Privacy policy

Are you looking for a job? See our recruitment privacy notice here.

Processing of customer data of Joo Group Oy

1. Controller

Joo Group Oy, PL 196, 00101 Helsinki, Finland

Tel. +358 (0)20 766 1390

tietosuoja(at)joogroup.fi

Joo Group Oy (controller) processes personal data in compliance with applicable data protection legislation.

2. The purposes of processing the personal data of customers and potential customers

Joo Group Oy processes personal data related to the management of customer or lease relationship, marketing, communications and the electronic locking system, and the personal data submitted in the eWhistleblowing system.

The purpose of the processing of personal data is the acquisition, management, administration and maintenance of customer relations related to rental housing as well as the development of rental housing services, and regarding electronic locking systems, the recording video surveillance and sensor monitoring system or other technical system installed in the apartment by the contractor for the protection of people and property. The purpose of the processing of personal data obtained from the whistleblowing system is to investigate suspected wrongdoing in more detail. Reports can, however, also be submitted anonymously.

The controller also stores and evaluates information regarding visits to the controller’s website and uses the information to target advertising. This information is also used to develop advertising and housing services provided by the controller.

3. Legal basis for processing personal data

The processing of personal data by the controller is based on a contract between the customer and the controller, the consent of the customer or a potential customer, or the legitimate interest of the controller.

The processing of personal data related to the establishment and management of customer and lease relationships is based on a contract. The processing of personal data regarding the electronic locking system, recording video surveillance and sensor monitoring or other technical system is based on a contract or a legitimate interest of the controller to protect property.

The processing of personal data used for the quality control and development of the controller’s housing services is based on the legitimate interest of the controller.

In addition, data can be collected from potential customers for sales and marketing purposes. The processing is then based on the legitimate interest of the controller or the consent of the data subject, depending on the source of the information. The legal basis for processing personal data submitted to the whistleblowing system is the data subject’s consent and, regarding the object of the report, the statutory obligation of the controller.

4. Categories of personal data that are processed

Joo Group Oy collects the following personal data:

  • Tenants as customers and those living with them, including their possible representatives or contact persons

    • Name and date of birth
    • Contact details: telephone number, address and email
    • Personal identity code of the tenant or the business ID of a company for invoicing, etc.
    • Language for communications
    • Information on the tenant’s guardianship, when necessary
    • Recording of communications related to the customer service situation
    • Information based on the customer relationship, such as contact history and feedback
    • Apartment-specific disturbance reports
  • Customers who have lodged an application for an apartment and their representatives

    • Name, personal identity code or business ID
    • Contact details and previous address
    • Regarding private persons: information on employment or study as well as possible default data (yes/no) in credit information
    • Recording of communications related to the customer service situation
    • Information based on the customer relationship, such as contact history and feedback
  • Potential customers, for example, people contacted through online services or campaigns

    • Name and contact data (telephone number, email and address)
    • Information regarding the need for an apartment
    • Data collected from the website, such as via cookies
  • People using the electronic access control system

    • Name, apartment number and keycode
    • Date, time and place registered by the electronic access control system
  • Recording video surveillance footage (Note: Data is not collected in all buildings. If your housing company has a video surveillance system in place, information thereof is given in your rental agreement, amongst others.)

    • Video footage with time and location codes
  • The temperature and humidity sensor monitoring system or other corresponding technical system installed in the apartment by the contractor (only in some buildings)

    • Apartmentspecific recorded values to monitor the condition of the buildings.
  • eWhistleblowing system

    • Name and contact details (telephone number, email address and street address) and other data submitted by the whistleblower that may contain data on the object of the report.

5. Regular sources of data

Personal data is collected from the following sources:

  • The information necessary for the management of the customer relationship is collected directly from the data subject
  • The information from the whistleblowing system is collected from the whistleblowers.
  • The credit information of potential tenants is checked from Intrum's credit information register.
  • The electronic locking information is collected from the locking system, information from the video surveillance is collected from video footage, and information from the sensor monitoring system is collected directly from the measurement device.
  • The data related to potential customers is collected from online services, social media services, and participants in customer meetings, campaigns or events.

Joo Group Oy may, if necessary, also check and update contact details and other personal data from other reliable sources of information provided by public or private parties.

