Datadrivers Oy
Hallituskatu 2 A 7
FIN-95400 TORNIO

PRIVACY STATEMENT

22.5.2018

Datadrivers Oy is a Finnish company that aims to develop driver education software and make efficient use of training data. This Privacy Policy applies to the processing of personal data of Datadrivers' customers and users of the services it provides, such as Webauto, Netreeni, opetusluvalla.fi and lomakelahetys.fi. Datadrivers processes the personal and training information of customers and service users in order to fulfill the contract for the service ordered by the customer, provide a comprehensive training search for those in need of training as well as notify registrants of expiring professional licences and other qualifications.

We are committed to protecting the privacy of our customers and users of our services in accordance with applicable data protection laws. Below is a more detailed description of, e.g.:

• our contact details
• what kind of data we collect
• how is the data used and what is the legal basis of the processing of said data
• how long is the data stored
• how the services use cookies
• the rights of the data subjects
• where the data is disclosed and transferred
• how we protect the information

Please read the contents of the privacy statement.

1. Contact details

Controller: Datadrivers Oy
Address: Hallituskatu 2 A 7, 95400 Tornio
E-mail: info@kuljettajaopetus.fi

2. Personal Data and Categories of Personal Data to be Processed

We only collect personal information that is necessary for pre-defined uses. When we collect information, we tell you what information is a prerequisite for using the services and what information the user can provide if they wish. The information is primarily collected from the data subject themselves when they log in and use the services. Information about the data subject can also be stored in the services by instructors or a registered employer.

In addition to service user and training information, we process the following customer information:

• basic information, such as first and last name, address, contact details, date of birth or social security number, position, employer, gender, native language, country of birth
• basic information about the persons responsible for teaching, secretaries, teachers and instructors. These include first and last name, contact information, company name and business ID
• information about the use of the services, such as the username and password, the information collected automatically through the use of the application and its various functions as well as information provided by the user in the application
• basic information of the employer community, such as name and contact details (address, e-mail address, telephone number) and the name and contact details of the contact person
• training information, such as information on the training attended or enrolled by the data subject and the degrees they have completed
• information related to the contractual relationship, such as the time of use of the service, communication and transactions related to the service as well as information related to invoicing and collection
• direct marketing authorisations and bans

In addition, we collect information about the use of our services as described in the cookie clause.

3. Purposes of the Processing and Legal Basis

The data is processed for the following purposes:

• Implementation of Services: We use personal information to identify and log in the user, provide, maintain and protect the services, invoice and collect as well as communicate with the data subject. As part of providing the service, we may also analyse the use of the services, the training information of the data subjects and the responses of the data subjects to the queries to create a user-friendly learning profile to provide a more customised service. Without the mandatory information marked with an asterisk, the services cannot be provided in accordance with the agreement. This processing is based on the performance of the contract.
• Maintaining the Learning Database: In the learning database, we combine the learning and professional qualifications of the data subject in the same view. We may use this information to notify the data subject of expiring professional licences or other qualifications as well as provide the data subject's employer or potential employer with access to the data subject's learning and professional qualifications necessary for the employer's operations. This data processing is based on a legitimate interest.
• Marketing: We use data to market our products and services. Marketing messages can be customised using information provided by users or collected about the use of services. In this case, the processing is based on the data subject's consent or legitimate interest. The data subject may object to the marketing or withdraw their consent at any time.
• Product Development and Reporting: We use data to improve our services. For example, customer contacts help us understand what features are desired for our services. This processing of data is based on our legitimate interest.
• Prevention and Investigation of Abuse: From time to time we need to use the information to prevent and investigate abuse. For example, automatically collected log information allows us to monitor and determine the actions of the information system user and the lawfulness of the use of the data in accordance with our legitimate interests. This processing of data is based on our legitimate interest.
• Statutory Obligations: We retain correspondence regarding documents and transactions for six years from the end of the calendar year in which the financial year ends in order to comply with the Accounting Act. For example, in the above situation, the processing of personal data is based on compliance with a legal obligation.

Driver data such as driving licence and driving licence related data as well as professional qualification data such as initial and continuing learning data for lorry and bus drivers and taxi drivers, and licence data, are public data that training centres and professional transport operators need to process. It is also in the data subject's interest that the compiled information is available to the employer or potential employer in an up-to-date manner. In so far as the processing is based on a legitimate interest, we consider that the data subject can reasonably await the processing, taking into account the public nature of the information, the employer-employee relationship and the need for the professional transport company to process in order to fulfill the contractual and legal obligation. Treatment based on a legitimate interest may be opposed as described below.

4. Data Retention Period

We will retain the information for as long as is necessary to fulfill the purposes defined above in accordance with applicable law. Learning records shall be kept in accordance with the Driving Licence Act and the Act on the Professional Qualifications of Truck and Bus Drivers for six calendar years following the year in which the training or examination was completed.

After the above period, we will truncate the information and process the name and contact information as well as individual information describing the user profile for marketing purposes as long as the data subject has not refused to receive marketing messages. If the registrant refuses the marketing and there is no other reason to process the data, we will retain information about the ban and contact information so that we can ensure compliance with the ban. The data subject may also request the deletion of their data in its entirety.

