Small Folks Daycare
1. General information
This Privacy Notice describes how Small Folks Daycare (later “we” or “Small Folks Daycare”) processes personal data; what personal data Small Folks Daycare collects, how the data is used and to whom the data is disclosed, and how the data subject can control the processing. The Privacy Notice also informs about the obligations Small Folks Daycare follows when processing personal data.
This Privacy Notice applies to all services offered by Small Folks Daycare (later “Services”). This Privacy Notice covers all persons whose personal data are processed (later “data subjects”, “you”) in connection with the Services.
Small Folks Daycare is dedicated to protecting the privacy of the data subjects and commits to process their personal data in compliance with the applicable privacy laws and regulations and good data processing practice.
Personal data refers to information, which allows a person to be directly or indirectly identified as an individual person, as defined in the GDPR. Examples of personal data: name, email address, date of birth and Internet Protocol (IP) address of a personal computer.
2. Controller and contact information
Small Folks Daycare Oy
Business ID: 2610565-2
Address: Tekniikantie 12 A, 02150 ESPOO, FINLAND
3. Purpose and legal basis of the processing of personal data
We only process personal data that are relevant for the purpose it has been collected or obtained for, and we process the data in compliance with laws and regulations.
Personal data are processed for our Services, including customer relationship management, communications, quality assurance, service planning and development, analysis, generating statistics and administrative purposes such as consent and rights management.
The legal bases of the processing are the performance of a contract or preparation of a contract with Small Folks Daycare and the legitimate interests of Small Folks Daycare. The legitimate interests include administration and development of the Services, and operations which are necessary for carrying out pre-contractual measures such as inquiries concerning our Products or Services.
Personal data are not used by Small Folks Daycare for marketing purposes.
You may subscribe to our newsletter. When Personal data are used for sending you our newsletter, such communications will be based on your consent (opt-in) which you can withdraw at any time. However, Small Folks Daycare can send direct marketing regarding similar product and services you have acquired from us, and using the electronic contact information provided by you. You have the right to object to this kind of marketing too, and it is possible to do it also in advance (opt-out).
Tracking and automated decision making including profiling
Personal data are processed for preventing, detecting and remediating potentially prohibited or illegal activities. They are also processed for protecting data and property. Personal data can be used for investigating possible security incidents, crimes or damages.
Processing related to security and safety is a legal obligation, but some of the security measures are done in the legitimate interests of Small Folks Daycare such as protection of our property.
We also process personal data when required by applicable law and/or to comply with the laws and regulations (e.g. accounting or other specific legislation). The legal obligation is the basis for the processing.
Purposes that require your consent
Your consent is required for certain types of processing of your personal data such as newsletters and processing of sensitive data. We do not intend to collect sensitive personal data, but data subjects may submit it voluntarily, and then we process it based on consent.
For the processing of personal data that you have given your consent you can withdraw your consent at any time regarding further processing of your personal data. See instructions further down (8 Rights of the data subjects and the Supervisory authority). We will comply with such request unless there is another legitimate ground to process the data.
4. Personal data processed and sources of information
We collect and processes only personal data which is relevant and necessary for the purposes outlined this Privacy Notice.
We collect the following categories of data:
|Categories of data||Examples of personal data|
|Identity and contact information||name, personal identification code / date of birth, address, phone number, email|
When you order/purchase our Services or otherwise enter into a contract with us, or when we have a legal obligation to ask for your data, we need your personal data to fulfil the contract and/or our legal obligations. We will inform you at the time which personal data are mandatory to be provided by you.
We collect the information from the following sources:
- Information you provide e.g. when contacting us, visiting us, utilising our Services (including web services and social media), participating in our marketing activities and when entering into a contract with us / ordering our Services.
- Automatically gathered information when you use our Services e.g. when you use our online services.
- Information from service providers such as marketing service providers
- Information from third parties such as public and private registers
5. Retention of Personal data
The Personal data we collect are retained for the period necessary to fulfil the purposes outlined in this Privacy Notice unless a longer retention period is required by law (e.g. accounting obligations), or we need it to protect our legal rights. Thereafter, the Personal data will be deleted within a reasonable timeframe or rendered anonymous.
