M&M AC Baltic Oü / Trustimia Privacy Statement

Coverage

This privacy statement describes M&M AC Baltic’s security and privacy practices, and the processes and technologies used by M&M AC Baltic to protect its customers’ information. This Privacy Statement applies to M&M AC Baltic’s websites, digital services for customers and production systems for financial management services.

Limitations

This Privacy Statement does not apply to third-party sites, applications or services that may be available through additional partner services provided on M&M AC Baltic’s services. M&M AC Baltic always recommends that customers familiarize themselves with the privacy practices of a third-party service before allowing the collection and use of their own personal information on that service.

Principles of data protection

M&M AC Baltic’s data protection principles are: disclosure of the lawfulness and purpose of data processing; disclosure of the data collected and processed; technical, administrative and physical protection of data; lawful data verification; and the possibility to request changes.

Personal data registers and their register descriptions

Marketing Register: Register Description

Customer Data Register: Register Description

Processing of personal data on behalf of the controller

In some of its services, M&M AC Baltic processes personal data on behalf of M&M AC Baltic’s customer. In such cases, the customer is the registrar of the established personal register and M&M AC Baltic acts as the processor of the personal data of the personal register, in the capacity defined by the Personal Data Act. In this case, the processing operations related to the processing of personal data have been separately agreed with the customer of M&M AC Baltic, using the Description of personal data processing operations included in this document: Description of the processing of personal data.

Technical protection of register data

The electronically processed information contained in the register is technically protected by firewalls, passwords, by providing M&M AC Baltic customers with two-stage authentication to customer information systems and by other generally accepted technical means in the information security industry. The data transmission between the customer and M&M AC Baltic is encrypted with TLS (Transport Layer Security) technology. The data is backed up regularly and the backups are stored in a different location than where the primary data is located.


M&M AC Baltic conducts internal and third-party assessments covering both the technical security of critical information systems and administrative data security and data protection processes and guidelines.

Administrative protection of registers

User access rights are monitored regularly and the creation of dangerous access combinations is prohibited in the access control policy. In particular, the permissions of the administrators of the various systems are regularly checked and deleted when the user no longer needs them. The access rights of M&M AC Baltic’s departed employees will be removed from all systems upon termination of employment.


The customer’s data is processed only by the M&M AC Baltic employee who has been assigned to perform the work in question. Processing of customer data on other grounds is prohibited, even if the employee has technical access to the customer data on the basis of his or her job function and business reasons.


All M&M AC Baltic personnel, and third parties acting on its behalf, are bound by professional secrecy with respect to all customer and personal information. The duty of confidentiality is enshrined in the employment contracts of M&M AC Baltic personnel, including sanctions. Confidentiality is enshrined in agreements with third parties, including sanctions.


M&M AC Baltic’s employees who handle customer data receive regular training, of which the basics of work legality and mandatory training on data security and data protection are an integral part.


The existence and location of a security policy is communicated through regular security training and employees are reminded of the binding nature of that policy. The information security policy describes the general rules on information security and data protection that are binding on the employee, whether they are technical rules, information security processes or practices and guidelines applicable to everyday work.

Physical protection of register data

Customer data is processed in information systems located in a data center in cloud services located in Finland or in the territory of the European Union, with the exception of e-mail services used in customer communications and systems for statistics on the use of electronic systems. In data centers located in Finland, the most important production systems have been duplicated into two physically separated data centers to ensure security, data preservation and service continuity in normal and exceptional situations. These data centers use security policies, access control and monitoring certified by the service provider. The e-mail service used for customer communications and the systems for statistics on the use of electronic customer systems are located on servers located in the United States and are protected by those service providers in accordance with European Union data protection law. Statistical information in electronic systems does not contain personally identifiable information.


The manually maintained materials are located in premises to which unauthorized access has been prevented by access control, and video surveillance is used in the main premises to detect and verify a possible breach of physical security.

Use of cookies

Information about visitors to the Trustimia.com website may be collected and cookies may be used on the website. Cookies are small text files that are stored on a visitor’s terminal. M&M AC Baltic uses cookies to improve the user experience of our website, to evaluate the content used and to support marketing. The information collected through cookies is anonymous and cannot be used to obtain information about an individual identifiable person.


For example, cookies can be used to collect the following information:

  • The user’s IP address
  • Time of visit
  • Pages visited and duration of visit
  • The type of browser or operating system of the terminal used
  • Where the user has come to the site from and where the user will go after using the site

The information collected through cookies can be used, for example, for targeted advertising on the Google Partner Network.

By using the M&M AC Baltic website, you agree to the use and storage of cookies on your computer. Most browsers automatically accept cookies. The visitor has the option to block the use of cookies by changing the browser settings so that the browser does not allow the storage of cookies. In that case, the user accepts that, for some services, blocking the use of cookies may affect the functionality of the service.

Rights of data subjects

In accordance with Sections 15-22 of the European Union Data Protection Decree, the data subject has, among other things, the following legal rights:

  1. verifying personal information
  2. correcting the data
  3. deleting data
  4. processing

In those situations where the data subject wishes to check or change his or her data in a register owned by an M&M AC Baltic customer, the data subject must make a data check or change request to the controller, and the controller will execute the data check or change request together with M&M AC Baltic. In this case, the registrar must address a written request for verification to the e-mail address mentioned below.


