EN
Privacy Notice
Updated 3 February 2023
Kamux Corporation and its subsidiaries (“Kamux” or “we”) respect your privacy and are committed to protect your personal data. This Privacy Statement outlines your rights to privacy and our commitment to safeguard your personal data.
If you have any questions or inquiries concerning this Privacy Statement and/or your personal data, please contact privacy@kamux.fi
Organisation of contact in privacy matters:
Kamux Corporation / Privacy Matters
Parolantie 66
FI-13130 Hämeenlinna, Finland
Contact details of Data Protection Officer: privacy@kamux.fi
Kamux processes your personal data in accordance with applicable data protection laws. This privacy statement and privacy notices provide you comprehensive information about personal data processing activities conducted by Kamux. Information may be supplemented by specific privacy notices and additional local documentation. Notice also that your rights as a data subject may also vary from country to country depending on the applicable data protection laws. Our privacy statement presents the rights according to the EU’s general data protection regulation (“GDPR”). Any mandatory laws or regulations will take precedence in the event that it conflicts and has stricter requirements than this statement or the privacy notices.
This privacy statement is divided into privacy notices that relate to the different personal data processing functions in Kamux.
Privacy Notice: Customer relations, sales and marketing
Updated 30.1.2023
This Privacy Notice describes how Kamux Group (later “we” or “Kamux”) processes personal data; what personal data Kamux collects, how the data is used and to whom the data is disclosed, and how the data subject can control the processing. The Privacy Notice also informs about the obligations Kamux follows when processing personal data.
Kamux’s business concept is to focus on used car sales. This Privacy Notice applies to all products and services offered by Kamux in the stores, showrooms, online and through marketing (later “Products” and “Services”), and the video surveillance at Kamux premises. This Privacy Notice covers all persons whose personal data are processed (later “data subjects”, “you”) in connection to the Products and Services described above or the video surveillance. It applies also, where applicable, to the partners and stakeholders involved in the business.
Kamux is dedicated to protecting the privacy of the data subjects and commits to process their personal data in compliance with the European Union’s General Data Protection Regulation (2016/679), (later “GDPR”) and other applicable privacy laws and regulations.
Personal data refers to information, which allows a person to be directly or indirectly identified as an individual person, as defined the GDPR. Examples of personal data: name, email address and date ofbirth.
2. Controller and contact information and data protection officer
2.1. Controller
Kamux Group
Address: Parolantie 66, 13130 Hämeenlinna, Finland Contact Details: Email: privacy@kamux.fi
Kamux Group is a group of companies whose parent company is listed on the Nasdaq Helsinki. Companies belonging to the Kamux Group: Kamux Oyj, Kamux Suomi Oy, Suomen Autorahaksi Oy, KMX Holding AB, Kamux AB and Kamux Auto GMbH.
2.2. Data protection officer
Contact Details: Email: privacy@kamux.fi
3. Purpose and legal basis of the processing of personal data
We only process personal data that are relevant for the purpose it has been collected or obtained for, and we process the data in compliance with laws and regulations.
Sales, purchase, customer services and administration
Personal data are processed for the sales/purchase of our products and services including orders/purchases, delivery, invoicing, warranties, complaints and quality assurance.
Personal data of customers and potential customers are also processed for customer services, customer relationship management, customer communications (including customer feedback and satisfaction surveys), quality assurance, analysis, generating statistics and administrative purposes such as consent and rights management.
The legal bases of the processing are fulfilment of requests of the data subject prior to entering into a contract, e.g. requests for information or quotation or purchase orders, the performance of a contract or preparation of a contract with Kamux and the legitimate interests of Kamux. The legitimate interests include administration of the Products and Services, and operations which are necessary for carrying out pre-contractual measures such as inquiries concerning our Products or Services.
Marketing
Personal data is used by Kamux and its partners to various kinds of marketing including promotional events, competitions, surveys and market research. Legal basis of the processing is the legitimate interest of Kamux for developing and promoting the business, and your consent when it is required for certain processing. You have the right to object to the processing of your Personal data to marketing purposes (opt-out).
