Updated February 26, 2025

JCDecaux Finland Oy (Business ID 0201696-2)
Mekaanikonkatu 11, 00880 Helsinki, Finland

Contact details for any data protection questions and requests:

•  by email: gdpr@jcdecaux.fi
• by telephone:  +358 20 7758 200

The data controller processes personal data based on the following legal bases and for the following purposes:

1. implementation of a contract between the data controller and a company being its customer, supplier, subcontractor, landlord or co-operation partner (hereinafter, the ”Company”) and the carrying out of actions preceding the conclusion of the contract upon the data subject’s request, e.g. responding to queries, quotation requests, etc., provision and obtaining of agreed products and services, administration of contracts and orders, invoicing and debt collection;
2. the creation, management, maintenance and development of a customer or other relationship between the data controller and the Company, in accordance with a legitimate interest based upon the contractual relationship between the data controller and the Companies; design and development of business, products and online as well as other services and customer service; customer and other satisfaction surveys, along with any other communications based upon the relationship between the Company and the data controller;
3. carrying out the data controller’s statutory obligations, as well as the detection, prevention and investigation of any fraud, money laundering and other criminal action and malfeasances, in accordance with the data controller’s legitimate interests;
4. in accordance with the data controller’s legitimate interests, the direct marketing of its products and services and targeting of same (incl. sending a newsletter) by telephone, by letter, email, SMS message or otherwise in electronic form; carrying out of surveys and market research, arranging marketing contests and other events;
5. based on the data subject’s consent concerning the use of cookies, the processing of information regarding the use of online and mobile services and social media for analytics, segmentation, profiling as well as advertising the products and services of the data controller and of its co-operation partners and for the targeting of same in their own and other Internet and mobile media, services, applications and for any other purposes set forth in this policy. For further information on the use and management of cookies, see here [insert link to cookie information here];
6. in accordance with the data controller’s legitimate interests, for analysing, profiling, segmentation and compiling statistics of the data subjects and their data in conjunction with the aforementioned purposes and for the purposes of same.

The register contains the following information concerning the decision-makers and contact persons of the current and potential customer, subcontractor and co-operation partner companies and entities: 

• Basic information: name, rank or occupation, status or position in the company, company details, business ID and name of sole proprietor, work-related contact details (mailing and visiting address, email address, telephone number), year of birth, gender, mother tongue, service language, preferred mode of communication;
• Marketing information: information concerning tasks and position in business life or in public office, professional interests, other information disclosed by the data subject; marketing measures directed at the data subject, attendance at events, direct marketing and other permissions and consents, as well as prohibitions and restrictions;
• Information on the use of electronic services: e.g. registration details required by the right of use, such as user ID, alias, password and any other individualising identification; information concerning the reading of newsletters, utilisation and browsing information concerning services collected with the aid of cookies, advertising identifiers or other comparable technical means of monitoring, displayed advertisements as well as details of clicking on advertisements; site from which the user has transferred to the data controller’s site, device model, individual device and/or cookie identifier, data collection channel (internet browser, mobile browser, application), browser version, IP address, session identifier, session time and duration, as well as screen resolution and operating system, positioning data.
• Information related to communications: e.g. feedback and communications, emails, electronic communications forms, chats, telephone call recordings, other measures undertaken by the data subject on behalf of the company it represents
• Information on use of social media: The data controller’s website may utilise social media functions (i.e. social media plugins), such as the ”Share” or ”AddThis” button intended for the sharing of content. When you utilise these buttons, the data controller and the provider of the social media plugin collect and share information in accordance with the cookie consent you have given on how you use the data controller’s website and social media. For further information on the use and management of cookies, see here [insert a link to the cookie information here]. The company providing the social media plugins bears responsibility for same. The privacy policy for the AddThis plugin is available at https://www.oracle.com/legal/privacy/addthis-privacy-policy.html
• Profiling and classification information: customer/user and marketing segments and analyses formulated on the basis of analysing and profiling the information described above, as well as classification etc. information collected from regular data sources.

The information in the register is as a rule collected from the data subject themselves in connection with their use of services and the website, filling out a contact request or other form, conclusion of an agreement or other personal, electronic or telephone dealings or in connection with attendance at events. Furthermore, personal data may be collected and updated from publicly available information sources, such as from corporate websites, trade register, postal operators, contacts services (for instance Suomen Asiakastieto Oy, Fonecta Oy, Posti Oy) as well as from other comparable corporate and decision-making registers and other public and private registers.

The data controller may disclose information recorded in the register to the data controller’s group companies and co-operation partners, when necessary for carrying out the intended purposes of the register, e.g. to deliver the agreed products or services. Otherwise, information is not disclosed to third parties without the data subject’s consent.

The data controller also has the right to utilise subcontractors for carrying out the intended purposes of the register. Such subcontractors include, for instance:

• ICT service providers
• Analytics services providers: Google
• Marketing automation: Hubspot

In such cases, personal data may be transferred to subcontractors in the extent necessary for the carrying out of the services. These subcontractors process personal data on behalf and in the name of the data controller, in accordance with the data controller’s instructions and this privacy policy. The data controller shall ensure through contractual means that personal data is processed in accordance with the legislation.

Personal data may be transferred to be processed also in a country outside of the EU/EEA. Unless the European Commission has decided that the level of data protection in the processing country is acceptable, the data controller ensures appropriate data protection by concluding with its subcontractors written agreements using the standard clauses approved by the European Commission (Decision C (2010)593) or through another lawful procedure.

The right of use to the data is limited to only the persons who by virtue of their work are entitled to process the information in the register. The data is retained in locked premises, protected by access control. Electronic data has been protected with firewalls, access rights control and other technical means. Each user has their own user ID and password to the system. The data controller ensures the actualisation of data security in its subcontractors’ services by means of data processing agreements to be concluded with its subcontractors processing personal data.

Personal data is retained for as long as necessary for the intended purpose. As a general rule, the information is deleted when 1.5 years have elapsed from the cessation of the customer, supplier or other relationship between the data controller and the Company, or once the data controller has been informed that the data subject is no longer a contact person of the Company, with the following exceptions:

• Utilisation data of electronic services and information related to communications is retained for five years from the said time.
• Anonymised data may be retained permanently.
• The basic details of the data subject and the marketing information may be retained permanently for the purposes of direct marketing.
• Data collected on the basis of consent shall be retained in accordance with the consent.
• In circumstances permitted by the legislation in force from time to time, beyond the above-mentioned retention periods.

The data controller assesses the necessity of retaining data on a regular basis and takes all reasonable measures to ensure that no personal data concerning the data subject that are incompatible with the purposes of the processing, outdated or incorrect are retained in the register.