MySong.store - Customer Registry Privacy Statement
1. Data Controller
The data controller for the register is Tmi MardeX7 (Business ID 2278045-8)
The contact person for registry matters is: Markku Korkiakoski, owner
MySong Suomi (Tmi MardeX7)
Address: Lauttakatu 22, 33400 Tampere, Finland
Phone: +358 400 434244
Email: info@mysong.store
2. Name of the Register
The name of the register is the MySong Finland customer register.
3. Purpose of Processing Personal Data
Personal data is processed for purposes related to the management, administration, and development of the customer relationship, provision and delivery of services, and development and billing of services. Personal data is also processed for purposes necessary for resolving potential complaints and other claims.
Additionally, personal data is processed for customer communications such as information and news as well as marketing, including direct marketing and electronic direct marketing purposes.
The customer has the right to prohibit direct marketing targeted at them.
The data controller processes the data itself and utilizes subcontractors acting on behalf of and for the account of the data controller in the processing of personal data.
4. Legal Basis for Processing
The legal bases for processing personal data are the following grounds under the EU General Data Protection Regulation (hereinafter also "GDPR"):
- The data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Art. 6(1)(a));
- Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6(1)(b));
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party (GDPR Art. 6(1)(f)).
The aforementioned legitimate interest of the data controller is based on a relevant and appropriate relationship between the data subject and the data controller, which arises from the fact that the data subject is a customer of the data controller, and when processing is conducted for purposes that the data subject could reasonably expect at the time of collecting the personal data and in connection with a relevant relationship.
5. Content of the Register (Categories of Personal Data Processed)
The register contains the following personal data primarily about all registered individuals:
- Basic and contact information of the person: [first name, last name, address, phone number, email address];
- Information related to the person's company or other organization and the person's position or job title in the said company or organization;
- Direct marketing consents and prohibitions of the person.
6. Regular Sources of Information
Personal data is collected from the data subject themselves.
Personal data is also collected and updated from publicly available sources, within the limits of applicable legislation, related to the implementation of the customer relationship between the data controller and the data subject and enabling the data controller to fulfill its obligations related to maintaining customer relationships.
7. Retention Period of Personal Data
The data collected in the register is retained only as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.
The need for retention of personal data is assessed every five years; in any case, the data concerning the registered individual is removed from the register 15 years after the termination of the customer relationship between the data subject and the data controller, and once the obligations and actions related to the customer relationship have been completed. For example, accounting records are retained for five years after the end of the financial year.
The data controller regularly assesses the necessity of data retention according to its internal codes of conduct. Additionally, the data controller implements all reasonable measures to ensure that inaccurate, incorrect, or outdated personal data, in relation to the purposes of processing, is removed or rectified promptly.
8. Recipients of Personal Data (Recipient Categories) and Regular Disclosures of Data
Personal data is not disclosed to external parties.
9. Transfer of Data Outside the EU or EEA
Personal data contained in the register is not transferred outside the EU or EEA.
10. Principles of Register Protection
Materials containing personal data are stored in locked facilities accessible only to designated and authorized individuals due to their duties.
The database containing personal data is on a server stored in a locked facility, accessible only to designated and authorized individuals due to their duties. The server is protected by an appropriate firewall and technical safeguards.
Access to databases and systems is granted only with individually assigned user IDs and passwords. The data controller has restricted access rights and authorizations to data systems and other storage platforms so that only necessary individuals can view and process data for lawful processing purposes. Additionally, usage events of databases and systems are logged in the IT system's log records.
Employees and other individuals of the data controller are committed to confidentiality and to keep confidential the information they receive during the processing of personal data.
11. Rights of the Data Subject
The data subject has the following rights under the EU General Data Protection Regulation:
- The right to obtain confirmation from the data controller as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to their source (GDPR Art. 15). These described fundamental information (i)-(vii) is provided to the data subject in this form;
- The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7);
- The right to obtain from the data controller without undue delay the rectification of inaccurate and incorrect personal data concerning them and the right to have incomplete personal data completed, including by means of providing a supplementary statement, considering the purposes of the processing (GDPR Art. 16);
- The right to obtain from the data controller the erasure of personal data concerning them without undue delay, provided that (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; (iii) the data subject objects to the processing based on personal particular circumstances, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data has been unlawfully processed; or (v) the personal data must be erased for compliance with a legal obligation under Union or Member State law to which the data controller is subject (GDPR Art. 17);
- The right to obtain from the data controller restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; (iii) the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or (iv) the data subject has objected to processing based on personal particular circumstances, pending the verification of whether the legitimate grounds of the data controller override those of the data subject (GDPR Art. 18);
- The right to receive the personal data concerning them, which they have provided to a data controller, in a structured, commonly used, and machine-readable format and the right to transmit those data to another data controller without hindrance from the data controller to which the personal data has been provided, where the processing is based on consent as referred to in the Regulation and the processing is carried out by automated means (GDPR Art. 20);
- The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the GDPR (GDPR Art. 77).
Requests for the exercise of data subject rights are addressed to the contact person of the data controller mentioned in section 1.
12. Web Analytics
The following services collect anonymized data about visits to the site without personal information.
- Google Analytics - https://analytics.google.com/analytics/web
13. Targeted Marketing
Based on visits to the site, we may conduct targeted advertising on the following services:
- Facebook Remarketing: https://www.facebook.com/business/a/facebook-pixel
- Google Remarketing: https://support.google.com/adwords/answer/2453998?hl=en