Cursor Oy Privacy Policy

1. GENERAL

Cursor Oy is committed to protecting the rights of individuals and safekeeping the information it processes.

This Privacy Policy describes how Cursor collects, uses, stores and protects personal information.

In the Cursor Group, the controller is Cursor Oy alongside the subsidiaries of Cursor you conduct business with.

Cursor processes personal information for several reasons. In this Privacy Policy, ‘You’ refers to customers, potential customers, our customers’ employees and other stakeholders, and Cursor refers to Cursor Oy and all its subsidiaries.  

2. CONTROLLER

Unless otherwise stated, Cursor Oy is the controller of all personal data mentioned in this Privacy Policy.

For some registers, Cursor is the processor of personal data on a contractual basis.

Cursor Oy’s contact information:

Cursor Oy, Business ID: 0727178-6
Kyminlinnantie 6
48600 KOTKA, Finland

Cursor Oy is a non-profit development company, part of the City of Kotka Group.

3. DATA PROTECTION OFFICER

Cursor Oy is part of the City of Kotka Group and the Group’s Data Protection Officer is responsible for Cursor Oy. The Data Protection Officer’s contact information is available at https://www.kotka.fi/kotkan-kaupunki/tietosuoja/

At Cursor Oy, the contact person for data protection matters is Toni Jaakkola, IT Manager, toni.jaakkola@cursor.fi, tel. +358 40 190 2526.


4. RIGHTS OF THE DATA SUBJECT

By virtue of the GDPR Regulation, you have the right to obtain information about the processing of your personal data and to influence the processing of your personal data.

This Privacy Policy serves as the general information document. In addition, should you wish, you may request the controller to provide further information. Moreover, you have the following rights in relation to the personal data we process, unless otherwise provided by the controller’s obligations or legislation in force:

• Right of access to your personal data

• The right to have your personal data rectified or incomplete personal data completed

• The right to have your personal data erased

• The right to restrict the processing of your personal data

• The right to data portability

• The right to object to the processing of your personal data

• The right not to be subjected to automated decision-making

If you wish to exercise the aforementioned rights, requests to do so will be assessed on a case-by-case basis in each situation. In general, your request will be answered no later than 30 days after the request is made.

To exercise your rights, you will be separately identified by us to fulfil the request and to secure the rights of other data subjects.

Requests to exercise the aforementioned rights must be made in writing either to the e-mail address tietosuoja@cursor.fi or by post to:

Cursor Oy
Data privacy issues
Kyminlinnantie 6
48600 KOTKA

Right of appeal:

You also have the right to lodge an appeal or contact the data protection authority. The contact information of Finland’s Data Protection Authority is available at www.tietosuoja.fi.

5. PERSONAL DATA ROLES

Cursor processes your personal data on various grounds, depending on the type of services you use.

You may belong to one or more categories of personal data, depending on the extent to which you use our services.

In the following chapters, the issues related to the processing of personal data are specified separately for each personal data role. The personal data roles are described in more detail in the subsections of Chapter 5.

Personal data roles include:

• 5.1 Website users

• 5.2 Start-up entrepreneurs

• 5.3 Active entrepreneurs and company employees

• 5.4 Project customers

• 5.5 Newsletter subscribers

• 5.6 Event/webinar participants

• 5.7 Rental customers and camera surveillance in properties

• 5.8 Political decision-makers and influencers in the region’s municipalities

• 5.9 Members of Cursor’s Board of Directors

• 5.10 Designated users of online services


5.1 Website users

Purpose of and grounds for processing of personal data:
We use a number of different services within our website to provide you with better services and to analyse the functioning, ease of use and technical performance of the website.

The processing of tracking analytics is based on the user’s consent to the use of cookies.

The purpose of technical monitoring is to ensure the technical performance of our website.

We use this data to develop the technical, functional and logical features of the website and to ensure and monitor the data security of websites and to prevent possible cybercrime.

In addition, separately entered data is processed to provide customer service – for example, the business premises register (in which case the data is processed based on the role of active entrepreneurs or designated users of online services).

