Personal Data Act (523/1999) 10§ and 24§ & GDPR (679/2016) articles 13, 14 and 30
Name: Basecamp Explorer AS
Business ID: 979 581 297
Address: Mustads Vei 10, 0283 Oslo, Norway
2) PERSON IN CHARGE OF DATA FILES
Name: Brita Knutsen Dahl
3) THE CATEGORIES OF DATA SUBJECTS
3.1) persons who are employed by Basecamp Explorer AS or seek employment from Basecamp Explorer AS;
3.2) other persons who contact Basecamp Explorer AS via email or website or through other means.
4) THE CATEGORIES OF PERSONAL DATA
The data files concerning the data subjects of Sections 3.1 and 3.2 may contain the following categories of personal data:
- contact information, such as full name, address, phone numbers and e-mail addresses;
- data about your device, such as the type of your device, your IP address and various diagnostic data; and
- possible other information gathered with the data subject’s consent.
The data files concerning the data subjects of Sections 3.1 and 3.2 may also contain the following categories of personal data:
- user information, such as username, password and other unique identification, browsing information, search information and other information concerning your use of our services; and
- information regarding the customer relationship, such as billing and payment information, product, service and ordering information, and information regarding customer feedback, contacts and cancellation.
The data files concerning the data subjects of Sections 3.1 and 3.2 may also contain the following categories of personal data:
- personal identification numbers;
- nationality, age, gender, title or profession and mother tongue;
- work background; and
- bank account data.
5) PURPOSE OF THE PROCESSING OF PERSONAL DATA
Personal data of the data subjects of Sections 3.1 – 3.2 can be handled for the following purposes:
- customer service;
- for improving our user experience;
- to enable us to comply with our legal and regulatory obligations; and
- analysis and statistics.
Personal data of the data subjects of Section 3.1 can also be handled for the following purposes:
- management and development of the customer relationship; and
- marketing, market surveys and studies.
Personal data of the data subjects of Section 3.2 can also be handled for the following purposes:
- management and development of the employee and jobseeker relationships; and
- management of employment contracts and other related matters.
Personal data can also be processed by Basecamp Explorer AS’s affiliate companies, if any, in accordance with the Personal Data Act, the GDPR and the Data Protection Act.
6) LEGAL BASIS FOR PROCESSING
The controller has the right to process the personal data of the data subjects based on:
- consent received from the data subjects;
- performance of a contract in which the data subject acts as the contact person of the organizer;
- a legal obligation to which the controller is subject;
- the need to protect the vital interests of the data subject or of another natural person;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
7) REGULAR SOURCES OF INFORMATION
Information regarding the data subjects is regularly gathered:
- from data subjects themselves via phone, internet, e-mail or in other similar fashion; and
- with cookies and other similar technologies.
8) PERIOD FOR WHICH THE PERSONAL DATA WILL BE STORED
The controller shall not store the personal data longer than is necessary, taking into consideration the purpose for the processing of personal data. If a jobseeker is not chosen for the position she applied for, we shall not store any of her data without her consent. If we do not receive her consent, we destroy her data immediately. If she gives us her consent, we may store her data for six (6) months, after which we will destroy all such data. The controller inspects the necessity of the stored personal data monthly.
9) CATEGORIES OF RECIPIENTS OF PERSONAL DATA
The recipients of personal data may consist of the following categories:
- Basecamp Explorer’s affiliate companies;
- third parties who offer cloud services;
- third parties who offer accounting, marketing and auditing services;
- third parties who help Basecamp Explorer to fulfil its legal obligations.
In addition, all information other than information concerning the data subjects of Section 3.1 may be disclosed with the data subject’s consent for marketing purposes in accordance with the Personal Data Act and the GDPR.
10) REGULAR DISCLOSURE OF DATA AND INFORMATION TRANSFER OUTSIDE OF THE EU OR THE EUROPEAN ECONOMIC AREA
Information may be transferred to and stored on a server outside of the EU or the European Economic Area to be processed by the Controller or the Controller’s affiliate on the Controller’s behalf in accordance with the Finnish Personal Data Act, the GDPR and the Data Protection Act.
11) DATA SUBJECTS’ RIGHTS
The data subject has the right to use all of the rights mentioned below. Requests concerning these rights shall be submitted to the person in charge of the data file stated in Section 2. The rights of the data subject can be exercised only when the data subject has been satisfactorily identified.
Right to inspect
Having presented adequate and necessary information, the data subject has the right to know what data, if any, the controller has stored about her/him in this register. While providing the requested information to the data subject, the controller must also inform the data subject of the register’s regular sources of information, what the personal data is used for and where it is regularly disclosed.
Right to rectification and erasure
The data subject has the right to request the controller to rectify inaccurate and incomplete personal data concerning the data subject. The data subject can request the controller to erase the personal data concerning the data subject, if:
- the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based;
- the personal data has been unlawfully processed; or
- the personal data has to be erased for compliance with a legal obligation in EU or Member State law to which the controller is subject.
If the controller does not accept the data subject’s request to rectify or erase the personal data, it must give the data subject a written decision on the matter. The decision must include the reasons for which the request was not granted. The data subject may then refer the matter to the relevant authorities (Data Protection Ombudsman). The controller must inform any party to whom it has disclosed the personal data, or from whom it has received the personal data, of the rectification or erasure of the personal data. However, there is no such obligation where the fulfilment of the obligation would be practically impossible or otherwise unreasonable.
Right to restriction of processing
The data subject can request the controller to restrict the processing of the personal data concerning the data subject where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; or
- the controller no longer needs the personal data for the purposes of the processing, but the personal data is required by the data subject for the establishment, exercise or defense of legal claims.
If the controller has based the restriction of the processing of personal data on the abovementioned criteria, the controller shall give a notification to the data subject before removing the restriction.
Right to object
Where personal data is processed for direct marketing purposes, the data subject shall have the right to object at any time to processing of personal data concerning her/him for such marketing, which includes profiling to the extent that it is related to such direct marketing.