Privacy notice

Updated 20th of February 2025 

On this page you will find general information about Q-Factory Oy’s data protection policies as well as data protection and privacy notice in accordance with the EU’s general data protection regulation (GDPR, 679/2016). 

GENERAL

Q-Factory Oy is a consulting company producing IT services and software solutions. Our solid know-how and the long experience of our staff lead to high-quality and secure solutions in which a person’s data protection is taken into account responsibly as required by law and regulations. 

Q-Factory Oy constantly strives to improve the level of Data security and data protection management and to prevent threats to it. We do this together with all our staff and all our stakeholders. 

The goals of Data security and data protection are defined in our company’s information security policy, and it is part of our company’s risk management based on ISO-27001 and ISO-9001 standards, VAHTI recommendations and best practices in the field of information technology. 

Q-Factory Oy monitors standards, legislation and regulations related to data security and data protection and takes measures required by these changes if necessary. 

The central objectives of our data security policies are:

• Uninterrupted and secure operation of Data systems that support the company’s operations 
• Uninterrupted and secure operation of the company’s services to customers 
• Prevention of destruction and unauthorized alteration of data content 
• Preventing intrusion into and unauthorized use of information systems 
• Ensuring personal data protection and rights 
• Ensuring business continuity in exceptional circumstances through continuity planning and contingency arrangements 
• Our personnel are required to participate in relevant training and commit to complying with the information security policy and guidelines. 

DATA PROTECTION POLICY 

1. THE CONTROLLER 

Q-Factory Oy (Business ID 2577936-4) 

Kauppaneuvoksentie 8, 00200 Helsinki 

+358 10 336 2600 

2. CONTACT IN DATA PROTECTION MATTERS 

Data Protection Officer 

Tuomas Huokuna 

Phone: +358 (50) 466 2727 

E-mail: tuomas.huokuna (at) q-factory.fi  

Contacts in matters concerning data protection are addressed to the e-mail address  

tietosuoja (at) q-factory.fi 

3. REGISTRIES CONCERNED 

We record personal data at different registries. The safeguards, processing and data subject rights apply to all data collected by us, if there is no service-specific privacy notice. Service-specific privacy notice is issued with the service.  

We collect personal data in various registries for different purposes: 

• marketing registry (purposes: development of business, communications, website analytics and data collection, cookies) 
• recruitment registry (purposes: processing applications, recruitment, business development) 
• registryy of client contacts (provision of services)  
• whistleblowing information

We regularly update this privacy notice, so please check it every now and then. 

4. LEGAL BASIS AND PURPOSE OF THE PROCESSING OF PERSONAL DATA

The legal basis for the processing of personal data is the legitimate interest of the controller, and, concerning recruitment, the consent of the data subject.  

In the case of cookies, the processing is based on the user’s consent or, in the case of cookies necessary for the operation of the site, a legitimate interest. The user can manage their cookie settings on the website. 

Personal data is used to market the controller’s services and events, as well as to communicate with potential and current customers and partners, and to maintain customer and partnership relationships. 

Necessary cookies are used to ensure the operation of the site. Other cookies are used to develop the controller’s services and website. 

As concerns the personal data collected for or during the provision of service to our customers, the basis for processing is fulfilment of contractual obligations and such data is used as deemed necessry in the provision of service, such as reporting and correspondence with customer.  

Personal data is also subject to analytics use and development of our marketing and services. 

5. DATA CONTENT OF THE REGISTRY 

The registry may contain the following Data 

• First and last name 
• Title/position 
• employer and employer contact Data 
• email address 
• telephone number 
• information included in job application or resume
• cookies, analytics data
• information contained in a whistleblowing report (eg. location at a time of an incident)

In addition, the registry may collect Data on the data subject’s participation and registration for events organized by the controller. 

Our general customer registry contains the data of contractual and technical liaison personnel of our customers. 

6. REGULAR SOURCES OF DATA

The Data contained in the registry is collected through a customer or partnership relationship, through the website’s contact form, and from registrations and participation in events. 

Cookies and analytics data are stored when you use the website.  

Information contained in whistleblowing report is collected as the report is sent.

In addition, Data may be collected from the registries or public sources of other controllers providing search or similar services. 

7. DISCLOSURE OF THE CONTENTS OF THE REGISTRY

 The contents of the registry will not, in principle, be disclosed or transferred outside the EU and the European Economic Areaand is by default stored in servers and data storages that are located in European Economic Area.  

Data is disclosed to our partners, such as: 

• Business development partners, marketing partners 
• IT infrastructure providers such as cloud service providers (eg. Microsoft, Amazon) or different software providers (eg. CRM-software) 
• Communication solution providers  
• Whistleblowing channel provider

Least possible amount of data is always disclosed. 

Data contained in our registries is not by default transferred outside the European Economic Area. Servers and data storages we use are located in the European Economic Area. However, service providers we use may be from third countries and such providers or governmental authorities may have access to data due to administrative structure or statutory demand. 

When data is transferred outside the European Economic Area, we comply with European Commission standard contractual clauses and additional safeguards to protect the data.  

However, Data may be disclosed to authorities, for example, on the basis of a legal requirement.

8. PROTECTION OF THE REGISTRY

The registry exists only in electronic form in the company’s high-security cloud service and is protected by appropriate administrative and technical security measures. 

 Access to the registry is only possible with an encrypted connection and a personal username and password. The use of the registry is confidential and its access is limited to persons belonging to the controller’s own staff whose duties require access to the registry. The staff of the controller has a duty of confidentiality and has received appropriate training in data security and data protection. 

9. DATA RETENTION PERIOD

 The Data collected in the registry shall be kept only for as long and to the extent necessary in relation to its purpose. The Data content of the registry, the legal basis for use and the need for processing shall be assessed at least every three (3) years. 

Data contained in a whistleblowing report is kept until the report is processed and may be retained if need be. In any event the data is deleted after it is not needed and pieces of report data retained are evaluated annually for delectability.

Data contained in recruitment registry is retained for 24 months.

10. RIGHTS OF THE DATA SUBJECT
11. a) The right of access to personal data

The data subject has the right to receive confirmation as to whether personal data concerning him or her are being processed and, if so, the right to receive a copy of his or her personal data. 

1. b) Right to rectification of data 

The data subject has the right to request that incorrect or inaccurate personal data concerning him or her be corrected or supplemented. 

1. c) Right to delete data

 The data subject has the right to request the deletion of personal data concerning him or her if: – the personal data are no longer needed for their original purpose – the personal data have been processed unlawfully  

(d) Right to restrict processing 

The data subject has the right to restrict the processing of personal data concerning him if: – the data subject denies the accuracy of the data – the processing is unlawful and to defend  

1. e) Right to object

 The data subject shall have the right to object to the processing of his data on the basis of his personal situation if the controller cannot demonstrate that there is a substantial and justified reason for the processing which overrides the data subject’s interests, rights and freedoms. 

1. f) The right to transfer data from one system to another

The data subject shall have the right to obtain his or her registry data in a commonly used and machine-readable form and to transfer such data to another controller.  

(g) Right of appeal to the supervisory authority 

The data subject has the right to lodge a complaint with the national supervisory authority, which is the Data Protection Officer attached to the Ministry of Justice, if the data subject considers that the processing of personal data concerning him or her has infringed the relevant legislation. 

FOR MORE INFORMATION 

All requests for information and other contacts must be forwarded to the person responsible for the registry at the access point mentioned in point 2.