Your information is also used for the purposes of so-called remarketing, which means that on the basis of your visit, you will see our marketing messages on the platform you use, such as Facebook or Google ads.

In addition, we generate various statistics and analyses about the operations of our online services.

Most of the information is collected on the basis of your consent to the cookie policy. The cookie policy can be accessed via the bar at the bottom of our websites, where you can also choose the cookies you approve.

The websites managed by Cursor Oy include:

• https://www.cursor.fi

• https://www.visitkotkahamina.fi

• https://www.businesskotkahamina.fi

• https://www.datariina.fi

• https://www.seffc.fi


In addition, our sites have embedded services provided by external service providers:

• Premises and land register: https://cursor.toimitilapalvelut.fi, service provider Hakosalo Oy

• Event calendar: https://cursor.tapahtumakalenterit.fi, service provider Hakosalo Oy

• Company directory: https://cursor.yrityshakemistot.fi, service provider Hakosalo Oy

• Material bank: https://platform.crowdriff.com/m/visitkotkahamina, service provider CrowdRiff

• Booking calendar, service provider Slotti


Cursor is the controller of the information content and usernames also for these services. These services request you to consent to cookie policies specifically for each site.

Our service range also includes the travel online store https://visitkotkahamina.travel. The controller of this service is Elämys Group.

The personal data we collect:
We collect data from you about the features and location of your computer, including your IP address, cookie IDs, pages visited, your behaviour on our site, the route you used to access our site, the time, operating system, devices and browser. In addition, we naturally store all information you enter on the site or its services.

Information collected about website users will not be used to identify an individual unless you also subscribe to our newsletter. Most of the data collected is processed automatically into a format that only allows us to identify large entities. For the purposes of investigating any vandalism and potential offences, we also use this data to identify you.

Where do we get the personal data we collect?
The personal data we collect comprise the technical and usage data provided by your terminal device, data generated by your activities on the websites, and information entered by you.

Which parties do we disclose information to?
We do not disclose information about website usage to third parties. However, in order to perform maintenance, our service providers have access to the information.

Is data transferred outside the EU?
The Google Analytics service we use stores personal information on servers located outside the EU.

The GDPR compatibility of Google Analytics is specified in the additional terms for data processing by Google Analytics.

How long do we store the data?
The retention period of Google Analytics’ analytics data is 38 months.
The retention period of Facebook advertising cookies is 180 days at maximum.

Will the data be used for personal profiling purposes?
The data we collect may be used for the purposes of targeted website marketing.

5.2 Start-up entrepreneurs

Purpose of and legal basis for processing of personal data
One of our services is providing advice to entrepreneurs before starting a business. If you come to us for advice to start-up entrepreneurs, you belong to this group.

We use the data to provide customer service, to generate statistics/analyses, and, subject to your specific consent, also for e-marketing purposes.

We also use this information if you require a statement from us for a financier, such as Finnvera or TE Services.

We collect and process start-up entrepreneurs’ data on a contractual basis on behalf of our owner municipalities. The personal data register is owned by the contracting municipalities and we are the processor of personal data.

The personal data we collect:
From you, we collect information about your name and contact details (phone number, email, address, etc.), gender, your home municipality, date of birth, language of communication and information relating to the provision of the service. This information includes your education category, description of education, occupation, work situation category, description of your work situation, description of your work experience, emails you have exchanged with us, profitability calculations, business plans and other such documentation required to provide the service.

Where do we get the personal data we collect?
We receive personal data from the following sources:

1. The customer in person

2. From the marketing system of the Finnish Enterprise Agencies (Suomen Uusyrityskeskus SUK ry.), we receive your name, email address, postal code and job status.

Based on this information, we will contact you to implement the service.

When you completed the form, you gave your consent to the disclosure of this information.

Which parties do we disclose information to?
At the customer’s request, the information is disclosed e.g. to members of our network of experts. In this case, the person’s contact details and a concise description of the business idea will be disclosed.

