Sowellus privacy protection policy

We respect the privacy of our customers and service users (our customers’ customers). We are responsible for the processing of your personal data and protecting your privacy in our operations. We always comply with the valid legislation on personal data. This document describes Sowellus’ privacy protection and data protection policies regarding the data processing for which we act as the Controller as well as the data processing for which we act as the Processor.

Sowellus is a Finnish company and its technical systems are situated in Finland. Sowellus and its resellers provide software and services for private and public administration customers (hereinafter “the Customers”).

Software House Sowellus Oy (hereinafter “Sowellus”) aims to process your personal data with complete transparency regarding its privacy protection.

Scope and approval

This privacy protection statement applies to all business processes and websites, operating areas, mobile solutions, cloud services, communities and product websites of Sowellus as well as third-party social networks (such as Facebook).

This statement describes how Sowellus processes personal data when Sowellus acts as the definer of the purpose and means of the processing (Sowellus as the Controller) and when the data processing has been requested by a Customer and conducted according to the Customer’s instructions (the Customer as the Controller and Sowellus as the Processor).

Personal data means any information about an identified or identifiable person, such as their name, address, email address, phone number, and IP address.

Whose personal data do we process?

We primarily process personal data on behalf of our Customers. In other words, we act as the Processor of the personal data. Our Customers enter the data of their own customers (“End Customers”) and other stakeholders, such as tenants or subcontractors, into our service.

As the Controller, we process the data of our Customers’ contact people. We also collect data from our online service visitors.

Sowellus as the Processor

Sowellus provides various services for its Customers. For these services, the Customer determines how personal data is processed in the services. In other words, the Customer acts as the Controller. Sowellus acts as agreed with the Customer in an agreement between the two parties. The data processing agreement (DPA) is always included in the overall agreement.

The Customer is responsible for the Controller obligations determined by law. Sowellus is responsible for the Processor obligations.

As the Processor of personal data, the responsibilities of Sowellus include:

  • Ensuring sufficient data protection with technical and organisational means
  • Processing the data only as agreed with the Customer (the Controller)
  • Helping the Customer meet its obligations, for example, to realise the rights of the data subjects
  • Not disclosing any of the Customer’s data without the Customer’s consent, or, if the data is requested to be disclosed by the police or other authority, notifying the Customer of this without undue delay
  • Reporting any unlikely but potential data security breaches to the Customer without undue delay

Which personal data do we process?

As the Controller, the Customer is responsible for its personal data in Sowellus’ services. However, it must be taken into account that the Customer is not in principle allowed to record any data belonging to special categories, such as medical information, into the systems of Sowellus. Nor is the Customer allowed to record in or send to the systems any data that is unnecessary for the use of the service. If a user of the software enters sensitive personal data into the user accounts they administer or posts, for example, comments to public forums or Sowellus sites, all the users of that account or site can read it and use it for purposes Sowellus cannot control. Sowellus is not responsible for any data entered or posted to accounts, forums, or Sowellus sites.

How is the data processed?

As the Processor, Sowellus only processes data that is necessary for the administration and development of the service. Sowellus always makes a written data processing agreement with its Customers.

Sowellus as the Controller

Which personal data do we process?

As the Controller, Sowellus processes the data of its Customers’ contact people and its service’s service data. This data includes:

The Customer’s contact person’s
Contact information, such as name, address, email, and phone number

Our website’s visitor data
IP address and other browser information, such as language and the site the individual accessed the service from

Our service’s service data
IP address and other browser information, such as language and the site the individual accessed the service from

Why do we process data?

Sowellus processes personal data to manage its customer relationships and to fulfil its promises to the Customer. We collect service data to develop and improve our service.

Our goals:

  • To inform the Customer about software and services closely related to the services and software the Customer already uses
  • To provide support to the users of our software and services
  • To improve the quality of our software, services, and Sowellus sites
  • To identify and prevent information security threats, maintain our services and software, and fix errors
  • To prevent the misuse of our software and services
  • To provide information we generally require to perform and manage our customer relationships
  • To invoice and process orders and payments
  • To administer the access rights of web-based services (cloud services)

Processing the data for the aforementioned purposes is necessary for maintaining customer relationships and providing the service for the Customers’ end users. We have to monitor how people use the service to implement the agreement between Sowellus and its Customers; therefore, there is no need to give consent to the processing of the personal data.

