Register and Privacy Statement
This is the Registry and Privacy Statement of the Personal Data Act (10 ja 24 §) and the EU General
Data Protection Regulation (GDPR) for the auxiliary business name Archtours, of ark-byroo Oy.
Created on 21.5.2018.
Archtours, Kustaankatu 3 C, 00500 Helsinki
+358 (0)10 235 0560
2. Contact person for the register
Kiira Halinen, email@example.com puh. +358 (0)10 2350564
3. Registry name
Archtours customer register.
4. Purpose of processing personal data
The purpose of processing personal data is to communicate with customers, as well as maintain and
market customer relations.
Information is not used for automated decision making or profiling.
5. Data content of the register
The information to be stored in the register is the following: person's name, status, company /
organization, contact information (phone number, email address, address), billing information, and
other information relating to customer relationship and ordered services.
Personal information may be removed from the register at the customer's request. Ordering a
newsletter can be cancelled at any time from the link at the end of each newsletter or by posting the
message to the registry administrator.
6. Standard sources of information
The information stored in the register is obtained from the customer through messages sent via web
forms, email, telephone, contracts, customer meetings, and other situations where the customer
delivers their information.
7. Processing or transfer of data outside the EU or EEA
Information will not be disclosed to other parties, but the register will be utilized in the MailChimp e-
mail service, whereby the information may go outside the EU or the EEA within the service.
Archtours has signed a DPA (Data Processing Agreement) agreement with Mailchimp, which also
allows MailChimp to comply with the GDPR-compliant procedures in its operations.
The information can be published as far as it has been agreed with the customer.
8. Principles of registry protection
Careful handling of the registry is maintained, and information processed by the information
systems is adequately protected, including proper physical and digital security standards. The
controller shall ensure that stored data, server access privileges and other critical data related to the
security of personal data are processed confidentially and only by employees whose job description
they belong to.
9. The right of inspection and the right to demand correction
Everyone in the register has the right to check their data stored in the register and to demand that
any incorrect information be corrected, or incomplete information supplemented. If a person wishes
to check or require correction of their record, the request should be sent in writing to the
controller's contact person.
The controller may, if necessary, request the applicant to prove his identity. The controller is
responsible for the customer within the time limit set in the EU General Data Protection Regulation,
as a rule within a month.
10. Other rights related to the processing of personal data
A person in the register has the right to request the deletion of their personal data from the register
("the right to be forgotten") or to limit the processing of personal data.
Requests should be sent in writing to the contact person responsible for the register. The controller
may, if necessary, request the applicant to prove his identity. The controller is responsible for the
customer within the time limit set in the EU Data Protection Regulation, as a rule within a month.