Personal data refers to any information relating to a natural person (“data subject”) that can identify him/her directly or indirectly. Personal data, data subject, controller and other key terms are defined in the General Data Protection Regulation (2016/679, “GDPR”). Roima complies with the GDPR in all processing of personal data in conjunction with other applicable national data protection legislation (“data protection legislation”).
Controller and Contact Information
Controller: Roima Intelligence Inc.
Business ID: 0765368-8
Address: Säterinkatu 6, FI-02600 Espoo, Finland
Controller representative: Heli Jelonen (General Counsel & Director of HR, Roima Intelligence)
Purposes and Legal Bases for Processing Personal Data
Personal data will be processed for the following purposes based on the defined legal bases:
- Provision of our services (contract or its preparation, legitimate interest)
- Processing and replying to contact requests, e.g., website contact forms, phone calls, emails (contract, legitimate interest)
- Provision and improvement of customer service and customer communications (legitimate interest)
- Direct marketing (legitimate interest)
- Direct electronic marketing, such as sending newsletters and event invitations related to the registered person’s profession (consent)
- Monitoring the effectiveness of our sales promotion and marketing campaigns (legitimate interest)
- Recognition of potential customers: lead generation (legitimate interest)
- Promoting our brand and increasing brand awareness (legitimate interest)
- Advertising and offering our services, e.g., contacting leads or customers directly, targeted marketing and advertising (consent, legitimate interest)
- Monitoring the use of our website and to improve the site functionality and user experience and to present the content of our website in a manner ideal for the visitor’s device (consent)
- Providing marketing on our website using cookies (consent)
- Enabling social media services such as videos and sharing buttons (consent)
- Developing and improving our services and events, e.g., customer NPS surveys, feedback on events (consent)
- Organizing events and communication (consent, legitimate interest)
- Ensuring security of our services and preventing abuses based on statutory obligation or our legitimate interest
- Complying and fulfilling our legal duties and obligations such as tax law and accounting related obligations based on statutory obligation
- Establishing, exercising, or defending against legal claims based on statutory obligation or our legitimate interest.
For processing activities that are based on a legitimate interest, we have carefully balanced such legitimate interest with the data subjects’ right to privacy and concluded that our interest outweighs the data subjects’ rights and freedoms.
Where the processing is such that a consent is required by the applicable legislation, we will state so and obtain the consent, and this will be the legal basis for the processing. However, you have the right to withdraw that consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal. If such withdrawal means that we are no longer able to provide our services, we may cease to provide the services.
What Data is Collected, Stored and Processed?
The following personal data from the data subjects will be processed:
|Categories of personal data||Examples of personal data|
|Information related to communication|
|Business relationship data|
|Event registration information|
|Email recipient behavior information|
|Information related to customer surveys|
|Information related to contact request forms and gated content forms|
|Other information provided by data subjects|
The personal data is mainly collected directly from the data subjects themselves, for example, at the time of using our services or during a customer or a partner relationship. Personal data can be collected through the website via contact request forms, mailing list subscription forms, gated content forms and LinkedIn subscription forms and lead generation as well as through Hubspot Marketing Hub service.
HubSpot Marketing Hub collects personal data directly from data subjects through website forms (contact, mailing list, gated content, and lead generation), and through marketing communications and automation within the platform. HubSpot centralizes marketing efforts to provide audience insights, track campaign performance, and personalize marketing.
In addition, personal data can be collected through direct contact and cooperation activities, such as face-to-face and online meetings, phone calls, and direct email communications.
The personal data may also be collected automatically when the data subject uses our services or visits our website where personal data may be collected via cookies.
In addition, and with the permission of the data subject, data may be collected in other ways in a marketing context.
Personal data may be updated and supplemented by collecting data from private and public sources.
Retention of Personal Data
We retain personal data only for a period that is necessary to achieve the purposes for which personal data is processed, unless there is a legal obligation to retain personal data for a longer period of time (for example, responsibilities and obligations under specific legislation, accounting or reporting obligations). Roima may retain information for a longer period of time if it is required, for example, to exercise a legal claim, to defend a legal claim, or to settle a similar dispute. In general, we observe the following criteria for retaining and deleting personal data:
- Persons’ event registration information is retained prior to and during the event and thereafter for a maximum of two years in order for us to fulfil our legitimate interest in evaluating the event and following up on event participation, as well as to plan any future events.
- Personal data processed based on the person’s consent is retained until the person withdraws their consent.
- In relation to the personal data of our external business partners’ or customers’ contact persons or potential customers’ contact persons, personal data is stored for the duration of the relationship, after which unnecessary personal data will be deleted. However, we may store some of the personal data for a longer period of time if it is necessary in order to fulfil our legitimate interest in managing and defending legal claims or to comply with our legal obligations.
- In relation to the security of our services and preventing abuses, personal data is processed for the duration of the investigation of abuses or other harmful user experiences. In addition to this, however, we may store the necessary personal data for a longer period where it is necessary in relation to managing and defending a legal claim or in order to comply with legal obligations.