Statistical material generated from this personal data will be made widely available to Cursor’s stakeholders and the media. However, individuals cannot be identified on the basis of this information.

The data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks.

Non-disclosure policies have been agreed with the system vendors.

The information will not be disclosed to third parties

However, the data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks. Non-disclosure agreements have been signed with the system vendors.

Is data transferred outside the EU?
No

How long do we store the data?
If we have not heard from you in the last 24 months, we will delete your data, but we will send you a reminder about this to the latest email address that we have for you, approximately 30 days before the erasure of the data.

If you start a company, you will be transferred to the personal data role of “Active entrepreneurs and company employees” in our personal data category, and we will use the data for service provision in your new role, see Chapter 5.3.

Will the data be used for personal profiling purposes?
No.

5.3 Active entrepreneurs and company employees

Purpose of and legal basis for processing of personal data:
This is the largest category in which we process your data. We collect information about the companies, entrepreneurs and staff who work in our region, are our partners, or potential customers to be located in our region.

This information is used for providing services to customers and analysing customer satisfaction, for the purposes and targeting of marketing and for performing various statistical analyses.

 We keep all discussions and actions taken with companies confidential or secret.

Note, however, that if you are a project customer at the same time, some information may partly or entirely fall within the scope of the Act on the Openness of Government Activities.

Cursor’s task is to enhance the vitality of companies in the Kotka-Hamina region and to attract new businesses to the region. Therefore, the processing of your data is in our legitimate interest.

We collect and process the data of entrepreneurs and company employees on a contractual basis on behalf of our owner municipalities. The personal data register is owned by the contracting municipalities and we are the processor of personal data.

The personal data we collect:
From you, we collect information about your name and contact details (phone number, email, address, etc.), date of birth (for entrepreneurs in the region), gender, your home municipality, language of communication and information relating to the provision of the service.

Such information includes e.g. e-mails, memos on telephone conversations, meeting notes, and any other documentation required to provide the service.

If you have been a “start-up entrepreneur” client with us, we will also use all information collected under that role. In addition, if you are part of our network of experts, we will process information about your expertise and the services you provide.

For start-ups, we collect information classified as sensitive, on whether the contact person comes from an immigrant background.  This information will only be used for statistical purposes.

Where do we get the personal data we collect?
The information is obtained primarily from the data subjects themselves, Cursor’s partners and the companies, organisations and individuals covered by the services. In addition, data is collected from the companies’ websites and other public sources of information, such as the Finnish Patent and Registration Office and the YTJ Business Information System.

Which parties do we disclose information to?
The information will not be disclosed to third parties

The data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks.

Non-disclosure policies have been agreed with the system vendors.

Is data transferred outside the EU?
Some of the data is stored in a cloud-based system located outside the EU. The system’s GDPR compatibility has been verified by the system manufacturer.

How long do we store the data?
We collect information about companies in the region throughout their life cycle. We also store information about entrepreneurs throughout the life cycle of the business.

We process the information of key people in companies when we provide services. This information will be retained for 24 months from the latest contact.

Information relating to invoicing, contracts and accounting will be retained in accordance with the relevant current national legislation.

Will the data be used for personal profiling purposes?
The information can be used for targeted marketing communications purposes. No other profiling is done.


5.4 Project customers

Purpose of and legal basis for processing of personal data
When you participate in a measure, training or event of an EU-funded project, you are a project customer.

The information is used in the implementation of project communications, marketing and customer service measures. In addition, for the purposes of EU project reporting, we provide the project financier, the project’s primary implementer and project supervisor with certain personal data.

In ESF projects, we collect various statistical data for the register or the Ministry of Finance, but in that case, we serve as the processor of personal data on behalf of the Ministry.

 In ENI-CBC projects, the processing of personal data is agreed on in the partnership agreement not only in accordance with EU legislation, but also as required by national law.

