Dated: 25.02.2025
Data Controller
Sapin Oy
Kivikonkierto 10
05460 Hyvinkää
Finland
mika.lindstrom(at)sapin.fi
Contact Person for the Register
Mika Lindström
mika.lindstrom@sapin.fi
Tel. +358 40 730 6444
Name of the Register
Sapin Oy Customer Register
Legal Basis and Purpose of Processing Personal Data
The processing of personal data is based on the EU General Data Protection Regulation (GDPR). The legal basis for the processing may be the data subject’s consent or a contract established with the data subject. We collect data primarily from companies, organizations, and individuals who use our services or are otherwise connected to the company. Data is collected from, among others, our website, public sources, and other available data sources. The purpose of processing personal data is to maintain customer relationships, provide information, comply with legal obligations, or other similar purposes.
Contents of the Register
The register stores the following information: name, position, company/organization, contact details (phone, email, address), website addresses, IP address, social media accounts and profiles, information on services ordered and any changes, billing details, and other customer-related information. For job applicants, we also store date of birth, personal identity number, and any unemployment information, and for students, we store date of birth, personal identity number, and study-related information. Personal data will be deleted or anonymized within 10 years from the last customer event unless legislation or other obligations require a longer retention period.
Regular Sources of Information
Information stored in the register is collected from the customer through forms sent via the website, emails, phone calls, social media services, contracts, customer meetings, and other situations in which the customer provides their information. Additionally, personal data may be collected and updated for the purposes described in this privacy statement from publicly available sources or other third-party data within the limits of applicable legislation.
Regular Disclosures of Data and Transfers Outside the EU/EEA
Data is not regularly disclosed to third parties, nor is it transferred outside the EU/EEA. In exceptional cases, contact information may be disclosed to selected partners.
Principles of Register Security
The processing of the register is carried out with care, and data is protected appropriately through information systems. When register data is stored on internet servers, their physical and digital security is ensured accordingly.
The data controller ensures that stored data, server access rights, and other critical data security measures are handled confidentially and only by those employees whose duties include such tasks. Paper-based documents containing personal or confidential information are stored in locked areas to protect them from unauthorized access or illegal processing. Each data processor may access only the personal data necessary for their work.
Right of Access and Right to Rectify Data
Each data subject has the right to check the information stored about them and to request correction of incorrect data or completion of incomplete data. Requests should be sent in writing to the data controller, and the controller may request proof of identity if necessary.
The data controller will respond to the customer within the time frame specified by the EU data protection regulation (usually within one month).
Other Rights Related to Personal Data Processing
A person registered in the register has the right to request the deletion of their personal data from the register (right to be forgotten). Registered persons also have other rights under the EU General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations. Requests should be sent in writing to the data controller. The data controller may request proof of identity from the person making the request if necessary. The data controller will respond to the customer within the time frame specified by the EU data protection regulation (usually within one month).
2025 © Sapin Oy