Data Protection Policy

Iro Research Oy provides market research and opinion surveys as well as data analysis services.

This Data Protection Policy concerns the processing of personal data of our corporate clients’ and partners’ representatives within the aforementioned activities. In addition, this Data Protection Policy concerns the processing of personal data when an individual takes part in a research project carried out by Iro Research and when Iro Research, as a data processor, processes the personal data of the individual participating in the research project. This policy also describes how our site uses cookies.

This Data Protection Policy does not concern situations when Iro Research is conducting research by the commission of a corporate client and on their behalf as a data processor. In such cases the research is covered by the data protection policies of Iro Research’s corporate client.

In our operation we are committed to following current data protection legislation. In this Data Protection Policy, we will describe further:

  • what kinds of personal data are being processed
  • for what purposes and on what kind of grounds personal data are processed
  • how long personal data will be stored
  • how the service utilized cookies
  • what measures can the data subject take
  • where personal data is disclosed or transferred
  • how personal data is protected
  • when we act as joint controller
  • how the Data Protection Policy can be altered
  • who the data subject can contact.

1. What kinds of personal data are being processed?

As part of our operation, we mainly process the following personal data:

1) Data of clients and partners:

  • contact information, such as name, address, phone number, e-mail address
  • information concerning the work tasks of an individual, such as position or field of responsibilities in the company (for the part of a representative of a corporate client or partner)
  • information pertaining to the client relationship, such as information on invoicing and payments, product and subscription information, customer feedback and contacting
  • information provided for surveys and studies
  • recorded phone calls
  • consents and refusals.

2) Data of potential clients or partners:

  • contact information, such as name, address, phone number, e-mail address
  • information concerning the work tasks of an individual, such as position or field of responsibilities in the company (for the part of a representative of a corporate client or partner)
  • information concerning possible earlier subscriptions
  • contacting and reactions
  • consents and refusals

3) Data concerning participants of studies

  • contact information, such as name, phone number, e-mail address
  • demographic information (date of birth, gender, education, position, family size etc.)
  • for the part of company representatives, the contact information of the company (name of the office, town, field of industry, phone number).

In addition we process the answers that the data subject has given for the research. The answers will be anonymized as soon as possible and after that they cannot be traced back to the data subject.

4) Service use data gathered by means of cookies or similar technologies:

  • usage and browsing information of the service, such as the site visitedtechnical data such as unique device and/or cookie identifier, browser and browser version, IP address, time and duration of the session, and screen resolution and operating system.

We receive this data primarily from the data subject themself or the company they represent. We may use external data sources for obtaining, updating and enriching data, such as the so-called Robinson registry, maintained by Finnish Customer Marketing Association (ASML), the population information system maintained by the Digital and Population Data Services Agency, address database of the Finnish postal service Posti, telephone companies’ contact information registers and other similar private and public records.

2. For what purposes and on what kind of grounds personal data are processed?

We process data on the following grounds that are based on the data protection legislation:

Consent: If the data subject consents to it, we may process their data in order to conduct research. We may also ask for the consent of the data subject in case the purposes of the processing are changed. In addition, cookies are mainly placed based on the consent of the data subject.

Legitimate interest: We process the data of the representatives of our corporate clients or partners based on a contract we have made with that company. We also process information for carrying out business development, prize draws, events and research, for prevention and investigation of abuse, for the correction, profiling and segmentation of errors and personalization of content or communications based on them, as well as marketing by phone or mail or marketing personalized by work task. We do not implement automatic decision-making if it has legal consequences concerning the data subject or if it affects the data subject in a similar, significant manner.

These purposes are necessary to our business and justified by the appropriate connection between the data subject and our company, and, therefore, within our legitimate interest. Regarding the nature and purposes of the data that is processed and the connection between the data subject and our company, our opinion is that the processing is not in conflict with the basic rights and freedoms of the data subject. The data subject may object to processing, and, for example, decline receiving marketing content at any time.

Legal obligation: We may be obligated to store some of the personal data of the data subject in order to comply with accounting laws or other mandatory legislation. In such cases the processing is conducted on the basis of complying with a legal obligation.