Project data is processed to fulfil the statutory obligations laid down in national and EU legislation on structural funds, which include, among others: 

Act on Regional Development and the Administration of Structural Funds (7/2014), Act on the Funding of Regional Development and Structural Fund projects (8/2014), Common Provisions Regulation (EU) No. 1303/2013, Regulation on the ERDF (EU) No. 1301/2014, Regulation on the ESF (EU) No. 1304/2013).

We carry out project activities on a contractual basis on behalf of our owner municipalities.

The personal data register is owned by the contracting municipalities and we are the processor of personal data.

The personal data we collect:
We collect the same data as for the personal data roles “Active enterprises and their employees” and “Start-up entrepreneurs”.

Where do we get the personal data we collect?
The information is obtained primarily from the data subjects themselves, Cursor’s partners and the companies, organisations and individuals covered by the services.

 In addition, data is collected from the companies’ websites and other public sources of information, such as the Finnish Patent and Registration Office and the YTJ Business Information System.

Which parties do we disclose information to?
For the purposes of EU project reporting, we provide the project financier, the project’s primary implementer and project supervisor with certain personal data. In ESF projects, we collect various statistical data for the register or the Ministry of Finance, but in that case, we serve as the processor of personal data on behalf of the Ministry.

The data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks.

Non-disclosure policies have been agreed with the system vendors.

Is data transferred outside the EU?
In ENI-CBC projects, the processing of personal data is agreed on in the partnership agreement not only in accordance with EU legislation, but also as required by national law.

How long do we store the data?
Data retention periods for projects are quite long. Personal data will be retained for at least 10 years after the end of the project.

The retention period is defined in accordance with the regulations of the Council of Europe and the national obligation concerning the retention period.

Will the data be used for personal profiling purposes?
No.

5.5 Newsletter subscribers

Purpose of and legal basis for processing of personal dat
We offer you the opportunity to obtain interesting additional information about our services and the region.

If you subscribe to the newsletter, you will be in this role.

We use this information to implement, monitor and analyse communications. In addition, we use the information we collect to implement automated marketing.

By subscribing to the newsletter, you give your express consent to the processing of your personal data and email marketing.

The personal data we collect:
We collect contact details from you, such as your email address and name. This information is combined with data collected in other roles. In addition, we collect information about whether you read our newsletters and which of the links in them you use, and when you use the links, we can see which of our web pages you are viewing.

Where do we get the personal data we collect?
The personal data we collect originate from the newsletter subscriber in person, from public business registers, Cursor Oy’s customer register and data publicly available for municipal officials and decision-makers.

Which parties do we disclose information to?
We do not disclose information to third parties. The data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks.

Non-disclosure policies have been agreed with the system vendors.

Is data transferred outside the EU?
Some of the data is stored in a cloud-based system located outside the EU.

The system’s GDPR compatibility has been verified by the system manufacturer.

How long do we store the data?
If your only role is that of newsletter subscriber, we will erase your personal data when you cancel your consent to receive email.

If you have other roles, too, and cancel your consent to receive email, we will retain your data based on the other roles.

Will the data be used for personal profiling purposes?
No.


5.6 Event/webinar participants

Purpose of and legal basis for processing of personal data:
We use electronic forms to collect registration information about participants in events/webinars.

The data is used for the purposes of organising events and statistics on the number of participants. The data is used also for informing about eventual changes and future events, and for customer feedback surveys.

Subject to consent, the information may also be used for the purposes of marketing communications.

The storage of data is based on the data provider’s consent.

The personal data we collect:
We collect from you your name, contact information, the organisation you represent and other information relevant for organising the event, requested in the questionnaire.

For events/webinars organised in connection with projects, we collect the personal data required for project activities, depending on the party financing the project in question (ESF/ERDF etc.) Please see the section “Project customers”.

Where do we get the personal data we collect?
We collect personal information from the data subjects themselves and from the party registering for an event/entering participants for an event.

Which parties do we disclose information to?
For events organised in connection with projects, we save or deliver to the project financier the personal data of the event/webinar participant required for the project activity, which the financier requires to be available for project audits, see section “Project Customers”.