- Personal data is stored for as long as a certain legal obligation requires. For example, the Accounting Act imposes an obligation to maintain information on the accounting’s supporting material for 6 years following the end of the financial year in Finland and 7 years following the end of the financial year in Sweden.
We evaluate the necessity and accuracy of the personal data on a regular basis and endeavor to ensure that the incorrect and unnecessary personal data are corrected or deleted.
Detailed retention times can be provided upon requests.
Disclosures, Transfers and Recipients of Personal Data
In addition, we may share the personal data in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.
The personal data is also disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the products and services as well as to guarantee the safety and usability of the products and services. In the event of emergencies or other unexpected circumstances, Roima may be required to disclose the personal data of registered persons in order to protect human life, health and property.
List of the processors and other recipients:
- Lyyti Oy (event invitations, event registrations, mailing list / newsletter distribution)
- eTony Oy (WordPress admin services)
- Microsoft (MS Office)
- In exceptional situations, the data may be shared with partner companies
Data Transfers outside the EU/EEA
Roima’s main principle is that personal data is processed within the European Union (EU) or the European Economic Area (EEA).
In case personal data is transferred outside the EU/EEA, such transfers are either made to a country that is deemed to provide a sufficient level of privacy protection by the European Commission or transfers are carried out by using appropriate safeguards such as Standard Contractual Clauses (SCC) adopted, including any supplementary measures, where assessed to be necessary, or otherwise approved by the EU Commission or competent data protection authority in accordance with the GDPR.
The following recipients may transfer personal data outside the EU/EEA:
- Microsoft (USA)
- Facebook (USA)
- Twitter (USA)
- LinkedIn (USA)
- Instagram (USA)
Protection of Personal Data
Securing the integrity and confidentiality of personal data is important to Roima. We have taken appropriate technical and organizational measures in accordance with industry standards in order to keep personal data safe and to secure it against unauthorized access, loss, misuse or alteration by third parties, such as by firewalls, physical security measures, access controls, assignment of access rights, encryption and active monitoring of the aforementioned measures.
Nevertheless, considering the cyber threats in modern day online environment, we cannot give full guarantee that our security measures will prevent illegally and maliciously operating third parties from obtaining access to personal data or absolute security of the personal data during its transmission or storage on our systems.
All parties processing personal data have a duty of confidentiality in matters related to the processing of personal data. Access to personal data is restricted to those employees and parties who need it to perform their duties. We also require our service providers to have appropriate methods in place to protect personal data.
Automated Decision-Making and Profiling
Roima does not use any automated decision-making nor any profiling pursuant to the Article 22 GDPR.
Rights of the Data Subjects
The data subject has several rights under applicable data protection laws.
Right of access and right of inspection
The data subject has the right to obtain confirmation as to whether or not personal data concerning them is being processed.
The data subject has the right to inspect and view data concerning them and, upon a request, the right to obtain the data in a written or electric form. This applies to information that the data subject has provided to Roima insofar the processing is based on a contract/consent.
Right to rectification and right to erasure
The data subject has the right to demand the rectification of incorrect personal data concerning them and to have incomplete personal data completed.
The data subject has the right to require Roima to delete or stop processing the data subject’s personal data, for example where the data is no longer necessary for the purposes of processing.
Right to data portability
The data subject has the right to receive the personal data that he or she has provided to Roima in a structured, commonly used, and machine-readable format and, if desired, transmit that data to another controller. The right to data portability applies on the processing of the personal data based on consent or a contract.
Right to restriction of processing
The data subject has the right, under conditions defined by data protection legislation, to request the restriction of processing of his or her personal data. In situations where personal data suspected to be incorrect cannot be corrected or removed, or if the removal request is unclear, Roima will limit the access to such data.
Right to object to processing
The data subject has the right to object to the processing of his or her personal data where Roima is relying on its legitimate interests as the legal ground for processing. For example, the data subject may object to his or her personal data being used for marketing purposes.
Right to withdraw consent
In cases where the processing is based on the data subjects’ consent, the data subject has the right to withdraw his or her consent to such processing at any time.
Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a competent data protection authority if the data subject considers that the processing of personal data relating to the data subject infringes current legislation.
However, we request that the matter will be dealt with Roima in the first instance.
The relevant authority in Finland is the Data Protection Ombudsman (http://www.tietosuoja.fi).
Identity will be checked before the information is given out, which is why we may have to ask for additional details. The request will be responded to within a reasonable time and, where possible, within one month of the request and the verification of identity.
If the data subject’s request cannot be met, the refusal shall be communicated to the data subject in writing. Roima may refuse the request (for example erasure of data) due to a statutory obligation or a statutory right of the company, such as an obligation or a claim relating to our services. Please note that Roima may charge a reasonable fee where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character.
If you have any questions relating to our data protection policies or wish to exercise your rights, please do not hesitate to contact us.
|Version number||Change description||Date|
|1.0||Document created||April 11, 2022|