The request for inspection and amendment must identify the personal data to be inspected and give the name of the register to which the request relates. The request should be sent by e-mail to: info@trustimia.com. The data subject may exercise his or her right to personal data provided for in the Personal Data Act free of charge only once a year.

Privacy Policy Reporting Policies

The data subject shall be notified by the controller if the data protection breach is likely to pose a high risk to his or her rights and freedoms. The notification shall describe the nature of the data breach and the measures taken as required by law.

In those cases where the data protection breach concerns personal data covered by a personal data register owned by M&M AC Baltic’s customer, M&M AC Baltic’s customer is responsible for informing the data subjects. Notification to the controller shall be made without undue delay after the discovery of the data breach. The notification shall describe the nature of the data breach and the measures taken as required by law.

The notification to the Data Security Authority shall be made within 72 hours as specified by law, if the data protection breach is likely to pose a risk to the rights and freedoms of a natural person. The notification shall describe the nature of the data breach and the measures taken as required by law.

Modification of the Privacy Statement

M&M AC Baltic is constantly developing its business and reserves the right to change this privacy statement by announcing it in its electronic services and in connection with other customer communications. Changes may be based on changes in legislation and the implementation of the resulting requirements.

Register description – marketing register

Name of the register

Marketing register

Applicable law

European Union Data Protection Regulation (EU 679/2016) and national data protection legislation

Updated

9/1/2021

Registrar

M&M AC Baltic Oü
14808243
Viru Square 2-3 floors
10111 Tallinn
+358451640017

Contact person

Mira Luukkanen
Email: mira@trustimia.com

Data Protection Officer

Mira Luukkanen
Email: mira@trustimia.com

Purpose of the processing of personal data

Personal information is stored and processed in order to provide Talenom’s financial management services in a contractual relationship between M&M AC Baltic and M&M AC Baltic’s customers. Personal data is processed in order to fulfill statutory and regulatory obligations and to improve the quality of M&M AC Baltic’s products and services.

Information content of the register

The following information can be stored in the register:

  • name, personal identity number and necessary organizational information
  • contact information (address, telephone number, e-mail address)
  • customer relationship management information generated in customer service
  • customer services and their billing information

The registrant’s usage information is stored, such as:

  • terminal version
  • terminal operating system version
  • the version of the browser used
  • the Java version used

Regular sources of information

M&M AC Baltic stores customer-related information at the beginning of the customer relationship. Registered customers add their own and their staff’s personal information to M&M AC Baltic’s electronic services. Personal information can be downloaded on the basis of electronic material provided by the customer. The customer can provide survey information related to quality improvement by answering the surveys.

User terminal information is automatically collected for the development of electronic products and customer service, for example through internet browser cookies or similar technologies, when M&M AC Baltic’s electronic products and online services are used.

Disclosure of information

The information contained in the register may be disclosed to the tax authorities, pension insurance companies, insurance companies, trade unions, the Social Insurance Institution or occupational pension funds. M&M AC Baltic may disclose personal information to its partners for quality improvement and marketing surveys.

M&M AC Baltic does not sell, rent or disclose personal information to other parties.
M&M AC Baltic may be obliged to disclose personal data if required by applicable law or regulation or by a request from a judicial or administrative authority.

Data transfer outside the EU or the EEA

As a general rule, personal data will not be transferred outside the European Union or the European Economic Area unless the customer requests it in writing. The contact information used in customer communications and the statistical information generated by the use of M&M AC Baltic’s electronic systems are transferred to servers located in the United States and are protected by the respective service providers in accordance with European Union data protection legislation. Data transfers requested by the customer outside the EU or the EEA are made in compliance with the data transfer requirements of the European Union Data Protection Regulation.

Disclosure practices

The information is disclosed to the client’s auditor without a separate authorization for the implementation of the agreement between the client and the auditor. For other customer partners, such as lawyers, consultants, etc., the customer will be asked for separate consent to the disclosure.

In connection with the release of written material, a certificate of disclosure of information is prepared, which indicates the basic information of the transferred material, to whom and when. This delivery certificate will be stored in the customer folders for possible future certification.

In connection with the handing over of the digital material to the customer’s partner, personal identifiers are created in the Supplier’s information system, with which the Customer’s partner has access to the transferred information. The customer’s request to create information system IDs and grant access to the customer’s data also includes the customer’s consent to the transfer of the customer’s data to that partner.

Information is disclosed to tax authorities, pension insurance companies, insurance companies, trade unions, the National Pension Fund or employment pension funds without the customer’s authorization or consent, where the disclosure of information is specifically specified by law.

The processing of digital data is controlled by means of event data in information systems, i.e. the storage of log data and its automatic or manual monitoring. In addition, log information can be used as evidence if necessary.

Retention and deletion of data

M&M AC Baltic deletes personal data from its information systems after a retention period of 5 years after the customer leaves M&M AC Baltic. After deletion from the operational information systems, the data is automatically deleted from the backups within 6 months.