1 Controller and point of contact
2 On what basis do we process data?
3 What data do we collect, from where, and for what purpose?
3.1 Data collected from the data subject and use of the data
3.2 More information about data collected from and in connection with online services
3.2.1 Information about our public online services and cookies
3.2.2 Community plugins and other website content
3.3 Collection and use of data collected from job applicants and work experience applicants
3.4 Collection and use of data collected from partners in collaboration
4 Personal data processors, i.e. who may access personal data and how such people are authorised to act
5 Personal data storage, recipients and disclosure practices, i.e. how data is stored and to whom it is disclosed
6 Exercising the rights of the data subject, i.e. your rights concerning your personal data
7 Notification of data breaches
8 Changes to data security practices
9 Limitations of liability
10 Version history
In the policy, we also outline how our website and online store collect data from site visitors.
Kiinteistö Oy Jyväskylän Kaupunkilaispiha (hereinafter also “Toivola Old Courtyard”, ”Toivola”, ”Controller”)
Business ID: 2317713–2
Registered office: Jyväskylä
Point of contact with Controller for data security matters:
Kiinteistö Oy Jyväskylän Kaupunkilaispiha
+358 41 466 7982
Visiting address: Cygnaeuksenkatu 2, FI-40100 Jyväskylä
Postal address: Kärpänkuja 5 B 2, FI-40400 Jyväskylä
Our right to use personal data is based on one or more of the following:
Some or all of the following data will be collected from the data subject in connection with online activities, e-commerce, use of the online store and any bookings placed online, and in certain situations in brick-and-mortar stores where required:
Toivola Old Courtyard uses data to manage customer relationships and to identify users. The data is used where necessary to handle, deliver, exchange, refund and archive orders and bookings. In addition, data enables the monitoring of a customer’s orders in any potential problematic situations, plus contact with the customer concerning orders and bookings. Using data in customer services enables the provision of the best possible service relating to our products, services and deliveries. Personal data may also be used in warranty-related matters.
Personal data may be used for targeted marketing to data subjects that have provided consent to marketing or other clear consent. Marketing procedures may include e.g. email marketing, direct marketing and digital marketing.
Personal data may be disclosed to third parties to the extent required by Toivola Old Courtyard’s activities. Examples of such situations include:
Data disclosed for the purposes outlined in the previous paragraph does not entitle the third party to use the disclosed data for anything other than the purpose for which the data was disclosed.
The grounds for personal data processing are the fulfilment of an agreement (e.g. an online purchase) or the data subject’s consent.
Toivola Old Courtyard also has the following public online services:
The public online services we offer primarily use SSL encryption to protect the data connection between the user’s terminal device and the online service. SSL encryption also helps to ensure the authenticity of the website. You can identify an online service that uses SSL encryption from the HTTPS at the start of the URL and the lock icon in the address bar of your browser.
Visitors arriving on our website are able to choose which cookies to allow. In addition, most browsers allow cookies to be disabled and deleted. However, it is worth noting that some cookies may be necessary in order for the webpages we maintain and services we provide to function correctly.
Our website may contain links and connections to third-party websites, such as e.g.
LinkedIn, Facebook, Twitter, Instagram and other community services. Content provided via these sites is downloaded from third-party servers. In such situations, the content behaves primarily as if in a situation wherein you visit the page in question and third parties could potentially collect data from the user’s visit in accordance with their own valid terms.
We collect personal data submitted to us by job applicants in order to complete recruitment processes relating to employees and interns. We process the personal data submitted to us in order to fill the vacant position and, for open applications, to fill any upcoming positions and to assess the requirements of the employment relationship. Processing is based on our legitimate interest to process data submitted by the data subject themselves in the recruitment processes.
Data submitted by applicants for a job and/or internship may include e.g. a name, address, telephone number, email address, date of birth, education and training information, work history, a self-assessment of language proficiency, the applicant’s own wishes concerning the content of the job or internship, contact details for references, and any attachments, such as information provided in a CV.
In situations relating to recruitment, the primary data source is the applicant themselves. The information provided by the applicant may be supplemented with the applicant’s consent using information provided by e.g. referees or previous employers. In addition, the supervisor at Toivola Old Courtyard responsible for recruitment and other persons participating in Toivola’s recruitment process may also supplement the data during the recruitment process.
Data may be disclosed, with the applicant’s consent, to a third party in order to carry out a recruitment-related personal assessment. In addition, data may be disclosed to an actor operating in connection with Toivola Old Courtyard, if it is beneficial for the applicant and/or necessary in order to process the application appropriately.
We collect personal data from our suppliers and our other partners’ contact persons and other representatives in order to maintain our collaboration partnership and to fulfil our contractual obligations. The right to process suppliers’ and other partners’ personal data is based either on an agreement with the party in question or on grounds of legitimate interest in processing the party’s employees’ or other representatives’ personal data.
As controller, Toivola Old Courtyard processes personal data in its own operations. In such cases, Toivola Old Courtyard staff process personal data for the purposes and to the extent required by their tasks.
This section outlines in more detail the situations wherein Toivola uses subcontractors in its activities as Controller. In this context, subcontractor refers to a personal data processor that processes personal data in accordance with this agreement either wholly or partially on behalf of the Controller and commissioned by the Controller.
