which the processing is based and there is no other legal
basis for the processing; (iii) the data subject objects to the processing on grounds relating to
his or her particular situation and there are no overriding legitimate grounds for the
processing, or the data subject objects to the processing for direct marketing purposes; (iv)
the personal data have been unlawfully processed; or (v) the personal data must be erased in
order to comply with a legal obligation under Union or national law to which the controller
is subject (Art. 17 GDPR); -
the right to obtain from the controller restriction of processing where (i) the accuracy of the
personal data is contested by the data subject, for a period enabling the controller to verify
the accuracy of the personal data; (ii) the processing is unlawful and the data subject
opposes the erasure of the personal data and requests the restriction of their use instead; (iii)
the controller no longer needs the personal data for the purposes of the processing, but the
data subject needs them for the establishment, exercise or defence of legal claims; or (iv) the
data subject has objected to the processing on grounds relating to his or her particular
situation, pending verification whether the legitimate grounds of the controller override
those of the data subject (Art. 18 GDPR); -
the right to receive the personal data concerning him or her, which the data subject has
provided to the controller, in a structured, commonly used and machine-readable format and
the right to transmit those data to another controller without hindrance from the controller to
whom the personal data have been provided, if the processing is based on consent within the
meaning of the Regulation and the processing is carried out by automated means (Art. 20 GDPR); -
the right to lodge a complaint with a supervisory authority if the data subject considers that
the processing of personal data concerning him or her infringes the EU General Data
Protection Regulation (GDPR Art. 77).
The data subject may address requests concerning the exercise of his or her rights to the controller's
contact person mentioned in section 1.