HYTEST LTD PRIVACY NOTICE

Last updated 22nd of January 2025 

This Privacy Notice (“Notice”) is provided by Hytest Ltd (“Hytest”, “we” or “us”) to describe the processing of personal data relating to representatives of our current, former or prospective corporate customers, suppliers and other business partners (“Business Partners”), together hereinafter referred to as “you”, in connection with your relationship with Hytest (“Personal Data”).

This Notice may be updated from time to time in accordance with the applicable legislation, for example in cases where we implement new systems or processes that involve processing of personal data.

To the extent you are a user of our website at https://www.hytest.fi, please note that the website may contain third-party components e.g., to social media services. These third-party components on our website are downloaded from the servers of these third parties. Please note that such services and applications provided by third parties are subject to their own terms and conditions, and the data protection and privacy practices of these third parties may significantly differ from the practices described in this Notice adhered to by us. If you wish to obtain more information on how these third parties process your personal data, please familiarize yourself with the privacy policies and other such documentation of these third parties.

1.     CONTROLLER AND CONTACT INFORMATION

Hytest Ltd, business ID 0956538-2

Joukahaisenkatu 6, 20520 Turku, Finland

dataprotection@hytest.fi

Tel. 02 512 0900

2.     CATEGORIES OF personal DATA

In connection with your relationship with us, we process the following categories of Personal Data:

–       Identifying data and contact details, such as your name and title, email and business address, and telephone number, 

–       Specifics related to the business relationship, such as the name of the organisation you represent and business ID, information related to the agreement between us and you or the organisation you represent as well as your association with the agreement, your preferred language, and invoicing and payment details, 

–       Contents of communications with us, such as information provided to us in meetings, email correspondence, and by other means of communication, as well as timing and other details of the communications between you and us, 

–       Event registration information, such as information which events you have registered for, selections and preferences related to the event, event feedback, and special diets,  

–       Information acquired through technical monitoring, such as recordings of camera surveillance at our premises, to the extent permitted by applicable law.

When you visit our website, we automatically collect certain data on your terminal device as well as details on your visit, such as your IP address, information on your operating system and interface, your web browser type, version and language, the time of your visit, referral page and the amount of data transferred. The collecting and further processing of your personal data on our website is mostly done by using automated technical means, such as cookies and other similar technologies.

 

3.     purposes and legal bases for processing

We process your Personal Data only for the purposes described in this Notice or as otherwise communicated to you when collecting your Personal Data, and only to the extent it is necessary for each purpose of processing further described herein.

We may process Personal Data for the following purposes and based on the following legal bases:

–       Business relationship management, such as managing and developing the business relationship, invoicing and payment administration and management, performing due diligence and any other form of background check as permitted by applicable laws, entering into and performing the agreement between us and you or the organisation you represent. The legal basis for this processing is our legitimate interest (Article 6(1)(f) of the GDPR) to conduct our business and your relation to the organization with whom we conduct our business. 

–       Complying with requirements of applicable law, such as tax, and corporate compliance related requirements, and complying with requests of authorities, based on e.g., tax or accounting related legislation or other legal obligation to which we are subject, in which case the processing is based on Article 6(1)(c) of the GDPR. 

–       Ensuring and monitoring compliance with the agreement between us and you or the organisation you represent, and investigating suspected malpractice, based on our legitimate interest (Article 6(1)(f) of the GDPR) to conduct our business and protect our property and interests. 

–       Communicating with you and third parties, such as current or potential customers, suppliers or other business partners, based on our legitimate interest (Article 6(1)(f) of the GDPR) to our activities in the course of our business to e.g., maintain and improve our relationship with our Business Partners, or respond to requests or enquiries from representatives of potential or existing Business Partners. 

–       Sending marketing communications, we may, e.g. provide you with information regarding our services. The legal basis for the processing for marketing purposes is our legitimate interest (Article 6(1)(f) of the GDPR), namely the sales promotion of our services to organizations. 

–       Providing the opportunity to use our website: When you visit our website, we process your Personal Data to offer you the opportunity to use our website and its functionalities, as well as for ensuring the overall security, functionality and stability of the website, including preventing and detecting possible misconduct and attacks towards the security of the website, based on our legitimate interest (Article 6(1)(f) of the GDPR). The collecting and further processing of your Personal Data on our website is mostly done by using automated technical means, such as cookies and other similar technologies.  