When Personal data are used to electronic direct marketing (such as contacting you via SMS and email), the marketing will be based on your consent (opt-in) which you can withdraw at any time. However, Kamux can send direct marketing regarding similar product and services you have acquired from us, and using the electronic contact information provided by you. You have the right to object to this kind of marketing too, and it is possible to do it also in advance (opt-out).
We arrange promotional events and competitions where we collect information provided by you. Participation is voluntary and thus the processing related to the event or competition is based on your consent which you can withdraw at any time.
Tracking and automated decisionmaking including profiling
We track service usage and behaviour on our web pages for service development and to offer you better service and customer experience. We also utilise the data for marketing and internal development. See separate Cookie Policy (www.kamux.fi/cookiepolicy, www.kamux.se/cookiepolicy, www.kamux.de/cookiepolicy, www.kamux.com/cookiepolicy).
Information security, physical security including video surveillance and vehicle and tax fraud prevention
Personal data, including video surveillance recordings, are processed for preventing, detecting and remediating fraud or other potentially prohibited or illegal activities. They are also processed for protecting data and property. Personal data can be used for investigating possible security incidents, crimes or damages.
The purpose of the video surveillance is also to ensure personal safety of people working or visiting the premises. The video cameras are located at Kamux premises. They record people working and visiting the areas covered by the cameras. The premises have signs that inform people of the video surveillance.
Processing related to security and safety is a legal obligation, but some of the security measures are done in the legitimate interests of Kamux such as protection of our property.
Legal obligations
We also process personal data when required by applicable law and/or to comply with the laws and regulations (e.g. accounting or other specific legislation). The legal obligation is the basis for the processing.
Purposes that require your consent
Your consent is required for certain types of processing of your personal data such as electronic direct marketing (newsletter order) and processing of sensitive data. We do not intend to collect sensitive personal data, but data subjects may submit it voluntarily, and then we process it based on consent.
For the processing of personal data that you have given your consent you can withdraw your consent at any time regarding further processing of your personal data. See instructions further down (0 Rights of the data subjects and the Supervisory authority). We will comply with such request unless there is another legitimate ground to process the data.
4. Personal data processed and sources of information
We collect and processes only personal data which is relevant and necessary for the purposes outlined this Privacy Notice.
We collect the following categories of data:
|
Categories of data |
Examples of personal data |
|
Identity and contact information |
name, personal identification code / date of birth, address, phone number, email, country, driver’s license identification data |
|
Customer relation data and contract details |
Term of customer relationship and the way of creation and termination of the relationship, data of product or service contracts, purchase orders, cancellations and deliveries, customer feed-back and claims, callback and chat service data, responses to customer, market surveys and research and other interactions, banking data, invoice and payment data, debt collection, possible credit application information including creditworthiness and specific contract terms |
|
Vehicle data |
Licence number, owner, model, vehicle identification number (VIN), vehicle service history |
|
Insurance application data |
Damage history, trade-in car data, drivers and driving habits |
|
Consent and objections |
Consent or objection to electronic direct marketing or to other processing activities |
|
Images, recordings |
Copy of the driver’s license, video surveillance recordings |
|
Electronic identification and behaviour data |
Browsing data, search data and cookie data, see separate Cookie policy |
|
Marketing data |
Marketing efforts performed, preferences and interests of the data subject, other information provided by the data subject, marketing permissions and consents (opt-in), restrictions and bans (opt- out) Information relevant to the marketing event or scope of the marketing such as preferences |
|
"Know your customer” data |
The required information under the Act on Detecting and Preventing Money Laundering and Terrorist Financing (444/2017). |
When you order/purchase our Products and Services or otherwise enter into a contract with us, or when we have a legal obligation to ask for your data, we need your personal data to fulfil the contract and/or our legal obligations. We will inform you at the time which personal data are mandatory to be provided by you. Personal identification codes are processed only for purposes permitted by law when it is important to identify the data subject for example in the sales or purchase of the products, granting of credit or debt collection. Only contact information (excluding personal identification code) and marketing data as defined above are processed for the purposes of direct marketing to potential and former customers.
We collect the information from the following sources:
· Information you provide e.g. when contacting us, visiting us, utilising our Products and Services (including web services and social media), participating in our marketing activities and when entering into a contract with us / ordering our Products and Services.
· Automatically gathered information when you use our Products and Services e.g. when you use our online services.
