Registry and Privacy Statement

Prepared on: December 16, 2024

1. Data Controller
Brande Oy

2. Contact Person for Registry Matters
Jari Palonen
jari.palonen@brande.fi
+358 400 572 860

3. Name of the Registry
Customer Registry of the Impaktitalous.fi Website

4. Legal Basis and Purpose of Processing Personal Data
The legal basis for processing personal data under the EU General Data Protection Regulation (GDPR) is:
The data subject’s consent (documented, voluntary, specific, informed, and unambiguous), or A contract in which the data subject is a party.

Purpose of processing:
To manage customer communication and marketing activities.
No automated decision-making is performed based on the data.

5. Data Content of the Registry
The registry may include:

• Name
• Position
• Company/organization
• Contact details (phone number, email, address)
• Website addresses
• IP address of the network connection
• Information about subscribed services and changes to them
• Billing information
• Other information related to the customer relationship and subscribed services

Visitor IP addresses and essential cookies for the website’s functionality are processed under legitimate interest—for example, to ensure security and collect visitor statistics when such data can be considered personal.
Consent is requested separately for third-party cookies when necessary.

6. Regular Sources of Data
Information stored in the registry is primarily obtained from the customer via:

• Web forms
• Email
• Phone
• Social media
• Contracts
• Customer meetings
• Other situations where the customer voluntarily shares their data

Contact information for representatives of companies and organizations may also be collected from public sources such as websites, directory services, and other companies.

7. Regular Disclosures and Transfers of Data Outside the EU/EEA
Data is not routinely disclosed to third parties. Information may be published only with the customer’s explicit consent.

8. Cookies
The controller’s website uses third-party analytics and marketing services (Google Analytics). The system collects visitor data via cookies for the purpose of developing the website and services—not for identifying individual users. Google Analytics transmits and stores this data on its own servers.

9. Principles of Registry Protection
The registry is handled with care, and data processed through information systems is protected appropriately. When registry data is stored on Internet servers, physical and digital security of the equipment is ensured. Access to stored data, server credentials, and any security-critical information is strictly limited to employees whose job descriptions include such responsibilities. All handling of personal data is done confidentially.

10. Right of Access and Right to Request Correction
Every person registered has the right to:

• Access the personal data stored about them
• Request correction of inaccurate data
• Request completion of incomplete data

To make such a request, a written application must be sent to the data controller. Proof of identity may be required. The controller will respond within one month.

11. Other Rights Related to Personal Data Processing
Data subjects have the right to:

• Request the erasure of their personal data from the registry (“right to be forgotten”)
• Restrict the processing of personal data in certain situations
• Exercise all other rights under the GDPR

Requests must be submitted in writing to the data controller. Proof of identity may be requested. The controller will respond within one month.