Privacy policy

1. Controller

Controller

Lönnbergs Chiropraktik & Fysioterapi Öppet bolag
Bangränd 1, 10300 Karis
roger@brev.fi
1452630-2

Contact person in matters concerning the processing of personal data

Roger Lönnberg
Bangränd 1, 10300 Karis
roger@brev.fi

2. Name of the Register

Register Name: Kofverhag Farm Customer Register

3. Purpose of Processing Personal Data

Personal data is processed to manage, administer, and develop customer relationships, provide and deliver services, and support service development and billing. It is also used to investigate complaints or other claims.

In addition, personal data is processed in communications directed to the customer, for informational and newsletter purposes, as well as in marketing, where personal data is also used for direct mail and electronic marketing.

The customer has the right to opt out of receiving direct marketing.

The data controller processes the information themselves and uses subcontractors who act on behalf of the data controller for the processing of personal data.

4. Legal Basis for Processing

The legal bases for processing personal data are as follows, in accordance with the EU General Data Protection Regulation (hereinafter also ‘GDPR’):

  1. The data subject has given their consent for their personal data to be processed for one or more specific purposes (GDPR 6 art. 1.a);
  2. The processing is necessary for the performance of a contract to which the data subject is a party, or to take steps at the request of the data subject prior to entering into such a contract (GDPR 6 art. 1.b);
  3. The processing is necessary for the legitimate interests of the data controller or a third party (GDPR 6 art. 1.f).

The legitimate interest of the aforementioned data controller is based on a significant and relevant relationship between the data subject and the data controller, resulting from the data subject being a customer of the data controller, and where the processing is carried out for purposes the data subject could reasonably expect at the time the personal data was collected and in connection with that relevant relationship.

5. Contents of the Register (Categories of Personal Data Processed)

As a baseline, the register contains the following personal data about all registered individuals:

  1. Basic and contact information: first name, last name, address, phone number, email address
  2. The individual’s information related to a company or other organization, as well as their role or position within that company or organization;
  3. The individual’s consent to and opt-out from direct marketing.

6. Regular Sources of Information

Personal data is collected from the data subject themselves.

Personal data is also collected and updated, in accordance with applicable law, from publicly available sources that are related to maintaining the customer relationship between the data controller and the data subject, and which help the data controller fulfill their obligations in connection with maintaining customer relationships.

7. Retention Period for Personal Data

Data collected in the register is stored only as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

The need to store personal data is reviewed every five years, and in any case, the data is deleted 10 years after the customer relationship with the data controller has ended, and obligations and actions related to the customer relationship have been completed. For example, accounting records are stored for five years after the end of the reporting period.

The data controller regularly assesses the necessity of retaining data according to internal practices. In addition, the data controller takes all reasonable measures to ensure that any personal data that is inaccurate, incorrect, or outdated in relation to the purpose of processing is deleted or corrected without delay.

8. Recipients of Personal Data (Recipient Groups) and Regular Data Transfers

Personal data is not transferred to external parties.

9. Transfer of Data Outside the EU or EEA

Personal data in the register is not transferred outside the EU or EEA.

10. Principles for Protecting the Register

Access to databases and systems containing personal data requires individual usernames and passwords, which are granted separately. The data controller has restricted user rights and permissions to information systems and other storage platforms so that only persons necessary for the lawful processing of data can view and handle it. In addition, user activities in databases and systems are recorded in the log files of the data controller’s IT system.

The data controller’s staff and other individuals have committed to confidentiality and to keeping the information they access during the processing of personal data private.

11. The Data Subject’s Rights

A data subject has the following rights under the EU General Data Protection Regulation:

  1. The data subject has the right to obtain from the data controller confirmation as to whether personal data concerning them is being processed and, if so, access to the personal data along with the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data has been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the data controller rectification or erasure of personal data, or restriction of processing concerning the data subject, or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to its source (GDPR Article 15). The above-mentioned basic information (i)–(vii) is provided to the data subject with this form;
  2. The right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (GDPR Article 7);
  3. The right to have inaccurate personal data concerning them corrected by the data controller without undue delay. Considering the purpose of processing, the data subject also has the right to complete incomplete personal data, including by providing a supplementary statement (GDPR Article 16);
  4. The right to have personal data erased by the data controller without undue delay if any of the following apply: (i) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; (iii) the data subject objects to the processing due to their particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes; (iv) the personal data has been processed unlawfully; or (v) the personal data must be erased to comply with a legal obligation under EU or national law applicable to the data controller (GDPR Article 17);
  5. The right to request that the data controller restrict processing if: (i) the data subject disputes the accuracy of the personal data, for a period allowing the data controller to verify its accuracy; (ii) the processing is unlawful and the data subject opposes erasure and requests restriction instead; (iii) the data controller no longer needs the personal data for the purposes of processing, but the data subject requires it to establish, exercise, or defend legal claims; or (iv) the data subject has objected to processing due to their specific personal situation while awaiting verification of whether the data controller’s legitimate grounds override those of the data subject (GDPR Article 18);
  6. The right to receive the personal data concerning them that they have provided to the data controller in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller without hindrance from the original data controller, where the processing is based on consent and carried out automatically (GDPR Article 20);
  7. The right to lodge a complaint with a supervisory authority if the data subject believes that the processing of personal data concerning them violates the EU General Data Protection Regulation (GDPR Article 77).

Requests to exercise the data subject’s rights should be directed to the data controller’s contact person listed in section 1.
