This is a statement on the processing of your personal data pursuant to the EU’s General Data Protection Regulation (679/2016).
Morbid North Ltd.
Business ID: 3133127-5
Address: Linnavuorentie 26 B 7, 00950 HELSINKI
Tel. +358 40 147 5466
Communication regarding privacy matters
We request that data subjects contact the person listed hereinabove for all questions related to the processing of personal data and situations related to the exercising of your rights.
Basis and purpose of processing personal data
The legal basis for the processing of personal data is:
• The consent to the processing of personal data provided by the data subject
• The contractual relationship between the data subject and controller
• Fulfillment of the controller’s statutory obligations
The purposes of processing personal data include customer service contacting, possible third party marketing under customers' owns approval, to provide sold services.
Regular data sources
The personal data to be processed is regularly received from the following sources:
The data subject themselves
The Trade Register
Personal data being processed
The controller only collects personal data concerning the data subjects that are essential and relevant for the purposes explained in this privacy statement.
The following data concerning the data subjects are processed:
• Phone number
• Previous customer service contacts
• Purchase history
Disclosure of personal data
Personal data will not be disclosed to third parties unless the law imposes an obligation to do so. Data may, therefore, be disclosed in exceptional cases, such as to the authorities when so required by law.
Transfers of personal data to third countries
As a rule, personal data will not be transferred outside of the EU and the European Economic Area. However, if this is done for a special reason, the transfer will be implemented in accordance with the European Commission’s decision on the adequacy of privacy protection.
Protection of personal data
The controller processes personal data in a manner that aims to ensure the appropriate security of the personal data, including their protection against unauthorized processing and accidental loss, destruction or damage.
The controller uses appropriate technical and organizational safeguards in order to achieve this goal; these include the use of firewalls, encryption techniques and safe equipment rooms, appropriate access control, careful management of data system user IDs, and providing instructions to the person participating in the processing of personal data.
All employees processing personal data have a non-disclosure obligation for matters related to the processing of personal data of the data subjects based on the Employment Contracts Act (55/2001) and non-disclosure agreements that supplement it.
The retention period for personal data
The controller will process the personal data for as long as the customer account stays active (max 1-year limitation) or until the customer requests data to be deleted. At the end of this period, the controller will delete or anonymize the data within two weeks or the request in accordance with the deletion processes it follows.
The controller may have an obligation to process some personal data belonging to the filing system for longer than stated above in order to comply with the legislation or authority requirements.
The processing of personal data contains profiling. Profiling refers to the automatic processing of personal data wherein the data is used to assess specific characteristics of the data subject. The data subjects are profiled in order to better target direct marketing and other communications to suit their interests.
Rights of the data subject
Right to request access to personal data
The data subject has the right to receive confirmation regarding whether personal data concerning them is being processed and, if it is, the right to receive a copy of their personal data.
Right to rectification
The data subject has the right to request that inaccurate and erroneous personal data concerning them be rectified. The data subject also has the right to supplement incomplete personal data by submitting the required additional information.
Right to erasure
The data subject has the right to request the erasure of personal data concerning them if:
• The personal data is no longer required for the purposes for which they were collected;
• The data subject withdraws their consent which the processing of personal data was based on, and no other legal basis exists for the processing; or
• The personal data has been unlawfully processed.
Right to restriction of processing
The data subject has the right to restrict the processing of personal data concerning them if:
• the data subject contests the accuracy of their personal data;
• the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; or
• the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defense of legal claims.
Right not to be subject to a decision based solely on automated processing
The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them.
The above shall not apply if the decision is necessary for the creation or execution of an agreement between the data subject and the controller, or if it is based on the explicit consent of the data subject.
Right to withdraw consent
The data subject has the right to withdraw the consent they have provided for the processing, without affecting the lawfulness of processing based on consent before its withdrawal.
Right to data portability
The data subject has the right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller.
Right to lodge a complaint with a supervisory authority
The office of the Data Protection Ombudsman, operating under the Ministry of Justice, is the national supervisory authority for personal data matters. You have the right to bring your case to the supervisory authority if you consider that the processing of personal data concerning you is in violation of applicable law.
Amending the privacy policies
The controller is continuously developing its activities and may, therefore, be required to amend and update its privacy policies when necessary. The amendments may also be based on changes in legislation concerning data protection.
If the amendments include new purposes for the processing of personal data or otherwise introduce substantial changes, the controller will provide advance notification of them and, if necessary, request consent.