· Information from service providers such as vehicle repair services, vehicle information services and marketing service providers
· Information from third parties such as population register services, local vehicle registration services and other public and private registers
o Publicly accessible sources such as contact data services, vehicle data services and credit data services
· Video surveillance recording in our premises
5. Retention of Personal data
The personal data we collect are retained for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law (e.g. accounting or reporting obligations), or we need it to protect our legal rights. Thereafter, the personal data will be deleted within a reasonable timeframe or rendered anonymous.
The retention periods depend on the purpose of the processing and type of the information.
Personal data and retention periods are listed in the table below:
|
Categories of personal data |
Retention period or criteria used to determine the period |
|
Test drive permit data |
9 months (to be able to respond to fines or other consequences) |
|
Prospect customer data |
4 weeks if no offer/contract is established |
|
Contact customer data |
6 months if no contract is established |
|
Contract customer data (including complaints, instalment contract data) |
10 years after the financial year/accounting period (legal obligation) |
|
Insurance confirmation data, Insurance document data, data of approved credit |
6 months |
|
Kamux callback and chat service data |
1 month |
|
Requests for using the rights of the data subject |
Until the request has been submitted |
|
Video surveillance recordings |
Max 12 months (depending on the capacity of the recorder) |
|
Marketing consents |
Until unsubscribing |
|
Cookies/analytics data |
(see Cookie Policy) |
|
Marketing data |
Deleted within 90 days |
6. Recipients of Personal data
Your personal data will be accessible by companies included in Kamux Group.
Personal data are also shared with service providers and third parties. We will only share personal data to the extent necessary for performing the service (e.g. to provide, maintain and secure the service).
We disclose your personal data to the following recipients:
|
Category of recipients |
Recipients |
|||
|
Registration - Registration authorities (except for Germany) - Registration partner, Germany |
Local Vehicle registration (Trafi, Bilvision, Transportstyrelsen)
Astorga, Holger Slabik |
|||
|
Insurance companies |
IF, Folksam, Lähi-Tapiola, Nordea, OP, POP-vakuutus, Fennia, Pohjantähti, Turva, A-vakuutus, Car Garantie, Länsförsäkringar |
|||
|
Credit companies |
Santander, OP, Nordea, Nordean Joustoluotto, AKF, BDK, DNB, Lähi- Tapiola, SVEA Ekonomi, SAV-rahoitus, Handelsbanken joustorahoitus, Danske Bank, Ecster |
|||
|
Car repair/service companies |
About 4000 totally in the whole Group |
|||
|
IT/web partners |
service |
providers |
/ |
Houston, IT4B, Cloupoint, Fiarone, Decens, Mediam, Amazon AWS, Four Components, Digia, Leanware, Innofactor, Lekane, Investis |
|
Banking |
Basware, Analyste Oy, Clausion Oy |
|||
|
Video surveillance |
Securitas |
|||
|
Insider information, share owners, AGM register |
Euroclear, Ticker |
|||
|
Release distribution |
Cision |
|||
|
Consulting |
PWC |
|||
|
Arkivbolaget |
Safebox |
|||
|
Marketing service providers including advertising and personalized content |
Google AdWords, Adform Display network, Google Display Network, Facebook, MailChimp / Mailparser.io, Cybot (Cookiebot service provider), Otavamedia, Instagram, LinkedIn, Custobar, Frosmo |
|||
|
Statistics |
Google Analytics, Hotjar |
|||
Transfer outside EU/EEA
When Personal data are transferred outside EU/EEA, the transfer is secured by legal measures, appropriate safeguards. The following recipients may process data outside EU/EEA:
|
Recipient |
Transfer safeguard |
|
Investis Inc, Investis Corporate Communications Private Limited |
European Commission’s Standard Contractual Clauses with Investis in accordance with Data Protection Legislation |
|
InsiderLog |
European Commission’s Standard ContractualClauses |
|
Google (including YouTube) |
European Commission’s Standard Contractual Clauses |
|
Meta (Facebook and Instagram) |
European Commission’s Standard Contractual Clauses |
|
|
European Commission’s Standard Contractual Clauses |
|
|
European Commission’s Standard Contractual Clauses |
The customer may, on his or her own initiative, use WhatsApp as the means of communication, in which case the WhatsApp Privacy Policy applies. Use of WhatsApp is only possible if the customer has installed it on his or her terminal and accepted the terms of use and privacy policy of WhatsApp. Kamux also offers its customers a standard mobile phone number.
