PRIVACY POLICY FOR CUSTOMER AND STAKEHOLDER REGISTER

Data Controller

Taratest Oy
Business ID: 0939835-0
Address: Turkkirata 9A, 33960 Pirkkala, Finland
Phone: +358 3 368 3322
Email: taratest@taratest.fi

Register Name
Customer and Stakeholder Register

Person Responsible for Data Protection Matters
Tero Mäkinen
tero.makinen@taratest.fi
Phone: +358 40 562 8693

Purpose of Processing Personal Data and Legal Basis
The Data Controller processes personal data in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (EU 2016/679) and the Finnish Data Protection Act (1050/2018).

The purposes of processing personal data include:
– Managing and developing customer relationships, customer service, and other cooperation
– Fulfilling the rights and obligations of the customer/stakeholder and the Data Controller
– Processing personal data of stakeholders (such as suppliers, subcontractors, and partners) for cooperation and business purposes
– Processing personal data related to the Data Controller’s products and services, such as development, delivery, marketing, and communication
– Other similar purposes

The legal bases for processing personal data include statutory obligations, contracts, consent, and legitimate interest of the Data Controller.

Legitimate interest applies when a relevant relationship exists between the Data Controller and the data subject. Such a relationship may arise, for example, when:
– The data subject contacts the Data Controller on their own initiative
– The Data Controller processes personal data in connection with a business or cooperation relationship involving the data subject’s employer

In addition, under legitimate interest, the Data Controller may store information on potential customers and their representatives where it is reasonable to expect interest in the Data Controller’s products or services.

Electronic direct marketing is sent only to individuals who have given their consent or, as permitted by applicable law, where there is a relevant connection to the recipient’s role or responsibilities.
Consent can be withdrawn at any time by contacting the Data Controller or by using the “Unsubscribe” link included in each marketing message.

Categories of Personal Data
The register contains information about:
– Customers and their representatives/contact persons
– Representatives and contact persons of subcontractors and suppliers
– Potential customers, subcontractors, suppliers, and their representatives
– Other stakeholders

The following personal data may be processed:
– Name
– Email address
– Phone number
– Company name, Business ID, contact person, position
– Order, contract, quotation, invoicing, and payment information
– Customer feedback and communications
– Customer relationship data (e.g., contact history and follow-up information)
– Additional information provided by the data subject

Sources of Personal Data
Personal data is primarily obtained from:
– The data subject directly (customer or cooperation relationship)
– Public sources (such as websites, social media, and trade registers)
– The data subject’s employer or related business partner
– Credit information providers such as Suomen Asiakastieto Oy (may include data on company representatives)

Recipients and Processing of Personal Data
The Data Controller uses reliable service providers in the technical implementation of its services. These providers process personal data on behalf of the Data Controller under the data processing agreements that applicable data protection legislation requires between the Data Controller and each service provider. Service providers process personal data under the responsibility of the Data Controller in accordance with the data processing agreement and the documented instructions of the Data Controller.

On a case-by-case basis, as agreed separately with the data subject or as otherwise permitted by data protection legislation, the Data Controller may also disclose personal data to another data controller or to a third party.

In addition, where permitted under data protection legislation, the Data Controller may disclose contact details of the data subject in individual cases to its partners, for example when organizing joint customer events or training sessions with a partner. The partner is responsible for the processing of personal data for its own part.

Personal data may be transferred outside the European Union or the European Economic Area in accordance with data protection legislation and within its limits. When transferring personal data outside the EU/EEA, the Data Controller likewise ensures an adequate level of data protection in accordance with applicable data protection legislation by complying with adequacy decisions issued by the European Commission and, where necessary, by using standard contractual clauses approved by the European Commission together with any required supplementary safeguards.

Cookies
The Data Controller uses cookies on its website to improve user experience. Some cookies are necessary for the website to function. According to legislation, the Data Controller may store cookies on the data subject’s device if they are strictly necessary for the operation of the website. The use of all other cookies requires the data subject’s consent.

The data subject can make choices on the website regarding the purposes for which cookies are collected. In accordance with these choices, the Data Controller may also use cookies to customize the website, analyze visitor numbers, for marketing purposes, and to support social media features. Some cookies are set by third parties.

More information about cookies can be found in the cookie settings on our website.

Data Retention
The Data Controller processes and retains personal data only for as long as required by law or as necessary for the predefined purpose of processing. Personal data that is no longer needed and for which the Data Controller no longer has a legal basis or obligation to retain or process will be deleted at regular intervals in accordance with the Data Controller’s data protection practices.

Rights of the Data Subject
The data subject has rights under the EU General Data Protection Regulation.

Right of Access
The data subject has the right to obtain confirmation from the Data Controller as to whether or not their personal data is being processed. If personal data is being processed, the individual has the right to access the data.

Right to Rectification, Erasure, or Restriction
The data subject has the right to request the Data Controller to correct inaccurate data concerning them, as well as to delete personal data or request restriction of processing on the grounds provided by law.

Right to Object
The data subject has the right to object to the processing of their personal data based on their particular situation when processing is based on legitimate interest.

If personal data is processed for direct marketing, the data subject has the right to object at any time to the processing of personal data for such marketing, including profiling related to such direct marketing. If the data subject objects, the personal data may no longer be processed for this purpose.

Right to Data Portability
The data subject has the right to receive the personal data concerning them, which they have provided to the Data Controller, in a commonly used and machine-readable format, and to transfer this data to another controller without hindrance, if the processing is based on consent or contract and carried out by automated means. The data subject also has the right to have the personal data transferred directly from one controller to another, where technically feasible.

Right to Withdraw Consent
Where personal data is processed based on the data subject’s consent, the data subject has the right to withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

Right to Lodge a Complaint
In Finland, the supervisory authority is the Office of the Data Protection Ombudsman. Contact details and instructions are available at: www.tietosuoja.fi

Exercising Your Rights
You may exercise the above rights by contacting the Data Controller by phone or email using the contact details provided at the beginning of this privacy policy. We aim to respond as quickly as possible and will provide further instructions or request additional information if necessary.

Please note that before fulfilling a request, we have the right and obligation to verify your identity and must be able to identify you sufficiently.

If your request is manifestly unfounded or excessive, we may charge a reasonable fee based on administrative costs or refuse to act on the request.

Processing of Personal Data and Profiling
The Data Controller does not use automated decision-making, such as profiling, as part of its processing activities.

General Description of Technical and Organizational Security Measures
Access to the personal data register is granted only to representatives of the Data Controller who have signed appropriate confidentiality agreements and who have a justified need to process the data for their work duties.

The Data Controller has provided binding written instructions and policies to its employees and service providers regarding the processing of personal data and data protection, which they have committed to following.

Information systems are protected appropriately, including through encryption and technical access restrictions.

The Data Controller regularly reviews its data processing activities, systems, and equipment and assesses risks related to the processing of personal data, for example when implementing new technologies.

Changes to the Privacy Policy
The Data Controller may update this Privacy Policy as necessary.

This Privacy Policy was last updated on May 12, 2025.