Privacy Notice

Updated 29.01.2019

Controller

Open Badge Factory Oy
Kiviharjunlenkki 1 E, 90220 Oulu
FINLAND
contact@openbadgefactory.com
(hereafter “we” or “Open Badge Factory”)

Contact person for register matters

Eric Rousselle
Kiviharjunlenkki 1 E, 90220 Oulu
FINLAND
Phone number: +358 400 587 373
dataprotection@openbadgefactory.com

Name of register

CUSTOMER AND MARKETING REGISTER FOR OPEN BADGE PASSPORT SERVICE

What is the legal basis for and purpose of the processing of personal data?

The basis of processing personal data is Open Badge Factory’s justified interest on the basis of a customer relationship or implementing a contract with the data subject, as well as consent as regards direct marketing.

The basis of processing personal data is:

• the delivery and development of our Open Badge Passport Service (“Service”),
• fulfilling our contractual and other promises and obligations,
• taking care of the customer relationship,
• analysing and profiling behaviour of the data subject,
• electronic and direct marketing,
• targeting advertising in our and others´ online services

What data do we process

We process the following personal data of you:

• Basic information of the data subject such as name, country, language, user name, password*;
• Contact information of the data subject e-mail address*, phone number, address, city, state;
• Information of the service relationship and the contract such as details of the open badge(s) granted to the data subject, details of the user profile, correspondence with the data subject and other references, cookies and data related to use of them;
• Other voluntary information provided by the data subject into the Service such as personal introduction in the Service, links to social media accounts (such as Facebook, Linkedin, Twitter, Pinterest, Instagram, blogs etc.).

Committing personal data marked with a star as well as allowing the use of cookies in the service user’s browser, is a requirement for our contractual relationship with the data subject. Without this necessary information we are not able to provide the Service.

From where do we receive data?

We receive the above mentioned personal data primarily from the data subject him/herself, as the data is entered into the Service by the data subject.

We receive the data subject’s e-mail address to which we send the granted Open Badge from our customer (as the data controller). We act as the data processor in this relationship.

For the purposes described in this privacy notice, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Data updating of this kind is performed manually or by automated means.

To whom do we disclose data and do we transfer data outside of EU or EEA?

Only the data subject’s user name which each user can define him/herself, is displayed to other users in the Service.

We process information ourselves and use subcontractors that process personal data on behalf of and for us. We have outsourced the IT-management to an external service provider, to whose server the data is stored. The server is protected and managed by the external service provider.

Data may be disclosed to authorities under compelling provisions. We don’t disclose information of the register to external quarters.

We may disclose aggregate, anonymous information about you for marketing, advertising, research, compliance, or other purposes.

We do not transfer personal data outside of EU/EEA.

How do we protect the data and how long do we store them?

The personal data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and the backup copies of them are in locked premises and can be accessed only by certain pre-designated persons, i.e. only those of our employees, who on behalf of their work are entitled to process customer data. These persons include the Service Provider’s customer service personnel and the technical administrators of the Service. Each user has a personal username and password to the system.

The data subject may at any time add, change and remove all his/her data from the Service as well as delete his/her account entirely. The deletion of the account will erase all the data subject’s data from Service.

We store the data as long as it is necessary for the purpose of processing the data. We estimate regularly the need for data storage taking into account the applicable legislation. In addition, we take care of such reasonable actions of which purpose is to ensure that no incompatible, outdated or inaccurate personal data is stored in the register taking into account the purpose of the processing.

What are your rights as a data subject?

As a data subject you have a right to inspect the personal data conserning yourself, which is stored in the register, and a right to require rectification or erasure of the data. This may be done by accessing, modifying and/or deleting your personal data stored in the Service by logging into the Service. If you need assistance, please contact the person mentioned in Section 2 above.

You also have a right to withdraw or change your consent for direct marketing. As a data subject, you have a right to object processing or request restricting the processing and lodge a complaint with a supervisory authority responsible for processing personal data.

For specific personal reasons, you also have a right to object profiling and other processing concerning you, when processing the data is based on the customer relationship. In connection to your claim, you should identify the specific situation on which you object the processing. We can refuse to act on such request on the basis of the law.

As a data subject you have the right to object processing at any time free of charge, including profiling in so far as it relates to direct marketing.

Who can you be in contact with?

All contacts and requests concerning this privacy notice shall be submitted in writing or in person to the person mentioned in section two (2).

Changes in the Privacy Notice

Should we make amendments to this privacy protection statement, we will place the amended statement on our website, with an indication of the amendment date. If the amendments are significant, we may also inform you about this by other means, for example by sending an email or placing a bulletin on our homepage. We recommend that you review these privacy protection principles from time to time to ensure you are aware of any amendments made.