–       Other legitimate business interests: We may also process your Personal Data for a limited number of other legitimate interests related to our business, such as for the purposes of recognition of potential customers and lead generation; developing and improving the quality, functionality or user experience of our services and website; ensuring and improving data security or the security of our premises and data network; protecting our assets; preventing and investigating suspected malpractices; analyzing and compiling statistics for business purposes. The processing of Personal Data is based on our legitimate interest (Article 6(1)(f) of the GDPR) and the legitimate interest in question is the aforementioned business-related purpose. 

In some limited cases, the legal basis for the processing of Personal Data may be your consent (Article 6(1)(a) of the GDPR), for example, if you sign up to receive our newsletter or participate to an event hosted by us.

The provision of Personal Data in the manner described in this Notice may be partially based on the contract between us and the organization you represent. The non-delivery of personal data may prevent us from performing our contractual or other obligations or commitments towards you or the organization you represent, which may lead to impediments to our business relation with the organization.

4.     REGULAR SOURCES OF PERSONAL DATA

We primarily obtain your Personal Data directly from you. You may provide us Personal Data for instance through our website, by sending us emails, through phone conversations or meetings with us, or through documents you provide to us. We may however obtain Personal Data relating to our Business Partners also from other representatives of their organization.

We may collect and update Personal Data also from publicly available sources, or registers of authorities and companies providing services related to personal data.

We may also collect Personal Data automatically when the data subject visits our website, where personal data may be collected via cookies. 

5.     TRANSFERS AND DISCLOSURES OF PERSONAL DATA

We may transfer Personal Data to third parties as further described in the following. Personal data may also be transferred to entities within Hytest’s group. Limited categories of personal data may also be transferred to the parent company of Hytest in Hytest’s interest and for the purposes described in this Notice. The other group companies may, as well, act as data controllers in these circumstances.

When transferred to an entity processing Personal Data on behalf of us (i.e., processors), we have, including by contractual arrangements, ensured that Personal Data is processed only under our instructions and for the purposes specified in this Notice. The processing carried out by our processors may include, for instance, the provision of data systems and other IT and software services.

We may disclose your Personal Data within the limits permitted or required by the applicable laws, for example to authorities, external advisors, or other third parties including where such disclosure is necessary for compliance with a legal obligation to which we are subject, or for the establishment, exercise or defence of legal claims, whether in court proceedings or in an administrative procedure. For example, we may disclose Personal Data to a debt collection agency for purposes of debt collection, or to other service providers or partners of ours, but only to the extent that the fulfilment of their tasks requires the disclosure of Personal Data.

If we are involved in a merger, sale of assets or other business transaction or reorganization, we may disclose limited amounts of Personal Data to the purchaser candidates and their representatives in accordance with the applicable law.

Where you are a representative of a supplier or another Business Partner, we may disclose limited amounts of your Personal Data to our customers for purposes of carrying out our business.

Some of our service providers, as well as group companies, to whom we transfer personal data are located or may store Personal Data outside the EU or the EEA, and therefore, to the extent necessary, Personal Data may be transferred to countries outside the EU or the EEA. In such cases, we will ensure the adequate level of data protection. Information on transfers of Personal Data outside the EU or the EEA area and on the appropriate safeguards applied thereto from time to time is available from the email address mentioned in the beginning of this Notice.

6.     COOKIES

We may use cookies and tags on our website to ensure that the website functions optimally and that all content is displayed properly. A cookie is a text file that is stored on your web browser or device. We also use cookies to collect comprehensive analytical information about your use of our services and products, to store functionality and to direct relevant news and offers to you.

You have the option to change your web browser settings regarding the use and coverage of cookies. However, remember that if cookies are not accepted, some of the functions of the website may be impaired and some of the content of the website may not be displayed properly. For more information on the use of cookies on our website, please take a look at our Cookie Policies.

7.     Retention of personal data

We retain Personal Data only for the time necessary to achieve the purposes for which the data was collected, in accordance with applicable legislation.

