Platform of Trust Oy | Data Marketplace
1. Controller and contact details
Platform of Trust Oy (business ID 2980005-2)
c/o Vastuu Group Oy
Tarvonsalmenkatu 17 B
Data Processing Officer’s contact details:
Platform of Trust Oy
Data Protection Officer
c/o Vastuu Group Oy
Tarvonsalmenkatu 17 B
2. Data subjects
Data subjects are customers or users of Data marketplace service.
3. Basis and purpose of personal data processing
The legal basis for personal data processing is the legitimate interest of the controller or the fulfilling of a contract made with the controller.
We use personal data in the delivery of Data Marketplace service, its marketing and sale, and for customer relationship management, invoicing, provision of customer support services, user rights monitoring, and service development. Personal data processing also includes processing and analysing the data concerned for targeted marketing and service production. For example, we can show you targeted messages or content on our website, or channels based on your previous interests.
4. Which personal data is collected and from what sources?
We mainly collect personal data from you directly when you contact us and use Data Marketplace service. We may also collect data on our customers and their contact persons from public sources and registers.
We use web analytics services to collect visitor data on our website in order to analyse and develop our web resources, as well as target relevant marketing and customer communications to visitors.
The personal data files contains the following types of data on the natural persons as well as contact persons for our customers and potential customers:
- name, email address, telephone number, job title
- name and contact details of the company/organisation linked to the contact person together with organisation number, VAT number, contact details (email, phone, contact person, visiting address, mail address) and website
- delivery address and billing address
- the selected payment method (billing/e-payment/credit card). If the user selects credit card as a payment method, users cardholder data will be transmitted through a secured connection directly to the payment service provider’s (Checkout Finland Oyj) payment systems. Data Marketplace will not store any other data than the type of credit card, last 4 digits of the payment account number and card expiry date.
- user profile
- user ID and password for the Data Marketplace service
- information how and when a user has been authenticated
- log files concerning logging into the service and the use of the service
- purchase history on purchases completed in the Data Marketplace including parties of the transaction, traded items, vendor’s Terms of Sale, paid fees and provisions
- items transferred into the shopping cart
- items recorded in user’s wishlist
- messages sent to customer support and processing data on the related customer support ticket
- consents and bans on direct marketing and customer communications
- newsletter subscription data
- other information related to the purpose of the register that can be linked to the data subject, such as data collected on the use of the website during the use of the service (e.g. the user’s IP address, time of the visit, pages visited, browser type used, website that directed the user to the website, and the device and server that the user used to access the website).
5. Regular disclosure and transfer of personal data
We may disclose personal data to our payment service provider (Checkout Finland Oyj) for the purposes of the payment of purchase fees and provisions arising from transactions completed in the Data Marketplace.
We may disclose to the parties of a transaction information on the contracting parties, their contact persons and contact details and information on traded items and paid purchase fees and provisions.
We may use subcontractors for personal data processing.
We may transfer personal data to our partners for direct marketing purposes within the limits of applicable legislation.
We can disclose personal data to the authorities based on the mandatory requirement of a competent authority, or when we consider the inquiry of the authority to be justified in order to investigate suspected misuse of our services.
6. Transfers outside the EU and EEA
Personal data is not principally transferred outside the European Union (EU) or the European Economic Area (EEA), unless necessary for the technical implementation of data processing, e.g. when the data subject sends or receives messages by email or other online-based transmission service.
The controller may use in customer and marketing communications and in customer support ticket management third-party data systems and cloud services, the personal data processing of which can be partly implemented outside the EEA. To the extent that the controller’s subcontractors implement data processing outside the EEA, the controller will ensure that the transfer of personal data outside the EEA is completed in accordance with the applicable legislation.
7. Storage period of personal data
Personal data will be stored for as long as the Controller will need it for the above purposes.
Bookkeeping records of the transactions and related payments completed in the Data marketplace will be retained at least for the statutory minimum retention periods set out in the applicable laws.
8. Rights of data subjects
As a data subject, you have the right to inspect the personal data concerning yourself and demand that any incorrect data be corrected or deleted. However, we can, within the limits of law, restrict your right to access data that contains the personal data of others, is a business secret of ours or our customer, or is related to the safety features of the service.
You have the right to request that your personal data be deleted in situations specified in the General Data Protection Regulation (“GDPR”), if:
- you cancel your previous consent and there is no other legal basis for processing the data concerned besides your consent
- you object to the processing of your personal data, and there is no legal basis for continuing the processing
- processing the data is illegal
- you are under 18 and your personal data was collected in connection with providing information society services.
In situations specified in the GDPR, you have the right to object to the processing of your data or to request that the processing of your data is restricted or transfer your personal data in another system. If you consider the processing of your personal data to be illegal, you can submit a complaint on the processing to a competent authority.
9. Data security
The right to use the personal data files is restricted to appointed persons only, who need the information concerned in their work tasks. Each user has his/her own user name and password. Personal data is principally stored in databases and data systems located within the European Economic Area that have the appropriate technical and organisational measures in place, to protect the personal data against misuse and disclosure.
If you have questions regarding this privacy notice or you wish to exercise your rights, please contact the controller’s data protection officer by using the above email or postal address.
We may make changes to this privacy statement from time to time without a separate notice. Any changes made are listed in the “last update” section at the beginning of this privacy notice.