Registry Manager
Alan´s Cafe
Town Hall Square 4, 10900 Hanko
Mikaelavenberg@gmail.com
1339033-5

Representative of controller
Mikaela Venberg
Raatihuoneentori 4, 10900 Hanko
Mikaelavenberg@gmail.com

The name of the register is Alan´s Café customer register.

Personal data is processed for purposes related to the management, administration
and development of the customer relationship, the offering and delivery of services,
and the development and billing of services. Personal data is also processed for the
purposes of dealing with possible complaints and other claims.

In addition, personal data is processed for communication to customers, such as for
information, news and marketing purposes, including for direct marketing and
electronic direct marketing purposes.

The customer has the right to object to direct marketing directed at him/her

The controller processes the data itself and uses subcontractors acting for and on
behalf of the controller to process personal data.

The legal bases for the processing of personal data are those set out in the EU
General Data Protection Regulation (hereinafter also referred to as “GDPR”):

1. the data subject has given his or her consent to the processing of his or her
   personal data for one or more specific purposes (GDPR 6 art. 1.a);
2. processing is necessary for the performance of a contract to which the data
   subject is a party or in order to take steps at the request of the data subject prior
   to entering into a contract (GDPR 6 art. 1.b);
3. processing is necessary for the purposes of the legitimate interests pursued by
   the controller or a third party (GDPR 6 art. 1.f).

The aforementioned legitimate interest of the controller is based on a relevant and
proper relationship between the data subject and the controller, resulting from the
fact that the data subject is a customer of the controller and where the processing is
carried out for purposes which the data subject could reasonably have expected at
the time of collection of the personal data and in the context of the relevant
relationship

By default, the register contains the following personal data of all data subjects:

1. basic personal data and contact information: first name, surname, address,
   telephone number, email
2. information about the person’s company or other organisation and the person’s
   position or job title in that company or organization
3. the person’s direct marketing consents and prohibitions.

Personal data is collected from the data subject himself/herself.

Personal data are also collected and updated, within the limits of applicable law, from
publicly available sources related to the performance of the customer relationship
between the controller and the data subject and through which the controller carries
out its obligations in relation to the maintenance of the customer relationship

Data collected in the register will be kept only for as long and to the extent necessary
in relation to the original or compatible purposes for which the personal data were
collected.

The need to retain personal data will be assessed every five years and in any event,
data relating to a data subject will be erased from the register ten years after the end
of the data subject’s customer relationship with the controller and the completion of
the obligations and measures relating to the customer relationship. For example,
accounting records are kept for five years after the end of the accounting year

The controller regularly assesses the need for data retention in accordance with its
internal code of conduct. In addition, the controller shall take all reasonable steps to
ensure that personal data which are inaccurate, inaccurate or out of date, having
regard to the purposes of the processing, are erased or rectified without undue
delay.

Personal data will not be disclosed to third parties.

The personal data contained in the register will not be transferred outside the EU or
EEA

Access to databases and systems containing personal data is only possible with
personal usernames and passwords, which are issued separately. The controller has
limited access rights and authorisations to information systems and other storage
platforms so that only persons necessary for the lawful processing of the data have
access to and can process the data. In addition, access events to the databases and
systems are recorded in the log files of the controller’s IT system.

The controller’s employees and other persons are committed to maintaining
confidentiality and secrecy with regard to information obtained in connection with the
processing of personal data.

The data subject has the following rights under the EU General Data Protection
Regulation:

1. 1. the right to obtain confirmation from the controller that personal data concerning
   him or her are being processed or not being processed and, if such personal data
   are being processed, the right of access to the personal data and the following
   information: (i) the purposes of the processing; (ii) the categories of personal data
   concerned; (iii) the recipients or categories of recipients to whom the personal
   data have been or are to be disclosed; (iv) where possible, the envisaged period
   of retention of the personal data or, if that is not possible, the criteria for
   determining that period; (v) the data subject’s right to obtain from the controller
   the rectification or erasure of personal data concerning him or her or the
   restriction of the processing of personal data or to object to such processing; (vi)
   the right to submit a complaint to a supervisory authority; (vii) where the personal
   data are not collected from the data subject, any available information on the
   origin of the data (GDPR 15 art.). This basic information described in (i)-(vii) is
   provided to the data subject on this form
2. the right to withdraw consent at any time without affecting the lawfulness of the
   processing carried out on the basis of consent before its withdrawal (GDPR 7
   art.)
3. the right to demand that the controller rectify, without undue delay, inaccurate or
   incomplete personal data concerning the data subject and the right to have
   incomplete personal data completed, inter alia, by providing further explanations,
   taking into account the purposes for which the data were processed. (GDPR 16
   art.)
4. the right to have the controller erase personal data concerning the data subject
   without undue delay, provided that (i) the personal data are no longer necessary
   for the purposes for which they were collected or otherwise processed; (ii) the
   data subject withdraws the consent on which the processing was based and
   there is no other lawful basis for the processing; (iii) the data subject objects on
   grounds relating to his or her particular personal situation and there is no
   legitimate ground for the processing or the data subject objects to the processing
   for direct marketing purposes; (iv) the personal data have been unlawfully
   processed; or (v) the personal data must be erased in order to comply with a
   legal obligation under EU or national law to which the controller is subject.
   (GDPR 17 art.)
5. 5. the right to have processing limited by the controller if (i) the data subject
   contests the accuracy of the personal data, in which case the processing is
   limited for a period of time within which the controller can verify its accuracy; (ii)
   the processing is unlawful and the data subject objects to the erasure of the
   personal data and requests instead the restriction of their use; (iii) the controller
   no longer needs the personal data concerned for the purposes of the processing,
   but the data subject needs them for the establishment, exercise or defence of
   legal claims; or (iv) the data subject has objected to the processing of personal
   data on grounds relating to his or her particular situation, pending verification
   whether the legitimate grounds of the controller override those of the data
   subject. (GDPR 18 art.)
6. 6. the right to receive personal data relating to him or her which the data subject has
   provided to the controller in a structured, commonly used and machine-readable
   form and the right to transmit such data to another controller without hindrance
   from the controller to whom the personal data have been provided, where the
   processing is based on consent within the meaning of the regulation and the
   processing is carried out automatically (GDPR 20 art.)
7. 7. the right to file a complaint with a supervisory authority if the data subject
   considers that the processing of personal data concerning him or her infringes
   the EU General Data Protection Regulation. (GDPR 77 art.).
   Requests concerning the exercise of the rights of the data subject shall be
   addressed to the contact person of the controller mentioned in section 1.