privacy POLICY

Privacy statement of Studio POKS Oy Customer Register

1 Data Controller

Controller of the register: Studio POKS Oy
Business ID: 3481324-5
Contact person for register matters: Liisa Hyyrynen
Address: Kirstinkatu 2A6, 00530 Helsinki, Finland
E-mail: liisa@studiopoks.com
Tel: + 358 (0)40 836 1116

2 Name of the register

The name of the register is “Studio POKS customer register”

3 Basis and purpose of processing personal data

Personal data is processed for purposes related to the management, administration and development of customer relationships, the provision and delivery of services, and the development and invoicing of services. Personal data is also processed for purposes required to investigate possible complaints and other claims.

In addition, personal data may be used for direct marketing (including newsletter subscriptions), marketing contests, opinion and market surveys and customer profiling. The customer has the right to prohibit direct marketing targeted at him/her. The controller processes the data itself and utilises subcontractors acting on behalf of the controller in the processing of personal data.

4 Legal basis for processing

The legal basis for processing personal data is in accordance with the EU general data protection regulation (hereinafter also referred to as the GDPR):

  1. The data subject has given consent to the processing of his or her personal data for one or more specific purposes. (Art. 6 1a. GDPR )

  2. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. (Art.6 1.b GDPR)

  3. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. (Art. 6 1.f GDPR)

The aforementioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller, which results from the fact that the data subject is a customer of the controller, and when the processing takes place for purposes that the data subject could reasonably have expected at the time of collection of the personal data and in connection with the relevant relationship.

5 Data contents of the register (categories of personal data processed)

As a rule, the register contains the following personal data of all data subjects:

1. basic information and contact details of the person: [first name, last name, postal address, telephone number, email address)

2. information related to the person's company or other organisation and the person's position or job title in said company or organisation.

3. the person's direct marketing permissions and prohibitions.

6 Regular sources of data

Personal data is collected from the data subject himself/herself, consisting of data gathered from the customer’s use of services and the online service or other business conducted with Studio POKS, as well as data gathered from and during making an agreement.

Personal data is also collected and updated, within the limits of applicable legislation, from publicly available sources related to the implementation of the customer relationship between the controller and the data subject and through which the controller fulfils its obligations related to maintaining customer relationships.

7 Retention period of personal data

The data collected in the register is stored only for as long and to the extent that is necessary in relation to the original or compatible purposes for which the personal data was collected, with storage times prescribed by laws such as the Consumer Protection Act, the Accounting Act and the Prepayment Act taken into consideration.

The controller assesses the necessity of storing data regularly in accordance with its internal code of conduct. In addition, the controller shall take all possible reasonable measures to ensure that personal data that are inaccurate, incorrect or outdated in relation to the purposes of processing are erased or rectified without delay.

8 regular disclosure of data

Personal data will not be disclosed to third parties.

9 Transfer of data outside the EU or EEA

The register is hosted on Squarespace's servers, which may be located outside the EU or EEA. Squarespace adheres to  the Privacy Shield standard when processing personal data.

10 Principles of protecting the register

Materials containing personal data are stored in locked premises that can only be accessed by designated persons authorised to do so due to their duties.

The database containing personal data is located on a server that is stored in a locked space that can only be accessed by designated persons authorised to do so due to their duties.  The server is protected by an appropriate firewall and technical protection.

Access to databases and systems is only possible with separately granted personal usernames and passwords. The controller has restricted access rights and authorisations to information systems and other storage platforms so that data can only be viewed and processed by persons necessary for their lawful processing. In addition, database and system usage events are registered in the log data of the controller's IT system.

The controller's employees and other persons have undertaken to observe professional secrecy and to keep confidential the information received in connection with the processing of personal data.

11 rights of the data subject

The data subject has the following rights under the EU General Data Protection Regulation:

1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:

(i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations;(iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; vii. where the personal data are not collected from the data subject, any available information as to their source; (Art. 15 GDPR).

2. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. (Art. 7 GDPR)

3. The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement. (Art. 16 GDPR)

4. The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:

(i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing is based and there is no other legal basis for the processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data must be erased in order to comply with a legal obligation under Union or national law to which the controller is subject. (Art. 17 GDPR)

5. The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:

(i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to the processing on grounds relating to his or her particular situation, pending verification whether the legitimate grounds of the controller override those of the data subject (Art. 18 GDPR).

6. The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent within the meaning of the Regulation and the processing is carried out by automated means. (Art. 20 GDPR)

7. Without prejudice to any other administrative or judicial remedy, every data subject shall have the right to lodge a complaint with a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement if the data subject considers that the processing of personal data relating to him or her infringes this Regulation. (Art. 77 GDPR)

Requests concerning the exercise of the rights of the data subject should be addressed to the controller's contact person mentioned in section 1.

12 Web analytics

The services below collect anonymizes information about site visits without personal data:

  • Squarespace


13 Targeted marketing

Based on your visit to the website, we may carry out targeted advertising on the following services [Facebook, Instagram, LinkedIn, Pinterest]