Privacy policy

1. Data Controller 

Kolmen kampuksen urheiluopisto Oy and its group companies ("Data Controller") 
Pajulahdentie 167
15560 Nastola
Tel: +358 19 31 511 

2. Contact Person Responsible for the Register 

Irina Keinänen, Data Protection Officer 
irina.keinanen@kolmekampusta.fi 
Tel: +358 400 633 989 

3. Name of the Register 

Customer and marketing register of Kolmen kampuksen urheiluopisto Oy. 

The register processes the data of the Data Controller's customers, prospects, and their representatives as described below. 

4. Data Content of the Register 

The register may contain data grouped as follows regarding the data subjects: 

  • Name
  • Email
  • Phone number
  • Title
  • Company and its address details
  • Publicly available classification data
  • Classification data provided by the data subject
  • Order, billing, and delivery information
  • Details of ordered services and their changes
  • Data collected through cookies
  • Data collected from social media channels
  • Information about the device used by the data subject, such as device type, browser, IP address, and other device data
  • Any other data collected with the consent of the data subject 
     

5. Purpose and Basis of Processing Personal Data 

The Data Controller processes personal data for the following purposes: 

  • To manage and administer customer relationships
  • For customer communication
  • To fulfil the rights and obligations of the data subject and the Data Controller
  • For purposes related to online services
  • For research activities
  • In marketing services offered by the Data Controller and its partners
  • To fulfil the statutory obligations of the Data Controller
  • The legal bases for processing personal data in accordance with the EU General Data Protection Regulation are:
  • The consent of the data subject
  • Agreements related to the customer relationship
  • The legitimate interest of the Data Controller
  • Statutory requirements 

6. Regular Data Sources of the Register 

Personal data are collected from the following sources: 

  • Directly from the data subject (such as through the contact forms on the Kisakallio website or social media services)
  • Through the Data Controller's website (newsletter subscriptions, material downloads, event registrations)
  • Through tracking pixels of the Data Controller's newsletters
  • Data collected from the data subject at the time of contract formation
  • Data obtained from customer meetings
  • From the use of the data subject's service
  • From the Data Controller's customer information system
  • Other potential situations where the data subject provides their information to the Data Controller
  • From public data sources, such as company websites, the trade register, through Leadfeeder, or social media channels (like LinkedIn)
  • Through cookies and similar technologies 
     

Additionally, the Data Controller collects visitor data via Google Ads and Analytics, and marketing automation services to analyze and improve the website and target relevant marketing to visitors of the site. The information is stored automatically in the register when users leave data on the website or use the www.kolmekampusta.fi service. 

7. Regular Data Disclosures 

The Data Controller generally does not disclose the personal data of registered data subjects to third parties. Data may be disclosed as required by a competent authority, to fulfil contractual obligations, or to the extent agreed with the data subject. The data of registered data subjects may be disclosed to the Data Controller's subcontractors or partners in certain situations. Such parties process personal data confidentially and based on a separate written agreement according to the written instructions of the Data Controller. 

The Data Controller may disclose statistical or anonymized data that cannot be associated with a data subject. 

8. Data Transfer Outside the EU or EEA 

Data may be transferred and stored on servers outside the EU or European Economic Area for processing by the Data Controller or on behalf of the Data Controller's partner in compliance with the EU General Data Protection Regulation and Finnish data protection law. 

If personal data are transferred outside the EU/EEA, it is done in all cases on a legal basis: 

  • The European Commission has determined that the recipient country guarantees an adequate level of data protection;
  • The Data Controller has implemented appropriate safeguards for the transfer of personal data using standard contractual clauses on data protection approved by the European Commission (a copy of which can be provided upon request);
  • The data subject has given explicit consent to the transfer of personal data; or
  • There is another legal basis for transferring personal data outside the EU/EEA. 
     

9. Data Retention Period 

Personal data are retained only as long as necessary to fulfil the legal bases and purposes of processing personal data as defined in this privacy policy or as long as required by legislation, such as accounting law. The Data Controller regularly assesses the necessity of data retention according to its internal policies. 

10. Rights of the Data Subject 

The data subject has the following rights, and requests to exercise these rights should be made to the address mentioned in section 2. The Data Controller may request proof of identity from the requester if necessary. The Data Controller responds to the data subject within the timeframe stipulated by the EU data protection regulation. 

Right of Access 

The data subject has the right at any time to access their stored personal data. 

Right to Rectification and Erasure (Right to be Forgotten) 

On the data subject's request, the Data Controller rectifies, erases, or completes incorrect, unnecessary, incomplete, or outdated personal data for the purpose of processing. The Data Controller may also rectify, erase, or complete data on its own initiative. 

Right to Withdraw Consent 

The data subject has the right to withdraw consent to the processing of their personal data collected based on consent. 

Right to Data Portability 

The data subject has the right to have personal data transferred to another data controller based on consent or performance of a contract, where technically feasible. The Data Controller transfers the data in a commonly used and machine-readable format. The Data Controller is not responsible for the compatibility of the transfer format with the recipient's system. 

Right to Restrict and Object to Processing 

If the Data Controller processes personal data based on public interest or legitimate interest, the data subject has the right to object to the processing of personal data concerning them, unless there is a compelling reason that overrides the data subject's rights or the processing is necessary for a legal claim. 

The data subject has the right to prohibit direct marketing, including profiling analyses conducted for direct marketing purposes. Each direct email sent by the Data Controller contains a link through which the data subject can choose to prevent direct mailings to their email. 

The data subject has the right to request the restriction of data processing if the personal data are inaccurate, the processing is unlawful, or the data are no longer needed. 

Right to Lodge a Complaint 

The data subject always has the right to lodge a complaint with the relevant supervisory authority or the supervisory authority of the EU member state where the data subject has their domicile or place of work if the data subject believes that the Data Controller has not processed personal data in accordance with applicable data protection legislation. 

11. Principles of Register Security 

Personal data are kept confidential. The Data Controller's network and equipment, where the register is located, are protected by a firewall and other necessary technical measures. The Data Controller ensures that stored data, server access rights, and other critical information for the security of personal data are handled confidentially and only by employees for whom it is part of their job description. 

12. Cookies 

The Data Controller uses cookies on its websites to enhance the user experience and for targeted advertising. Cookies are small text files sent by the browser and stored on the user's computer. 

The cookies used by the Data Controller relate to marketing automation (Mautic), targeted advertising (Google Ads), analysis and monitoring of website visitor data (Hotjar and Leadfeeder), and social media channels used by the Data Controller (including LinkedIn, YouTube, Twitter, Instagram, and Facebook). These software record information about which pages a person visits, how long they stay on the site, how they arrived at the site, and which links they click. 

13. Changes to the Privacy Policy 

The Data Controller reserves the right to change this privacy policy by announcing it on this page.