Other transfers
In addition, we may share your information in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similararrangements.
Personal data are also disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the Products and Services as well as to guarantee the safety of the Products and Services.
7. Protection of Personal data
We commit to follow to the security provisions of applicable data protection regulations, as well as to process personal data in compliance with good processing practices.
Personal data are protected with appropriate technical and organizational measures. We store the information in locked environments with limited physical access rights and secure IT-environments. The IT-environments are protected with firewalls and other adequate security technics, and advanced monitoring is done 24/7. Our personnel and processors that process personal data are obliged to keep personal data strictly confidential. Access to personal data is only granted to those employees that need the information to perform their work tasks. Employees and processors have personal IDs and passwords.
The digital camera recordings are kept in a locked space with limited access. The recordings can only be accessed by authorized personnel and can only be shared when required by authorities according to laws and regulations. Old recordings are regularly destroyed when a new recording overwrites them. However, recordings related to damages or crimes are saved as long as necessary for the investigation and other legal measures.
We inform the authorities and users/data subjects of data breaches according to applicable information security and data protection regulation(s).
Rights of the data subjects and the Supervisory authority
The data subjects have the rights set out in the applicable data protection legislation.
Right to access and verify
You have the right to have confirmed if we process your personal data.
You have the right to verify and access your personal data and to request us to provide you the data in writing or electronically.
Right to correct and erase (right to be forgotten)
You have the right to have corrected any incorrect or incomplete personal data. You have also the right to request us to remove data.
We also remove, correct and complete incorrect, unnecessary, incomplete or outdated data on our own initiative when we notice such data.
Right to data portability and to object and restrict processing
You have the right to transmit your data to anothercontroller.
You have the right to request us to restrict processing of your personal data in accordance with the conditions set out in the data protection legislation. We will also restrict the processing of your personal data if we cannot correct or remove incorrect data, or if there is any uncertainty related to request to erase yourdata.
You have the right to object to processing of your personal data for certain purposes. You have the right to deny any processing or transferring of data for direct marketing.
Right to withdraw consent
If the processing of your personal data is based on consent, you have the right to withdraw consent at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
You can deny any direct marketing and withdraw your consent regarding electronic direct marketing by following the instructions received in connection to the marketing communication (e.g. in the marketing email or SMS).
You can always withdraw any consent including parental consent by contacting Kamux using the contact information provided in the beginning of this document (1 General information
How to exercise the rights of the data subjects
After receiving all the required information of your request (incl. confirmation of identity), we will start the processing of your request. We will do our best effort toprocess your request within a period of one (1) month.
We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.
Right to access, correct and erase your personal data
You can make a request for data subjects' rights by contacting our customer service via e-mail asiakaspalvelu@kamux.fi or phone +3589 8560 4000, or by sending a request to the address mentioned in section 2.
Right to object and restrict processing, data portability, object to direct marketing and withdraw consent
You can exercise these rights by using the contact information in the beginning of this privacy notice.
Right to lodge a complaint with the supervisory authority
In case you consider our processing activities of your Personal data to be inconsistent with the General Data Protection Regulation (GDPR) (EU) 2016/679, you have the right to complain to the local data protection supervisory authority.
Data Protection Official
Local data protection officials in Finland, Sweden and Germany.
8. Changes to this Privacy Notice
We may change this Privacy Notice from time to time, whenever necessary. All changes hereto will be made available on our websites (kamux.fi/kamux.se/kamux.de/kamux.com) where we publish this Privacy Notice.
This Privacy Notice has been first published on 24.5.2018.
