CAPS EXTRANET – PRIVACY POLICY Last updated 25 April 2018

This Privacy Policy informs about processing of personal data by CapMan Plc (“CapMan”). It answers the questions what personal data CapMan collects, uses or shares, for what purposes the personal data is collected and what rights Users have. The Users can be contact persons of CaPS member companies and CaPS vendors (“Users“). CaPS member companies and CaPS vendors are jointly referred to as business partners (“Business Partners“).

  1. Controller

CapMan Plc
0922445-7
Ludviginkatu 6, 00130 Helsinki Finland
+358 207 207 500

  1. The person in charge of the data protection

Tiina Halmesmäki
General Counsel
+358 40 590 1043
tiina.halmesmaki@capman.com

  1. Name of the register

CaPS Extranet business contact register

  1. Legal basis and purposes of processing personal data

CapMan processes personal data for various purposes, which are explained below.

4.1 Service provision

The main purpose of processing personal data about Users is to provide CapMan Procurement Services and CaPS Extranet to Business Partners. This processing of personal data is primarily based on contract between CapMan and Business Partner, including necessary data processing prior to entering into the contractual relationship. The Users’ personal data are used to manage communication with Business Partners.

4.2 Marketing

The Users’ personal data may be used for marketing purposes, including regular newsletters and information on upcoming events. In this respect, the processing is based on CapMan’s legitimate interest to provide Business Partners and Users with relevant and up-to-date information regarding new contracts, price decreases under current contracts, contract continuations and other issues that bring added value to the Business Partners.

4.3 Service development

The goal is to provide competitively priced services to Business Partners. For that reason, CapMan may use personal data to analyze the market, User groups, use of Extranet for the purpose of developing and improving the quality of CapMan Procurement Services and CaPS Extranet. This processing is based on CapMan’s legitimate interest to provide Business Partners with high quality services.

4.4 Information security

CapMan processes technical data, such as IP-addresses, device IDs and time stamps, for information security purposes and fraud prevention. CapMan maintains information security measures to safeguard business information and business assets, to protect personal data, to avoid criminal activities and to ensure the availability of the CaPS Extranet. This processing is based on CapMan’s legitimate interest to ensure an appropriate level of network and information security.

  1. Content of the register

CapMan collects personal data through different means, which are explained below.

5.1 Contractual relationship

CapMan processes personal data for the purpose of maintaining a good business relationship with Business Partners and Users. The personal data is collected directly from Business Partners or Users. CapMan may collect the following personal data:

  • Basic information about User(s), such as name, title, work phone number and email address;
  • Basic information about Business Partner, such as company name, business ID, postal address, email address and phone number;
  • Information relating to contractual relationship between CapMan and Business Partner; contract in place, starting and end time of contractual relationship;
  • Communications between CapMan and User

5.2 Interaction with CaPS Extranet

CapMan collects personal data, among others, when User contacts CapMan via customer service, signs up for an event, subscribes to newsletter, and/or participates in surveys or competitions on CaPS Extranet. The following information is collected directly from Users:

  • Basic information about User(s), such as name, title, work phone number and email;
  • Basic information about Business Partner, such as company name, business ID, postal address, email address and phone number;
  • Reasons for contacting CapMan and details related to contact; and
  • Events, surveys and competitions participated in.

5.3 Automatically collected data of the use of service

CapMan automatically collects and processes the following technical data about Users and the use of CaPS Extranet:

  • IP address, device ID, device type, operating system used and application settings;
  • User’s activity such as pages viewed and items ‘clicked’ on;
  • timestamps and log data relating to the use of CaPS Extranet; and
  • location/country of origin.

This technical data is collected automatically through the use of CaPS Extranet.

5.4 Data collected from other sources

CapMan may, from time to time, also collect information from publicly available sources and third parties, such as social networks and marketing companies.

  1. Sharing of personal data

CapMan may share personal data to the following third parties:

  • Business Partners for the purpose of co-operation in the context of CaPS Procurement Services. CapMan shares only the contact details of Business Partner’s contact person when such information is provided on CaPS Extranet;
  • trusted services providers, such as IT service provider, for the purposes listed in section 4. However, at all times, these trusted service providers act on CapMan’s behalf and CapMan are responsible for processing of personal data;
  • when permitted or required by law to comply with requests by competent public authorities such as subpoenas or similarly binding acts;
  • if CapMan is involved in a merger, acquisition, or sale of all or a portion of its assets; and
  • when CapMan believes in good faith that disclosure is necessary to protect CapMan’s rights, protect Users’ safety or the safety of others, investigate fraud, or respond to a government request.
  1. Transfer of data to countries outside the European Union or European Economic Area

The data will not be transferred to countries outside the European Union or European Economic Area.

  1. Storing of the data

The personal data will be retained only for as long as necessary to fulfill the purposes defined in section 4 of this Privacy Policy. After that personal data will be removed except when retention is required by law or contractual rights or obligations of either party.  The main rules for the retention periods are as follows:

  • Personal data collected for contractual purposes will be retained during the contractual relationship and after that as long as required by law, for example accounting laws, or contractual rights or obligations by either party, for example, for billing purposes;
  • Personal data collected in connection with customer service and other interaction with Extranet, such as participation in surveys and competitions, will be retained only as long as necessary to manage and handle the matter in question and deleted after that.
  • CapMan will delete or anonymise personal data used for marketing purposes after a reasonable period of time has lapsed from last contact between the User and CapMan, unless retention is required by law or contractual rights or obligations by either party. Should Users have concerns about data retention for marketing purposes, Users should refer to section 11 below for further information about Users’ rights in this respect.
  1. The principles for security of the register

In order to best serve the needs of the Business Partners the following parties have the access to the register:

  • CaPS vendors and their contact persons have access to the name, title and email address of the CaPS member companies’ contact persons
  • CaPS member companies’ contact persons have access to the name, title, email address and phone number of the CaPS vendors’ contact persons
  • CaPS team members, who are required to have access to the personal data due to their work tasks (need-to-know principle)

Individuals who have access to the register are required to provide credentials to confirm their identity (at a minimum).

In CapMan transportable computers/devices are required to be secured with anti-theft devices, placed in locked files or cabinets or otherwise secured. Also, practices will be implemented to prevent introduction of malware and/or other destructive elements that would impair normal and expected system operation with antivirus software with automatic updates enabled.

  1. Data Subjects’ Rights

A User (“data subject“) is entitled to have access to personal data concerning him or her in the register.   A User has a right to request data portability, i.e. the right to receive the personal data in a structured, commonly used machine-readable format and transmit the personal data to another controller, to the extent required by applicable data protection law. This applies only for personal data provided by the User on the basis of contractual relationship or User’s consent. A User has the right to request to correct, update or removal of personal data at any time. However, please note that certain information is strictly necessary in order to fulfil the purposes defined in this Privacy Policy and may also be required by law. Therefore, the deletion of such data may not be allowed by applicable law, which prescribes mandatory retention periods.

A User has a right to object to processing, that is based on legitimate interest of CapMan on grounds relating to their particular situation at any time. A User may at any time contact CapMan and opt-out of receiving marketing messages. To the extent required by applicable data protection law, a User has a right to restrict data processing.

If the User finds violation to his or her legal rights, he or she has the right to file a complaint with the national Data Protection Authority or another Data Protection Authority within the European Union or the European Economic area.

The Data Protection Ombudsman acts as the supervising authority in Finland. You can find the contact information of the Data Protection Ombudsman through this link. Please send any requests regarding the above-mentioned rights to the contact person at CapMan whose contact details can be found in item 2.