Tampereen Aluetaksi Oy
Privacy Policy Clause

(Updated: 15.11.2018)

1. General on processing your personal data

We process your personal data, so that we are able to offer our services, maintain and develop our business and improve the quality of our services. Personal data is also processed, so that we can be in contact with you about the application (“Application”) and notify you of any changes that apply to it. We also process your personal data to comply with our legally mandated obligations. In addition, we process and release personal data to our partners for direct marketing purposes if you have provident consent to it.

We follow the effective data privacy laws in our operations. We also exercise special care to ensure data privacy of our Users when using the Application. By using the Application, you consent to the Application’s privacy principles and the terms of the Privacy Policy. You can withdraw consent at any time for processing your data and upon withdrawal, you are to terminate use of the Application from the account management of the Application or by contacting our Customer Service.

2. What personal data do we process

When you create a login for the Application, you are to provide your name, email address and phone number. Providing this information is a requirement for using the Application. People less than 15 years of age may only use the Application, if their legal guardian has provided consent to process the data.

3. Location data

Location data is utilised upon submitting orders in order to offer the default location and to offer the order history. The location data of orders can be used to develop the Service and it may be released to third parties to offer value add services. The location data can also be disabled, but this reduces the usability of the service.

4. Managing your personal data

You can review and manage your information in the user management function in the Application.

If you delete the Application, your user information will be deleted from the phone. You can delete your user account from the user management function in the Application.

5. Releases and transfers of personal data outside of the EU (EEA)

The personal data of users will not be released outside of the EU or EEA.

6. Further information on personal data protection

If you have any privacy related questions, please contact: IT Manager Tommi Rautajoki, tommi.rautajoki@taksitampere.fi.

7. Data protection

We use all reasonable and appropriate technical and organisatory procedures to protect the Service and prevent unauthorised access to your personal data and to prevent the loss, misuse, discovery and unauthorised revisions of your personal data.

In the event that a data breach that will likely result in being harmful to your privacy occurs despite our preventive measures, we will notify you of the breach.


Tampereen Aluetaksi Oy’s Privacy Policy / Privacy Notice For Customers And Stakeholders

(Updated: 15.11.2018)

1. Controller

The controller of the data register is Tampereen Aluetaksi Oy (Business ID 0829622-1) (“Tampereen Aluetaksi”).

Sammon Valtatie 7
33530 Tampere, Finland
+358 (0)10 4765 600
info@taksitampere.fi

2. Controller’s contact person

IT Manager Tommi Rautajoki
tommi.rautajoki@taksitampere.fi

Requests about data subject rights are sent to the controller’s contact person.

3. Controller’s Data Protection Officer

IT Manager Tommi Rautajoki
tommi.rautajoki@taksitampere.fi

4. Name of data register

Tampereen Aluetaksi’s Taksi Tampere application (“application” and the register of customers and stakeholders for the application.

5. Purpose for processing personal data

Tampereen Aluetaksi processes the collected data for the following purposes, among others:

Offering services and features

The data is processed in order of offer, revise and maintain products and services. This includes the use of the data for the following purposes:

  • Enabling transports, deliveries and other services
  • Processing payments for the services
  • Completing internal procedures that are necessary to offer the services, such as analysis of the application and Service

Customer support

Tampereen Aluetaksi uses customer-specific history data in order to resolve potential problems and claims, if requested by the customer.

Research and development

Tampereen Aluetaksi uses the data for testing, research, analysis and product development. The data makes it possible to develop new features and products.

Communication between parties that use the service

Tampereen Aluetaksi uses the data to enable communication between the parties that use the service.

Communication from Tampereen Aluetaksi

Tampereen Aluetaksi may use the data to communicate on services, campaigns, studies, surveys, news, updates and events.

Court trials and demands

Tampereen Aluetaksi may use the data to examine demands and disputes associated with customers using the service, in order to answer these demands and disputes or also for other similar purposes if this is allowed in compliance with applicable laws.

Subcontractors

The controller processes the data itself and utilises subcontractors that process personal data on behalf of and for the controller.

Automated decision-making

Tampereen Aluetaksi may utilise automated decision-making for targeted offers and marketing, for limiting use of the application, optimising use and other similar purposes.

6. Legal justification for processing personal data

Tampereen Aluetaksi processes personal data in accordance with the following justifications of the EU General Data Protection Regulation (“GDPR”).

a) The data subject has given consent to the processing of his or her personal data for one or more specific purposes (GDPR Article 6, 1.a);

b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6, 1.b);

c) processing is necessary for compliance with a legal obligation to which the controller is subject (GDPR Article 6, 1.c);

d) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Article 6, 1.f).

The aforementioned controller’s legitimate interest may exist when, for example, there is a meaningful and appropriate relationship between the data subject and the controller, because the data subject is a customer of the controller and when the processing occurs for purposes that the data subject should reasonably expect at the time of data collection and during the appropriate relationship.

