Privacy policy

This is the Register and Privacy Statement of Magni Mundi Oy according to the EU’s General Data Protection Regulation (GDPR). Created on 22.05.2018. Last change 23.05.2018.

Controller

Magni Mundi Oy, PL 41, 20101 Turku, Finland

Contact person for register queries

Annamari Laine, annamari(at)magnimundi.fi, tel. +358 40 758 8449

Name of the Register

Customer and marketing register of Magni Mundi

Legal basis and the purpose of processing personal data

The legal basis for the processing of personal data under the EU’s General Data Protection Regulation is:
– the consent of a person (documented, voluntary, individualized, aware and unambiguous)
– a contract to which the registered person is a party
– legitimate interest of the controller (e.g. customer relationship).

The purpose of processing personal data is to communicate with customers, arrange trips according to customers’ wishes, maintain customer relations, carry out marketing, and other similar purposes.

Information is not used for automated decision making or profiling.

Information content of the register

The information to be stored in the register is: person’s name, position, company / organization, contact information (phone number, e-mail address, address), website addresses, information on subscribed services and their changes, billing information, other information related to customer relationships and ordered services.

We will keep personal information as long as it is necessary for the purpose of processing the personal data. Personal data in the Customer and Marketing Register will be deleted when the period of complaint related to a specific customer relationship or service has expired, or the data is no longer needed due to the deadlines required by the Accounting Act, or the information used for marketing actions is identified as obsolete or unavailable. The information will be deleted no later than 10 years after the last contact of the registered contact person or contact.

Regular sources of information

The information stored in the register is obtained from the customer via, among others, email, phone, social media, contracts, customer meetings and other situations where the customer delivers their information.

Regular disclosure or transfer of personal data outside the EU or EEA

Information is not disclosed to other parties except as far as is necessary for the provision of services ordered by the customer. The information can be published as far as it has been agreed with the customer.

Data can also be transferred by the controller to outside the EU or the EEA.

The recipient groups include organizers of various transport, accommodation and excursion services.

Principles of registry protection

Careful handling of the registry is ensured, and data processed by the information systems is adequately protected. When keeping records on Internet servers, the physical and digital security of their hardware is handled appropriately. The controller shall ensure that stored data, server access privileges and other critical data related to the security of personal data are processed confidentially and only by employees whose job description includes such processing.

Material in paper form is kept in a locked space, with access only by those entitled. Access to digital material is limited to those entitled to handle the material, and requires a personal user name and password.

The right of inspection and the right to demand correction

Everyone in the register has the right to check his / her data stored in the register and to demand that any incorrect information be corrected or incomplete information supplemented. If a person wishes to check or request correction of his / her record, the request should be sent in writing to the registrar. The controller may, if necessary, request the applicant to prove his / her identity. The controller will respond to the customer within the time limit set in the EU Data Protection Regulation (usually within one month).

Other rights related to the processing of personal data

A person in the register has the right to request the deletion of his / her personal data from the register (“the right to be forgotten”). Those who are registered also have other rights under the EU’s General Data Protection Regulation, such as restricting the processing of personal data in certain situations. Requests should be sent in writing to the registrar. The controller may, if necessary, request the applicant to prove his / her identity. The controller will respond to the customer within the time limit set by the EU Data Protection Regulation (usually within one month).