GAPPS Privacy Statement
We develop digital services, so it is evident that we could not practice our business without collecting and processing some amount of personal data. Personal data is all data relating to an identified or identifiable person, such as name, email address and photo. However, every person values his/her privacy. That is why we are also committed to protecting the privacy of our customers, employees, partners and job candidates.
GAPPS processes personal data relating to its customers, employees and job candidates in accordance with this privacy statement and applicable laws. We may update this privacy statement due to changes in our operations or in applicable laws.
We also often operate in the role of a data processor to our customers. The data processing principles for that role are described in our customers’ privacy policies and in the contracts we conclude with our customers.
The data controller relating to processing of personal data pursuant to this privacy statement is (hereinafter also “GAPPS”, “us” or “we”):
Contact persons in privacy matters:
For what purposes does GAPPS collect and use personal data, and what is the legal basis for processing personal data?
We collect, store and process personal data relating to customers (existing and potential), employees and job candidates only for predefined purposes. We also always make sure that there is at least one legal basis for processing personal data. The main purposes and the applicable legal basis for processing personal data are:
Providing and delivering our services. We collect and process personal data for fulfilling contractual obligations relating to provision of our services. During the customer relationship, we also use personal data for invoicing, debt collection, handling of complaints as well as for customer support purposes. The legal basis for this processing is a contract between GAPPS and the customer, or preparations made for concluding a contract, as well as our legitimate interest.
Sales and marketing. We contact potential customers and execute direct and digital marketing campaigns, such as social media advertising and search engine marketing. We may also perform marketing based on customer profiles. The legal basis for this processing is primarily our legitimate interest. A person, however, always has the possibility to object to direct marketing. We do not sell or rent personal data for marketing purposes to third parties.
Customer communications. We collect and process personal data for customer communication purposes, such as handling support requests and feedback as well as for making service notifications. The legal basis for this processing is our legitimate interest, possibly also a contract between GAPPS and the customer.
Analytics and business development. We may also use personal data for developing our business relating to development of digital services. The legal basis for this processing is our legitimate interest.
Fulfilling legal obligations. We may also use personal data for fulfilling legal obligations (e.g. bookkeeping, employment contracts act, tax laws).
HR and recruiting. Personal data relating to employees are mainly collected and used for human resources management purposes, such as payment of salaries, fulfilling other rights and obligations relating to employment contracts and meeting legal requirements relating to employment. The legal basis for this processing may be fulfilling a contract between GAPPS and the employee, consent as well as fulfilling legal obligations relating to employment. In recruitment situations we use personal data primarily for preparing an employment contract and on the basis of consent of the job candidate. Based on consent we may also process personal data from other sources than the job candidate.
What personal data does GAPPS collect, and from which sources?
We collect, store and use personal data mainly relating to our customer contacts (including potential customers), employees and job candidates.
We collect personal data relating to our customers and potential customers mainly from the persons themselves. We also collect data regarding the use of our website with Google Analytics. During the customer relationship we also collect and store data, but this concerns mainly the company, not a person. Information about potential customers may also be collected from other service providers and public sources, such as LeadFeeder, Fonecta, Discover.org and LinkedIn.
Typically we get the following data relating to customers and potential customers from the persons themselves:
- company name
- name of the person
- work email
- work phone
- marketing opt-in / opt-out
- contact in support matters
- contact in contractual matters
Similar data may also be received from other service providers and public sources.
Employee data is collected from the employee and with consent from other sources. We may also process personal data that is generated during the employment.
We collect and store especially the following personal data about employees:
- social security number
- salary and information required for payment of salaries and withholding taxes
- contact details
- sick leave information (for legal obligations relating to employment)
- other data (with consent)
Job candidate data is received mainly from the candidates themselves and, with the person’s consent, from other sources.
Regarding job candidates we process especially the following personal data:
- basic contact details
- education, experience, skills and previous employers
- application and CV
- references (with consent)
- LinkedIn profile (regarding applicants, with consent)
- recruitment and selection test results (with consent)
- statement regarding person’s working ability (with consent)
Who processes personal data? Is it transferred to anyone?
