Updated: 5 September 2022
We serve as data controllers for a number of our contract customers (“Customer”), for example when users (“User”) and customer contact persons (“Customer Contact Person”) working in the customer organisations store personal data on our service.
Our business operations make it necessary to process personal data (personal data refers to any information by which an individual is or can be identified, such as name, email address, organisation and/or profile picture). We are committed to protecting personal data in accordance with the EU General Data Protection Regulation (679/2016) and the applicable national data protection legislation (“Data Protection Legislation”).
Contact details of the controller:
Business identity code: 1768399-5
Address: Leppäsuonkatu 6, 00100 Helsinki
Telephone number: +358 (0)207 571 650
The above contact details can be used for asking questions or making inquiries regarding the personal data we process. To address the matter, steps to ascertain identity may be required. We will be happy to provide any additional information and instructions necessary for addressing the matter at hand.
Sources of data
We collect personal data primarily from the Customer or the individuals themselves. We collect personal data that
- the Customer Contact Person or User discloses to us, for example when concluding a contract or logging in to or using our Service;
- the Customer Contact Person or User voluntarily adds to their profile;
- is received from other sources to the extent permitted by law, such as the Trade Register, Population Information System, Business Information System or the Postal Service Address Information System; and
- is obtained by means of cookies (Google Analytics) when our website is accessed.
It is not mandatory for the Customer Contact Persons or Users to provide us with personal data, but a failure to do so may make it impossible for us to provide the Service.
What personal data do we collect?
Information on Users, Customers, partners and potential customers, such as:
- User data: first name, last name, email (username), password, profile picture, organisational unit/industry/division, title, courses taken and time spent on courses, grades, test results, chat conversations, logs of service usage, and data collected from websites using cookies or similar technologies.
- Customer’s or partner’s contact persons: first name, last name, organisation, title, telephone, email
- Prospects: first name, last name, organisation, title, telephone, email
- Customer contacts and information related to customer relationships: correspondence, entries related to data subjects’ rights as well as service and order information, payment information, invoicing information and the results of customer satisfaction surveys
- Marketing information: such as consents/bans as well as information obtained through direct marketing efforts, such as newsletter clicks and click-through rates
Purpose and legal basis of the processing of personal data
We collect, store and process personal data for pre-determined purposes. We make sure in every instance that a valid legal basis exists for processing personal data. We process the personal data of Customer Contact Persons and Users for the following purposes:
Provision of the Service and customer service
We collect and process personal data for the purpose of fulfilling contractual obligations in connection with the provision of services and for the purpose of maintaining customer relationships. During a customer relationship, we process personal data for purposes such as the delivery of services, invoicing, collection, complaints processing, customer service and feedback management. We also gather information on the representatives of our partners.
We also collect functional information related to customer-specific service usage reporting, including information about the courses a person has taken, tests, access times and content views.
In these cases, the processing of personal data is based on a contract with the customer/partner and its preparation and our legitimate interest.
Marketing and customer communications
The personal data may be used for marketing and customer communications:
- For Customer Contact Persons, we may carry out electronic direct marketing and social media advertising to provide information about new features and content on the Service or to promote other services provided by us or our partners, or to run various campaigns and competitions before, during or after the commencement of the customer relationship.
- For Users, we may, unless otherwise agreed with the Customer, implement electronic direct marketing and social media advertising to provide information about new features and content on the Service, or to promote other services provided by us or our partners, or to run various campaigns and competitions during the customer relationship. We may also provide marketing communication services to a Service User even after the expiry of the customer relationship if the User has personally subscribed to our newsletters or blog.
- We may also direct marketing efforts at potential new customers (“Prospects”). If so, we will process the personal data of the company contact persons in full compliance with law.
We collect, aggregate, analyse and otherwise process the personal data of Customer Contact Persons, Users and Prospects in order to better understand their interests and offer them products or services that are of interest to them. For example, we collect information about your website behaviour and process viewing history information in order to provide targeted communications and marketing materials. Additionally, we use statistics on site visits for customer segmentation for sales purposes.
In the above cases, the processing of personal data is based on our legitimate interest and possibly on the consent of the individual involved.
Business development, data security and in-house reporting
We also process personal data for the purpose of developing our business related to the provision of services and for internal reporting purposes. By this we mean, inter alia, the processing of personal data in order to be able to provide a suitable range of courses or to conduct market research, customer surveys and opinion polls. However, the internal reports will not show the details of any individual Users.
We also process personal data in order to ensure the data security of the Service and website, to improve the quality of the Service and website, and to test and develop the Service and related services, systems, tools and processes.
In these cases, the processing of personal data is based on our legitimate interest to ensure the proper functioning of our Service and website and data security as well as to obtain sufficient and appropriate information necessary for developing the Service and managing our business.
Fulfilment of legal obligations
We may also process personal data in order to comply with legal obligations (including those related to accounting and taxation), to respond to or prepare for legal actions or claims, or to investigate and prevent crime, fraud or other irregularities.
In this respect, the lawful basis for processing personal data is a legal obligation or right.
Other purposes that you have consented to
We may also process your personal data for other purposes that you have given your consent to.
Who process your personal data? Is the data disclosed to other parties?