3. How long will the personal data be stored?

We will store the personal data of the data subject only as long as is necessary to carry out the aforementioned purposes in accordance with current legislation. We strive to keep the data up-to-date and correct. After the research is finished, individual research answers are anonymized within a maximum of three months. Iro Research Oy Salomonkatu 17 B 00100 HELSINKI Tel. +358 9 7740 600 VAT ID: FI08105501 www.iro.fi

We store the data of our client or partner and their representatives at least for the duration of the client relationship or partnership. The data of potential clients, such as our former and potential future clients, and their representatives are typically stored for marketing purposes as long as the individual has not refused to receive marketing communications, and the information is not otherwise outdated. An individual may at any time decline the receiving of marketing content or request for their information to be deleted.

We may be obligated to store some of the personal data of the registered individual in order to comply with accounting laws or other mandatory legislation even after a client relationship or a similar basis for processing personal data has been terminated. Invoicing data is typically stored for seven years.

4. Are cookies used on the site and what are they?

We and our selected partners store information, such as cookies and device identifiers, on the user’s device, and use the data for purposes that are described to the user. With the help of cookies and similar technologies it is possible to gather information on how and when the web services are being used, and to further improve the user-friendliness of the service.

A cookie is a file that is saved in the user’s browser. Among else, the technologies using cookies allow the user to avoid typing their login information every time they use the service. A cookie file contains an anonymous identifier that is used to identify the browser and to track service usage.

Cookies may be stored in the user’s device until they are deleted. There are some session-specific cookies in use that expire by the end of the user’s visit (the user’s session).

The so-called first party cookies are usually placed by the website shown in the browser’s address bar. In addition to these, our services use so-called third party cookies, and they are placed by, for example, reporting and chat service providers. Below are some examples of our partners: Iro Research Oy Salomonkatu 17 B 00100 HELSINKI Tel. +358 9 7740 600 VAT ID: FI08105501 www.iro.fi

Analytics: Google Analytics

  • We use Google Analytics, a web analytic service provided by Google Inc, to analyze the use of our websites and to further improve how our websites serve our users. The data stored in the cookies of Google tools are sent on to be stored in Google servers all around the world. Because of this, the data may be processed on servers not located in the user’s country of residence. Using the information it receives, Google evaluates the user’s way of browsing the content of the pages and prepares summary reports on site usage. Google also creates reports on services that are provided with the websites and produces statistics on Internet usage. Google may also forward information to third parties if required by legislation, or in cases where information is processed by a third party on Google’s mandate.
  • More information: https://policies.google.com/privacy?hl=en

Marketing: Leadoo

  • We use Leadoo user tracking to understand how our users move on our website and combine that data to the user data collected, for example, through chat interactions. We use this data for marketing our services. Leadoo uses etag tracking, a technology that differs from cookie-based tracking, but which can be influenced by the user through a website cookie query or clearing your browser’s cache.
  • More information: https://leadoo.com/privacy-policy-processor/

The necessary cookies include different functionalities, such as different site-specific settings. These necessary cookies are always active unless the user prevents cookies from their browser settings. Other, so called non-necessary cookies are placed with the consent of the user.

Detailed information about cookies in use at any given time, their uses and our partners can be found in the cookie settings of the website.

The user has the option to make cookie choices when they first arrive on the site and, for example, after the user clears the cookies on their browser. The user may change their cookie choices, such as withdraw their consent, at any time using the Cookie Options button at the bottom of the site. In addition, the user may clear the cookies or deny them from their browser settings. Denying cookies may prevent the website from working in the designed manner.

After clearing the cookies the user will have to make their desired cookie choices again. 

5. What measures can the data subject take?

We are committed to providing choice and control options concerning data protection. Below we list different measures the data subject may take to impact the collection and processing of data:

