Data Protection Policy

Updated 25th May 2018

Multim Ltd processes your personal data under the conditions of the GDPR while also taking into account the current Personal Data Act (523/1999) or any effective data protection legislation. This data protection policy may be updated from time to time by releasing a new version, so please check this data protection policy regularly on our website.

Registry Controller’s Details

Registry Controller
Multim Oy 
Customer Service
Isolinnankatu 24 
28100 Pori
tuki@shellit.org

Person responsible for registry matters
Jani Rajala, CEO

Definitions


  • “GDPR” means the regulation 2016/679 of the European Parliament and the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) combined with any national data protection regulation that is effective in the member state of our main establishment.
  • Other terms shall be defined as in Article 4 of the GDPR.

Processing of Your Personal Data


We collect and process your personal data to be able to conduct business and to provide the services you have ordered, to target marketing and to otherwise serve you. The personal data we collect may be used for managing customer relationships, for keeping statistics on the usage of our services, for enhancing and researching the user experience and for other research with the aim of improving our website or services. We may also analyse customer feedback. The personal data may also be used for customer relationship communications and for managing marketing and contacts. We may also use the data for the purposes of conversion tracking and targeted marketing.

We process your personal data according to the requirements of the GDPR. Processing is legitimate, reasonable and transparent. Processing of your personal data may be based on a contract, your consent, our legitimate interests or legal obligations. Our legitimate interests may include, but are not restricted to, communication with you, direct marketing including direct marketing after the customership has ended and targeted marketing.

Your personal data is only processed for the purpose for which it has been collected. Personal data collected for the same purposes may be combined, and personal data may be connected to other pieces of data gathered by means of analytics in order to e.g. target marketing.

We try to keep the amount of personal data we store about you as small as possible. We also try to make sure the personal data is accurate. We do not disclose your personal data to other parties, unless we have an appropriate reason to do so, for example while registering a domain name for you, marketing purposes or other activities relevant to running our business.

Personal Data We Collect and Our Sources of Data

We may collect the following data:

  • Personal information, e.g. name, address, phone number, email address
  • Social security number or birth date, if the order contains a .fi domain
  • Company ID or VAT code, organisation name, contact person, if the order is made by a company, association or other organisation
  • Usernames and passwords related to the service
  • IP address from which the services are used
  • Data related to providing the services, e.g. billing and payment data, mandates, authorizations, messages or other information related to communicating with you, emails, phone call details, chat logs
  • Marketing permissions, subscriber data of newsletters and equivalents
  • Cookies
  • Other data necessary for producing the services

We also collect data that is created using the services. This may include:

  • Order and billing history
  • Data related to maintaining the services, e.g. logs
  • Tracking data related to marketing and using our websites
  • Data gathered through analysing customers
  • Other data created while using our services

Additionally, we may collect other data we have received from you based on your consent.

Our sources of data may include yourself, e.g. when you are dealing with or in contact with us, use our services, use our website or subscribe to our newsletters. We may also collect data about you by observing the usage of our services. Sources of data may also include, but are not restricted to, email, contact form, customer service chat or logs.

Our external sources of data may include e.g. publicly available registers, commercial marketing registers or equivalents and different kinds of services, e.g. Facebook, Twitter, Google AdWords, Google AdSense and LinkedIn.

We may also utilize data deduced from other data collected about you, e.g. observations, conclusions and deductions, that may include e.g. your likely areas of interest.

Recipients of the Personal Data


We may disclose data from our registers to e.g. partners or subcontractors within the limits allowed and obliged by the legislation currently in effect.

Data may also be disclosed to e.g. investigate a suspicious payment transaction with our payment intermediaries. Additionally, when ordering a domain name, personal data (name, contact person, organisation, phone number, email, company ID, VAT code or equivalent, social security number, birth date) needs to be disclosed to third parties as required by the domain name registries, as domain names are, by default, registered to direct ownership of the customer. The data may also be transmitted to third party services for the purposes of conversion tracking and targeted marketing.

