The purpose of this privacy notice is to provide the persons subscribed to the newsletter, maintained by TBWA \ Helsinki Oy and/or TBWA\North Helsinki Oy (hereinafter referred to as the “Company”), with a comprehensive understanding of what personal data the Company collects about them, for which purposes the data is used and to whom the data may be disclosed.
This privacy notice is applicable to any person who has subscribed to or will subscribe to the Neste newsletter on Journey to Zero website (hereinafter referred to as “data subject”).
Personal data refers to any information about data subjects, which allows a person to be directly or indirectly identified as an individual person, as defined in the General Data Protection Regulation (2016/679), (hereinafter referred to as “GDPR”).
Controller: TBWA \ Helsinki Oy and TBWA North Helsinki Oy
Contact details: GDPR@tbwa.fi
- Personal data processed
The Company collects and processes the data subjects’ personal data which is necessary for delivering the newsletter. This concerns data which is collected from the data subjects themselves and from other sources.
Data provided by the data subjects:
- Name, e-mail, the possible company represented and title of the person subscribed to the newsletter
- The thematic preference for the newsletter (Journey to Zero, Nolla mökki or Zero Island) and the role of the person (Reason for browsing the website) subscribed to the newsletter
- Purpose and legal basis of processing of personal data
The purpose of the processing of the data subjects’ personal data is to deliver marketing communications, such as the newsletter, which the data subject has subscribed to, as well as any other customer and marketing communication, and to develop business. Additionally, data may be used to ensure compliance with legislation applicable to the relationship between the Company and the data subject. The legal basis for the processing of the data subjects’ personal data is the data subject’s consent.
- Sources of data
Mainly, the personal data is collected from the data subjects themselves, and without prior consent, the personal data is not collected from a third party, unless otherwise required by law.
The data subjects have provided the data by filling in an electronic newsletter order on the website neste.com/journeytozero or neste.fi/journeytozero.
- Retention of the personal data
The Company will retain the personal data for as long as is necessary to fulfil the purposes outlined in this privacy notice unless a longer retention period is required by law (for example regarding obligations and responsibilities related to sector-specific legislation or reporting obligations) or unless the data is needed for drafting or presenting a claim or for legal defence.
After the campaign, the personal data will be retained for two (2) years, after which the personal data will be deleted within a reasonable time.
The data subject may unsubscribe from the newsletter at any time on the Journey to Zero website or via a received newsletter, in which case the personal data will be deleted immediately.
- Processors of the personal data and other recipients
TBWA \ Helsinki Oy and other entities belonging to TBWA Group may process the personal data in accordance with data protection legislation.
The Company may also use external service providers and subcontractors when processing personal data, for example, IT systems service providers.
The personal data may also be disclosed to the authorities to fulfil statutory obligations.
The Company may also have to disclose data subjects’ personal data if the Company is part of legal proceedings or other dispute resolution proceedings.
If the Company is involved in a merger, business acquisition or other transaction, it may be required to disclose the personal data of the data subjects to third parties.
- Transfer of personal data outside EU/EEA
Personal data shall not be transferred outside the European Union or the European Economic Area.
- Protection of personal data
The Company processes the personal data in a manner that seeks to ensure in every situation the proper security and privacy of personal data, including the protection against unauthorized processing and accidental loss, destruction or damage. The Company uses appropriate technical and organizational protective measures to ensure this, including the following measures.
The Company’s network and servers are protected with a firewall and other technical safeguards. Data readout, transmission and deletion rights are limited by access rights and passwords. The staff have received instructions on the safe use of passwords.
Mainly, the Company retains data subjects’ personal data in an electronic form. Data is printed only when needed, and printouts are securely destroyed immediately after processing.
Personal data of data subjects is processed by the Company’s client managers and corresponding responsible persons. All persons processing personal data have a confidentiality obligation on matters pertaining to the personal data processing of data subjects.
In accordance with this privacy statement, the Company may outsource processing of personal data to service providers or subcontractors, but the Company shall ensure, through adequate contractual obligations, that personal data is processed properly and lawfully.
- Rights of data subjects
The data subjects have the rights set out in the applicable data protection legislation.
Right to audit and right of access
The data subject has the right to access the personal data about himself/herself and to request to receive the data in a paper copy or in an electronic form.
Right to correct and erase data
The data subject has the right to demand to correct any incorrect or incomplete personal data. The data subject has also the right to request to remove his/her data under the current data protection legislation.
The Company also erases, on its own initiative or at the request of the data subject, and completes any incorrect, unnecessary, incomplete or outdated personal data.
Right to data portability and to restrict and object to processing
The data subject has the right to request to transmit his/her data to another controller under the applicable data protection legislation. The data subject has the right to request to restrict processing of personal data in accordance with the conditions set out in the data protection legislation. Additionally, in cases where the personal data is suspected to be incorrect and cannot be corrected or removed or there is confusion about the removal request, the Company will restrict access to the data.
The data subject has the right to object to the processing of personal data for certain purposes, such as direct marketing.
Right to withdraw consent
If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw consent at any time. The withdrawal does not affect the processing based on consent before the withdrawal.
How to exercise the rights of the data subjects
The identity shall be confirmed prior to providing the data, and therefore, we may have to request additional information. The request shall be answered within a reasonable time, within one (1) month from presenting the request and confirming the identity at the latest.
If the data subject’s request is denied, the data subject shall be informed about the refusal in writing. The Company may refuse the request (such as deleting the data) because of the statutory obligation or the statutory right of the Company.
- Right to lodge a complaint to the supervising authority
The data subject shall have the right to lodge a complaint to the local data protection supervisory authority if the data subject considers that his/her personal data has been processed against the current applicable data protection legislation.
- Changes to the Privacy Notice
The Company may, if necessary, amend and update this privacy notice. The changes might also be based on the amendments of the legislation. Data subjects will be informed of essential changes.
This privacy notice has been published 10.7.2018.