PRIVACY NOTICE 
With this Privacy Notice we provide you with information about why and how we process your personal data in our business operations. Please note that we process personal data both as a controller and as a processor (see Section 3 of this Privacy Notice for more information on our data processing activities as a processor).

We process your personal data for the following purposes as a controller:
a)	Customer relationships
b)	Strategic analysis of customer data to develop services and fulfil customer needs
c)	Business partner relationships
d)	Communications
e)	Social media
f)	Cookies
g)	Recruiting

I. WHAT TERMS ARE USED IN THIS PRIVACY NOTICE?

Controller means the party responsible for processing the personal data of the data subject.

Customer means our customer who uses our Service.

Data subject is a term for a human being in accordance with data protection laws.

Legal basis for processing means the legal ground on which the controller processes the data subject's personal data. The lawfulness of processing is described in Article 6 of the GDPR.

Personal data means any information concerning the data subject or information by which the data subject can be identified.

Privacy notice means a document drawn up in accordance with Articles 13 and 14 of the EU General Data Protection Regulation (hereinafter "GDPR"), through which the controller informs data subjects of the ways their personal data is processed.

Processor means the party who processes personal data on behalf of the controller.

Purpose for processing means the reason why the controller processes the data subject's personal data.

II. OUR CONTACT DETAILS

iconicchain Oy (Business ID: 2875875-3) 
Lodenkuja 2 J, 
02450 Sundsberg, Finland

If you have any questions regarding the privacy notice, please contact our DPO at dpo@iconicchain.com. 

III. WHEN ARE WE A PROCESSOR?

We are a processor and our Customers are controllers for the personal data of our Customers’ customers. 

We process the personal data of Customer’s customers on behalf of our Customers when the Customers use our Compliance Services.   

When we process personal data of Customer’s customers on behalf of our Customer, we comply with the provisions of relevant data processing agreements.

IV. WHY DO WE PROCESS YOUR PERSONAL DATA?

We process your personal data in accordance with the processing purposes listed below. In the sections on processing purposes, you will find information on what personal data we process and on what legal basis we process your personal data.

a)	Customer relationships

Explanation: Personal data is processed to conclude and carry out customer relationships. 
Category of data subjects: Customers.
Categories of personal data: Contact details and customer relationship data.
Legal basis for processing: Performance of our contractual obligations with the Customers.  

b)	Strategic analysis of customer data to develop services and fulfil customer needs 

Explanation: Personal data is processed to develop our services and better fulfil customer needs.
Category of data subjects: Customers.
Categories of personal data: Contact details and customer relationship data.
Legal basis for processing: Our legitimate interests, according to which we develop our services and better fulfil customer needs. Our interests override those of the Customers, as we need to be able to analyze our data to enhance our services. 

NB! You may have a right to object to data processing for these purposes (see section concerning your rights).

c)	Business partner relationships

Explanation: Personal data is processed to conclude and carry out business relationships.
Category of data subjects: Business partners (contact persons).
Categories of personal data: Contact details and data related to our relationship.
Legal basis for processing: Performance of our contractual obligations with our business partners. 

d)	Communications

Explanation: Personal data is processed to carry out communications.
Category of data subjects: People who contact us.
Categories of personal data: Contact details and possible other data disclosed to us by the data subject.
Legal basis for processing: Our legitimate interests, according to which we carry out our communications. Our interests are in line with those of the people who contact us, as they expect us to process their data for communications purposes.

NB! You may have a right to object to data processing for these purposes (see section concerning your rights).

e)	Social media

Explanation: Personal data is processed on our social media sites and accounts.
Category of data subjects: People who contact us.
Categories of personal data: Contact details and possible other data disclosed to us by the data subject.
Legal basis for processing: Our legitimate interests, according to which we manage our social media. Our interests are in line with those of the people who contact us, as they expect us to process their data for communications purposes. 

NB! You may have a right to object to data processing for these purposes (see section concerning your rights).

f)	Cookies

Explanation: Personal data is processed through cookies on our websites.
Category of data subjects: People visiting our websites.
Categories of personal data: IP addresses.
Legal basis for processing: Consent based on the Act on Electronic Communications Services of Finland (917/2014). 

