Processing of customer data of Asuntoyhtymä Oy
Asuntoyhtymä Oy, PL 196, 00101 Helsinki, Finland
Tel. +358 (0)20 766 1390
Asuntoyhtymä Oy (controller) processes personal data in compliance with applicable data protection legislation.
2. The purposes of processing the personal data of customers and potential customers
Asuntoyhtymä Oy processes personal data related to the management of customer or lease relationship, marketing, communications and the electronic locking system, and the personal data submitted in the eWhistleblowing system.
The purpose of the processing of personal data is the acquisition, management, administration and maintenance of customer relations related to rental housing as well as the development of rental housing services, and regarding electronic locking systems, the recording video surveillance and sensor monitoring system or other technical system installed in the apartment by the contractor for the protection of people and property. The purpose of the processing of personal data obtained from the whistleblowing system is to investigate suspected wrongdoing in more detail. Reports can, however, also be submitted anonymously.
The controller also stores and evaluates information regarding visits to the controller’s website and uses the information to target advertising. This information is also used to develop advertising and housing services provided by the controller.
3. Legal basis for processing personal data
The processing of personal data by the controller is based on a contract between the customer and the controller, the consent of the customer or a potential customer, or the legitimate interest of the controller.
The processing of personal data related to the establishment and management of customer and lease relationships is based on a contract. The processing of personal data regarding the electronic locking system, recording video surveillance and sensor monitoring or other technical system is based on a contract or a legitimate interest of the controller to protect property.
The processing of personal data used for the quality control and development of the controller’s housing services is based on the legitimate interest of the controller.
In addition, data can be collected from potential customers for sales and marketing purposes. The processing is then based on the legitimate interest of the controller or the consent of the data subject, depending on the source of the information. The legal basis for processing personal data submitted to the whistleblowing system is the data subject’s consent and, regarding the object of the report, the statutory obligation of the controller.
4. Categories of personal data that are processed
Asuntoyhtymä Oy collects the following personal data:
Tenants as customers and those living with them, including their possible representatives or contact persons
- Name and date of birth
- Contact details: telephone number, address and email
- Personal identity code of the tenant or the business ID of a company for invoicing, etc.
- Language for communications
- Information on the tenant’s guardianship, when necessary
Customers who have lodged an application for an apartment and their representatives
- Name, personal identity code or business ID
- Contact details and previous address
- Regarding private persons: information on employment or study as well as possible default data (yes/no) in credit information
Potential customers, for example, people contacted through online services or campaigns
- Name and contact data (telephone number, email and address)
- Information regarding the need for an apartment
- Data collected from the website, such as via cookies
People using the electronic access control system
- Name, apartment number and keycode
- Date, time and place registered by the electronic access control system
Recording video surveillance footage (Note: Data is not collected in all buildings. If your housing company has a video surveillance system in place, information thereof is given in your rental agreement, amongst others.)
- Video footage with time and location codes
The temperature and humidity sensor monitoring system or other corresponding technical system installed in the apartment by the contractor (only in some buildings)
- Apartmentspecific recorded values to monitor the condition of the buildings.
- Name and contact details (telephone number, email address and street address) and other data submitted by the whistleblower that may contain data on the object of the report.
5. Regular sources of data
Personal data is collected from the following sources:
- The information necessary for the management of the customer relationship is collected directly from the data subject
- The information from the whistleblowing system is collected from the whistleblowers.
- The credit information of potential tenants can be checked from Suomen Asiakastieto Oy’s credit information register
- The electronic locking information is collected from the locking system, information from the video surveillance is collected from video footage, and information from the sensor monitoring system is collected directly from the measurement device.
- The data related to potential customers is collected from online services, social media services, and participants in customer meetings, campaigns or events.
Asuntoyhtymä Oy may, if necessary, also check and update contact details and other personal data from other reliable sources of information provided by public or private parties.
6. The recipients of personal data/disclosure and transfer of personal data
The data controller does not, as a rule, disclose the personal data of the data subjects to third parties.
The controller may disclose registered data to the authorities for the investigation of suspected criminal offences. The data may also be disclosed to other authorities subject to a specified legal basis.
However, the controller may transfer personal data in such a way that the processor uses the transferred data on behalf of and for the account of the controller, for example a housing manager, a security services supplier, a locksmith, a contractor, a debt collection agency or law firm, or the whistleblowing system service supplier in the performance of their contractual duties. In these cases, the data processor undertakes to comply with the terms and conditions of data processing as the controller.
The controller shall not transfer the data outside the European Union or the European Economic Area. The controller’s data processor may transfer data outside the European Union or the European Economic Area if an express written agreement is made thereof in advance and the data protection legislation valid at a given time is complied with in the transfer.
However, the controller may not prevent the possible transfer of third-party cookie data from the website outside the European Union or the European Economic Area.
7. The storage period of personal data
The controller shall process and store the data only for as long as is necessary for the purpose. The retention period varies depending on the type of personal data, depending on the specific purpose of processing thereof.
The personal data of customers, that is, tenants and those who have applied for rental housing, will be retained for the period required by the assignment and any tenancy, but may also be retained and used for the duration and to the extent necessary for invoicing, recovery and legal action. The personal data of the customer relationship will be deleted no later than three years after the end of the said customer relationship.
Data from potential customers, such as those who have given their consent in online services or events, will be kept for the time being; that is, until the consent is withdrawn or for as long as such personal data can be used for customer communication or marketing. Whistleblowers’ personal data collected from the whistleblowing system will be kept for as long as is necessary from the viewpoint of law; that is, unnecessary personal data must be deleted.
Electronic access control data and recording video surveillance footage will be stored on the same bases as other data based on the rental agreement. Data collected from the humidity sensor or other corresponding technical system will be used and stored for the entire lifespan of the building.
More detailed information on the storage periods of cookie data regarding the controller's website can be found in the information on cookies.
8. Data subjects’ rights
Data subjects have the right to:
- Withdraw their consent to the processing of personal data at any time.
- Receive information on the processing of their data, unless exempted by law.
- If such personal data is processed, the data subject has the right to access the data.
- Check their personal data; that is, data subjects have the right to request the controller to correct any inaccurate and incorrect personal data without undue delay.
- Have their personal data deleted without undue delay
- provided the data subject withdraws their consent and there is no other legal basis for the processing of their personal data.
- Object to the processing of their personal data.
- Restrict the processing of their personal data.
- Obligation to notify about the rectification or deletion of personal data or the restriction of the processing of their personal data.
- Transfer their personal data from one system to another.
- Notify the Office of the Data Protection Supervisor (www.tietosuoja.fi) if the data subject considers that the controller is in breach of data protection legislation.
9. Processing and profiling of personal data
The controller does not process personal data by means of automated decisionmaking.
10. Further processing of personal data
Should the controller process personal data for other purposes, the controller is obliged to inform the data subjects of this purpose before further processing.
11. General description of the appropriate technical and organisational measures of the controller
The registers are accessible only to those employees of the controller who have committed to the company’s written data protection instructions and confidentiality provisions.
The security of information systems is organised by appropriate measures: encryption and technical restrictions, as well as security software and firewalls. The systems can only be accessed with passwords. Personal data is only processed in premises with access control. Materials containing any personal data are disposed of securely.
If you have any questions regarding our data processing, we kindly ask you to contact us by means of sending an email to info(at)asuntoyhtyma.fi or calling us on +358 (0)20 766 1390.