Privacy policy of the customer and supplier register of DIETA GROUP OY and its subsidiaries, including ASSI AS

Introduction

The careful and prudent processing of your personal data is of paramount importance to Dieta Group Oy and its subsidiaries (hereinafter referred to as “Dieta”). We process personal data so that we can operate effectively as an organization and fulfill our obligations as a supplier. Personal data is processed for administrative, legal, support, health and security purposes. We process personal data in accordance with the fundamental principles set out in the Personal Data Protection Act and the General Data Protection Regulation, as well as good data management and processing practices, and ensure that your privacy is not compromised.

This privacy policy is not part of the customer agreement. We will update it as necessary.

In practice, this means:

The processing of customers’ personal data is regulated by the Privacy Protection Act. According to the law, the supplier may, among other things, process only personal data necessary for the implementation and/or performance of a contract or customer relationship, which is related to the company’s business activities and/or the provision and/or sale of services/products.

We always follow the fundamental principles defined in the Data Protection Regulation when processing personal data:

-personal data must be processed lawfully, appropriately and transparently from the perspective of the data subject (“lawfulness, reasonableness and transparency”)

-personal data must be collected for specified, explicit and legitimate purposes and not subsequently used in a manner incompatible with those purposes (“purpose-relatedness”)

-personal data must be relevant, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”)

-personal data must be accurate and, where necessary, kept up to date; all reasonable steps must be taken to ensure that personal data that are inaccurate or misleading, having regard to the purposes of the processing, are erased or rectified without delay (“accuracy”)

-personal data must be stored in a form which permits identification of the data subject only for as long as is necessary for the purposes of the processing (‘storage limitation’)

-personal data must be processed in a manner that ensures appropriate security of personal data, including protection against unauthorized and unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (“integrity and confidentiality”)

For what purpose do we collect your personal data?

We process your personal data based on law, contract, legitimate interest and your consent to enable us to fulfil various obligations and tasks imposed by law as a supplier. In addition to arranging contracts and correspondence, we need your personal data for several other reasons, such as developing cooperation, providing services, quality management and informing about events, etc.

We collect personal data from past and current customers, as well as from individuals who consent to the processing of their data in connection with events and the use of online services.

In practice, this means:

The purposes of processing customer personal data include, but are not limited to, the following:

(the list includes processing based on law and/or contract and/or legitimate interest and/or consent):

• Tasks related to services, orders and statistics
• Management of services provided by the Dieta Group
• Managing participation in development programs
• Training management
• Feedback and complaint investigation
• Management of customer complaints and compensation claims
• Management of obligations arising from customer contracts
• Managing information technology and data transmission systems, such as company email, web conferencing or internet survey systems, and company directories
• Ensuring the physical and IT security of clients
• Logins, scans, camera surveillance and access control in commercial premises
• Managing audits and other operations and processes
• Data generation for stakeholders (including Statistics Estonia)

What data do we collect?

Our register contains data about individuals who have customer and marketing relationships with Dieta, including customers, partners, subcontractors, Dieta personnel, key company contacts, event participants, and website visitors.

Personal data is any characteristic describing a person or his/her characteristics or living conditions that can be linked to him/her or his/her family. In order for data to be considered personal data within the meaning of the law, they must be recorded manually, mechanically or electronically. Thus, among others, notes taken by hand during work meetings with the employer, data stored in the memory of a computer, data stored in the register of an access control device and data generated when using a telephone are considered personal data. On the other hand, purely verbal data is not considered personal data if it is not based on data stored in a register or issued from a register.

We collect the following personal data about you, among other things:

• Data related to the identification and verification of a person, such as name and position/function
• Contact information such as address, email address and phone number
• Data related to maintaining customer relationships
• Personal credit information (for certain positions)
• Data required to fulfill legal obligations
• Usage data of IT services and systems
• Data collected by surveillance and management systems

In practice, this means:

We store the following data in the registry:

• Basic personal information (including name, date of birth, contact details and job title)
• Customer relationship data (including order history and correspondence)
• Pre-contractual negotiation data
• Information about training courses
• Project allocation data
• Data related to the introduction of products and services
• Product and service usage data, e.g. we collect service usage and browsing data from the website and mobile services
• Guest network usage log data
• Access control data in commercial premises
• Camera surveillance data in commercial premises

How do we collect your personal data?

We mainly collect your personal data directly from you, either verbally or in writing. This may be data collected by us or by our partners on our behalf.

Data may also arise from monitoring the use of services and systems, e.g. when you use services and programs provided to you, including electronic communication, email and Internet applications.

Data may also be collected by the administrative and security services we use.

In addition, we receive data from registers managed by authorities, the Credit Information and Payment Default Register, and other reliable registers.

We may also use cookies (small text files stored on your device) on our website to help our services work as well as possible.

In practice, this means:

The company should collect personal data primarily from the customer themselves, as this is how the customer best understands what data is being collected about them. If the company collects data from elsewhere, consent must be obtained and must be ensured as to the purpose of use.

Consent is not required if the authorities transfer data to the company to perform a task arising from the law or if the company obtains a person’s credit information or criminal record information to determine the reliability of the client. The client’s credit information may be necessary in positions where the person is directly materially responsible for the employer’s property or if the business relationship to be concluded requires special trust for other reasons. The Criminal Record Act and Regulation in turn stipulate for what purpose and to whom criminal record information may be transmitted.

