T & M GRAND OY CUSTOMER REGISTER

Data protection description about the T & M Grand OY customer register according to the General Data Protection Legislation.

Updated 19.5.2020

1. CONTROLLER
   T & M Grand Oy
   2285494-7
   Piispankatu 28, 06100 Porvoo
   019 581 771
   

2. CONTACT PERSON FOR REGISTER QUERIES
   The contact person regarding the register and the rights of the data subjects is
   Jere Närkki
   Piispankatu 28, 06100 Porvoo
   019 581 771 / jere@rafaels.fi
   

3. NAME OF THE REGISTER
   T & M GRAND OY customer register
   

4. LEGAL BASES FOR PROCESSING PERSONAL DATA
   The grounds for processing personal data in the direct marketing register is the legitimate interest of T & M Grand Oy to promote products or services to the data subject.The controller is processing the customer information also based on the contract between the controller and data subject. The customer information is collected via table reservations, private functions, online purchases, catering-events, as well as programme event bookings, or for the invoicing of the products and services provided by T & M Grand Oy.
   

5. PURPOSE OF PROCESSING THE PERSONAL DATA
   We may use the collected information of the data subjects as follows:
   a) Delivering services requested by the customer, as well as processing orders and bookings
   b) Recommending, selling and promoting our services individually
   c) Customer service and communication regarding our services, for example sending messages, reminders, newsletters and requested information
   d) Creation, maintaining and development of services
   e) Payment, invoicing and debt collection
   f) Communication and marketing according to the agreement and restrictions of the data subject
   g) Business planning and product development
   h) Special diet information provided by the customer is used only for the production and serving of food
   i) Other tasks required by the rights and responsibilities of the controller
   j) To solve any possible disagreements between T & M Grand and any customers
   k) To carry out agreements with third parties
   

6. REGISTER’S DATA CONTENT
   Information stored on the data subject may include the following:
   a) Company name
   b) Position
   c) Full name
   d) Service language
   e) E-mail address and phone number
   f) Address
   g) Information about bookings
   h) Payment methods, invoice details, possible payment delays
   i) Corporate loyalty card
   j) Information about the customer’s choices or requests
   k) Social security number
   l) Other possible information that is necessary for the direct marketing register’s upkeeping, such as direct marketing consent and prohibition data.
   m) Information about purchases and use of services
   n) Possible customer feedback information
   o) Possible special diet information
   

7. REGULAR SOURCES OF INFORMATION
   As a regular source of information T & M Grand are the information provided to T & M Grand by the data subject via newsletter subscription, bookings, inquiries, forms, sales services, restaurants, quotes, customer feedback, online purchases as well as information provided during the use of services and products.In addition, T & M Grand Oy may receive necessary personal data to deliver services according to agreements from co-operative companies which T & M Grand Oy is providing restaurant or catering services for.With the data subject’s consent and on legal basis T & M Grand may also gather or receive information about the data subject from third parties, such as authorities, for example to ensure the quality of the communication or to confirm that the information is valid.
   

8. REGULAR DISCLOSURE OF DATA AND THE RECIPIENT GROUPS
   Data will not be disclosed to third parties from the T & M Grand Oy direct marketing register. T & M Grand Oy may disclose personal data to third parties such as authorities when we are legally obliged to do so.Cookies may be used on T & M Grand website and online shop. Information gathered with the cookies are used to develop the functionality of the website and to gather general visitor data. The user may switch off the cookies, but we can not guarantee full functioning of our website without cookies.
   

9. TRANSFER OF DATA OUTSIDE THE EU OR THE EEA
   T & M Grand Oy has subcontracted the registers of personal data in e-mail communication, websites as well as the online shop to third party cloud services (Squarespace), where customer data is kept. In addition, personal data is stored in other cloud services (Google). In these cases, the personal data may be saved on servers outside of Europe and the service providers are on the USA’s Privacy Shield system. Therefore, the data protection is at EU level.The fore mentioned service providers are responsible as register keepers for procedures that involve the rights of the data subjects. As a controller we always ensure that the data protection has been organized correctly and that the personal data has been protected appropriately.
   

