Privacy Policy

Personal Data Act (22.4.1999/523) 10 and 24 §

Modified: 4.5.2017

1. Register holder

Superskills Oy

Business ID: 2792288-1
Kalevankatu 31 A 14

2. Contact person

Anne Aikala

Superskills Oy
Kalevankatu 31 A 14

3. Name of the register

Superskills customer and marketing register

4. The purpose for the use of a register and content of the register

Personal data is handled for customer communications, other customer relationship management, management and development, business development of the register controller, development, analysis, and statistics purposes. The customer data contained in the register may be used for direct mail, sales or other direct marketing, opinion or market research or other comparable addressed deliveries by the controller or other affiliated or partnered companies. Benefits and offers or other marketing and communication may be targeted to the user based on likely interests in different kinds of information (e.g. the use of information services and advertised interests) and by analyzing the profiles created based on usage. Registered user shall not obliged to disclose the information mentioned in the prospectus, but a failure to provide certain personal information may cause the service provided by the controller to be partly unavailable.

The register can handle the following categories of information:

  • basic information of the user such as name, age, language, job title, postal address, e-mail addresses and telephone and fax numbers, occupation, position in the company;
  • username or contact name;
  • name, contact information and business ID of the employer;
  • customer relationship, other relevant links and contractual information, such as acquired products and services with start and end dates, contractual sales information, service identifiers, and information on the use of services and the benefits offered;
  • beginning and termination information of the relationship;
  • customer history (e.g. customer / client contact, service changes), complaints, feedback, and other contact, communication and actions related to customer relationships and contexts, including activity in the social media channels of the Controller;
  • information relating to the invitation to tender;
  • bidding information;
  • application data relating to marketing credit or loans;
  • investor information;
  • information obtained and provided in connection with marketing campaigns, such as participation information and content produced by a registered promotional program, relating to purchases, billing and bill collection;
  • cookies sent to the browser and related information, as well as technical information sent by the browser to the server of the controller (such as IP addresses, and browser and browser version data);
  • event, review and user analysis data;
  • interests and other information provided by the registered person;
  • information on the services sold;
  • information on direct marketing permits and direct marketin bans.

In addition, the register contains details of changes to the the above mentioned data.

5. Basis of keeping the register

Personal information is processed based on the customer relationship, membership or other relevant relationship.

6. Regular sources of information, right to resist processing, automatic decision making and profiling

Personal data is collected from the registered person when the registered person uses the service. Personal data can also be updated by obtaining appropriate data services from the companies and authorities providing them. An appropriate system can be used to verify the customer's credit information when the client's consent is obtained.

Data can also be collected from the user’s devices using cookies or other similar technologies. Information can also be collected from third parties, such as social media service providers, with means provided by law. Data can also be collected and updated by the Controller and the companies belonging to the same group of companies.

The user has the right, at any time, to oppose the automatic decision-making and profiling of personal data processing, unless the Controller can demonstrate that there is a substantial and well-founded reason for processing that overrides the rights, privileges and immunities of the registered person, or if it is for the purpose of building, presenting or defending a lawsuit. If the user objects to the processing of personal data for direct marketing, they may no longer be processed for this purpose. User profiling shall be based on their explicit consent.

7. Regular destinations of disclosed data and whether the data is transferred to countries outside the European Union or the European Economic Area

Personal data may only be transferred outside the territory of the Member States of the European Union or to the European Economic Area if the country concerned provides sufficient level of data protection. Information shall not be disclosed to third parties for any other purposes than service related processing.

8. Data protection principles and disclosure of information

A. Manual materials

Manual materials are kept in a locked space and are available only to those entitled to the materials.


B. Digitally stored data

The personal data contained in the register will be kept confidential. The use of the register is controlled by the controller in the organization and access to the personal register is restricted so that the information contained in the register stored in the computerized system is accessible and entitled to use only by the registrar's employees who have the right to do so.

The computer system is protected by security software. Access to the system requires each user from the register to enter a username and password. The computer network and hardware in which the register is located are protected by a firewall and other appropriate technical measures such as encryption. Information on the website is protected by SSL or TLS 1.2 secure connection.

The processing of personal data can be outsourced to a third party, Superskills Oy guarantees by contractual arrangements that personal data is processed in accordance with Personal Data Act and applicable EU regulations.

More information on adequate data protection states can be found on the European Commission's website:
9. Right of access and realization of the right of access

In accordance with Section 26 of the Personal Data Act, the registered person has the right to check what information about them has been stored in the personal register.

The registrar must send an inspection request pursuant to Section 26 of the Personal Data Act as a separate signed document to:

Superskills Oy
Kalevankatu 31 A 14

OR by email to:

10. Rectification and the realization of the rectification

According to the Personal Data Act, registered person has the right to influence their personal data processing.

Pursuant to Article 29 of the Personal Data Act, the controller must rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. The controller may also repair such information on their own initiative.

A claim under section 29 of the Registered Personal Data Act shall be sent as a separate signed document to:

Superskills Oy
Kalevankatu 31 A 14

OR by email to:

11. Duties of the controller, transferring rights of the registered, right to be forgotten

The controller shall, without undue delay, either on their own initiative or at the request of the Registered person, rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete relating to the purpose of the processing. The registrar shall also prevent the spread of such information if the information may compromise the privacy of the registered person or his rights.

The controller shall notify the rectification to the recipients to whom the data have been disclosed and to the source of the erroneous personal data. The controller shall inform repair of data to the party whom the controller has disclosed or from which controller has received incorrect personal data. However, there is no duty of notification if this is impossible or unreasonably difficult.

Personal data shall only be retained as long as there is a valid purpose for the processing. When there is no valid purpose for processing, the data will be erased appropriately. The registered person has the right to withdraw consent for the processing of data. If the registered person withdraws consent, registered person may file a written request to the controller for the deletion of data, for which there is no other legitimate purpose for processing. The request must be presented in written form as a separate signed document and shall be sent to:

Superskills Oy
Kalevankatu 31 A 14

OR by email to:

12. Supervisory authority

The registered person may bring the matter to the attention of the supervisory authority (Data Protection Ombudsman).