Please have a look at our Cookie Notice for more information about cookies used on our websites.

g)	Recruiting

Explanation: Personal data is processed to carry out recruiting.
Category of data subjects: Job applicants.
Categories of personal data: Contact details, CV data, videos and pictures and possible other data disclosed to us by the data subject.
Legal basis for processing: Our legitimate interests, according to which we carry out our recruiting. Our interests are in line with those of the job applicants, as they expect us to process their data for recruiting purposes. 

NB! You have a right to object to data processing for these purposes (see section concerning your rights).

V. FROM WHERE DO WE COLLECT YOUR PERSONAL DATA?

We collect your personal data from different sources, depending on our purposes for processing personal data. 

a) Customer relationships / b) Strategic analysis of customer data to develop services and fulfil customer needs / d) Communications / e) Social media / g) Recruiting

We collect your personal data for these purposes from yourself.

c) Business partner relationships

We collect your personal data for these purposes from yourself, our business partners and different public sources (e.g. trade register and social media).

f) Cookies

We collect your personal data by using cookies.

VI. DO WE TRANSFER YOUR PERSONAL DATA?

We may transfer personal data to third parties in the normal course of our business. When personal data is transferred to third parties, we ensure that the transfers are carried out in a secure way and in accordance with adequate data protection agreements.

We may also transfer personal data to third countries. When doing so, we ensure an adequate level of data protection, e.g. by using standard contractual clauses issued by the European Commission, and other similar arrangements. 

All personal data may be transferred to data storage and communications services providers. Accounting related data may be transferred to financial management services providers. 

VII. HOW LONG DO WE RETAIN YOUR PERSONAL DATA?

The retention period of your personal data depends on the purposes for which we process your personal data. We regularly inspect the necessity of the stored personal data and keep records of the inspections.

a) Customer relationships / c) Business partner relationships

We process and retain personal data for as long as our contractual relationship is in effect.

b) Strategic analysis of customer data to develop services and fulfil customer needs 

We process and retain personal data for as long as it is necessary to fulfil the purpose of data processing. 

d) Communications

We will process and retain the necessary personal data for three (3) years after the contact. 

e) Social media

We will process and retain social media information until individuals remove their information from our social media channels.

f) Cookies

The retention period depends on each cookie used. 

g) Recruiting

We will process and retain the necessary personal data for a maximum of twelve (12) months from the day we receive your job application.

VIII. WHAT DATA PROTECTION RIGHTS DO YOU HAVE?

You may have the data protection rights listed below. Requests concerning these rights shall be submitted to the controller’s contact person. Your rights can be exercised only when you have been satisfactorily identified.

You may also have a right to lodge a complaint with the supervisory authority if you think that the processing of your personal data infringes the data protection laws.

Right to inspect

The data subject has a right to inspect what data the controller has stored about him/her.

Right to rectification and erasure

The data subject has a right to request the controller to rectify or erase the personal data concerning the data subject on the grounds provided by law.

Right to restriction of processing

The data subject can request the controller to restrict the processing of the personal data concerning the data subject on the grounds provided by law.

Right to data portability

The data subject shall have a right to receive the personal data concerning him/her, which he/she has provided to the controller, in a structured, commonly used and machine-readable format where the processing is performed automatically and based on consent or a contract.

Right to object

Where personal data are processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning him/her for such marketing.

Where personal data are processed on the basis of the legitimate interests of the controller, the data subject shall have the right to object to the processing of personal data concerning him/her for such purposes in accordance with the law.

Automated individual decision-making, including profiling

The data subject shall have a right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him/her or similarly significantly affects him/her.

Right to withdraw consent

Where the legal basis for the processing of personal data is the consent of the data subject, the data subject shall have the right to withdraw his/her consent.

IX. CAN THIS PRIVACY NOTICE BE AMENDED?

We may unilaterally amend this privacy notice. We update the privacy notice as necessary, for example, when there is a change in legislation. Amendments to this privacy notice will take effect immediately when we post an updated version on our website.

If we make significant changes to the privacy notice, or if there is a significant change in the way it is used, we will notify the data subjects.

(Last update 25 March 2021)