Privacy policy

Date 9th January 2024

1. Controller

Sponda Ltd (business ID: 0866692-3)
Yrjönkatu 29 C, P.O. box 940, FI-00101 Helsinki
tel. +358 (0)20 43131

2. Contact details for register matters

Sponda Ltd
Yrjönkatu 29 C, P.O. box 940, FI-00101 Helsinki
tel. +358 (0)20 43131
e-mail: privacy@sponda.fi

3. Name of the register

Marketing register

4. Purpose and legal basis of the processing of personal data

Personal data is processed for the purpose of sending announcements, press releases and marketing messages from the controller and/or its group companies.

Personal data can also be processed in connection with the controller’s direct marketing, opinion and market surveys or other comparable addressed mail, including electronic direct marketing. Personal data may also be processed in order to create classifications, categories or profiles, and to create targeted marketing that is more interesting to the data subject.

The controller uses cookies for a variety of purposes. Cookies are small text files stored by the browser to the user’s computer or terminal when using the Internet. Firstly, cookies are used for collecting statistical data about use of the websites. The controller also uses cookies for marketing so that it can monitor the use of various different websites. These cookies are used for assembling profiles of the data subjects’ search and browsing behaviour. In addition, the controller uses cookies for monitoring the data subjects’ browsing habits and functions. The controller uses the collected data to show content targeted to the data subjects. The cookies on website may be used by and delivered to the data subject by the controller or by third-party web analytics services, such Google Analytics and Facebook. The data subject may refuse or accept cookies from websites.

The legal basis for the processing of personal data is an agreement with the controller, the controller’s legitimate interest and/or the data subject’s consent. In cases where the legal basis for the processing is a legitimate interest, the interest refers to the controller’s needs to market its products and services effectively and develop its services.

Processing tasks can be outsourced to external service providers, in accordance with and within the limits set by data protection law.

5. Data content of the register

The following data of data subjects can be saved:

  • Personal information and contact details: first name, last name, e-mail address, gender, address, postal code, telephone number age/year of birth, language, profession and/or title.
  • Information related to the order and feedback: newspaper subscription type, particular areas of interest, customer feedback, contacts and responses to competitions, and classification data related to facilities searches
  • Information related to the device and connection: device identifier, operating system IP address and cookies
  • Information related to the use of services: for example, browsing and search data
  • Other data that is collected with the data subject’s consent, if any.

6. Storage period of personal data

The data stored in the register may be stored for as long as necessary for the original purpose of the collection and processing, or for as long as required by the law and regulations.

7. Regular sources of data

The data subject and the data that is generated when the data subject uses the services. Other sources of data are tenants, the property owner and/or the representatives of these. Other possible sources of data are publicly-available or commercial external databases of decision-makers and enterprises.

8. Regular disclosure of data and recipient categories

Data may be disclosed between the group companies of the controller. Data may be disclosed in connection with the sale, transfer or other disposal of a site or business. Data may be disclosed to competent authorities, for example, in order to identify misuse.

9. Transfer of data outside the EU or the EEA

Personal data may be transferred outside the European Union or the European Economic Area in accordance with and within the limits of data protection law.

The controller, the controller’s subcontractors or partners may use companies that are located outside the EU or the EEA to assist in the processing of personal data, or they may use workforce or other resources that are located outside the EU or the EEA for processing personal data. It is also possible that a co-operation partner selected by the controller to which the controller decides to transfer data is located outside the European Union or the European Economic Area, for example, in the United States. The legislation of non-EU/EEA countries does not necessarily provide the same level of protection for personal data as the European Union. However, the controller tries to ensure the protection of personal data in these cases by using the safeguards required under data protection law, such as the standard contractual clauses of the European Commission.

10. Protection principles of the register

Manual material

Any manual materials are stored in a locked room that only authorized persons can access.

Electronically-processed data

The register is stored in electronic form, appropriately protected from outsiders with the help of firewalls and other technical measures. Only designated employees of the controller and representatives of partners have the right to process the data stored in the register.

The aim of the measures described above is to safeguard the confidentiality, availability and integrity of the personal data stored in the register and to permit the exercise of the data subject’s rights.

11. Automatic decision-making

Personal data is not used for automatic decision-making that would have legal or other similar effects on data subjects.

12. Right to object to the processing of one’s personal data

Where the ground for the processing of personal data is the legitimate interest of the controller, the data subject has the right to object to the profiling or other processing of any personal data relating to their particular situation.

The data subject may object to the processing of their personal data by submitting a request, as described in section 15 of this privacy policy. In the request, the data subject must specify the particular situation on the 3 (3) basis of which they object to the processing. The controller may refuse to satisfy the request under the criteria set out in legislation.

13. Right to object to direct marketing

The data subject may give their consent or refusal to direct marketing to the controller channel-specifically, and the content or refusal also covers profiling for direct marketing purposes.

14. Other rights of the data subject related to the processing of personal data

Right of access to personal data

The data subject has the right to access their personal data in the register. The access request must be made following the instructions set out in this privacy policy. The right of access can be refused on the grounds provided in legislation. In principle, exercising the right of access is free of charge.

Right to request rectification or erasure of personal data or restriction of processing

The data subject must, without undue delay and after noticing or becoming aware of the mistake, rectify, erase or complement any data in the register that violates the purpose of the register, is incorrect, unnecessary, in-complete or outdated, if the data subject can do this him- or herself.

If the data subject cannot rectify the data, the rectification request must be submitted as described in section 15 of this privacy policy.

In addition, the data subject has the right to request the controller to restrict the processing of their personal data, for example, while the data subject is waiting for the controller’s response to the rectification or erasure request.

Right to move data between systems

Insofar as the data subject has submitted data to the register that is processed on the basis of the data subject’s consent, the data subject has the right to receive such data in a form that is readable by a computer and to move them to another controller’s system.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a competent supervisory authority if the controller has not complied with applicable data protection regulations in its operations.

Other rights

If the legal basis for the processing of personal data is the data subject’s consent, the data subject is entitled to withdraw their consent by notifying the controller, as described in section 15 of this privacy policy.

15. Contacts

The data subject should contact the controller if they have any questions concerning the processing of personal data and the exercise of their rights. The data subject may exercise this right by sending a request to the controller via e-mail to privacy@sponda.fi or by mail to Sponda Ltd, Yrjönkatu 29 C, P.O. Box 940, FI-00101 Helsinki.