How is the data processed?

Sowellus collects personal data directly from the representative of the Customer. If the Customer, acting as the employer, buys Sowellus software or services through a partner company of Sowellus, we can collect user data directly from this partner company. When you use a Sowellus site, we will use cookies and other tracing technologies with your consent to optimise your user experience.

When do we disclose data?

Sowellus does not disclose personal data to third parties for marketing purposes without consent. Sowellus may disclose personal data to third parties for other purposes as follows:

Business partners
Sowellus may disclose personal data to its partners, if their business so requires. For example, if a user buys our software or services from our authorised partner on behalf of their employer, personal data may be disclosed.

Authorities
The police and other authorities may demand that Sowellus disclose personal data. In such cases, Sowellus discloses the data only if ordered by a court.

Company acquisition
If Sowellus merges with another firm or makes a company acquisition or if the business operations of Sowellus are partially or entirely sold, the buying party and the consultants used by it and Sowellus receive the data administered by the Sowellus unit in question. This data may include personal data. In such cases, external parties make a non-disclosure agreement with Sowellus that also covers the disclosure of any personal data.

The rights of the data subject

Here is a list of the rights of the data subject and related principles:

1. Right to access the data
You have the right to confirm once a year whether Sowellus has processed your personal data and to receive a copy of the processed personal data. The copy is delivered either electronically or by mail.

2. Right to correct the data
You have the right to request Sowellus to complete or correct any incomplete or inaccurate data. The incorrectness of the data is decided case by case based on whether the data is in fact incorrect for the purpose of the processing (unnecessary, incomplete, outdated).

3. Right to erasure (“right to be forgotten”)
You have the right to request Sowellus to erase any data concerning you. The data will be erased unless there is a lawful basis for its processing.

4. Restricting the processing
You have the right to request the processing of your personal data to be restricted in special situations specified by certain laws.

5. Objecting to the processing
You have the right to object to the processing of your personal data, if the basis for the processing is the Controller’s legitimate interest or if your personal data is being processed for the purposes of direct marketing.

6. Right to data portability
You have the right to request your data to be transmitted to another service provider in a machine-readable format. This right applies to data that is in electronic format and the processing of which is based on your consent or the implementation of an agreement.

7. Right to withdraw your consent
If the processing of your personal data is based on your consent, you have the right to withdraw your consent whenever you like. After you have withdrawn your consent, the processing in question will stop. For example, you can refuse to receive marketing from Sowellus by contacting us via email. Please note that you may still receive administrative notifications from Sowellus, such as order confirmations and reports on your account (for example, verifications and notifications for changing the password).

8. Right to file a complaint with an authority
If you believe that Sowellus has not processed your personal data legally, you may file a complaint with a data protection authority.

If you wish to exercise the aforementioned rights, please contact us via email.

Data security and storage of data

How do we protect the personal data?

Sowellus commits to prevent the unauthorised use and disclosure and other inappropriate processing of the personal data. We also commit to ensure that the data is used correctly to guarantee data security and safe use. As part of our commitment, we use reasonable physical, technical, and administrative methods to protect the data collected and processed by us, including:

Secured environment – Sowellus stores your data in a secured environment that only employees of Sowellus and its subcontractors who need the data for their job can access. Sowellus also follows the generally accepted standards of the industry.
All the services, data systems and other resources of Sowellus require a login with a username and password, for example. This is how we prevent the inappropriate use of the data.

How long do we store personal data?

We store personal data as long as it is needed for the specified purposes, such as responding to questions, solving issues, or implementing legal obligations.

When we no longer need the collected personal data, we destroy or erase the data securely. We may process personal data for statistical purposes, in which case we will anonymise the data.

Subcontractors and transmitting personal data

Sowellus uses subcontractors in application development and fixing software-related issues. Sowellus also uses subcontractors who come from outside the EU or EEA. For such subcontractors, Sowellus ensures the appropriate protection of data transmissions by using the EU Commission’s standard contractual clauses on data protection. In addition, Sowellus monitors and follows its subcontractors’ operations and obliges them to act according to the policies determined by Sowellus.