Creative Union as the processor
When Creative Union provides services to its customers, Creative Union processes certain personal data of data subjects on behalf of and for the account of the customer. This means that Creative Union acts as the processor in relation to such personal data, and therefore we do not process that data for our own purposes. Creative Union receives the personal data being processed as part of our services from our customer, who is respectively the controller in relation to that personal data. To ensure that the processing is being carried out in accordance with applicable data protection laws, we have put in place sufficient safeguards by way of executing data processing agreements with our customers as necessitated by the data protection laws, and we are committed to abide by them.
Creative Union as the controller
1. Identity of the controller and contact details
2. Types of personal data processed
Creative Union only processes such personal data that is necessary for predefined purposes. We typically process the following types of personal data about you:
- Information about our business customers and their contact persons. In case you are the contact person for our business customer, we may collect and process the following information about you and your company, which we will combine and process together for as long as you are the contact person for that company:
- Information concerning the company and the customer relationship, such as name, business number, address, invoicing and payment details (including possible payment failures), order/purchase history, possible direct marketing opt-outs
- Information about you as the contact person, such as name, title and role in the company, contact details (such as email, phone number and address), details and contents of correspondence with us, possible direct marketing opt-outs
- Information we use for marketing purposes (potential customers). We also collect certain information about companies and their contact persons that have expressed their interest in the products and services Creative Union provides or who we otherwise believe would be interested in receiving information about our products and services. In this relation we may collect and process the following information about you:
- Your name, details of the company you represent, title and role in the company, contact details (such as email, phone number and address), topics of interest, details and contents of correspondence with us, possible direct marketing opt-outs
3. Where we obtain your data
We obtain the data we process principally from you when you are in contact with us through our website or in other ways such as by email or calling us. We also obtain your data when our business customer enters into an agreement with us or submits requests for proposal, or in other business connections. We may also collect and update your information from publicly available sources (such as company websites, databases of authorities etc.), campaigns, publications, fairs, from business cards and otherwise.
4. Purposes of processing
Creative Union uses your personal data for the following purposes:
- Performance of agreement and management of customer relationship. We process your personal data to perform the agreement that you or your company has made with us, or to negotiate such an agreement, and to enforce the rights and obligations relating to that agreement.We also process your data to manage and develop the customer relationship, such as to contact you in matters relating to the services provided by Creative Union and the general business relationship between Creative Union and your company, for invoicing and debt collection and invite you to customer surveys.The processing of your personal data is in these cases based on an agreement or necessary to take steps prior to entering into such agreement.
- Direct marketing and other communication. We process your personal data also for direct marketing purposes and to send you updates relating to our products, services and business (such as newsletters), and other content you may have requested. We may customise our marketing and other content by creating profiles and customer segments based on your title and role, order history and your interactions with us in order to serve you with content that is more relevant to you.We process your data for the abovementioned purposes based on an agreement you/your company has with Creative Union or our legitimate interest if we consider your company as a potential customer or if the agreement between us has ended and you have not opted out of direct marketing. If we have requested your consent for the foregoing activities, we process your personal data based on that consent.
- Development and analysis. We process your personal data as well as the data we collect automatically to analyse and develop our products, services and business, and to better understand how our services are used. We will not use your information in an identifiable form if it is not necessary for the abovementioned purposes.
- Processing based on a legal obligation. We may be obligated to process certain of your personal data based on a legal obligation under the Finnish accounting and other mandatory laws, also after the customer relationship has ended. In these cases, the processing is based on that legal obligation.
5. Disclosures of personal data
Creative Union may disclose and transfer your information to third parties in the following circumstances:
- Authorities. We may disclose your information to authorities when we have a legal obligation or other legitimate interest to do so under applicable law.
- Consent. Based on your consent we may disclose your information within the limits of the specific consent you have given. Information on revoking your consent is provided below.
- Business transactions. We may disclose your personal data in connection with a business transaction (such as a transfer of undertaking) to the other party/parties of the transaction, if and to the extent necessary.
- Our legitimate interests. We may disclose your personal data if it is necessary in order to protect or defend our legitimate rights and interests, or those of our other customers, employees, directors or shareholders, and/or to ensure the safety and security of our services.
The principal place of processing of your personal data is in the EU/EEA. In certain occasions we may use service providers located outside the EU/EEA in the provision and technical implementation of our services, in which case your personal data may be transferred outside the EU/EEA. In case we transfer your personal data outside the EU/EEA we have ensured that your personal data is afforded adequate level of protection by way of contractual obligations or by using other safeguards available under the EU data protection laws.
6. Your rights as the data subject
As the data subject, you have the following rights you can exercise in relation to the processing of your personal data:
- Right of access, rectification and erasure. You have the right to request access to your personal data we process. At your request we will also rectify any inaccurate, incomplete or outdated personal data relating to you. You also have the right to request your personal data to be erased (right to be forgotten) in accordance with applicable law.
- Right to object to direct marketing (including related profiling). In case you do not want to receive further marketing or other updates from us or wish to opt out of profiling we do in order to offer you tailored direct marketing, you have the right to object to processing of your personal data for those purposes. Should you use your right to object, you will no longer receive direct marketing from us. You can use your right to object either by contacting us or through the unsubscribe link on electronic messages we send you.
- Right to object to data processing and right of restriction. You have the right to object to processing we carry out based on legitimate interest on grounds relating to your particular situation, unless we have compelling legitimate interests for the processing which override those interests. You also have the right to request the restriction of the processing of your personal data, for example, in case you object to processing as described above or contest the accuracy of your personal data.
- Revocation of consent. You may revoke a consent you have given at any time by contacting us. Please note that revoking your consent does not affect the legality of the processing we have carried out prior to the revocation.
- Data portability. You have the right to receive the personal data concerning you, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller when we process your data automatically and based on an agreement or your consent.
7. Data retention
Creative Union will only retain your personal data in identifiable form as long as is necessary to fulfil the abovementioned purposes or as long as we have a statutory obligation to keep your information, after which it will be deleted or anonymised. We retain the personal data of our customers contact persons for at least the time they are current, and the customer relationship exists. After the customer relationship ends, the retention period depends on the data and its purpose of use. For example, we retain your personal data for direct marketing purposes until you have objected to it, and retain invoicing and payment information for 7 years after the customer relationship has ended. As a rule, we retain data on potential customers until that customer has objected to direct marketing, and we have no other grounds for retaining the personal data. We comply with any statutory obligations in retaining data that may apply. If you have exercised your right to object to direct marketing, we may still keep certain information about you to comply with that request.
9. Data security principles
We employ sufficient technical and organizational measures to protect your personal data against accidental and/or unlawful access, alteration, destruction or other processing (including unauthorized disclosure and transfer). These measures include proactive and reactive risk management, use of firewalls, encryption techniques and secure IT areas as well as access control and security systems, security planning, controlled granting and monitoring of access/user rights, ensuring skills through training for personnel involved in processing personal data and through assessments as well as careful selection of subcontractors and other suppliers. We are continuously updating our in-house practices and guidelines in an appropriate manner.
10. Changes to this policy