Privacy Policy

Delfoi Oy’s policy on the processing of personal data

This privacy policy has been updated 6.3.2024

1. CONTROLLER
   Delfoi Oy, Business ID 0832412-2 (“Delfoi”)
   Address: Linnoitustie 11, 02600 Espoo
2. DATA PROTECTION OFFICER
   Antti-Pekka Viljakainen, CFO (<firstname>.<lastname>@ delfoi.com)
3. PURPOSE OF POLICY
   3.1 This policy applies to the processing of personal data of persons who are representatives or employees of Delfoi’s customers and customer prospects, when their personal data is processed by Delfoi for the purposes set out in this policy. Each such person is defined in this policy as a “person”.
   3.2 Provision of the personal data to Delfoi is voluntary. If Delfoi does not have the personal data it requests, it may not be however able cooperate with the customer or the customer prospect as intended.
   3.3 In order for Delfoi to comply with legislation, Delfoi and its customer might have entered into a data processing agreement or a data processing annex/appendix regarding Delfoi’s processing of customer’s personal data as the Customer’s processor (“DPA”). In case Delfoi is a processor, the person shall contact his/her employer or other organization regarding matters related to his/her personal data.
4. PURPOSES OF PROCESSING AND LEGAL BASIS FOR PROCESSING
   4.1 The purposes of the processing and the legal basis for the processing of personal data are the following:
   (a) To take steps prior to entering into a contract. Use of Delfoi’s contractual rights. “The legitimate interests pursued by Delfoi” is the legal basis for the processing of personal data for these purposes.
   (b) Marketing and sale of Delfoi’s products and services and delivery of newsletters and bulletins, production of targeted advertising, communications and content and optimization of marketing activities. When consent is required for these activities according to legislation, “consent” is the legal basis for processing of personal data for these purposes. When legislation does not require a consent for these activities, “the legitimate interests pursued by Delfoi” is the legal basis for the processing of personal data for these purposes. The person has the right to object at any time to the processing of personal data concerning him or her for direct marketing purposes.
   (c) Development of Delfoi’s products, services and business. “The legitimate interests pursued by Delfoi” is the legal basis for the processing of personal data for this purpose.
   (d) Taking care of data security. “Legal obligations” is the legal basis for the processing of personal data for this purpose.
   (e) Preventing fraud. “The legitimate interests pursued by Delfoi” or “legal obligations” is the legal basis for the processing of personal data for this purpose.
   (f) For managing the customer relationship. “The legitimate interests pursued by Delfoi” is the legal basis for processing of personal data for this purpose.
   4.2 The legal basis for the processing of the personal data:
   (a) “Consent”. Consent to the processing is the legal basis for the processing of personal data to the extent mentioned above in Section 4.1. If a person withdraws a consent given to the processing of the personal data when the legal basis of the processing is “consent”, the withdrawal of the consent does not affect the lawfulness of the processing based on consent before its withdrawal.
   (b) “Legal obligations” is the legal basis for the processing of personal data to the extent mentioned above in Section 4.1.
   (c) “The legitimate interests” is the legal basis for the processing of personal data to the extent mentioned above in Section 4.1. Delfoi has considered that its legitimate interests are not overridden by the interests or fundamental rights and freedoms of the persons.
   Such legitimate interests exist as there is a relevant and appropriate relationship with the person and/or its organization, such as a customer, trial customer, orcooperation relationship with Delfoi. It is also typical that companies market their services and products to other businesses. The interests and fundamental rights and freedoms of the persons are respected, no special categories of personal data are processed, and the persons can expect Delfoi’s processing activities.
5. CATEGORIES OF PERSONAL DATA
   5.1 Personal data means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
   5.2 The following data is processed. Whether or not the data actually constitutes personal data depends on whether the data can be considered as personal data according to the definition above. For example, if the data identifies only an organization (such as a company), the data is not personal data.
   5.3 The register includes the following data:
   (a) name;
   (b) title;
   (c) position;
   (d) address;
   (e) employer or other organization;
   (f) language;
   (g) email address;
   (h) phone number;
   (i) interests and preferences (including marketing preferences);
   (j) feedback and survey responses; and