6. The recipients of personal data/disclosure and transfer of personal data

The data controller does not, as a rule, disclose the personal data of the data subjects to third parties.

The controller may disclose registered data to the authorities for the investigation of suspected criminal offences. The data may also be disclosed to other authorities subject to a specified legal basis.

However, the controller may transfer personal data in such a way that the processor uses the transferred data on behalf of and for the account of the controller, for example a housing manager, a security services supplier, a locksmith, a contractor, a debt collection agency or law firm, or the whistleblowing system service supplier in the performance of their contractual duties. In these cases, the data processor undertakes to comply with the terms and conditions of data processing as the controller.

The controller shall not transfer the data outside the European Union or the European Economic Area. The controller’s data processor may transfer data outside the European Union or the European Economic Area if an express written agreement is made thereof in advance and the data protection legislation valid at a given time is complied with in the transfer. For example, Hubspot is used on the controller's website, when using it personal data may be transferred outside the EU and EEA.

However, the controller may not prevent the possible transfer of third-party cookie data from the website outside the European Union or the European Economic Area.

7. The storage period of personal data

The controller shall process and store the data only for as long as is necessary for the purpose. The retention period varies depending on the type of personal data, depending on the specific purpose of processing thereof.

The personal data of customers, that is, tenants and those who have applied for rental housing, will be retained for the period required by the assignment and any tenancy, but may also be retained and used for the duration and to the extent necessary for invoicing, recovery and legal action. The personal data of the customer relationship will be deleted no later than three years after the end of the said customer relationship.

Data from potential customers, such as those who have given their consent in online services or events, will be kept for the time being; that is, until the consent is withdrawn or for as long as such personal data can be used for customer communication or marketing. Whistleblowers’ personal data collected from the whistleblowing system will be kept for as long as is necessary from the viewpoint of law; that is, unnecessary personal data must be deleted.

Electronic access control data and recording video surveillance footage will be stored on the same bases as other data based on the rental agreement. Data collected from the humidity sensor or other corresponding technical system will be used and stored for the entire lifespan of the building.

More detailed information on the storage periods of cookie data regarding the controller's website can be found in the information on cookies.

8. Data subjects’ rights

Data subjects have the right to:

  • Withdraw their consent to the processing of personal data at any time.
  • Receive information on the processing of their data, unless exempted by law.
    • If such personal data is processed, the data subject has the right to access the data.
  • Check their personal data; that is, data subjects have the right to request the controller to correct any inaccurate and incorrect personal data without undue delay.
  • Have their personal data deleted without undue delay
    • provided the data subject withdraws their consent and there is no other legal basis for the processing of their personal data.
  • Object to the processing of their personal data.
  • Restrict the processing of their personal data.
  • Obligation to notify about the rectification or deletion of personal data or the restriction of the processing of their personal data.
  • Transfer their personal data from one system to another.
  • Notify the Office of the Data Protection Supervisor (www.tietosuoja.fi) if the data subject considers that the controller is in breach of data protection legislation.

To exercise the aforementioned rights, please contact Joo Group Oy’s customer service. Contact details can be found in item 1 of this Privacy Policy.

9. Processing and profiling of personal data

The controller does not process personal data by means of automated decisionmaking.

10. Further processing of personal data

The controller does not process personal data for purposes other than those described in this Privacy Policy.

Should the controller process personal data for other purposes, the controller is obliged to inform the data subjects of this purpose before further processing.

11. General description of the appropriate technical and organisational measures of the controller

The registers are accessible only to those employees of the controller who have committed to the company’s written data protection instructions and confidentiality provisions.

The security of information systems is organised by appropriate measures: encryption and technical restrictions, as well as security software and firewalls. The systems can only be accessed with passwords. Personal data is only processed in premises with access control. Materials containing any personal data are disposed of securely.

12. Changes to the Privacy Policy

This Privacy Policy was updated on 4 May 2022.

The controller has the right to change this Privacy Policy. The controller shall inform data subjects of specific changes to this Privacy Policy before they take effect.

If you have any questions regarding our data processing, we kindly ask you to contact us by means of sending an email to tietosuoja(at)joogroup.fi or calling us on +358 (0)20 766 1390.