Data protection

Privacy notice of the marketing and feedback register

1. Controller

GRK Infra Oyj (business ID: 0533768-1)
Address: Jaakonkatu 2, 01620 Vantaa
Phone: +358 10 321 4110
Email: tietosuoja@grk.fi

2. The name of the register

Marketing and feedback register

3. Purposes and legal grounds to processing personal data

This privacy notice applies to all GRK Group companies, GRK Infra Oyj, GRK Suomi Oy, GRK Sverige AB and GRK Eesti AS (hereinafter referred to as “Controller” or “GRK”).

The controller processes the personal data of data subjects in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and national data protection legislation.

The controller processes personal data on the legal basis of Article 6 of the EU General Data Protection Regulation:

Consent given by the data subject
Legitimate interest of the controller

The controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. It is possible to withdraw consent easily and at any time. In addition, in compliance with applicable data protection legislation, electronic direct marketing may also be sent to recipients for whom the controller can reasonably consider that the products or services marketed are substantially related to the responsibilities or functions of the potential customer.

Consent to direct marketing may be withdrawn by notifying the controller or by clicking on the opt-out option (“unsubscribe” function) in each marketing communication, in which case the data subject’s personal data will be removed from the controller’s electronic direct marketing subscriber list.

The controller processes personal data for the following purposes:

Selling and marketing GRK’s services.
Receiving and processing feedback
Processing sponsorship applications

4. Categories of personal data processed

The register contains personal data on the following data subjects.

Persons receiving marketing
Persons giving feedback
Persons who have requested to be contacted
Persons who have applied for sponsorship

The personal data processed include:

Name
E-mail
Phone number
Details of the subject of the request for proposal or sponsorship
Content of any feedback or sponsorship application or other communication
Name of the organisation, organisation’s business ID or equivalent and contact details

5. Regular sources of personal data

The information is collected from the data subject through forms sent via the website, by phone or e-mail..

6. Disclosure and transfer of personal data

Personal data will not be disclosed to third parties or transferred outside the EU/EEA.

7. Retention of personal data

Personal data will be retained for 2 years from the last contact.

8. Protection and security of personal data

Access to the register of personal data is only granted to representatives of the controller who are bound by the obligation of confidentiality and who have a legitimate need to process the data of the register for the exercise of their duties.

The controller has provided its employees and service providers with binding written instructions and provisions on the processing of personal data and data protection, which they have undertaken to comply with.

The security of information systems is adequately ensured, including through encryption and other technical safeguards.

We regularly review our personal data processing activities and the systems and devices used in them, including assessing the risks inherent in our personal data processing activities, for example when new technologies are introduced.

9. Automated processing of personal data and profiling

The controller does not use automated decision-making, such as automated profiling, as part of its personal data processing activities.

10. Rights of the data subject

The data subject has rights under the EU General Data Protection Regulation.

Right	Description
Right of access to personal data	The data subject has the right to obtain confirmation from the controller that personal data concerning him or her are or are not being processed. If personal data are processed, the data subject has the right of access.
Right to request rectification, erasure or restriction of processing	The data subject has the right to request the controller to rectify inaccurate data concerning him or her and to erase any personal data concerning him or her on the grounds provided by law.
Right to object	The data subject has the right to object to the processing of his or her personal data on grounds relating to his or her particular situation, where the controller processes the personal data on the basis of a legitimate interest. Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning him or her for such marketing, including profiling where it relates to such direct marketing. If the data subject objects to the processing of personal data for direct marketing purposes, they may no longer be processed for that purpose.
Right to withdraw consent	Where personal data of the data subject is processed on the basis of his or her consent, the data subject has the right to withdraw his or her consent at any time. Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of consent prior to its withdrawal.
Right to data portability	The data subject has the right to receive personal data concerning him or her which he or she has provided to the controller in a commonly used and machine-readable format and the right to transmit such data to another controller without the controller’s interference, where the processing is based on consent or on a contract and the processing is carried out automatically. The data subject shall have the right to obtain the transfer of personal data directly from one controller to another, where technically possible.
Right to file a complaint to the supervisory authority	Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to submit a complaint to a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach has occurred, if he or she considers that the processing of personal data concerning him or her infringes the GDPR. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact details and instructions can be found at www.tietosuoja.fi.

Exercising the rights

The data subject may exercise his or her rights by contacting the controller’s representative using the contact details provided in section 1. The controller will endeavour to respond to the request as soon as possible and, if necessary, provide further instructions or ask further questions about the request.

Before executing the request, the controller has the right and the obligation to verify the identity of the person making the request, which is why the controller must be able to identify the person making the request in an appropriate manner.

If the request is clearly unjustified or unreasonable, the controller may either charge a reasonable fee based on administrative costs for carrying out the requested action or refuse to carry out the requested action.

11. Further information

For further information on the processing of personal data, please contact us using the contact details provided in section 1 of this privacy notice.

The controller may update this privacy notice from time to time. This privacy notice was last updated on 16 May 2024.