  • Right to access: The data subject has the right to have a confirmation on whether the data concerning them is being processed or not. If personal data is being processed, the data subject has the right to access the personal data in question, providing that data can be disclosed without harming the rights and freedoms of others.
  • Rectification and deletion of the data: By the request of the data subject, we will correct, supplement or delete personal data that is, for the purposes of the processing, erroneous, insufficient or outdated.
  • Data portability: The data subject can obtain the personal data that they have surrendered for transfer and that we process automatically on consensual or contractual basis.
  • The right to object to direct marketing and the profiling related to it: By contacting us at any time, the data subject may object to disclosing and processing their data for the purposes of direct marketing.
  • The right to object to and restrict data processing: The data subject may object to processing based on legitimate interest on the basis of their personal situation. For example, in such a situation the processing will be restricted for the duration of evaluating the basis for processing. The processing may also be restricted if the data subject contests the accuracy of their personal data, in which case the processing shall be restricted for a period enabling us to verify the accuracy of the personal data.
  • The right to withdraw consent: At any time, the data subject may withdraw the consent they have given by contacting us or in other means provided.
  • The right to make a complaint: The data subject may place a complaint with the authorities (www.tietosuoja.fi/en/home), in case they consider their personal data to be processed in conflict with this Data Protection Policy and the current legislation. For cookies, the supervisory authority is Traficom (www.traficom.fi/en)

The requests of the data subject will be assessed on a case-by-case basis. We may store and use the personal data of the data subject if it is necessary in order to comply with the legislation, solve disputes or comply with contracts. In order to exercise these rights we ask you to confirm your identity to ensure that we disclose personal data to only the person they concern. To use the rights, please contact us.

The contact information is listed in Section 10.

6. Is personal data disclosed or transferred to third parties?

We do not sell, rent out, transfer or disclose personal data to third parties and only do so in the following cases:

  • Media corporation Keskisuomalainen: We may disclose the personal data of our clients or potential clients within the media corporation Keskisuomalainen when there is a relevant basis for their use. The companies currently belonging to the media corporation Keskisuomalainen are listed here. The data of research participants is not disclosed.
  • Consent: We may disclose the data to third parties in case the data subject has consented to it.
  • Authorities: We may disclose the data subject’s personal data as required by the supervisory authorities or other entities in accordance with applicable legislation.
  • Corporate transactions: In case we are selling, merging or in some other ways making corporate transactions, the personal data of the data subject may be disclosed to the buyers and their advisors.
  • Recovery proceedings and legal claims: We may disclose personal data to third parties if necessary for the execution of a contract, to investigate any breach or to establish, file or defend a legal claim.

In the processing of data, we use subcontractors and we guarantee by contractual arrangements that the data will be processed in accordance with current legislation and this Data Protection Policy.

As a rule, we do not transfer data outside the EU or ETA. If we transfer data outside the EU or the EEA, we ensure an adequate level of protection of personal data by, among others, agreeing on matters relating to the confidentiality and processing of personal data as required by law, for example using standard contractual clauses approved by the European Commission, and otherwise by the processing of personal data in accordance with this Data Protection Policy.

7. How is the personal data protected?

We take the necessary technological and organisational data protection measures to protect personal data against unlawful access, disclosure, erasure or other unauthorized processing. These measures include the use of firewalls, encryption technologies, safe IT areas, appropriate access control, controlled licensing of access and monitoring of its use, the use of encryption techniques, instructing personnel involved in the processing of personal data, and careful selection of subcontractors.

We ask you to please take into account that the data safety of web services is not perfect. The data subject is responsible for appropriate data protection measures of their own information systems.

8. When does the data controller act as joint controller?

For example, we act as joint controller during the maintenance of our page on Facebook. Further information on data processing can be found in the data protection policy of Facebook. We are able to see the data of our Facebook likers and commenters based on the privacy settings they have put in place themselves. In addition, we deal with statistical data e.g. the likes and visits of our Facebook pages, the visibility of our publications, and the demographic profiles of people who were reached by our posts. We will not combine this data to other data described in this Data Protection Policy, and we cannot use the statistical information to recognize a specific individual.

9. Can this Data Protection Policy be altered?

We constantly develop our services and withhold ourselves the right to alter this Data Protection Policy by communicating about it in our services. The alterations may also be based on the changing of the legislation. We recommend you to familiarize yourself with the Data Protection Policy regularly.

The policy was last updated on 14th December 2022.

10. Who the data subject can contact?

Requests for the exercise of the rights mentioned in Section 5 above, questions about this Data Protection Policy and other requests should be made by email to the Data Protection Officer (tietosuojavastaava@iro.fi). The requests can be made in person at our offices or in writing at the address below:

Iro Research Oy Research Agency, Data Protection Officer

Salomonkatu 17 B, 00100 Helsinki, Finland

Data protection officer of the corporation: tel. +358 14 622 000