Privacy policy for customers and partners
This is Katsa Oy’s privacy policy relating to the employees of commercial co-operation partners.
Drawn up 24 May 2018.

1. Controller

Katsa Oy, Ilmailunkatu 23, 33900 Tampere, Finland

2. Contact person responsible for privacy policy

Ville Hovi, +358 3 31 515 369

3. Name of the privacy policy

Privacy policy customers and other interest groups

4. Legal basis for and purpose of personal data processing

Grounds for the processing under the EU’s General Data Protection Regulation are:
– agreement which the data subject is party to
– controller’s legitimate interest.
The purpose of the personal data processing is communication with customers and interest groups,
maintaining the customer or supplier relationship, customer service, invoicing, processing of
invoices, processing of notices of defect, and marketing.
Data will not be used for automated decision-making or profiling.

5. Information that Katsa processes

The following data are processed: person’s name, position, undertaking/organisation, contact
details (telephone number, email address, address), IP address, details of ordered services and
changes thereof, billing information, other data related to customer or supplier relationship, and
information related to ordered goods and services.
The data will be stored for the duration of the customer relationship or other co-operation
relationship or for the period set out in law.

6. Regular sources of information

Personal data are received from the customer, the supplier or other co-operation partner inter alia
by email, phone, through social media services, agreements, in customer or co-operation meetings,
and in other situations in which the customer or other co-operation partner provides their

7. Regular disclosures of data and transfer of data outside the EU or EEA

Data are not regularly disclosed to third parties. Data may be published insofar as this has been
agreed on with the customer or other co-operation partner.
Data may also be transferred outside the EU or EEA by the controller.

8. Principles of filing system protection

Care is taken in the processing of the filing system, and data processed using data processing
systems are protected appropriately. When records are stored on web servers, the physical and
digital data security of the equipment thereof is appropriately taken care of. The controller ensures
that the stored data and access rights of the servers and other information critical to the security of
the personal data are processed confidentially and only by such employees who need to do so over
the course of their working duties.

9. Provision of personal data

Personal data are provided to co-operation partners for the purposes of sending and receiving
invoices and notices of defect and fulfilling contractual obligations.

10. Other rights related to the processing of personal data

The data subject has the rights set out in the EU’s General Data Protection Regulation. Any requests
shall be sent in writing to the controller at

If necessary, the controller may request additional information, e.g. for the purpose of verifying
the identity of the person making the request. The controller will reply to the customer within the
time limit set out in the General Data Protection Regulation (typically within one month).

10.1. Right of access

The data subject has the right to obtain from the controller confirmation as to whether or not
personal data concerning them are being processed, and, where that is the case, access to the
personal data and the additional information included in the 8-point list given in the relevant Article
15 of the GDPR.

10.2. Right to rectification

The data subject has the right to demand that the controller rectify inaccurate personal data
concerning them without undue delay. Taking into account the purposes of the processing, the data
subject has the right to have incomplete personal data completed, including by means of providing
a supplementary statement.

10.3. Right to erasure i.e. right to be forgotten

The data subject has the right to obtain from the controller the erasure of personal data concerning
them without undue delay, and the controller has the obligation to erase personal data without
undue delay where one of the six grounds listed in the relevant Article 17 of the GDPR applies.

10.4. Right to restriction of processing

The data subject has the right to obtain from the controller restriction of processing where one of
the four grounds listed in the Regulation applies, such as that the accuracy of the personal data is
contested by the data subject.
If processing has been restricted, these personal data may, with the exception of storage, only be
processed, inter alia, with the data subject’s consent or for the establishment, exercise or defence
of legal claims or for the protection of the rights of another natural or legal person.

10.5. Right to have the controller notify the recipients of the data of rectification, erasure and
restriction of processing

The controller shall communicate any rectification or erasure of personal data or restriction of
processing to each recipient to whom the personal data have been disclosed, unless this proves
impossible or involves disproportionate effort. The controller shall inform the data subject about
those recipients if the data subject requests it.

10.6. Right to data portability

The data subject has the right to receive the personal data concerning them, which they have
provided to a controller, in a structured, commonly used and machine-readable format and has
the right to transmit those data to another controller without hindrance from the controller to
which the personal data have been provided, where the processing is based on consent or the
processing is carried out by automated means.
In exercising their right to data portability, the data subject has the right to have the personal data
transmitted directly from one controller to another, where technically feasible.

10.7. Right to object

The data subject has the right to object, on grounds relating to their particular situation, at any time
to processing of personal data concerning them which is based on certain points of Article 6,
including profiling. The controller may no longer process the personal data unless the controller
demonstrates compelling legitimate grounds for the processing which override the interests, rights
and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to
object at any time to processing of personal data concerning them for such marketing, which
includes profiling to the extent that it is related to such direct marketing.

10.8. Right not to be subject to automated decision-making

The data subject shall have the right not to be subject to a decision based solely on automated
processing, including profiling, which produces legal effects concerning them or similarly
significantly affects them. What matters is whether the controller, in its own operations, makes
automated decisions that have the effects on the data subject described above.
The aforementioned shall not apply if the decision is necessary for conclusion or execution of an
agreement between the data subject and the controller or is based on the data subject’s express

10.9. Right to receive information on a personal data breach concerning the controller

Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural
persons, the controller must inform the data subject of the personal data breach without undue

10.10. Right to lodge a complaint with a supervisory authority

Without prejudice to any other administrative or judicial remedy, every data subject has the right
to lodge a complaint with a supervisory authority, in particular in the Member State of their
habitual residence, place of work or place of the alleged infringement if the data subject considers
that the processing of personal data relating to them infringes the General Data Protection

10.11. Right to receive compensation for suffered damage

If a data subject suffers material or non-material damage as a result of an infringement of the
General Data Protection Regulation, they have the right to receive compensation from the
controller or processor for the damage suffered.