Change history
|
Version number |
Change description |
Date |
|
2nd |
Updated the list of 1. Marketing service providers including advertising and personalized content and 2. Statistics |
19.7.2019 |
|
3rd |
Updated the list of 1. Marketing service providers including advertising and personalized content and 2. Insider information and 3. retention period of test permits |
11.12.2019 |
|
4th |
Purpose and legal basis of the processing of personal data |
6.2.2020 |
|
5th |
Updated the list of marketing service providers |
17.09.2020 |
|
6th |
Updated data protection officer, vehicle data, Consent and objections, Transfer outside EU/EEA |
24.02.2022 |
|
7ht |
Updater the list of recipients |
26.9.2022 |
Privacy Notice: Recording Camera Surveillance
Updated 17 May 2023
The purpose of this privacy notice is to give you information on how we at Kamux Group process personal data relating to recording camera surveillance
1. Data controller
Kamux Corporation (business ID 2442327-8)
Each Kamux Group company is responsible for the processing of personal data in its own activities for the purposes and on the legal basis set out in this privacy notice and may use personal data collected by other Kamux Group companies for the same purposes as necessary.
2. Contact details in privacy matters
As a data subject you may contact Kamux in all privacy matters using following contact information:
Kamux Corporation / Privacy matters
Parolantie 66
FI-13130 Hämeenlinna, Finland
Contact details of Data Protection Officer: privacy@kamux.fi
3. For what purposes and on what basis do we process your personal data?
The processing of data is based on the legitimate interests of Kamux. The purpose of camera surveillance is:
• protect property, prevent vandalism and crime
• to help detect and prevent crime that has already occurred and situations that endanger property and security
• ensuring the safety of persons and areas within the area.
Additionally, the records of the camera surveillance may be used for the following purposes:
• verifying the ground for the termination of employment
• investigating or verifying harassment or molesting in accordance with the Act on Equality between Women and Men or harassment or inappropriate behavior in accordance with the Occupational Safety and Health Act, if there is a reasonable ground for suspecting that the employee is guilty of harassment, molesting or inappropriate behavior
• investigating an occupational accident or other situation, which has caused danger or risk, in accordance with the Occupational Safety and Health Act.
4. What type of information is collected and where do we collect personal data from?
The register contains footage of people moving around the company's premises and areas.
Areas and premises subject to camera surveillance are marked with camera surveillance signs. In addition to the image, the date and time of the events are recorded.
The personal data recorded in the register is collected in the context of the recording camera surveillance. Other data sources are used within the limits set by law.
5. Do we share your personal information and may information be transferred outside the EEA?
We do not regularly transfer your personal data outside the Kamux Group, neither do we transfer it outside the EEA. Data may be disclosed to authorities, such as the police, for the purpose of investigating criminal offences.
We use external service providers to carry out camera surveillance. We make data processing agreements with service providers acting as processors and ensure that our partners process personal data only to the extent that is necessary for the provision of the service in question.
6. How your personal information is protected and how long we process information
The data is stored in systems that use both technical and software means to ensure data security and control access to the data.
The recordings are kept for as long as they are necessary to fulfil the purpose of the camera surveillance. In principle, records are kept for two months. Recordings that are needed, e.g. as evidence, are kept until the case has been concluded, e.g. until a final judgement has been obtained.
7. Your rights as a data subject in relation to data processing
You can make a request for data subjects' rights by contacting our customer service via e-mail asiakaspalvelu@kamux.fi or phone +3589 8560 4000, or by sending a request to the address mentioned in section 2.
As a data subject, you have the following rights according to the data protection law.
• Right of access, rectification and erasure
o As a data subject you are entitled to obtain information of your personal data processed by Kamux. You have also a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of your data.
• Right to ask for the restriction or object the processing
o You have the right to ask for the restriction or object your personal data processing.
• Right to lodge a complaint with a supervisory authority
o If you consider that the processing of personal data relating to you infringes the data protection regulation, you have the right to lodge a complaint with a supervisory authority. You may lodge your complaint in the EU Member State of your habitual residence, place of work or place of the alleged infringement.
Privacy Notice: Investor relations
Updated 27 April 2023
1. Purpose of this notice and data controller
The purpose of this notice is to give you information regarding how we process personal data related to investor relations whether you are investor or prospective investor and/or interested in our business and solutions. The data controller of your personal data is Kamux Corporation (business ID 2442327-8).
If you have any questions related personal data processing and/or this notice, please contact Data protection Officer: privacy@kamux.fi
2. Contact details in privacy matters
As a data subject you may contact Kamux in all privacy matters using following contact information:
Kamux Corporation / Privacy matters
Parolantie 66
FI-13130 Hämeenlinna, Finland
Contact details of Data Protection Officer: privacy@kamux.fi
3. For what purpose is your personal information collected and what type of information is collected and where?
We publish a range of reports to share information about Kamux’s business and solutions such as financial news to media, analysts, investors and shareholders. You can order releases and publications such as our stock exchange or press releases.