   (k) information on usage of Delfoi’s website (usage data, cookies data, online navigation data, browser data)
6. SOURCES OF PERSONAL DATA
   6.1 The primary source of the personal data is the person or the person’s organization.
   6.2 Other sources wherefrom the personal data can be collected are:
   (a) Marketing data sources and marketing partners.
   (b) Resellers of Delfoi’s products and services.
7. RECIPIENTS OR CATEGORIES OF RECIPIENTS OF PERSONAL DATA
   7.1 Personal data may be processed by Delfoi’s sub-processors who process the personal data on Delfoi’s behalf to provide services to Delfoi. The current processors are:
   (a) Microsoft, collaboration and communication services, such as Teams and Office 365.
   (b) Providers of web platforms, CRM systems and hosting services.
   (c) Accountants.
   7.2 Personal data may be transferred to the following third parties who process the personal data as controllers:
   (a) Resellers of Delfoi’s products and services, for the purpose of their direct marketing of Delfoi’s products and services .
   (b) Auditor.
8. TRANSFERS OF PERSONAL DATA TO THIRD COUNTRIES
   8.1 Delfoi does not itself transfer EEA residents’ personal data to countries outside the European Economic Area (EEA) or the European Union (EU) (“Third Country”), without having the legal right to do so (such as the adequacy decision of the European Commission).
   8.2 Delfoi’s sub-processors defined in Section 7 could transfer the personal data to Third Countries. The legal basis for the transfer of the personal data to Third Countries is the Binding Corporate Rules, the European Commission’s Standard Contractual Clauses for the transfer of personal data to processors established in third countries (“Standard Contractual Clauses”), the EU-U.S. Data Privacy Framework, alternative data export mechanisms for the lawful transfer of personal data (as recognized under EU data protection laws) or another legal basis. The Standard Contractual Clauses are available here.
   8.3 For example, please see Microsoft’s data protection addendum here 
   8.4 Other controllers defined in Section 7 could transfer the personal data to Third Countries according to their own privacy policies and practices.
9. PERIOD FOR WHICH PERSONAL DATA WILL BE STORED
   9.1 The personal data will be processed by Delfoi as long as necessary to fulfil the purposes defined in Section 4 above, in accordance with the legislation in force from time to time. For instance, the personal data of the representatives of past contracting parties will be processed until the cooperation has ceased and thereafter until the debt relationship and liabilities directly relating to the personal data have expired and claims can no longer be made against Delfoi. Pursuant to Finnish legislation, the main rule for expiry of debt is three (3) years.
   9.2 The personal data is processed for longer than the above-mentioned time periods, if the personal data in question is necessary for the establishment, exercise or defence of legal claims.
10. METHODS HOW REGISTER IS SECURED
    10.1 The personal data processed by Delfoi is secured by using the following methods and principles:
    (a) locks at Delfoi’s premises;
    (b) firewall, anti-malware and spam filtering systems of Delfoi’s communication networks and other software and hardware that protect the security of communication networks;
    (c) mandatorily required high quality passwords;
    (d) personal user rights that can be traced in the systems;
    (e) limited number of superusers;
    (f) professional knowledge of Delfoi’s personnel;
    (g) training of Delfoi’s personnel; and
    (h) Delfoi’s policies and guidelines relating to personal data matters.
11. RIGHT OF ACCESS
    11.1 The person has the right to obtain from Delfoi confirmation as to whether or not personal data concerning him or her is being processed by Delfoi.
    11.2 Where such personal data is being processed by Delfoi, Delfoi shall provide the person with a copy of the personal data and the legally required information.
    11.3 For any further copies requested by the person, Delfoi may charge a reasonable fee taking into account the administrative costs.
12. RIGHT TO DATA PORTABILITY
    At the person’s request, if Delfoi processes the personal data based on the person’s consent or based on a contract with the person and if the processing is carried out by automated means:
    (a) Delfoi shall provide the person with the personal data which he or she has provided to Delfoi, in a structured, commonly used and machine-readable format;
    (b) At the person’s request and if technically feasible, Delfoi shall transmit the personal data in the same format directly to another controller.
13. RECTIFICATION AND RIGHT TO LODGE COMPLAINT WITH SUPERVISORY AUTHORITY
    13.1 Delfoi shall, at the person’s request, without undue delay correct, erase or supplement the personal data in case of erroneous, unnecessary, incomplete or obsolete personal data taking into account the purpose of the processing, including by way of supplementing a corrective statement.