Subcontractors are primarily ICT partners and other partners who have technical access to the digital services, information systems or premises used by Toivola in order to maintain them, and in order to provide its own services to Toivola and partners, to whom personal data is collected for processing in situations such as those mentioned above. Such actors may be e.g. various system service providers, actors working with payment processing, logistics industry operators working with deliveries, and marketing agencies.
The personal data processor or anyone processing personal data on behalf of the Controller or personal data processor who has access to personal data, may not process this data in any other way besides in accordance with instructions issued by the Controller unless otherwise compelled by legislation or official regulation.
Where personal data is processed on the Controller’s behalf by a subcontractor, the agreements between the Controller and subcontractor must ensure the organisation of appropriate protective measures and make sure that personal data processing fulfils the requirements set by data protection legislation.
Data that is collected, the sources of the data, and key processing principles are outlined above. This section will outline our general practices and rights concerning the reception and disclosure of personal data in more detail.
The rule of thumb is that personal data is processed only by Toivola, in activities that immediately relate to Toivola’s business operations and/or by actors who are closely linked to Toivola’s business operations (personal data processors). Personal data is not sold, leased or disclosed to third parties for any other purposes.
The Controller may disclose personal data within the limits permitted and in accordance with obligations set in legislation, in order to fulfil an agreement between the parties, or if there is a factual connection. Personal data may therefore be disclosed e.g. on the basis of official legal requirements at various stages of the customer process, for example to actors operating in connection with Toivola Old Courtyard and to system providers and other providers who provide a service or part thereof.
Any joint events and campaigns between Toivola Old Courtyard and third parties may collect personal data that is disclosed to the third party in order to carry out practical arrangements for the event or campaign and to fulfil commercial objectives. In such cases, the data subject will be informed of any disclosure of personal data to third parties when data is collected.
Toivola does not primarily transfer data subjects’ data outside of the European Union, European Economic Area, or outside of other countries that the European Commission has deemed to have a sufficient level of data protection or which have guaranteed a sufficient level of data protection through agreement arrangements. Data from the systems, storage spaces (cloud solutions), email service, other communication solutions and software used for customer information and marketing communications utilised by Toivola can be stored in the European Union, European Economic Area or other countries that the European Commission has deemed to have a sufficient level of data protection or which have guaranteed a sufficient level of data protection through agreement arrangements. In practice, the personal data on Toivola Old Courtyard’s information systems and data files is stored in accordance with the associated service providers’ server solutions and locations.
Notwithstanding what is outlined elsewhere in this document, personal data can be disclosed to third parties in the following situations:
You have, among others, the following rights concerning your personal data:
Toivola Old Courtyard may gain the right and obligation to refuse to allow the Data Subject to exercise their rights as such, if other legislation sets restrictions. In such cases, other legislation may, on a case-specific basis, prevent the Data Subject from exercising their rights in full. Such situations may occur when e.g. accounting legislation restricts Data Subjects’ right to the full erasure of their personal data. In such situations, Toivola will inform the Data Subject clearly of the grounds for which their request was refused, and instruct the Data Subject on how to comprehensively exercise their rights.
Any requests from the Data Subject concerning information or procedures should be addressed to the point of contact specified by Toivola in this policy. Requests for information and procedures should include sufficiently detailed and individualising information to allow the procedure to be carried out. A precondition for the fulfilment of requests for information and procedures is for the Data Subject to be able to provide picture identification or to otherwise verify their identity in a manner that satisfies Toivola.
Primarily, the aforementioned information and procedures relating to the rights of the Data Subject are free of charge. If the Data Subject’s requests are clearly unfounded or unreasonable, especially if they are submitted repeatedly, Toivola may either charge a reasonable fee with consideration for the delivery of the information or messages, or costs relating to the implementation of the requested procedure; or decline to complete the requested procedure.
In such cases, Toivola will indicate the clear unfounded or unreasonable nature of the request to the Data Subject.
In any situation wherein Toivola acts as the personal data processor rather than Controller, responsibility for exercising the rights of the Data Subject always lies with the controller. In these cases, Toivola Old Courtyard does not have the right to disclose the data from the controller’s data file to the data subject without the consent of the controller in question, except on the basis of an official and statutory request for data.
“Personal data breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
If a personal data breach occurs and it poses a high risk to the rights and freedoms of a natural person, then:
Please note that this section applies to personal data processing. The matters in this section do not concern any product warranty, etc.
Toivola Old Courtyard is only responsible for immediate damages arising from deliberate acts or gross negligence that relate to data protection legislation. Toivola Old Courtyard is not responsible for indirect damages, such as a reduction in income or other detriment caused to the Data Subject.
In all situations, Toivola Old Courtyard’s liability is limited in all situations to informing the Data Subject, and in the case of a personal data breach, the competent supervisory authority, and where circumstances permit, Toivola Old Courtyard will undertake procedures to prevent subsequent risk and mitigate detriment. Toivola Old Courtyard is under no circumstances obligated to provide compensation for damages. A breach of contract, error, or negligence shall not incur any penalty for Toivola Old Courtyard outside of that which is mentioned above.
|Date||Version||Status||Classification||Edited by||Key changes|
|1.4.2021||V1.0||Approved||Public||Multiple editors||Publication of policy required by the GDPR|