When you wish to subscribe for information from us, such as Kamux’s press releases and reports, we ask you to provide such personal data as is required to fulfill the particular service. Examples of the categories of personal data that we collect and process include name, contact details (such as email address, postal address), details of the company or organization that you represent, your position and other professional details. Personal data is used to distribute press releases, reports, invitations to seminars and similar events. We process personal data on the basis of a legitimate interest of conducting our business and maintaining contacts with you and the companies and organizations that you represent and on the basis of subscription of releases.
Personal data is collected from you by webpage forms, by phone, in meetings, or by other equivalent means.
4. Who do we share your personal information and may information be transferred outside the EEA?
We use services of external service providers for, e.g. investor relation tool to maintain mailing lists and for processing information. In accordance with data protection agreements, each service provider can only process personal data to the extent that is necessary for the provision of the service in question. Where your personal data is transferred outside of the EEA we will ensure that appropriate mechanisms are in place to ensure the protection of your personal information, including the use of specific contracts approved by the European Commission giving your personal data the same protection as it has in Europe.
We use investor relation tool to maintain information and send releases and publications. Some the data processing functions of the service are performed outside the EEA area, e.g. from the UK and the United States. The transfer of data to the UK is carried out based on the adequacy decision issued by the EU Commission. The level of data protection may be lower outside the EEA. Unless the country to which the data is transferred, such as the United States, has received the EU Commission's adequacy decision, we apply other appropriate protective measures to ensure the protection of personal data, for example by applying standard contract clauses in accordance with the European Commission's decision on the transfer of personal data to third countries. Available: https://commission.europa.eu/publications/standard-contractual-clauses-international-transfers_en
5. How your personal information is protected and how long we process information
We apply physical, technical, and administrative protection measures to protect personal data. Only those parties who have the right to process personal data for their work performance are authorized to use the systems containing data. We make data processing agreements with all subcontractors that process personal data in order to ensure appropriate data protection.
We store personal data for as long as it is necessary to initiate, maintain or manage a professional relationship with you, the company or organization that you represent or as long as the individual requests the erasure of the data. In this case we will store the data that legislation obligates us to store and the data about the erasure. You may unsubscribe from our subscription services and similar distributions at any time, following which your personal data will not be saved for these purposes.
We assess the necessity of retaining data regularly. In addition, we take care of such reasonable measures which ensure that no incompatible, outdated or inaccurate personal data, taking into account the purpose of the processing, are stored in our registers.
6. Your rights as a data subject
You can make a request for data subjects' rights by contacting our customer service via e-mail asiakaspalvelu@kamux.fi or phone +3589 8560 4000, or by sending a request to the address mentioned in section 2.
As a data subject, you have the following rights according to the data protection law:
• Right of access, rectification and erasure
o As a data subject you are entitled to obtain information of your personal data processed by Kamux. You have also a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of your data.
• Right to object the processing
o You have the right to object your personal data processing.
• Right to lodge a complaint with a supervisory authority
o If you consider that the processing of personal data relating to you infringes the data protection regulation, you have the right to lodge a complaint with a supervisory authority. You may lodge your complaint in the EU Member State of your habitual residence, place of work or place of the alleged infringement.
Privacy Notice: Whistleblowing channel
Updated 27 March 2023
The purpose of this privacy notice is to give you information on how we at Kamux Group process personal data relating to our whistleblowing scheme.
1. Data controller
Kamux Corporation (business ID 2442327-8)
Each Kamux Group company is responsible for the processing of personal data in its own activities for the purposes and on the legal basis set out in this privacy notice and may use personal data collected by other Kamux Group companies for the same purposes as necessary.