Personal data is processed by our employees in the course of their regular duties. Additionally, personal data is processed by our partners, such as outsourced sales, marketing or service providers performing such services for our account. In such cases, we will ensure, through agreements or otherwise, that the confidentiality of the personal data is maintained and that the data is otherwise processed in accordance with the law and only for our benefit. We also give access to the performance data to designated contact persons within the customer organisation in order to fulfil our contractual obligations.
Otherwise, we may also disclose information when we are required to do so by law, a court of law or competent authority, or in order to respond to or prepare a legal claim, or when the Customer has consented to such disclosure. We may also disclose information if we are involved in a corporate or business transaction or other business or corporate restructuring.
Is personal data transferred to outside the European Union (EU) or the European Economic Area (EEA)?
As a rule, personal data is not transferred outside the EU, but as data is primarily stored and processed electronically, some of our service providers/contractors may be located in countries outside the EU. They include Survey Monkey (SVMK Inc.), HubSpot, Inc, ActiveCampaign, Inc., which we use to collect activation messages and carry out skills surveys. In this case, we put in place appropriate safeguards to ensure that the rights and freedoms of data subjects are honoured as provided in the Data Protection Legislation.
The graduation data of Users is not transferred outside the EU/EEA.
For how long will the data be retained?
As a rule, personal data is stored for the duration of the customer relationship. Parts of personal data may be retained, as appropriate, even after the expiry of the customer relationship, to the extent permitted or required by the applicable law or for as long as required for the purposes of this data file and the rights and obligations of the parties involved. For example, after the end of a customer relationship, we typically retain personal data that is necessary to respond to claims or lawsuits in accordance with the applicable statute of limitations. We may also, for example, retain personal data to the extent necessary to comply with your direct marketing opt-out and to develop our Service.
In addition, we may process your personal data for sales and marketing purposes before the start, or after the expiry, of the customer relationship, unless you have specifically opted out. In such a case, we will delete your personal data if, for example, your contact details no longer work and there is no other obstacle to deletion. Also, we may delete your data at your request, if it is possible to do so.
Personal data will be deleted when their retention is no longer necessary to comply with the law or the rights or obligations of either party.
How is the data protected?
Technical data security safeguards are in place to protect the data. Access to personal data is limited by access rights, user IDs and passwords. We hold all personal data in confidence. Our offices are located in a building provided with an access control system and the premises in which the data is processed are controlled and protected as appropriate.
Please note that all data security violations cannot be prevented even by appropriate safeguards. Any data security breaches are reported to you as provided in the Data Protection Legislation.
Consequences of failure to provide personal data
The provision and processing of personal data is necessary for the purpose of testing our services and entering into and performing contracts so as to allow us to ensure that the persons entering into contracts are competent and authorised to do so and to fulfil our contractual obligations while at the same time ensuring that our rights are respected and that no misuse occurs.
Rights of data subjects
The rights of the data subject are based on the EU General Data Protection Regulation, which, in certain situations, provides for the right of access and the right to have the data rectified or erased. The data subject may exercise his or her rights in the situations defined by law. The full exercise of rights may be subject to restrictions.
Any requests concerning the rights of data subjects must be made in writing to the contact person of the controller. Situations concerning the exercise of rights are assessed on a case-by-case basis and resolved by the issuance of a separate decision. As a rule, a request regarding the exercise of the data subject’s rights is to be answered within one (1) month of receipt of the request. No charge applies to the requests. If the request is manifestly ill-founded or unreasonable, in particular if it is filed repeatedly, the data subject may be charged a reasonable fee or the request may be refused. Any request concerning the exercise of rights may only apply to the personal data of the person making the request. The rights include the following:
Withdrawal of consent
If we process your personal data based on your consent, you may withdraw your consent at any time by notifying us using the contact details above.
Access to data and filing a request to review the data
As a data subject, you have the right to obtain confirmation from us as to whether we are processing your personal data and to know what personal data we are processing. Additionally, you have the right to complementary information on matters such as the basis on which your personal data is processed.
Right to rectification
As a data subject, you have the right to request that we correct any inaccurate, outdated or otherwise incomplete personal data about you.
Direct marketing opt-out
Even if we did not process personal data for direct marketing purposes on the basis of your consent, you may, at any time, object to the processing of your data for direct marketing purposes by contacting us using the contact details above.
Right to object to the processing of data
If we process personal data based on a public or legitimate interest, you have the right, as a data subject, to object to the processing of your personal data unless there are compelling reasons for such processing which override your right, or such processing is necessary for bringing or responding to legal action. It should be pointed out that in such a situation we are not likely to be able to provide the Service to the person involved.
Right to restrict processing
As a data subject, you have the right to demand that we restrict the processing of your personal data in certain situations.
Right to portability
If we have been processing your personal data on the basis of your consent or for the purpose of performing a contract, you have the right to receive the data provided to us electronically in a commonly used format so as to make it possible to transfer the data to another service provider.
Communications regarding personal data
With regard to matters concerning the processing of personal data, you may contact us using the contact details of the controller indicated above. If you find that you are unable resolve the matter concerning the processing of your personal data through our mutual communications, you may also contact the competent supervisory authority, i.e. the Data Protection Ombudsman at tietosuoja.fi.