Flows of Personal Data to Countries outside the Union

The data may be transmitted outside the European Union and the European Economic Area if required for the purposes of providing the services and for the purposes of marketing and communications. The data that may be transmitted includes name, organisation name and email address. Prior to disclosing the data, we confirm the processor meets the requirements set in the GDPR. When registering domain names, the data disclosed may also include other pieces of data in addition to the aforementioned, to the extent required to provide the services you have ordered. In some cases the controller of the domain name registry may be located outside the Union, in a country that does not meet the data protection requirements of the GDPR. In these cases the data may still need to be disclosed to the controllers of the domain name registries if, for example, you have ordered a top-level domain whose registration requires the data to be disclosed.

Deletion of the Personal Data


We delete your personal data either automatically or manually when the personal data is not relevant for the purposes presented in this data protection policy. For example, personal data processed based on your consent is stored and processed as long as you have not withdrawn your consent. Personal data processed based on legal obligations is stored and processed as long as those legal obligations require (e.g. accounting data). Accordingly, personal data stored and processed based on a contract is deleted after a reasonable amount of time, usually about three months, after the contract or the contracts have been terminated, when that data is not necessary anymore for the purposes of billing, for being able to continue the contract or for other purposes. Data processed based on our legitimate interests is stored and processed as long as the legitimate interests are valid.

Protection of the Data


Personal data in forms other than electronic is stored in locked cabinets. Only persons whose work assignments so require have access to the cabinets.

Personal data in digital form is protected using passwords, by limiting access and by using encrypted connections and email. Personal data is only processed in unencrypted email if you provide us data that way. By default, we request you to provide personal data securely through our control panels.

We only store intact and reliable personal data. Intactness and coherency are ensured by means of maintaining backups.

Rights of the Data Subject


Right to access your personal data: you have the right to get a copy of the personal data we have stored about you. You may request this copy from the control panel or by contacting us. We may require you to prove your identity to execute the request. If you make a new request in less than a year from the previous one, we may charge a fee based on our price list for executing the request.

Right to rectification of your personal data: you can update your basic personal data by logging in to our control panels. If needed, you may send a rectification request using the contact methods found on our website. If the rectification request is sent by means other than directly through our service, you will need to provide us with information we can use to reliably identify you. This information may include your name, address, phone number, email address and customer number.

Right to give or cancel your consent: if we are processing your personal data based on a consent you have given, you have the right to give a new consent or cancel the consent you have given at any time.

Right to be forgotten: you have the right to ask us to delete the personal data we have stored about you if 1) there is no need for the data considering the original purpose of collection 2) you cancel the consent, in which case the personal data processed based on that will be deleted 3) your personal data has been processed illegally 4) the personal data has to be removed in order to comply with a legal obligation 5) the personal data has been collected to offer information society services to a child.

Right to object to the processing of your personal data: you may have the right to object to the processing of your personal data when the processing is done for the performance of a task carried out in the public interest or for the purposes of the legitimate interests pursued by us. If the personal data is processed for the purposes of direct marketing, you have the right to object to the processing for this purpose at any time.

Right to restrict processing of your personal data: you may have the right to restrict the processing of your personal data in situations mentioned in Article 18 of the GDPR.

Right to portability of your personal data: you have the right to receive the personal data you have provided us in a structured, commonly used and machine-readable format and to transmit those data to another controller if the data is processed based on a consent or a contract.

Right to lodge a complaint with a supervisory authority: you have the right to lodge a complaint with a supervisory authority if you believe the processing of your personal data to be against the GDPR.

Use of Cookies

A cookie is a small text file sent to the user’s browser by the server. The cookie is saved on the user’s hard drive. Cookies are used to ensure proper functioning of the service and they are needed e.g. to enable login functionality. Additionally, cookies are used for marketing purposes, to generate traffic statistics, and to research the usage of, track and enhance the user interface, the user experience and the service. Cookies are used to ensure user-friendliness of the service. They may also be used by services run by third parties, including e.g. user tracking and marketing. The user can allow or disallow the usage of cookies by configuring the browser’s settings. The use of cookies is considered to be allowed unless the user has configured the browser to disallow them. If the use of cookies is not allowed by the user, the proper functioning of the service cannot be ensured. Without cookies, it will not be possible to order services or to log in to the control panel. Further information on disallowing cookies can be found on your browser vendor’s website.