Privacy statement of Edita Publishing Customer Filing System

 

Created:              25.5.2018
Replace:              12.6.2017 created privacy statement

Edita Publishing is committed to protecting your privacy and personal data. This privacy statement ("Privacy Statement") explains how Edita Publishing as part of Nordic Morning group and its authorised partners and affiliates ("Edita") process personal data in connection with the Customer filing system.

Content

1 Controller
2 Contact person of the controller
3 Name of filing system
4 Definitions
5 Purpose of processing
6 Data content of the filing system
7 Regular sources of data
8 Regular data disclosure
9 Data transfer to outside of EU or EEA
10 Data security principles
11 Implementing rights of the data subject
11.1 Right of access
11.2 Right to rectification
11.3 Other rights concerning personal data processing
12 Denying consent for marketing

 

1 Controller

Edita Publishing Oy, Y-tunnus 0654634-6
PL 700 / Verkkosaarenkatu 5
00043 NORDIC MORNING / 00580 HELSINKI
Puh. 020 450 00

 

2 Contact person of the controller

Arto Salminen
arto.salminen@nordicmorninggroup.com
Nordic Morning Group
Verkkosaarenkatu 5
00580 HELSINKI
Puh. 020 450 00

 

3 Name of filing system

Edita Publishing Customer filing system

 

4 Definitions

Privacy statement uses terminology:
Data subject = customer
Edita Publishing = Edita = Controller
Personal data = Data

 

5 Purpose of processing

  • Personal data collected through the eLearning system is processed for the purpose of
  • customer management
  • delivery, handling and archiving of product or service orders,
  • customer communication and improving customer experience,
  • user access management and offering services on our Webshop or other registration requiring digital services,
  • developing business and services of the processor
  • providing marketing information via targeted e-mails or interpersonal communication
  • statistical purposes
  • preventing misuse

Based on the customer consent data may be used for advertising and marketing, sales, opinion and marketing polls as well as direct marketing.

Personal data of children is processed with extreme care. Their data is not used for advertising, marketing or sales.

Personal data is held as long as needed for customer management, at minimum time defined in accounting and taxation legislation.

Data may be processed alone or combined with data from Controller’s or Nordic Morning Group’s other data filing systems. Data may be processed in the other companies of the Nordic Morning Group.

Data may be processed in direct marketing after customer relationship ending unless the Customer has banned it.

 

6 Data content of the filing system

Filing system contains data related its data processing purposes, like:

Customer basic data like

  • Name,
  • Title or position,
  • Address, telephone number, e-mail address and other necessary contact information
  • Employer name if customer is acting as a representative of the organisation
  • Other data may be added to organization customers, e.g. line of business,, number of employees, turnover, top level managers

Customer relationship and other context related data, like

  • Start and end dates of customer relationship
  • Information on purchases made as an authenticated customer (e.g. purchases from an online shop or online service) and the various phases and transactions involved in the purchase process
  • Use of services (e.g. free newsletters)
  • Offers and campaigns, both general and those targeted at the data subject, and their use
  • Areas of interest and other information provided by the data subject
  • Customer history: contacts and communications related to the customer relationship or other link with Edita, regardless of the channel or media (e.g. complaints and other feedback)
  • Other data collected with the data subject’s consent

Using Online shop or digital service as an authenticated user

  • User IDs and encrypted passwords
  • Content produced by the data subject, such as customer feedback, wishes related to the customer relationship, satisfaction data or other corresponding data

Payment and purchase data, like

  • The chosen payment method and identifying details of the payment instrument
  • Bank account information
  • invoicing and collection data
  • data provided for possible discounts, like memberships of certain associations or organizations

Customer given consents like

  • direct marketing consents and bans 
  • targeting data for marketing 

Data received from using Online shop and digital services, like

  • behavioral data based on data collected with cookies

 

7 Regular sources of data

Registered person i.e data subject (customer) or the party that placed the order or joint order on the data subject’s behalf gives her/himself the data as (s)he uses the Online shop or other services.

The data is collected on persons who have ordered and used the controller’s products or services.

The data can be complemented with information obtained from other data filing systems of the controller or other members of the Group, or data filing systems maintained by address, update or other service providers.

Data may be collected from credit rating registers for credit checking.

Information on membership in specific trade unions or occupational groups given by the data subject may be checked from external partners.

 

8 Regular data disclosure

If the customer has registered with an Online shop, so-called observed information collected with cookies and other comparable techniques can be combined with personal data obtained from the customer in another connection.

Unless prohibited by the data subject, the controller may, within the scope permitted and obligated by valid law, disclose data to parties such as the controller’s partners for controller’s product and service selling and marketing purposes.

Data may also be transferred and disclosed between companies belonging to the same Group as the controller for product and service marketing and sales purposes.

If data will be transferred or disclosed outside of the Group the controller will make contractual arrangements to ensure a sufficient level of data protection in the manner required by legislation.

 

9 Data transfer to outside of EU or EEA

Data from the filing system is not regularly transferred to countries outside the European Union (EU) or European Economic Area (EEA), unless deemed necessary for the technical implementation of a service or for other justified reasons.

If data will be transferred or disclosed to countries outside the European Union (EU) or European Economic Area (EEA), the controller will make contractual arrangements to ensure a sufficient level of data protection in the manner required by legislation.

 

10 Data security principles

All data related to the controller’s customers is handled in confidence and only disclosed to persons who require the data for the performance of their duties. Such recipients of the data are bound by a non-disclosure obligation. Only those employees of the controller or other members of its Group or partners with a Data Processing Agreement (DPA) who require the data for carrying out their duties have access to the data contained in the file. Outsiders do not have unsupervised access to the premises on which the data is stored.

The databases and other data stores in which the filing system’s data is stored are protected with firewalls, passwords and other technical measures. Only employees of the controller or other members of its Group with the appropriate user IDs and passwords have access to the system.

 

11 Implementing rights of the data subject

In cases of implementing rights of the data subject the Data Protection Officer (DPO) of the controller is the contact person.

11.1 Right of access

Data subjects have the right to check their data stored in the filing system. The access request shall be made to the controller with a personally signed letter or other document verified in an equivalent manner. The controller needs to verify the identity of the data subject so that information is not delivered to a wrong person. The person shall present a valid official identity card or driver’s license. The controller will deliver the information to the data subject within 30 days of receipt of the inspection request.

11.2 Right to rectification

Data subjects have the right to rectify any errors or missing data in their data stored in the filing system. The rectification request shall be made to the controller in writing and prove her or his identity.

11.3 Other rights concerning personal data processing

The data subject has a right to ask his or her data in a structured, commonly used and machine-readable format.  The request shall be made to the controller with a personally signed letter or other document verified in an equivalent manner. The controller needs to verify the identity of the data subject so that information is not delivered to a wrong person. The person shall present a valid official identity card or driver’s license. The controller will deliver the information to the data subject within 30 days of receipt of the inspection request.

During an active customer relationship with the controller the data subject may not ask to be forgotten. The active customer relationship continues from the last activity to the end of time defined in accounting and taxation legislation.

 

12 Denying consent for marketing

Data subjects have the right to prohibit the controller from processing their data for the purpose of direct advertising, distance selling or other direct marketing, polls and market surveys, and the development of the operations of the controller or other members of its Group. The prohibition can be made by contacting the controller's customer service.

Data subjects can delete or block the cookies used in the controller’s services from their browser settings. It is good to know that the service in question might not work without cookies.