Updated on 18 June 2018
Controller
LVI-Numero Oy
Särkiniementie 3
00120 Helsinki
Person managing the personal data register
Magnus Sirén, Managing Director, magnus.siren@lvi-info.fi
This document describes the principles of processing personal data contained in the LVI-INFO product data bank. The product data bank can be found at https://port.lvi-info.fiand it is owned by LVI-Numero Oy.
System description
The LVI-INFO.fi service has three user groups: main users, users, and viewers. Main users are persons employed by Ambientia and LVI-Numero Oy. Users and viewers are persons employed by LVI-Numero Oy’s client companies. All users must sign in into the system in order to use the service.
Subscribers to the LVI-INFO.fi newsletter have either subscribed to the newsletter themselves or they have been added onto the mailing list based on a customer relationship.
Purpose of personal data
Personal data is used to manage and maintain the customer relationship of customers using LVI-Numero Oy’s online services (www.lvi-info.fi), to monitor the use and control the misuse of the online services, and to plan and develop the operation of the online services.
Categories of personal data processed within the system
The personal data register contains personal data of persons who have registered as users of the www.lvi-info.fi online services or have subscribed to the newsletter.
No special categories of personal data referred to in article 9 of the EU General Data Protection Regulation (GDPR) are processed within the service.
Main users have access to all views and data contained in the service. This user category includes persons employed by Ambientia and named persons employed by LVI-Numero Oy.
Users are data administrators within their company. They have access to the system in order to administer the products of their company and to manage the personal data of its staff and access of the staff to the system (as administrators or viewers). Viewers only have access to the product information of their company.
Users and main users of client companies can see the personal data of other users of their client company (name, telephone number, email address). Main users can also see the personal data on any deleted users. Viewers have no access to the personal data of other users.
The following personal data of users and subscribers to the newsletter are processed within the system:
Name
Telephone number
Email address
Company
These data are used for communication between LVI-Info’s main users and client companies, and for sending newsletters and bulletins. In addition, the data is used and processed in situations where the product history needs to be investigated.
In case of companies, the stored information includes their products and their detailed technical information, contact details, and invoicing addresses.
Data sources of the register
The register contains information provided by data subjects and data relating to the use of the service by data subjects that is saved into the system during use of the service.
Customer information is entered into the register during registration and will be removed from the register if requested by the client. Data will be updated where required.
Regular disclosure of data
Personal data contained in the register will not be disclosed to third parties.
Data security principles
The register is stored in a data system that can only be accessed by the staff of LVI-Numero Oy who need access to the said data system for their work. The data system is protected with a username and password.
All data traffic relating to the service passes through an encrypted HTTPS connection from the user’s browser to the Apache HTTP Server in front of the application. Personal data is saved in the database or in the newsletter application, and attachments are saved on the disc of the server. The application writes events in logs using the unencrypted name of the person. Only authorised persons have access to the server, the database, and the administration views of the application. Such access always requires signing in into the system.
The contact details of the contact person of the company is transferred to the party responsible for invoicing. Otherwise no data contained in the system is disclosed to third parties.
Personal data relating to an individual data subject cannot be removed from the service completely, as this data is needed for monitoring product history in accordance with article 17 of the GDPR.
The system is in Ambientia’s server environment. The operating system of the server is Red Hat Enterprise Linux 6. The server can only be accessed from Ambientia’s intranet and only by authorised persons.