NEXSTIM

DATA PROTECTION DESCRIPTION

Legal Basis for the Processing and Purpose of Use of the Personal Data:

Processing of personal data ("Contact Data") is generally and primarily based on legitimate interest of the data controllers. Based on defined purposes of uses of Contact Data and relationship between data controllers and data subjects, the primary legitimate interest of the data controllers is the possibility to conduct justified and legitimate business according to applicable legislation.

Secondarily, the company processes personal data based on the consent given by the data subject.

Thirdly, for certain data subjects, the processing of Contact Data is based on direct or indirect contractual relationship between data subjects and data controllers.

Purposes of use:

  1. Marketing activities and information sharing;
  2. Client satisfaction and market surveys;
  3. Customer relationship management ("CRM");
  4. Business development and reporting;
  5. Quality management;

Data Content:

  • First name;
  • Last name;
  • Title;
  • Company (employer);
  • Job role;
  • Street Address;
  • Postal Code;
  • City;
  • State;
  • Country;
  • Contact Method;
  • Telephone number;
  • Mobile phone number;
  • Telephone extension;
  • Fax number;
  • Email address;
  • Miscellaneous business information (free text field);
  • Customer survey communication prohibition;
  • Preferred customer survey method;
  • Membership in strategic customer survey contacts group;
  • Digital identity management system identifier;
  • Indicator of access to data controllers' digital platforms;
  • Email marketing consent;
  • SMS marketing consent;
  • Accepted data protection statement version;
  • General direct marketing inhibition;
  • Last data processing activity (time stamp);
  • Geographical location consent (if any);
  • Cookie consent;
  • Data request date (if any);
  • Web behavior information (depending on data subject's activity).
    The information collected may include, for example, the browsed page and visited pages of the user, network provider, IP address, location of the user, session ID, time and duration of the session, device model, unique device and/or cookie identifier, device operating system, screen resolution, channel (such as an application, a mobile browser or an internet browser) and the version of the web browser.
  • Data from electronic notices.
    The information collected from email notices includes the reading of the notices, the number of openings, the time of the openings, opened links and the user IP address.

Data Subjects

Any natural persons representing customer companies of Nexstim Group, and natural persons representing companies investing in Nexstim Group and other persons interested in Nexstim Group.

Regular Sources of Data

Customer contact persons themselves and also when the data subject uses the services of the data controller, other persons representing the customer companies of Nexstim Group, employees and other persons working for or representing Nexstim Group.

Personal data may also be collected and updated from third party registers, such as Partners, service providers and networks providing contact information for user groups.

Regular Disclosures of Data and Transfer of Data to countries outside EU and/or EEA:

Contact Data are not disclosed (to another controller for independent use unless required by the law such as to authorities) regularly except within companies of Nexstim Group and even then at all times in accordance with applicable laws.

Contact Data are transferred outside EU and/or EEA (incl. Switzerland) only as allowed by and in accordance with applicable laws. In case of absence of EU Commission adequacy decisions, EU Commission standard contractual clauses (of type controller to processor, EU Commission decision 2010/87/EU) are used as appropriate or suitable safeguards for these data transfers. Copies of the standard contractual clauses will be available through the contact details mentioned below. Furthermore, if EU Commission adequacy decisions are applicable we may rely on them.

If Contact Data is transferred to external data processors (subcontractors or vendors), appropriate contractual arrangements (including EU Commission standard contractual clauses, as applicable), as required by the applicable laws, are executed to secure lawful and appropriate processing of Contact Data.

Security Principles of Data File:

Contact Data is protected by technical and organizational measures against accidental and/or unlawful access, alteration, destruction or other processing including unauthorized disclosure and transfer of Contact Data.

Such measures include but are not necessarily limited to proper firewall arrangements, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Personnel processing Contact Data as part of their tasks are trained and properly instructed in data protection and data security matters.

Right to Object Data Processing:

In accordance with the law the data subject has at any time the right to:

  1. Object to the processing of Contact Data for the purposes of direct marketing, market research and opinion polls; and
  2. On grounds relating to his or her particular situation, object to the processing of his/her Contact Data when lawfulness of processing is based on legitimate interest of the data controllers.

In order to use these rights, the data subject shall contact the below mentioned contact persons in writing (incl. e-mail). However, the request may be declined where allowed or required under the law.

Other Rights of Data Subject:

In accordance with the law the data subject has at any time the right to:

  1. Access the Contact Data on him/her and at request, receive a copy of the Contact Data and related supplementary information concerning Contact Data processing as required by the law;
     
  2. Request, provided that the purposes of data processing allow:

    • Inaccurate Contact Data to be rectified;
    • Incomplete Contact Data to be supplemented; and
    • Outdated or obsolete Contact Data to be erased.
       
  3. Be forgotten by us, if:

    • Contact Data are no longer necessary in relation to the purposes of data processing;
    • The data subject has objected to the data processing pursuant to reason explained above in point 2 of the section "Right to Object Data Processing" and there are no overriding legitimate grounds for the data processing;
    • The data subject has objected to the data processing pursuant to reason explained above in point 1 of the section "Right to Object Data Processing"; or
    • The Contact Data have been unlawfully processed by us;
       
  4. Restrict the processing of the Contact Data on him/her if:

    • Data subject contests the accuracy of the Contact Data;
    • The processing is unlawful, and the data subject opposes the erasure of the Contact Data and requests the restriction instead;
    • The data controllers no longer need the Contact Data for the purposes of uses, but Contact Data are required by the data subject for the establishment, exercise or defense of legal claims; or
    • Data subject has objected to processing pursuant to reason explained above in point 2 of the section "Right to Object Data Processing" and pending the verification whether the legitimate interests of the data controller override those of the data subject;
       
  5. Receive the Contact Data concerning him or her, which he or she has provided to data controllers, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller when the processing is necessary for performance of a contract where the data subject is involved; or
     
  6. Lodge a complaint with a supervisory authority (Finnish Data Protection Ombudsman).

In order to use these rights, the data subject shall contact the below mentioned contact person in writing (incl. e-mail). However, the request may be declined where allowed or required under the law.

Retention Period of Contact Data:

The necessity of retaining clients' and prospective clients' personal data for marketing purposes, as well as the data's correctness, is reviewed annually. Unnecessary and outdated data will be erased in accordance with the reviewing of the data's correctness, and also at other times when deemed necessary, and at the request of the data subject.

Provision of Contact Data

It is not statutory for the data subject to provide the Contact Data, but certain Contact Data is required to execute marketing activities and to provide you with information from Nexstim Group. Lack of or failure to provide Contact Data prevents or may prevent the business activity (such as business contract) as the case may be.

Data Controller

Nexstim Plc, with the register number 1628881-1.
Address: Elimäenkatu 9b, 00510 Helsinki,
Tel: +358-(0)9-2727 170

Contact Person in Matters Related to Data File:

Data Protection Officer
info@nexstim.com
Tel: +358-(0)9-2727 170