Privacy policy
1. Controller
TK Asset Management Oy
Business ID: 2704700-1
Kauppiaskatu 11 C 23, 20100 Turku
2. Contact person in matters concerning the register
Matti Äijälä, CEO
matti.aijala@tkassetmanagement.fi
3. Name of register
Tuloskiinteistöt Oy's customer register
4. General information about the processing of personal data in the customer register
In this document, the term “customer” refers to
- clients (such as property sellers and landlords) to whom the controller provides brokerage services and their counterparties (such as property buyers and tenants);
- potential buyers, tenants, etc. who are interested in properties being brokered by the controller, but who do not ultimately conclude a sale or lease agreement with the client; and
- parties who order valuation and consulting services provided by the controller.
The controller’s customers are mainly companies, in which case the term “data subject” refers to a contact person acting for and on behalf of the company. In exceptional cases, the customer may be a sole trader, a real estate consortium or a private person.
The processing of personal data contained in the customer register complies with the Data Protection Act and any other applicable legislation, decrees, regulations and official instructions on the processing of personal data. This document provides more detailed information about the procedures for processing personal data and the data subject’s rights.
5. Purpose and legal basis for processing personal data
The purposes for processing personal data in the customer register are:
- entering into a contractual/customer relationship with a customer with regard to a brokerage order, and establishing a relationship with the customer’s counterparty (or a potential counterparty interested in the property) in order to complete the order and fulfil contractual obligations;
- entering into a contractual/customer relationship with a customer who has ordered valuation or consulting services, in order to complete the said order and fulfil contractual obligations;
- managing and developing contractual/customer relationships;
- customer communications and marketing related to properties in which the customer is interested;
- providing, producing and developing the controller’s services;
- invoicing and debt collection; and
- fulfilling the controller’s legal obligations.
The brokerage activities carried out by the controller are governed by the Act on Real Estate and Housing Agency Services (1074/2000) and Act on Real Estate Brokerage and Letting Agencies (1075/2000). These acts require the controller to collect and process information and documentation about clients and orders, including the properties, counterparties and transactions (“assignments logbook”).
The processing of personal data is therefore based on fulfilling a contract or any prior action requested by the data subject as per Article 6(1)(b) of the EU General Data Protection Regulation (2016/679), and/or compliance with the controller’s legal obligations as per Article 6(1)(c). If no other legal basis is mentioned, the processing of personal data is based on the data subject’s consent to the processing of personal data as per Article 6(1)(a).
6. Data content
The customer register may contain the following information about data subjects:
- the first and last name of the customer company’s contact person, their contact details (email and telephone number), job title and position at the company, gender and language
- if the customer is a sole trader, real estate consortium or private person, their personal identity number, postal address and bank account number in addition to the aforementioned details
- the customer company’s name, business ID, contact information, website URL, sector, payment information and other similar company information
- tenants’ credit ratings/other financial information
- information for invoicing and debt collection
- properties in which the customer has shown interest, and the customer’s reason for contacting the controller
- information related to the customer account/contractual relationship, such as services provided, the commission agreement, property details, the consulting, lease or sale agreement, and other similar information
- information about complaints and their processing
- IP address
Changes to all of the aforementioned data types may also be processed.
7. Regular sources of personal data
Data is mainly collected from the data subject and/or the customer company. Personal data may also be collected and updated from property management offices, company registers, the National Land Survey of Finland, credit registers and other registers.
8. The disclosure of personal data to third parties
The personal data stored in the customer register will not be disclosed or transferred to third parties, with the exception of an external accounting company that handles the controller’s accounting and an external service provider that handles the controller’s IT services. These external service providers are located in Finland. In specific situations prescribed by law, personal data may also be disclosed to the authorities (such as the Tax Authorities and Regional State Administrative Agencies).
When using external service providers to process personal data, the controller uses contractual means to ensure that personal data is processed in accordance with the requirements of applicable data protection legislation and only for the purpose specified by the controller.
No personal data will be transferred outside the EU or the European Economic Area.
9. Retention of personal data
The controller will delete outdated, unnecessary and incorrect personal data as soon as the controller has been made aware of this.
The information contained in the assignments logbook and in lease, sale and consulting agreements will be stored for ten (10) years from the end of the commission, unless there is a justifiable reason to retain the data for a longer period in order to fulfil obligations and responsibilities based on the customer relationship or to resolve a dispute. Otherwise, the controller will not retain data for longer than is necessary to carry out the purpose described in this privacy policy and to comply with any statutory legislation. If the processing of personal data is based solely on the customer’s consent, the personal data will be deleted at the customer’s request.
10. Protection of personal data
The register will be kept a) digitally and protected by appropriate technical means and data protection procedures, and/or b) will be manually available only to those entitled to the registered data. The information contained in the customer register can only be accessed by employees of Tuloskiinteistöt Oy who have agreed to keep personal data confidential, comply with appropriate data security measures and adhere to the principles of the General Data Protection Regulation.
Access to information systems is protected by user-specific usernames, access rights and passwords. Third parties are prevented from accessing the data in the register, and data security has been implemented using appropriate and regularly updated technical solutions that prevent unauthorised access to data (such as firewalls and antivirus software).
11. The data subject's rights
A data subject
- has the right to know whether the register contains any data concerning them, and if so what personal data the register contains;
- has the right to request the correction, deletion or completion of their personal data if that data is incorrect, unnecessary, incomplete or outdated with regard to the purpose for collecting and processing personal data specified in this privacy policy;
- has the right to request restrictions on the processing of their personal data;
- has the right to receive the personal data supplied to the controller in a structured, commonly used and machine-readable format, and also the right to send that data to another controller if processing is based on consent or a contract and the processing is carried out automatically.
The data subject has the right to withdraw their consent to the processing of any personal data that was collected on the basis of the data subject’s consent. Withdrawing consent does not affect the legality of any processing carried out prior to the withdrawal.
A data subject who wishes to exercise the above-mentioned rights must submit a specific request to the contact person responsible for the register by means of a document signed by the data subject themselves.
The data subject has the right to lodge a complaint with the data protection authorities if the data subject feels that their personal data has been processed in violation of current legislation.