Information Security Policy

Controller

FinMobility ry (business ID 3084285-8)

Nuijamiestentie 7, 00400 Helsinki, Finland or Rond-Point Schuman 6, B. 5, 1040 Brussels, Belgium

Contact person: Pasi Moisio

Name of the register

Purpose and legal basis for processing personal data

Personal data are processed for the purposes of the performance of the contract between the Controller and the data subject and, where applicable, on the basis of the data subject’s consent, in connection with and for the purposes of registration, contact, administration, marketing, reporting and other activities related to the management of the customer relationship.

The transaction data and location data processed in the register may also be used for profiling and to target marketing measures and customer communications to the data subject. Personal data will also be processed in connection with the sending of newsletters, participation in events and other marketing activities.

If the data subject fails to provide the requested information insofar as it relates to registration for an event, the Controller cannot accept the registration of the data subject and cannot be bound by any contract between the Controller and the data subject for participation in the event.

Retention period of personal data

Personal data will be kept for as long as necessary to enable the Registrars to register and the related event. In addition, data will be kept for similar events after the event. The data will be deleted when the data subject so requests in writing.

Categories of persons, data content and categories of personal data in the register

The categories of persons whose data may be processed are the participants in an event organised by the Registrar, or those who have given their marketing consent.

The register may process, among other things, the first and last name of the data subject who registered for the event organised by the controller, as well as any contact details and any necessary information provided in connection with the event. Registration data entered by the data subject himself/herself for an event may include, for example, the following information: email, telephone number, address, date of birth, identity card details or allergy information.

Regular data sources

Information provided by the participant and the database of the customer information system.

Regulatory disclosures of data

Data may be shared within the organisation, as well as between stakeholders of the event. Data will not be transferred outside the EU or EEA.

Principles of register protection

The data will be stored in a technically secure manner. Physical access to the data is prevented by access control and other security measures. Access to the data requires adequate rights and multi-factor authentication. Unauthorised access is also prevented by firewalls and technical protection. Only the controller and specifically designated technical staff have access to the register data. Only the designated persons are entitled to process and maintain the data in the register. Users are bound by confidentiality. The register data are backed up securely and can be restored if necessary. The level of security is audited at regular intervals, either through external or internal audits.

Rights of the data subject

A person on the register has the right to, among other things:

– Request from the Controller access to personal data concerning him or her and the right to request the rectification or erasure of such data or the restriction or objection of processing, as well as the right to data portability;

– to check and, if necessary, have corrected the data relating to him/her contained in the register. The request must be made in writing to the controller. The person concerned shall have the right to obtain the amendment of any data relating to him or her which have been incorrectly recorded in the register.

– in so far as the processing of personal data is based on the data subject’s consent, the right to withdraw consent at any time, without prejudice to the lawfulness of the processing carried out on the basis of consent before its withdrawal

– to lodge a complaint about the processing of personal data with a supervisory authority