2. Contact details in privacy matters
As a data subject you may contact Kamux in all privacy matters using following contact information:
Kamux Corporation / Privacy matters
Parolantie 66
FI-13130 Hämeenlinna, Finland
Contact details of Data Protection Officer: privacy@kamux.fi
3. For what purpose is your personal information collected?
The purpose of the whistleblowing scheme is to monitor the Kamux Group's activities and to ensure the protection of persons reporting breaches of European Union and national law. The processing of personal data is based on national laws enacted under the Whistleblowing Directive (e.g. in Finland, the Act on the Protection of Persons Reporting Breaches of European Union and National Law § 2 and § 10). and EU Market Abuse Regulation. The whistleblowing channel allows the company to monitor its compliance with the rules and laws governing its activities, to protect whistleblowers and to ensure the confidentiality of the processing of data. The information will be used to monitor and investigate wrongdoing and, if necessary, to prepare, present or defend a legal claim.
Through the whistleblowing channel, persons who, in the course of their work, have discovered or suspect that they have discovered an infringement of European Union or national laws may submit a report under the applicable law for activities in the public interest in areas such as: public procurement; financial services, money laundering and prevention of terrorist financing; product safety; transport safety; environmental protection; radiation and nuclear safety; food and feed safety; animal health and welfare; public health; consumer protection; protection of privacy and personal data; security of network and information systems; taxation; grants and state aid; competition rules and financial market rules and regulations.
4. What type of information is collected and where do we collect personal data from?
The register may contain the following types of personal data about the whistleblower and the subject of the report and other related persons, such as witnesses:
• Name of the whistleblower, email address, telephone number. The report may also be made anonymously.
• Name of the subject of the report, information related to the illegal activity (incl. place and time), information about witnesses
• Information related to the reporting and processing of the report and messages (including report code and status).
• Any other information provided by the whistleblower himself.
In addition, information is stored on the handlers of reports coming through the channel, such as name, job title, e-mail address, user IDs in the system, log information on the use of the system.
The primary data source for the information stored in the register is the whistleblower himself. In addition, the data will consist of information recorded during the process of handling whistleblowing reports. Other data sources are used within the limits set by law.
5. Who do we share your personal information and may information be transferred outside the EEA?
Kamux does not regularly disclose data to outside the Kamux Group and does not transfer data outside the EEA. However, personal data may be disclosed in accordance with the law, such as for police investigations.
Kamux uses a subcontractor to manage the whistleblowing system and to process reports. As such, personal data will be transferred to subcontractors only to the extent necessary to implement the whistleblowing channel and process reports.
6. How your personal information is protected and how long we process information?
Only persons who have the right to process the data for their work may use the system which contains personal data. The handlers of the reports are bound by the obligation of secrecy. Each user has a personal username and password for accessing the system. The data is collected in databases which are protected by firewalls, passwords, and other technical means. The databases and their backups are situated in locked premises, and only certain individuals who are named beforehand have access to the data. Kamux shall ensure the realization of data protection with data processing agreements concluded with the subcontractors that process personal data.
Data in the register is stored for as long as is necessary for the purpose of monitoring or to fulfil statutory obligations. In principle, the report data is retained for five years from the date of the report, unless further retention is necessary for the purposes of an ongoing criminal investigation, judicial proceedings or administrative enquiry or for the protection of the rights of the whistleblower or of the subject of the report. Personal data that is clearly irrelevant to the processing of the report will be deleted without delay.
7. Your rights as a data subject
You can make a request for data subjects' rights by contacting our customer service via e-mail asiakaspalvelu@kamux.fi or phone +3589 8560 4000, or by sending a request to the address mentioned in section 2.
As a data subject, you have the following rights according to the data protection law. In certain circumstances, the company may have the right to restrict the exercise of the rights set out below, for example if it is necessary for the investigation of a crime or to protect the identity of the whistleblower.
• Right of access, rectification and erasure
o As a data subject you are entitled to obtain information of your personal data processed by Kamux. You have also a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of your data.
• Right to object the processing
o You have the right to object your personal data processing.
• Right to lodge a complaint with a supervisory authority
o If you consider that the processing of personal data relating to you infringes the data protection regulation, you have the right to lodge a complaint with a supervisory authority. You may lodge your complaint in the EU Member State of your habitual residence, place of work or place of the alleged infringement.
Updates to Privacy Statement and Privacy Notices
Kamux drives to develop continuously its business and data protection tools and reserves the right to amend this Privacy Statement. When required by applicable laws Kamux may contact you in order to provide information about updates or changes that have effects on you.