The data protection declaration of the customer register (Lacara RAC Ky)
The data protection declaration of the customer register according to the Personal Data Act (523/1999) 10 § and 24 § and to the General Data Protection Regulation (679/2016) Articles 12 and 13
Name of the register
The Customer register of Lacara RAC Ky
Lacara RAC Ky
Hämeentie 12, 00530 Helsinki
Contact person regarding this issue
The justification for keeping the register
We handle personal data due to a customer relationship based on a contract.
The purpose of keeping the register
The purpose of keeping the register is to reliably and flexibly maintain customer relationships and to provide better service. The information may be used to maintain, improve and analyze customer relations and other services.
The information may also be used to direct mailing and targeting network marketing.
The description of the registered persons’ groups
The person has or has had a customer relationship, or an application or an offer has been made to establish the relationship.
The content of the register
– Customer’s basic contact information such as name, home address, email address, phone number, personal identification number, driver’s license details and credit card number
- Information about use of services (past reservations and rentals)
- Information about direct marketing permissions
- Information regarding billing and collecting
- Additional information concerning customer service circumstances
- IP address of the website user
- Vehicle positioning data
The regular information sources
The information about the potential customers will be received from themselves with permission during the website visit or via some other personal or digital interaction.
The personal data may be collected or updated also from a population information organization or system, trade register, credit card register or some other such public or private register.
Regular disclosure and transfer of data outside the EU or the EEA
The personal data may be disclosed only with the permission of the registered, under the rental terms and conditions, or obligated by the present legislation. Data (limited to the purpose) may also be disclosed to carefully selected service providers and business partners (e.g. auto repair shops & dealers) only when providing the service and maintaining the customer relationship so demands (e.g. sending the contract paper to the pick-up place).
The third party, carefully selected by the registrar, may handle the information. The ownership of the information does not shift to the third party and the third party does not have a right to a broader usage of the information than the assignment requires.
We have ensured that all of our service providers are aware and obey the data protection legislation. The service providers used regularly are:
– Tujaus Oy (the administrator of the register)
– Outokone Oy
– Projant Oy (previously Ab LevelUp Oy)
– Zoner Oy (Domain services)
– Google G-Suite (e-mail services)
The data will not be transferred or disclosed outside the EU or the EEA.
Principles for the protection of the data
When handling the data, we will follow good practice in information management and care and protection obligations according to the data protection legislation.
We put all the necessary technical and organizational measures into practice to protect the data from outsiders accessing it; intentionally or unintentionally losing, damaging, harming or changing it; or from any other illegal handling.
Only employees whose assignments so require have access to the data.
Digitally stored and managed data is in a database secured with firewalls, passwords and other technical means. Manual data is stored inside the controller’s premises in locked facilities and may only be accessed by authorized staff members. The facilities are secured by an access control system and the employees are under a formal obligation of secrecy.
Data preservation time and criteria
Data will be preserved as long as the purpose of managing personal data demands it. Deletion times and practices will be determined, and old and unnecessary personal data will be deleted. The obligation to preserve personal information may also be determined by law.
The rights of the registered
The registered has a right to review the information about themself. The written request with personal identification number and signature is to be submitted to the official mail address of the company. The request may also be presented in the premises of the registrar in the address mentioned above.
The registered has the right to require the registrar to rectify erroneous data contained in a personal data file.
In certain circumstances the registered has a right to remove the personal data concerning themself or ask to move the information to another data controller.
The registered has a right to prohibit the registrar from using the data for direct mailing, distance selling or other direct marketing, as well as opinion polls and marketing research.
Digital direct marketing may be directed to the registered with permission. The registered may withdraw their consent to this kind of marketing any time.
The primary method of settling disputes is through negotiations between the registrar and the registered. The registered has the right to take the case to the data protection authority.