People within our organization have access to the personal data for the purposes of performing their work tasks. The more sensitive the data, the fewer people have access.
We store most data in electronic form only and we use a substantial number of digital services and tools for performing our work. The providers of such services may be considered data processors to GAPPS. We use third party services especially in the following matters:
- cloud storage;
- project management and communication;
- marketing automation and CRM;
- finance and bookkeeping;
- internal communication;
- email marketing;
- website hosting;
- customer chat and support ticketing system; and
- electronic signature of contracts.
In these situations, we make sure contractually and otherwise that the confidentiality of personal data is secured and data is processed and transferred lawfully and for our benefit only.
We may also transfer personal data to a third party for fulfilling a legal obligation or requirement by an authority. We may also transfer personal data to a third party if we are involved in a business sale or business restructuring.
Is personal data transferred outside the EU?
Personal data is primarily processed inside the EU, but as data is stored mainly in electronic form, some of the cloud services we use may be located outside the EU. These include, for instance, Google and Mailchimp. If personal data is transferred outside the EU, we make sure that it is done with adequate safeguards. Adequate safeguards may mean (1) transferring data to a transferee located in a white-listed country (as decided by the EU Commission from time to time), (2) transferring data to a transferee that is Privacy Shield certified (if a US-based company), or (3) that the transfer occurs by using model clauses published by the EU Commission.
How long is data stored?
We will not store personal data for a longer period than is necessary for its purpose or required by contract or law. The retention periods for personal data may vary based on its purpose and the situation as well as on the legal basis for processing personal data. The data may be deleted (1) when a person withdraws his/her consent or requests deletion of his/her data and we have no other grounds for processing personal data, (2) when a contractual relationship ends, or (3) when data becomes obsolete or is inaccurate. The retention period may also be based on laws (e.g. accounting, tax laws, employment contracts act). We may also update data from time to time.
How is data stored and kept secure?
Personal data is stored primarily in electronic form and it is secured in accordance with general industry standards and practices. We consider and keep personal data confidential. Access to personal data is also protected with user-specific logins, passwords and user rights. We do not sell or rent personal data for marketing purposes. Our premises are also safe and secure.
Is it mandatory to provide personal data? What happens if you don’t provide it?
We need some amount of personal data especially in customer relationships to conclude and fulfill contracts. Relating to employment we also need to process at least the minimum personal data required to fulfill employment contracts and legal obligations relating to employment.
What rights do you have?
Withdraw your consent
If we process personal data based on your consent, you can at any time withdraw your consent by notifying us, for instance by contacting us using the contact details provided above.
Access to data
You have the right to obtain confirmation of whether we are processing your personal data and also to know what data we have about you. In addition, you have the right to some supplemental information described in the law about the processing activities.
Right to have errors corrected
You have the right to request that we correct any inaccurate or outdated personal data we have about you.
Right to prohibit direct marketing
You have the right to request that your personal data is not processed for direct marketing purposes by contacting us using the contact details provided above.
Right to object to processing
If we process your personal data based on public interest or our legitimate interest, you have the right to object to the processing of your data, to the extent that there is no such significant other reason that would override your rights or the processing is not necessary for handling legal claims. Please note that in this situation we may not be able to serve you anymore.
Right to restrict processing
In certain situations you have the right to require that we restrict processing of your personal data.
Right to data portability
If we process your personal data based on your consent or fulfilling of a contract, you have the right to require transfer of the data you have provided to us to another service provider in a commonly used electronic format.
How can you use your rights?
You can exercise your rights by contacting us, for instance by using the contact details provided above. Remember also that we need to use reasonable measures to verify your identity before executing your rights. If you consider that the processing of your personal data is not lawful, you can always also make a notification to a supervisory authority (tietosuojavaltuutettu; www.tietosuoja.fi/en).