for JCDecaux Finland Oy’s Corporate Customer, Supplier, Partner and Marketing Register
Updated February 26, 2025
Updated February 26, 2025
JCDecaux Finland Oy (Business ID 0201696-2)
Mekaanikonkatu 11, 00880 Helsinki, Finland
Contact details for any data protection questions and requests:
The data controller processes personal data based on the following legal bases and for the following purposes:
The register contains the following information concerning the decision-makers and contact persons of the current and potential customer, subcontractor and co-operation partner companies and entities:
The information in the register is as a rule collected from the data subject themselves in connection with their use of services and the website, filling out a contact request or other form, conclusion of an agreement or other personal, electronic or telephone dealings or in connection with attendance at events. Furthermore, personal data may be collected and updated from publicly available information sources, such as from corporate websites, trade register, postal operators, contacts services (for instance Suomen Asiakastieto Oy, Fonecta Oy, Posti Oy) as well as from other comparable corporate and decision-making registers and other public and private registers.
The data controller may disclose information recorded in the register to the data controller’s group companies and co-operation partners, when necessary for carrying out the intended purposes of the register, e.g. to deliver the agreed products or services. Otherwise, information is not disclosed to third parties without the data subject’s consent.
The data controller also has the right to utilise subcontractors for carrying out the intended purposes of the register. Such subcontractors include, for instance:
In such cases, personal data may be transferred to subcontractors in the extent necessary for the carrying out of the services. These subcontractors process personal data on behalf and in the name of the data controller, in accordance with the data controller’s instructions and this privacy policy. The data controller shall ensure through contractual means that personal data is processed in accordance with the legislation.
Personal data may be transferred to be processed also in a country outside of the EU/EEA. Unless the European Commission has decided that the level of data protection in the processing country is acceptable, the data controller ensures appropriate data protection by concluding with its subcontractors written agreements using the standard clauses approved by the European Commission (Decision C (2010)593) or through another lawful procedure.
The right of use to the data is limited to only the persons who by virtue of their work are entitled to process the information in the register. The data is retained in locked premises, protected by access control. Electronic data has been protected with firewalls, access rights control and other technical means. Each user has their own user ID and password to the system. The data controller ensures the actualisation of data security in its subcontractors’ services by means of data processing agreements to be concluded with its subcontractors processing personal data.
Personal data is retained for as long as necessary for the intended purpose. As a general rule, the information is deleted when 1.5 years have elapsed from the cessation of the customer, supplier or other relationship between the data controller and the Company, or once the data controller has been informed that the data subject is no longer a contact person of the Company, with the following exceptions:
The data controller assesses the necessity of retaining data on a regular basis and takes all reasonable measures to ensure that no personal data concerning the data subject that are incompatible with the purposes of the processing, outdated or incorrect are retained in the register.
Each data subject has the right to inspect their data recorded in the register of persons and to have any incorrect, outdated, unnecessary or unlawful information be rectified or erased. The data subject also has the right to retract at any time the personal data processing consent they have previously granted. Retracting consent shall not affect the lawfulness of the processing that occurred prior to retracting consent.
The data subject has the right to object to personal data processing or to request a restriction on the processing, as well as to lodge a complaint to the data protection officer regarding personal data processing.
If the data subject has submitted their personal data to the data controller and the processing is based upon consent or agreement, they have the right to obtain such information for themselves in a structured, generally used and machine-readable form and the right to transfer the data to another data controller in accordance with the legislation in force.
When the basis for the processing of personal data is a legitimate interest, the data subject has the right to object to the processing of their data on a basis related to their particular personal situation. In connection with filing the request, the data subject must specify the particular situation that the objecting is based upon.
Requests concerning the exercise of the above-mentioned rights must be sent to the email address mentioned under Clause 1. If necessary, the data controller may request the data subject to specify their request in writing and to prove their identity.