    13.2 If Delfoi does not take such action at the person’s request, Delfoi shall inform the person without delay and at the latest within one (1) month of receipt of the request of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy. Please note that the person may bring the matter to be handled by the local supervisory authority.
    13.3 The person has the right to lodge complaints to the local supervisory authority. The contact details of the Finnish supervisory authority.
14. RIGHT TO OBJECT PROCESSING
    14.1 The person has the right to object, on grounds relating to the person’s particular situation, to the processing of the person’s personal data which is based on either of the following legal basis for processing: (i) when the processing has been found necessary for the purposes of the legitimate interests of Delfoi or (ii) when the processing has been found necessary in order to protect the person’s vital interests. The person however does not have the right to object if Delfoi demonstrates compelling legitimate grounds for the processing which override the person’s interests or fundamental rights and freedoms, or for the establishment, exercise or defence of legal claims.
15. RIGHT TO RESTRICTION OF PROCESSING
    15.1 ‘Restriction of processing’ means the marking of the stored personal data with the aim of limiting its use in the future.
    15.2 If the person requests, Delfoi must restrict the processing in the following situations:
    (a) the accuracy of the personal data is contested by the person, for a period enabling Delfoi to verify the accuracy of the personal data;
    (b) the processing is unlawful and the person opposes the erasure of the personal data and requests the restriction of its use instead;
    (c) Delfoi no longer needs the personal data for the purposes of the processing, but it is required by the person for the establishment, exercise or defence of legal claims; or
    (d) the person has objected to the processing, but verification whether the legitimate grounds of Delfoi override those of the person is still ongoing.
    15.3 In the situations listed above, Delfoi can only process the personal data:
    (a) with the person’s consent or for the establishment, exercise or defence of legal claims;
    (b) for the protection of the rights of another natural or legal person;
    (c) for reasons of important public interest of the European Union or of a European Union Member State; and
    (d) to store the personal data.
16. RIGHT TO BE FORGOTTEN
    16.1 The person has the right to have his/her personal data erased at his/her request if one of the following grounds applies:
    (a) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
    (b) the person withdraws the consent on which the processing is based and where there is no other legal ground for the processing;
    (c) the person objects to the processing in accordance with Section 14;
    (d) the personal data has been processed unlawfully; or
    (e) the personal data has to be erased for compliance with a legal obligation in the European Union law or in a European Union Member State law to which Delfoi is subject.
    16.2 However, Delfoi does not have to erase the personal data to the extent Delfoi still needs to process the personal data:
    (a) for exercising the right of freedom of expression and information;
    (b) for compliance with a legal obligation which requires processing by the European Union law or by a European Union Member State law to which Delfoi is subject, or for the performance of a task carried out in the public interest or in the exercise of official authority vested in Delfoi,
    (c) for reasons of public interest in the area of public health in accordance with legal requirements;
    (d) for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with legal requirements; or
    (e) for the establishment, exercise or defence of legal claims.
17. AUTOMATED DECISION-MAKING AND PROFILING
    17.1 The person has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
    17.2 Delfoi is not using such automated decision-making.

Cookies

What are cookies?

A cookie is a small piece of text sent to your browser by a website you visit. Cookies enhance the user experience, for example it helps the website to remember information about your visit, like your preferred language and other settings. Without cookies, using the web would be a much more frustrating experience.

Why is this website using cookies?

• Information of logged in user is kept in a cookie. Without this cookie, user would need to input credentials on every page view when browsing pages where authorization is required. Website will forget user login after website session is expired.
• When you confirm notification about cookies, that’s also saved to a cookie. Without this cookie, same notification would be visible in every page load.
• We are collecting information of browsing users, using Google Analytics -service.