7. Content of data register and personal data groups subject to processing

The customer data register contains the following personal data groups:

  • Private customers
  • Business customers
  • Drivers
  • Transport operators

8. The data register contains the following personal data deemed meaningful for each personal data group:

The customer data register contains the following personal data groups:

Customer basic information:

  • first name
  • surname
  • email address
  • mobile phone number
  • customer pick-up address

Data associated with customer’s payment transactions:

  • first name
  • surname
  • email address
  • payment information
  • data created from using the service, such as completed orders

Data associated with customer’s payment transactions:

  • name
  • business ID
  • invoicing address
  • first name of contact person
  • last name of contact person
  • email address
  • mobile phone number
  • customer data of the company’s employees in accordance with the above personal data

Driver basic information:

  • first name
  • surname
  • email address
  • mobile phone number
  • location of vehicle

Basic information of transport operator:

  • name
  • business ID
  • invoicing address
  • first name of contact person
  • last name of contact person
  • email address
  • mobile phone number

9. Regular information sources and personal data created during the controller’s operations

Private customers and business customers enter their own information. This information is not supplemented using other information sources.

The information for drivers and transport operators is obtained from Tampereen Aluetaksi’s broker system.

10. Storage period of personal data

Personal data collected into the data register is only stored as long and to the extent that as necessary for the purpose of processing the data for each personal data group. In addition, personal data is stored as required by any potential legally mandated storage period.

The controller evaluates the need for storing the data regularly in accordance with internal procedural rules.

Basic customer relationship data is stored as long as the customer relationship is active and as long after it as is necessary to fulfil the obligations and rights of the parties.

Driver and transport operator data is stored as long as they have an effective service or other relationship with Tampereen Aluetaksi and as long after it as is necessary to fulfil the obligations and rights of the parties.

Accounting data is stored for six (6) or ten (10) years in addition to the current year, in accordance with the Accounting Act.

Payment and receipt information is stored five years after the end of the calendar year of the payment transaction in order to resolve potential claims.

Date related to orders is stored a maximum of two years in order to resolve potential claims and to develop and analyse operations.

11. Regular releases of personal data

Personal data is not released regularly to external parties from the data register. The location data may be released to a third party to offer value add services. Personal data is only released to authorities from the data register if necessary and they have a lawful reason to demand the data.

12. Releases and transfers of personal data outside of the EU (EEA)

The personal data of users are not released outside of the EU or EEA.

13. Data protection principles

Databases and systems and the data register can only be accessed by employees of the controller or subcontractors working for the controller that have the right to process data in the data register in order to complete their work. Each user that uses the data register has a personal username and password systems.

Content with personal data is stored in an encrypted database. The database with personal data is on a server that is stored in a locked room, which can only be accessed by specific individuals who are authorised due to their work responsibilities. The servers are protected with appropriate firewalls and technical protection. The servers are located in Ireland and the servers are maintained Amazon Web Services Inc.

14. Rights of the data subject

The data subject has the following rights in accordance with GDPR:

1) The right to obtain confirmation from the controller if any of the personal data of the data subject is processed or not and if the personal data is processed, the right to access the data and the following information:

  1. purposes for processing;
  2. personal data groups in question;
  3. recipients or recipient groups that the personal data was released to or will be released to;
  4. the planned storage time of the personal data if possible, if it is not possible the criteria that determines the storage time;
  5. the data subject’s right to ask that the controller corrects or deletes personal data pertaining to the data subject or restricting processing personal data or object to such processing;
  6. the right to file a claim with a supervisory authority;
  7. if personal data is not collected from the data subject, all of the available information on the origin of the data; and
  8. the existence of automated decision-making and the significant information on the logic for this type of processing, in addition to the significance of such processing and the potential consequences to the data subject (GDPR Article 15).

In addition, the data subject has the following rights:

1) The right to withdraw consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (GDPR Article 7).

2) The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (GDPR Article 16).

3) The right to have the controller delete the personal data of the data subject without unnecessary delay, provided that:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
  2. the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing;
  3. the data subject objects to the processing due to personal grounds specific to their situation and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes;
  4. the personal data have been unlawfully processed; or
  5. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject (GDPR Article 17).

4) Right to restriction of processing, if

  1. the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
  2. the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
  3. the controller no longer needs the personal data 
for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or
  4. The data subject has objected to processing based on reasoning pertaining to their specific personal situation and pending the verification whether the legitimate grounds of the controller override those of the data subject (GDPR Article 18).

5) The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent and the processing is carried out by automated means (GDPR Article 20).

6) The right to file a complaint with a supervisory authority if the data subject believes that EU GDPR regulations are not followed with the processing of his or her personal data (GDPR Article 77).

Requests pertaining to fulfilling data subject rights are directed to the contact person of the controller.

15. Other

The data subject may prohibit the use of his or her personal data for direct marketing, distance selling, surveys or market research.