10. STORAGE TIME OF PERSONAL DATA
    The personal data in the customer register is being processed for the length of the customer relationship. The controller considers that the customer relationship has ended, if the customer has not used the controller’s services in three years, and they are not subscribers of the newsletter. Once the customer relationship has ended the information will be removed within 3 months, unless there are other grounds for keeping the information.The contact person information of corporate clients will be removed in the same way, once the company’s customer relationship is considered to have ended. It is possible that the information is kept even after this, if there are other grounds for it. When the information is being processed because of an agreement between the controller and the data subject, the information is stored for as long as the information is needed to carry out the contract. Once the contract has been carried out the information is kept for as long there is a customer relationship or there are other grounds for saving the data. (for example, reclamations or accounting legislation).The register is primarily electronic. The occasional printed versions of the register will be destroyed immediately and appropriately following the T & M Grand Oy guidelines.
    

11. ABOUT THE RIGHTS OF THE DATA SUBJECT
    The personal data in the direct marketing register are processed based on the legitimate right of the controller. (The general data protection regulation article 6 article 1 part e below). In this case the legitimate right is the customer relationship. The personal data is also processed based on the agreement between the controller and the data subject. (The general data protection regulation article 6 article 1 part b below). This basis for processing has been described more in detail in clause 4 of this data protection description.

    
    When the data is processed based on the legitimate interest and agreement, the data subject has the following rights:

    
    The data subject has the right to demand access to their personal data (right of access) to find out if their personal data is being processed in the register. The data subject has in most cases the right to find out what kind of personal information about them has been saved in the register. The controller may ask the data subject to clarify which data or processing procedures the request involves. Based on the data protection regulation the data subject’s right of access to the data may be limited or prohibited, if giving out the information affects the rights of other parties in a harmful way, such protected rights include the controller’s trade secrets or other person’s personal information. The data subject’s right may also be limited by national legislation (such as data protection law).
    

    The right to demand rectification
    Based on the right to demand rectification, the data subject may demand the controller to rectify any unspecific or faulty personal information about themselves without unnecessary delay.
    

    The right to erase data
    If one of the following circumstances is valid, the controller must erase the personal data of the data subject on their request without delay:-The personal data is no longer necessary for the purpose it was collected-The data subject opposes to the processing of the personal data, or there is no legitimate reason for processing them-the data subject objects the use of their personal data for direct marketing (processing for other purposes is still possible in this case)-The personal data has been processed illegitimately
    

    Even if one of these circumstances was valid, the data does not have to be erased if the processing of the data is needed for example for legally binding obligation or for the drawing, presenting or defending of legal claims applied to the controller by the EU law or national legislation.

    
    The right to oppose to data processing
    When the data is processed based on the legitimate interest, the data subject has the right to oppose to the processing of their personal data based on their specific personal situation.If the data subject has opposed to the processing of their data based on a specific personal situation, they must specify what this specific personal situation is. The controller may continue the processing of the data despite the opposing of the data subject, if there is a notably important and justifiable reason, which overrides the rights of the data subject, or if it is needed for drawing, presenting or defending legal claims.
    

    The right to request restriction of data processing
    The controller must restrict active data processing in the following situations:-The data subject denies the validity of the personal information, when the data processing must be restricted until the controller can secure the legitimacy of the data-The processing is illegal, and the data subject demands for restriction instead of erasing of the data-The personal data is no longer necessary for the purpose it was collected, but the data subject needs them for drawing, presenting or defending legal claims-The data subject has opposed to the processing of their personal data (more about the right to oppose to data processing above), and the assessment of weather the legitimate interest of the controller overrides the rights of the data subject is not finalised.
    During the restriction of processing, the data may principally only be stored. The data may also be processed for drawing, presenting or defending legal claims or to protect the rights of other natural or legal persons, or based on the collective good. The data subject must be informed before the processing restriction is removed.
    

    The right to transfer data to another database
    The data subject has the right to receive electronic information about the personal data which is being automatically processed, and which they have personally delivered for the direct marketing database, and transfer the data to an another controller, if technically possible.
    

12. THE DATA SUBJECT’S RIGHT TO MAKE A COMPLAINT TO THE SUPERVISING AUTHORITIESThe data subject has the right to make a complaint to the supervising authorities, if the data subject considers that the controller has not followed the data protection legislation.
    

13. REQUESTS REGARDING THE USING OF THE RIGHTS OF THE DATA SUBJECT
    Inquiries regarding personal data processing and situations using data subject’s rights the data subject may contact the contact person stated in article 2.

    
    Inquiries and requests regarding the data subject’s rights must be made in a written form either via e-mail or post. The request may also be presented in person at the controller’s place of business.
    

    The controller may ask the data subject to clarify which information the inquiry concerns.

    
    The controller may ask the data subject to deliver a signed inquiry, to ensure that the personal data is not disclosed to anyone else but the data subject himself. The controller may also ask for an official identification from the person making the inquiry.