Register Description

1 Controller

Name: RTE Group Oy
Contact details:
Kuvansintie 27
78850 VARKAUS
Phone: +358 44 355 3902
Email: info(at)rtemotorsport.net

Person in Charge of Register Matters:

Name: Janne Eronen
Phone: +358 10 581 9021
Email: janne.eronen(at)rtegroup.fi

2 Name of the Register

RTE Group Oy customer register.

3 Purpose of the Processing of Personal Data

Personal data is processed for purposes related to the management, administration, and development of the customer relationship, for the provision and delivery of services, for the development of services, and for billing. Personal data is also processed for purposes required in the investigation of any complaints and other claims.

Additionally, personal data is processed in communications directed at customers, such as for information and news, as well as for marketing. As part of marketing, personal data is also processed for purposes related to direct marketing and electronic direct marketing.

The customer has the right to prohibit direct marketing targeted at them.

The controller processes the data itself and also utilizes subcontractors acting on behalf of and for the controller in the processing of personal data.

4 Legal Bases for Processing

The legal bases for the processing of personal data are the following grounds under the EU General Data Protection Regulation (hereinafter also “GDPR”):

1. The data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Article 6(1)(a));
2. Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b));
3. Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Article 6(1)(f)).

The aforementioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller, which arises because the data subject is a customer of the controller, and when the processing is carried out for purposes that the data subject could reasonably have expected at the time of collection of the personal data and in connection with the appropriate relationship.

5 Content of the Register (Categories of Personal Data Processed)

The register primarily contains the following personal data about each data subject:

1. Basic and contact information: [first name, last name, address, phone number, email address, bank account number];
2. Information related to the person’s company or other organization and the person’s position or job title in the relevant company or organization;
3. The data subject’s direct marketing consents and prohibitions.

6 Regular Sources of Information

Personal data is collected from the data subject themselves.

Personal data is also collected and updated, within the limits of applicable legislation, from generally available sources that are related to the implementation of the customer relationship between the controller and the data subject, and through which the controller fulfills its obligations related to maintaining customer relationships.

7 Retention Period of Personal Data

Data collected in the register is retained only as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

The need to retain personal data is assessed every five years. In any case, data concerning a data subject will be deleted from the register five years after the data subject’s customer relationship with the controller has ended and once the obligations and actions related to the customer relationship have been completed. For example, accounting records are retained for six years from the end of the financial year.

The controller regularly evaluates the necessity of data retention according to its internal code of conduct. In addition, the controller takes all reasonable measures to ensure that data that is inaccurate, incorrect, or outdated in relation to the purposes for which it is processed is erased or corrected without delay.

8 Recipients (Recipient Groups) of Personal Data and Regular Disclosures of Data

Personal data is not disclosed to external parties.

9 Transfer of Data Outside the EU or EEA

Personal data contained in the register is not transferred outside the EU or EEA.

10 Principles for Protecting the Register

Materials containing personal data are stored in locked premises to which only designated persons authorized to access them by virtue of their duties have entry.

The database containing personal data is located on a server kept in a locked facility, accessible only to designated persons authorized by virtue of their duties. The server is protected by an appropriate firewall and technical safeguards.

Access to databases and systems is granted only with separately assigned personal usernames and passwords. The controller has restricted usage rights and authorizations to data systems and other storage platforms so that data can only be viewed and processed by individuals who need the data for legally required processing. Additionally, the usage events of databases and systems are recorded in the controller’s IT system logs.

The controller’s employees and other individuals are bound by a duty of confidentiality and are obligated to keep secret any information they receive in connection with the processing of personal data.

11 Rights of the Data Subject

The data subject has the following rights under the EU General Data Protection Regulation:

1. The right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period; (v) the data subject’s right to request from the controller rectification or erasure of personal data concerning them or restriction of processing of personal data or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source (GDPR Article 15). The basic information described in points (i)–(vii) is provided to the data subject in this document;
2. The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7);
3. The right to obtain from the controller without undue delay the rectification of inaccurate and incorrect personal data concerning them, and to have incomplete personal data completed, including by means of providing additional information, taking into account the purposes for which the data were processed (GDPR Article 16);
4. The right to obtain from the controller the erasure of personal data concerning them without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and there is no other legal basis for the processing; (iii) the data subject objects to the processing on grounds relating to their particular situation and there is no overriding legitimate ground for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data must be erased for compliance with a legal obligation under Union or national law applicable to the controller (GDPR Article 17);
5. The right to obtain from the controller restriction of processing if (i) the data subject contests the accuracy of the personal data, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or (iv) the data subject has objected to the processing on grounds relating to their particular situation pending verification whether the legitimate grounds of the controller override those of the data subject (GDPR Article 18);
6. The right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on the data subject’s consent as referred to in the regulation and the processing is carried out by automated means (GDPR Article 20);
7. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the EU General Data Protection Regulation (GDPR Article 77).

Requests concerning the exercise of the data subject’s rights should be addressed to the contact person specified in section 1.