Privacy Policy

1. General

This privacy policy describes how Cactos Oy (“The controller”) processes personal data, what personal data is collected, the purposes for which personal data is processed and to which parties personal data may be disclosed and how you can influence the processing of your personal data. This privacy policy also provides information about the obligations that we comply with regarding the processing of personal data.

This privacy policy applies to customer work of Cactos Oy and delivering services, processing personal data in the context of services, as well as our online services, such as cactos.com website and processing the personal data collected through cookies. This privacy policy also applies to the processing of personal data of the representatives of our partners.

We comply with data protection legislation when processing personal data. Data protection legislation refers to data protection legislation in force, such as the EU General Data Protection Regulation (2016/679) (“Data Protection Regulation”) and the National Data Protection Act (5.12.2018/1050). Terms related to data protection that are not defined in this privacy policy shall be interpreted in accordance with data protection legislation.

Please note that our website may contain links to websites and services operated by other organisations which are not managed by us. This privacy policy does not apply to the use of them, and we recommend getting acquainted with the privacy policies of these third parties. We are not responsible for the privacy policies or terms of use of other websites or services (even if you access them by using links on our websites). We provide these links only as additional information in order to serve you better.

2. Name of the register

Cactos Oy Customer and Partner Register

3. Contact information for matters concerning the register

Managing director Oskari Jaakkola oskari@cactos.fi

4. Data content of the register

In our register, we process personal data of our customers, representatives of our corporate customers and representatives of our partners.

We collect and process the following personal data:

  • name
  • contact information, such as address and email address
  • username (when the username includes data through which a data subject can be identified, such as first or last name)
  • cookie information
  • IP addresses

5. Purpose and lawful basis for processing personal data

The controller or its authorised partner (acting on behalf of the controller) uses the personal data of the register in accordance with personal data legislation for the following purposes:

  • customer relationship management and development
  • enabling access for the customer’s representatives to access the information systems
  • providing, delivering and producing services
  • contract management and billing

The controller shall have the right to process personal data on the following grounds:

  • On the basis of the contract: concluding and implementing an agreement between the controller and the customer
  • On the basis of a legitimate interest: the controller has a legitimate interest based on the customer relationship to use customer data for the development of services and the marketing of products and services under the conditions and limitations defined by law.

6. Regular data sources

Information is obtained from representatives of customers and partners in connection with requests for tenders, orders, contracts and other contacts.

Data is also collected through the use of cookies and similar technologies in accordance with the procedures enabled by the applicable regulations.

Personal data may also be collected from public information sources such as company websites and LinkedIn.

7. Processors and other recipients of the data

In principle, personal data will not be disclosed to third parties. Data may also be transferred for processing to the partners of Cactos Oy for the purposes specified in section five.

8. Data transfer from EU/EEA

The personal data is not transferred outside the EU/EEA.

9. Principles of personal data retention

Personal data will be kept as long as the controller uses the data for the purposes described in section four. Personal data stored in the register will be deleted when there is no longer a legitimate basis for processing them.

Personal data will be stored in the Customer Information System for a maximum period of seven years after the end of the customer relationship or until the customer requests the deletion of the data. Personal data may also need to be kept longer than this if applicable law or our contractual obligations towards third parties require a longer retention period.

10. Principles for the  protection of the register

The data security of the register and the confidentiality, integrity and availability of the personal data shall be ensured by appropriate technological protection and organisational measures.

Only persons employed by Cactos Oy or its authorised operators whose work requires the processing of personal data are entitled to access the data. The register data is protected by personal user IDs and passwords. We require our staff and partners to commit to maintaining the confidentiality of customer data.

More on Cactos Oy’s data security policy here.

11. Rights of the data subject

The data subject has the rights based on data protection legislation. Please note that the precise application of these rights in each individual situation will depend on the purpose and context for which the personal data is processed.

Data subjects may send all requests concerning their rights by email to oskari@cactos.fi

As a rule, the controller shall not charge a fee for processing the request from the data subject. However, if the data subject's requests are clearly unfounded or unreasonable, such as if they are repeatedly submitted, the controller may charge the data subject a reasonable fee based on the administrative costs of processing the request.

11.1 Right of access by the data subject and right to obtain a copy of personal data

The data subject shall have the right to obtain confirmation as to whether or not personal data concerning him or her is being processed, as well as information on the processing of personal data as defined in data protection legislation. In addition, the data subject shall have the right to receive a copy of the personal data being processed.

11.2 Right to examination and rectification

The data subject shall have the right to access the personal data that is stored in the register. The data subject shall have the right to request the correction of inaccurate or imprecise personal data.  

11.3 Right to erasure

The data subject shall have the right to obtain the erasure of personal data concerning him or her without undue delay provided that:

  • the personal data is no longer necessary for the purposes for which it was collected or otherwise processed;
  • the data subject withdraws the consent on which the processing was based and there is no other lawful basis for the processing;
  • the personal data has been unlawfully processed; or
  • the personal data must be deleted to comply with a legal obligation under Union law or national law.

11.4 Right to restriction of processing

Restriction of processing of the personal data means that the personal data subject to the restriction may, in addition to retention, be processed only:

  • with the consent of the data subject
  • for the purpose of drawing up, making or defending a legal claim
  • to protect the rights of another natural or legal person
  • for reasons of important public interest of the Union or of a Member State

The data subject shall have the right to obtain restriction of processing by the controller if:

  • the data subject contests the accuracy of the personal data, in which case the processing shall be restricted until the controller verifies the accuracy of the data;
  • the processing is unlawful, and the data subject objects to the erasure of the personal data and requests instead the restriction of their use;
  • the controller no longer needs the personal data concerned for the purposes of the processing, but the data subject needs it for the purpose of drawing up, making or defending a legal claim.

11.5 Right to withdraw consent

If the processing of personal data is based on the consent of the data subject, the data subject shall have the right to withdraw his or her consent at any time without affecting the lawfulness of the processing carried out on the basis of that consent. However, the personal data of the data subject may be retained if the retention of the personal data is necessary to comply with a legal obligation imposed on the controller.

11.6 Right to data portability

The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to the controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller if it is technically possible.

11.7 Right to lodge a complaint with a supervisory authority

The data subject shall have the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her infringes the applicable data protection legislation.

12. Changes to the privacy policy

We develop our services constantly, and we might need to change and update this privacy policy. Changing this privacy policy can also be based on changes in the applicable legislation. We advise you to familiarize yourself regularly with the content of this privacy policy. The newest version of this policy can be found on our website.

Version history

Version                                                                  Date

1. First privacy policy published                   07.02.2023