Privacy and data protection policy
Is based on the EU General Data Protection Regulation (GDPR) 25.5.2018.
Combat Academy of Finland (Combat Academy Helsinki Oy (Y2431996-4), Combat Academy Vantaa Oy (Y2428096-7), Combat Brand Finland Oy (Y2434108-8), 00811 Helsinki
CONTACT PERSON RESPONSIBLE FOR THE REGISTER
PL 108, 00811 Helsinki
mari.vargman (at) combat.fi
DESCRIPTION OF DATA SUBJECTS
The register includes personal data of the natural persons (‘’Data Subject’’) who use the services provided by Combat Academy of Finland and the companies belonging to the same group (from now on ‘’Combat’’).
PURPOSE OF PROCESSING PERSONAL DATA
The purpose of processing personal data is to handle a customer relationship between Data Subject and Combat (use of service); administration and invoicing (member register); planning and developing business operations of Combat as well as contacting customers (marketing).
Debt collection is outsourced to a debt collection agency with whom Combat has an agreement that complies with the Personal Data Register Act.
It is not mandatory to hand over personal data, however, in that case, we cannot provide our services to the customers.
DESCRIPTION OF THE DATA SUBJECTS’ INFORMATION
The register contains the following information:
-Person’s first and last name, the corresponding information about a guardian of a minor
-Address, postal code and place
-Age or birth year
-Social security number
-Mobile phone number or phone number
Use of service data:
-Time and frequency of using services
-Invoicing and payments
-Level tests and camps
-Training brakes during the contract period
The personal data is stored as long as it is necessary for the purpose of handling customer relationship, domain management and accounting. The data is deleted when it is no longer necessary for the operations according to the corresponding laws.
All the addresses that Combat gets directly from its customers are collected during the customer relationship period either through the enrolment page on the Internet, during the customer service at the reception or by email. Combat does not update addresses/information by itself and does not collect it from anywhere else.
DATA DISCLOSURE AND TRANSFER
Data controller never discloses the data to the third party unless it is an authority, debt collection agency or another contractual partner that is involved in the payment policy and with whom the data controller has an agreement that complies with the Personal Data Register Act.
In all other cases, the data is used only by Combat. The data in the register is protected by the obligation of professional secrecy.
The register data is saved in databases that are protected by Firewalls, password and other technical means of protection. The databases and their backup copies are located in the locked premises.
Manually processed documents containing data subject’ information are stored in locked spaces so that unauthorised persons would not have access to them. Data controller makes sure that the necessary access to the information is only given to the data controller employees and employees of companies working on behalf of the data controller and that the information is used when necessary only for the purpose of implementing job duties.
RIGHT TO ACCESS, REFUSE AND CORRECT
The data subject can refuse to receive email messages, text messages and marketing posts; in that case, he or she cannot receive messages regarding the training process (e.g. training schedule changes, holiday breaks, season start dates and so on) and is responsible for acquiring such information by oneself.
The data subject has a right to access his or her information stored in the register. The access request must be signed and sent in writing to the contact person responsible for the register. The access request can be also made in person at the operating address of the data controller mentioned above. Combat aims at answering to the access requests no later than a month after submitting the access request.
The data subject can ask anytime to correct his or her personal data, update it or erase it by contacting the person responsible for the register or by informing the customer service representative of the data controller.
However, we cannot erase the information that is necessary for the purposes defined in this policy or is essential to keep according to the law.
DATA PROTECTION POLICY
The EU General Data Protection Regulation is applicable from 25.5.2018.
COMBAT ACADEMY IS THE DATA CONTROLLER AND PROCESSES PERSONAL DATA
Combat Academy is a professional academy that specialises in teaching self-defence and martial arts disciplines. Combat Academy collects and processes personal data of the persons participating in the training and inserts it to the register.
Because of the nature of the disciplines taught at the academy, Combat Academy must know its customers and make sure that e.g. the age limits of the disciplines are complied with and minors receive permission from their guardians. Combat Academy creates long contracts (bulk discount contracts) of 8, 14, or 24 months and these contracts are paid every month in monthly instalments, the so-called instalment agreement; a social security number is required for that.
PRINCIPLES OF PERSONAL DATA PROCESSING
Personal data is always processed confidentially and Combat Academy makes sure that its own employees, as well as possible partners, are duty-bound to comply with the obligation of professional secrecy and the EU General Data Protection Regulation.
The principles of information security in Combat Academy are determined by the security guidelines.
Regarding the information security, the most important matters that Combat Academy handles is ensuring the physical security of its premises, regular training of its employees in terms of information security, documented guidelines for personal data processing and management of access rights.
NOTIFICATION ABOUT SECURITY BREACHES
Combat Academy has an operating model to report security breaches according to the Data Protection Act.
When processing personal data, Combat Academy only uses the partners with whom it has a data processing agreement that ensures appropriate information security level.