Use of cookies:

We use cookies (small text files stored on your device) to provide and develop our services. We also use cookies to personalize content and target advertisements. Cookies help us, among other things, to provide more up-to-date and personalized services by displaying content based on the user’s interests. They also enable, for example, login and authentication, saving personalized settings and choices, analyzing website performance, and preventing fraud. Our online services collect, for example, the following usage data: IP address, which links you use, which advertisements or other content you have viewed, which websites you enter from and which ones you visit, browsing time, browser or application type, and other relevant data. Our website and services may contain third-party cookies.

We use session-based and persistent cookies. Session-based cookies only exist during a session, i.e. a single visit, and are automatically deleted when you close your browser. Persistent cookies exist for a specified period of time and remain on your computer even after the session ends, unless you delete them yourself first. Cookies do not harm your device or files. You can control the use of cookies, for example, in your browser settings. For more information about cookies, see the data protection and guidance documents of each browser.

How do we process your personal data?

We process your personal data in accordance with the General Data Protection Regulation in a manner that respects your rights and freedoms. We ensure that privacy principles are followed at all stages of the processing of personal data.

Your data will only be processed by our employees or those of our partners who are authorized to process personal data. We have ensured that our staff are aware of and knowledgeable about data protection through ongoing training and up-to-date instructions.

Your personal data may be processed in several different data systems managed by us or our partners.

In practice, this means:

We have valid Data Protection Agreements (DPA) with our partners, which ensure that we have received sufficient assurances from our data processors that their processing of personal data complies with the requirements of the GDPR.

In relation to the processing of personal data, we have implemented and ensured the necessary technical and organizational measures to comply with the privacy principles. Technical and organizational measures include security measures such as staff training, guidelines and instructions given to staff, confidentiality obligations, premises surveillance, usage monitoring through self-monitoring,

data security of data systems, data encryption, data anonymization, data pseudonymization, auditing, remote access connections, technical limitations, control and surveillance systems, performing data audits, introduction of a code of conduct and certificates.

Who do we share your data with?

We purchase certain personal data processing services from our partners. We have selected only those personal data processors as partners who follow good personal data processing practices through appropriate technical and organizational measures, comply with the requirements of the General Data Protection Regulation, and are able to guarantee your rights.

A written agreement has been concluded with all partners, which defines the purpose, purpose and duration of the processing of personal data and agrees on the personal data to be processed.

In addition, personal data is shared in connection with the following activities: Notifications to insurance companies, statistical data to ministries, other legal transmissions, tax data to banks and accounting.

We process data primarily within the European Union and the European Economic Area.

Do we transfer your personal data outside the European Union or the European Economic Area?

We process your personal data mainly within the European Union and the European Economic Area. In certain exceptional cases, including in connection with international business trips or the use of some services, it may be necessary to transfer your personal data outside the European Union or the European Economic Area. In such cases, we will ensure an adequate level of protection for your personal data in the manner required by law, e.g. by using standard contractual clauses approved by the European Commission.

How long do we retain your personal data?

The retention periods for personal data are based on the law and the General Data Protection Regulation (GDPR). In accordance with the data protection plan and privacy principles, we do not retain outdated or unnecessary data.

Data systems and sources in use

Dieta has an extensive system package at its disposal, which includes diverse data systems and is managed by specialists and partners in accordance with the above-mentioned conditions.

We have prepared special maps of data systems and data flows, which show their composition and logical structure in relation to their intended use. In addition, there are technical measures for critical systems, which ensure rapid recovery in the event of possible failures. Recovery is also practiced together with partners.

The data systems and data flow map is managed by the data management manager together with specialists and partners. For more information, please contact tietosuojavastaava@dieta.fi

Right to access your data

Under the General Data Protection Regulation, you have the right to receive a copy of the personal data we hold about you. There is no specific form for making a request. If necessary, we may ask you for additional information to enable us to identify you.

If you submit a request regarding this right electronically, we will transmit the data in a commonly used electronic format. The fulfillment of requests is free of charge, but under certain circumstances we may charge administrative costs related to carrying out the requested action or refuse to carry out the requested action.

According to the Data Protection Regulation, the deadline for responding to your request is one month. The deadline may be extended by a maximum of two months, if necessary, taking into account the complexity and volume of requests.

The right to correct your data and to be forgotten

The Data Protection Regulation guarantees you, with certain exceptions, the right to have your data corrected and removed, or the so-called right to be forgotten.

You have the right to withdraw any consent on which the processing of your personal data is based. If you submit a request for erasure, we will delete the data relating to you from the system if there is no legal basis or obligation to process the personal data.

If the data to be corrected or removed is in the possession of our partner, we ask them to act accordingly.

The right to transfer your data from one system to another

Under the Regulation, you have the right to data portability. In practice, you have the right to receive your personal data in a commonly used format and to transmit it to another controller. The right requires that the processing is based on consent or a contract and that the processing is carried out by automated means.

Right to object to processing, automated decision-making and profiling

You have the right to prohibit the processing of personal data concerning you, unless the processing is based on legal obligations or unavoidable business needs.

You have the right not to be subject to a decision based solely on automated processing, such as profiling, which produces legal effects concerning you or significantly affects you.

The right to be notified of a personal data security breach

We are obliged to notify the data subjects whose data is affected by the breach personally if the breach is likely to result in a significant risk to the rights and freedoms of individuals, e.g. in the form of identity theft, payment fraud or other criminal activity.

Who can you contact?

Please submit inquiries and requests regarding the processing of personal data in the first instance to the registrar at: tietosuojavastaava@dieta.fi