Data Processing Policy, according to the EU General Data Protection Regulation (EU 2016/679)
Tehtaankatu 27-29, 5th floor
Business ID: 0112428-3
2. Contact person in matters regarding the register
Merja Berg / lankapalvelu(@)novita.fi
3. Name and description of the register
4. Purpose for processing personal data
The purpose for processing personal data is to offer Novita’s services to its customers. The personal data is processed within the limits of the EU General Data Protection Regulation and local legislation for purposes regarding Novitaknits.com (including targeted service, communication, marketing, inquiry, statistical and other corresponding measures, and necessary verification and data security measures), and additionally for managing possible legal obligations. Novita may additionally use the personal data for individually targeted sales and marketing efforts and other digital marketing.
5. Justification for processing personal data
Processing the personal data is justified primarily by the data subject’s explicit consent to the processing. In other cases processing is justified because the data subject has voluntarily submitted the personal data to Novita in order to get access to the services of the website.
6. Content of the register
The register contains only personal data that the users of the service have entered themselves, or that has been created at the users’ request or with their consent. For a registered user of the service, the following personal data is commonly processed:
Display name of the service
The system adds user identity codes and information regarding the consent for processing given by the user, and also possible links to the user’s social media accounts.
The user may also post content to the community of the web service, and comment on and like other users’ content. Any content entered into the web service becomes the property of Novita, and it will remain available in the service to its other users also after the posting user has left the service. The source of such content is marked as ’unknown’ after its creator has left the service.
All processed personal data, the purposes of processing, storage location, storage duration, forwarding of data, access rights to the data and approvals for processing can be requested from Novita’s contact person identified above in section 2.
7. Regular data disclosure
Data may be disclosed to Novita’s service providers for storage, processing and maintenance of the personal data, for charging of fees, or for delivering services ordered by the customers. Information can also be disclosed to authorities for fulfilling legal obligations or at the request of an authority. Additionally, external technical experts under maintenance and non-disclosure agreements may get access to personal data in the service when improving or repairing the system. A copy of the service including its personal data may be created for development and maintenance purposes for quality assurance reasons.
8. Transfer of personal data outside the EU or EEA
Personal data will not be transferred outside the EU/EEA.
9. Principles of data security
Personal data is primarily stored not in paper format but in digital format, either on Novita’s own computers or on computers of Novita’s outsourced data processors. The register is processed confidentially. Access to the register is restricted to persons who are bound by a non-disclosure agreement and who need to access the personal data due to and according to their duties as employees or subcontractors of Novita.
The register is protected with appropriate IT security technology, including firewalls and other technical and organizational protective measures. However, it should be noted that no service on the internet is completely secure.
10. The rights of the data subject
Novita guarantees the data subjects all the legal rights given to them. Among these rights are especially the right to access, correct, transfer, and restrict processing of the personal data, and the right to be forgotten.
The right to get the personal data deleted is limited. Novita can refuse to delete the data if processing it is necessary, for example, for legal obligations, for contractual reasons, for possible communication of data security matters, or investigation of something related, or for other legally justifiable reasons. Novita will not actively process the personal data if the data subject prohibits it.
If the data subject wishes to use his/her legal rights, the data subject needs to confirm his/her identity and present the request in writing. The contact information can be found in sections 1 and 2 of this document. The data subject should be aware that restricting the processing of his/her personal data may limit the services offered partly or completely.
11. Storage time of the personal data
Novita keeps the personal data of the data subjects for the duration of their customer relationship. The personal data of a service user will be deleted when the user has not logged in to the service for a continuous period of three years. If the personal data is needed for fulfilling legal obligations (for example, bookkeeping obligations), it is stored for 10 years, or for the period set by law in that particular context. Novita may also anonymize the personal data instead of completely deleting it. This means that all references to the data subject will be deleted, but any user-generated content or other non-identifiable data may be kept without time limitations.
Novita inspects and evaluates the use of its customers’ personal data regularly as a part of the company’s business development and in light of possible changes in legislation. Novita has a unilateral right to update this data processing policy by giving notice in advance by appropriate means, or by giving notice when the user logs into the service. Novita may in this case request renewed acceptance of the terms of service.