Privacy statement


This is Sold Out Services Oy's register and privacy statement in accordance with the EU General Data Protection Regulation (GDPR). Prepared on 28.06.2024. Latest change on 30.06.2024.

1. Data Controller

Sold Out Services Oy, Sateenkaari 3 H 134, 02100 Espoo
info@soldoutservices.fi

2. Contact Person for the Register

Kari Heikkilä, kari.heikkila@soldoutservices.fi, +358503838580

3. Name of the Register

Sold Out Services Oy's online service user register

4. Legal Basis and Purpose of Processing Personal Data

The legal basis for processing personal data under the EU General Data Protection Regulation is:

  • The individual's consent (voluntary, specific, informed, unambiguous)
  • A contract to which the data subject is a party
  • The legitimate interest of the data controller

The purpose of processing personal data is to maintain contact with customers, manage customer relationships, and conduct marketing.

5. Contents of the Register

The information stored in the register includes: the person's name, company/organization, contact details (phone number, email address, address), information about ordered services and their changes, billing information, and other information related to the customer relationship and ordered services. Data is retained for 48 months, after which it is anonymized. IP addresses of website visitors and cookies necessary for the functionality of the service are processed based on legitimate interest, such as ensuring data security and collecting statistical data on website visitors when these can be considered personal data. Consent is separately requested for third-party cookies if necessary.

6. Regular Sources of Information

The data stored in the register is obtained from customers through messages sent via web forms, email, telephone, social media services, contracts, customer meetings, and other situations where the customer provides their information. Information about contact persons of companies and other organizations can also be collected from public sources such as websites, directory services, and other companies.

7. Regular Disclosures of Data and Transfers Outside the EU or EEA

Data is not regularly disclosed to other parties. Data may be published to the extent agreed with the customer. Data may be transferred by the data controller outside the EU or EEA. Data is not transferred to the United States without the explicit consent of the data subjects. Data is disclosed to service providers whose services the customer has ordered for the management of the customer relationship and order.

8. Principles of Register Protection

Care is taken when processing the register, and data processed via information systems is appropriately protected. When register data is stored on internet servers, the physical and digital security of the equipment is adequately ensured. The data controller ensures that stored information is treated confidentially and only by employees whose job description it includes.

9. Right of Access and Right to Rectification

Every person in the register has the right to check their stored data and request the correction of any inaccurate or incomplete information. If a person wants to check their stored data or request a correction, the request must be sent in writing to the data controller. The data controller may request the requester to prove their identity if necessary. The data controller will respond to the customer within the time frame set by the EU Data Protection Regulation (usually within one month).

10. Other Rights Related to the Processing of Personal Data

Persons in the register have the right to request the deletion of their personal data from the register ("right to be forgotten"). Likewise, data subjects have other rights under the EU General Data Protection Regulation, such as the restriction of personal data processing in certain situations. Requests must be sent in writing to the data controller. The data controller may request the requester to prove their identity if necessary. The data controller will respond to the customer within the time frame set by the EU Data Protection Regulation (usually within one month).