For example, if you are a Business Partner, the retention period of your Personal Data is ultimately tied to the term of the business relation between us and the organization you represent. We may however continue to store your Personal Data after the end of the business relation to the extent necessary for certain legitimate business interests or if the data is necessary for purposes of protecting our rights.

The general minimum retention period for the Personal Data of Business Partners is until two calendar years have passed from termination of the agreement with the organization they represent. However, Personal Data may be stored for a longer period if the retention is justified on the basis of an appropriate connection between us and the data subject in question, for example for marketing purposes, and the person has not prohibited such processing.

The agreement documents themselves, which may also contain personal data, are stored for at least 10 years from the end of the calendar year during which the contract expired. The foregoing applies also to all communications which form part of the agreement or clarify the content of the agreement. Further, Personal Data that has been recorded to documents that are deemed to form a part of accounting material, such as invoices, will be retained for at least 10 years from the end of the calendar year in which the financial year ended.

We will retain Personal Data processed in relation to the security of our services and preventing abuses for the duration of the investigation of abuses. In addition to this, however, we may store the necessary Personal Data for a longer period where it is necessary in relation to managing and defending a legal claim or in order to comply with legal obligations.

If you have signed up or participated in our events, we will retain your data prior to and during the event and thereafter for a maximum of two years in order for us to fulfil our legitimate interest in evaluating the event and following up on event participation, as well as to plan any future events.

Personal Data processed based on your consent is retained until you withdraw your consent.

When we no longer need the Personal Data for such purposes, the data will be removed from our systems and records and/or the data will be irreversibly anonymised.

8.     Rights of the data subject

Below we have summarized the rights that you as a data subject have under the European data protection legislation. The “data subject” refers to a natural person whose personal data is processed by us. Some of the rights are complex and are subject to certain exceptions, and to keep this Notice concise, not all of the details have been included in the below summaries.

–     Right of access: You have the right to obtain from us confirmation as to whether or not personal data related to you is processed, and, where that is the case, to request access to such personal data. 

–     Right to rectification: You may have the right to obtain from us the rectification of inaccurate personal data relating to you. Depending on the purposes of processing, you may have the right to have incomplete personal completed, including by means of providing a supplementary statement. 

–     Right to be forgotten: Under certain circumstances, you may have the right to obtain from us the erasure of personal data related to you, and we may be obliged to erase such personal data. Please note that certain data processed by us are subject to statutory retention requirements, and regardless of a request of erasure, such data we cannot erase until the end of the statutory retention period. 

–     Right to object or restrict processing: In certain circumstances provided by law, you may have the right to object the processing of your personal data and the right to request the restriction of the processing of your personal data. Should the restriction of processing apply, the respective personal data will be marked and may only be processed by us for certain defined purposes. 

–     Right to withdraw consent: Where the processing of your personal data is based on consent, you may always withdraw your consent. However, any withdrawal of a consent does not have an effect on the processing carried out based on the consent prior to the withdrawal.  

–     Right to data portability: You may also have the right to receive your personal data that you have provided to Hytest in a structured, commonly used and machine-readable format and request Hytest to transmit the data to another controller. 

When we first collect your Personal Data, you may be provided the possibility to choose whether or not you wish to receive marketing communications from us. If you wish to stop receiving marketing communications, you can opt out at any time by clicking an ‘unsubscribe’ link at the bottom of one of our emails or by contacting us by other means.

To exercise the above rights, please reach out to us using the contact details mentioned in the beginning of this Notice. Your request must be in written or in electronic form and shall contain the basic information needed for finding the data to which your request relates. After receiving and processing the request, we will send you a response by mail or electronically which, depending on your request contains the copy of the Personal Data or other information on our processing of your request. We reserve the right not to complete your request if the request is manifestly unfounded. Should you request for multiple copies when using your right of access, or should you wish to submit more than one request per year, we may charge you a reasonable fee based on administrative costs for the execution of your request.

If you consider that our processing of your personal data infringes the data protection laws, you have the right to lodge a complaint with a data protection supervisory authority. You may do this in the EU member state of your habitual residence, your place of work or the place of the alleged infringement. However, we encourage you to contact us directly to discuss any concerns that you may have and to allow us an opportunity to address these before you contact such an authority.