The retention periods depend on the purpose of the processing and type of the information.
Personal data and retention periods are listed in the table below:
|Categories of personal data||Retention period or criteria used to determine the period|
|Customer data||We will keep the personal data for the duration of the contract and no longer than 6 years after that (city of Espoo’s regulations).|
|Newsletter and website users||We will keep the customer as newsletter receivers and users of our website no longer than 1 month after the termination of the customer contract.|
|Waiting list data||We will keep the personal data of non-clients active on our waiting list for the duration of the wait listing time only.|
6. Recipients of Personal data
Personal data are also shared with service providers and third parties. We will only share personal data to the extent necessary for performing the service (e.g. to provide, maintain, develop and secure the service).
We disclose your Personal data to the following recipients:
|Category of recipients||Recipients|
|Third-party service providers (including health care providers, 3rd party school counselor, IT service provider, web provider)||
LähiTapiola (insurance company)
Optimesys Oy (IT service provider)
Orange Advertising Oy (web provider)
Suomen Terveystalo Oy (staff health care provider)
Valjas Services Oy (accounting company)
Transfers outside EU/EEA
When Personal data are transferred outside EU/EEA, the transfer is secured by legal measures, appropriate safeguards.
In addition, we may share your information in connection with any merger, sale of our assets, or a financing or acquisition of all or a portion of our business and in connection with other similar arrangements.
Personal data are also disclosed to third parties if required under any applicable law or regulation or order by competent authorities, and to investigate possible infringing use of the Services as well as to guarantee the safety of the Services.
7. Protection of Personal data
We commit to follow to the security provisions of applicable data protection regulations, as well as to process Personal data in compliance with good processing practices.
Personal data are protected with appropriate technical and organizational measures. We store the information with limited access rights and secure IT-environments. The IT-environments are protected with firewalls and other adequate security technics, and advanced monitoring is done 24/7. Our personnel and processors that process Personal data are obliged to keep Personal data strictly confidential. Access to Personal data is only granted to those employees that need the information to perform their work tasks. Employees and processors have personal IDs and passwords.
We inform the authorities and users/data subjects of data breaches according to applicable information security and data protection regulation(s).
8. Rights of the data subjects and the Supervisory authority
The data subjects have the rights set out in the applicable data protection legislation.
Right to access and verify
You have the right to have confirmed if we process your personal data.
You have the right to verify and access your personal data and to request us to provide you the data in writing or electronically.
Right to correct and erase (right to be forgotten)
You have the right to have corrected any incorrect or incomplete personal data. You have also the right to request us to remove data.
We also remove, correct and complete incorrect, unnecessary, incomplete or outdated data on our own initiative when we notice such data.
Right to data portability and to object and restrict processing
You have the right to transmit your data to another controller.
You have the right to request us to restrict processing of your personal data in accordance with the conditions set out in the data protection legislation. We will also restrict the processing of your personal data if we cannot correct or remove incorrect data, or if there is any uncertainty related to request to erase your data.
You have the right to object to processing of your personal data for certain purposes. You have the right to deny any processing or transferring of data for direct marketing.
Right to withdraw consent
If the processing of your personal data is based on consent, you have the right to withdraw consent at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
You can deny any direct marketing and withdraw your consent regarding electronic direct marketing by following the instructions received in connection to the marketing communication (e.g. in the marketing email or SMS).
You can always withdraw any consent including parental consent by contacting Small Folks Daycare using the contact information provided in the beginning of this document.
How to exercise the rights of the data subjects
After receiving all the required information of your request (including confirmation of identity), we will start the processing of your request. We will do our best effort to process your request within a period of one (1) month.
We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded.
Right to lodge a complaint with the supervisory authority
In case you consider our processing activities of your Personal data to be inconsistent with the General Data Protection Regulation (GDPR) (EU) 2016/679, you have the right to complain with a data protection supervisory authority.
9. Changes to this Privacy Notice
We may change this Privacy Notice from time to time, whenever necessary. All changes hereto will be made available on our website at www.smallfolks.fi.
This Privacy Notice has been published on 30 May 2018
|Version number||Change description||Date|
|1.0||–||30 May 2018|