We strive to keep the personal information we hold accurate and up-to-date by deleting unnecessary information and updating outdated information. However, we encourage users of the Services to periodically check that their information is up to date by logging into the Services. The data subject can also influence the data retention period themselves through the options described below.

We comply with our legal obligations to retain information.

5. Cookies

We may automatically collect information about the service user terminal through server logs as well as cookies and other similar technologies. A cookie is a small text file that a browser stores on a user's device. Cookies often contain an anonymous, unique identifier that allows us to identify and count the browsers that visit our site.

Cookies do not move online by themselves, but are rather installed on the user's terminal only with the site the user visits. Only the server that sent the cookie can later read and use the cookie. Cookies or other technologies do not damage the user's terminal or files, and cookies cannot be used to access programs or spread malware.

We automatically collect the following information:

• the use and browsing data of the service features
• the page from which the user has navigated to our site
• device model
• browser name and version
• IP address
• time and duration of the session and
• the screen resolution and operating system
• unique device or cookie tag

The so-called first-party cookies are set by the website visible in the address bar. In addition to these, our services use cookies from so-called third parties, such as measurement and monitoring service providers and social media services.

We use both session-specific and persistent cookies. Session-specific cookies expire when the user closes the browser. Persistent cookies stay on the user’s device for a fixed period of time, or until the user deletes them. The term for persistent cookies typically varies from a few months to a few years.

Cookies allow us to remember the registrant's login information and choices, develop our services and business and investigate possible abuses. We also use cookies to statistically track the number of visitors to our services and to investigate whether marketing emails or newsletters have been opened and acted upon.

When setting cookies, the user is given the option to refuse to set cookies using browser settings or to use the influence options listed in this privacy statement.

6. Data Subject Rights

The data subject can often influence the processing of data in different ways:

• Checking, Correcting and Deleting Data: A data subject has the right to review personal data stored about them. At the request of the data subject, incorrect, incomplete or outdated personal data will be corrected, supplemented or deleted. However, the data shall not be deleted to the extent necessary to comply with legal obligations or to establish, lodge or defend a legal claim or to fulfill an agreement between the data subject and the controller.
• Data Transfer: The data subject may, if they so wish, have their personal data transferred, which will be processed automatically on the basis of consent or agreement, by contacting the address mentioned in section 1 above.
• Right to Object and Limit: The data subject may object to the marketing at any time. The data subject may also object to other processing based on a legitimate interest on the basis of their personal situation. In such a situation, the processing is limited to the time when the grounds for opposing the processing are assessed. Processing can also be restricted when the data subject contests the accuracy of the personal data, in which case the processing shall be limited to the period during which the data is verified.
• Withdrawal of Consent: The data subject may withdraw their consent at any time by contacting the address mentioned in section 1 above.
• Right of Appeal: The data subject has the right to lodge a complaint with the authorities if they consider that their data has been processed in breach of the applicable data protection legislation.

With respect to automatically collected data, the user can influence the collection and processing of data in the following ways:

• Private Site Browsing: ”Private browsing” allows the user to browse websites without the use of cookies to store information about the pages the user has visited.
• Creating a New Cookie Profile: By clearing cookies from the browser at regular intervals, the user changes the unique identifier, which resets the profile associated with the previous identifier.
• Blocking Cookies: The user can block cookies from the browser settings. Blocking the use of cookies may affect the functionality of our services.
• Blocking Google Analytics: The user can block access to the site's data in Google Analytics by installing the Google Analytics Blocker Add-on here. This add-on prevents Google Analytics JavaScript (ga.js, analytics.js, and dc.js) running on websites from sharing site traffic data with Google Analytics.

7. Data transfers

The data subject's personal data is also processed by the company providing the training services in accordance with its own register data description or data protection clause. In addition, we may disclose information in the following ways:

• The Authorities: We may disclose the data subject's personal data in accordance with the requirements of the competent authorities, based on the legislation in force at the time.
• Consent: We may disclose the data subject's data to third parties if the data subject has given their consent.
• Group: We may process the personal data of the data subject within companies belonging to the same group.
• Mergers and Acquisitions: If we sell, merge or otherwise organise our business, the personal information of the data subject may be disclosed to buyers and their advisers.
• Recovery and Legal Claims: We may disclose the personal data of the data subject to third parties if this is necessary for the performance of the contract, the recovery of claims, the investigation of possible breaches or the preparation, presentation or defense of a legal claim.

We use subcontractors to provide services. In this case, we guarantee through contractual arrangements that the data will be processed in accordance with the legislation in force at the time and this register description. As a rule, data will not be transferred outside the European Union or the European Economic Area.

8. Registry Security Principles

The data is kept technically secure. Physical access to the data is blocked by access control as well as other security measures. Access to information requires adequate rights as well as multi-stage authentication. Unauthorised access is also prevented, e.g. with firewalls and technical protection.

The data is backed up securely and can be restored, if necessary. The level of security is audited at regular intervals through either external or internal auditing. The data shall be accessible only to the controller and to specifically designated persons who have access to the data in order to carry out their tasks. Users are bound by professional secrecy.