In addition, we may provide participants’ name and contact information to partners involved in organising events.

The data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks.

Non-disclosure policies have been agreed with the system vendors.

Is data transferred outside the EU?
Some of the data is stored in a cloud-based system located outside the EU. The system’s GDPR compatibility has been verified by the system manufacturer.

How long do we store the data?
Attendance data will be retained for 24 months after the event/webinar, if no consent for marketing communications has been given.

If consent has been given to the use of the data in marketing communications, the data will be retained as long as the information is relevant for the purposes of marketing communications.

Any data found to be obsolete will be erased without delay. Data will also be erased without delay if the person in question so requests.The data collected of project events will be retained according to the instructions given by the financier, please see section “Project customers”.

Will the data be used for personal profiling purposes?
No. However, targeted marketing communications may be sent on the basis of the information, subject to consent given.

5.7 Rental customers and camera surveillance in properties

Purpose of and legal basis for processing of personal data:
As part of our operations, we offer rental of conference facilities, business premises, etc. If your business or you rent premises from us, you are a rental customer.

Your data will be used for providing customer service and the related communications and information, and for invoicing and customer satisfaction surveys. Contact information is also used to fulfil potential maintenance requests.

We use information collected from the use of access control and criminal alarm system identifiers only for the management of access rights and for the prevention and investigation of criminal offenses, where necessary, to identify persons who have moved on the premises in the event of any cases of vandalism or crime.

 Identification data from access control and criminal alarm systems and the related information about names and access data is handed over to the tenant of the premises to enable them to check the correctness of the lists of access rights. Information collected from the use of identifiers will not be disclosed to the tenant.

Our camera surveillance records live footage of the surveillance area and the persons and vehicles possibly moving within the range of each surveillance camera. The primary goal of camera surveillance is to prevent crime and we use the information we collect from surveillance only for the investigation of criminal incidents and accidents and, where appropriate, to identify the persons who have moved on the premises.

Information collected from camera surveillance will not be disclosed to the tenant.

Cursor Oy has separate Privacy Policies for access control, criminal alarm system and camera surveillance, available for viewing on request.

If you rent our premises as a private person, we will process your data on a contractual basis. If the company you represent rents premises from us, we process your data based on a legitimate interest, as unless we do so, we cannot provide good customer service or serve our customers to the extent required by the tenancy.

The personal data we collect:
We collect information necessary for invoicing, sales ledger, and possible debt collection purposes, and we link you with the premises rented by you or the company you represent.

 In addition, for the purposes of the rental business, we collect your contact information from the service requests you make and other material you provide to us.

In addition, we collect information from the access control and crime alarm system identifiers you use and we record camera surveillance footage.

Where do we get the personal data we collect?
We obtain the personal data we collect from the data subject in person, or from the company the data subject represents.

The personal information we collect will be supplemented, if necessary, by publicly available sources of information.

Which parties do we disclose information to?
The data collected is stored in information systems, which are also accessible for system vendors performing maintenance and service tasks. No actual disclosure of data is performed.

Camera surveillance recordings are stored locally in systems on our own premises.

Is data transferred outside the EU?
The data we collect will not be transferred outside the European Union or the European Economic Area.

How long do we store the data?
We process the personal data of persons in companies when we provide services and we retain this information until the end of the customer and tenancy relationship, with the exception of the following:

Information relating to invoicing, contracts and accounting will be retained in accordance with the relevant current national legislation.

Any information stored in maintenance requests will be retained until further notice. This information mainly comprises the person’s name, office or contact details.

We retain information collected on the use of access control and criminal alarm system identifiers for 30 days and data collected from camera surveillance up to 14 days, depending on the capacity of the recorder, unless there is a specific reason to retain the data longer (for example, in suspected cases of crime).

Will the data be used for personal profiling purposes?
No.


5.8 Political decision-makers and influencers in the region’s municipalities

Purpose of and legal basis for processing of personal data:
As part of the regional cooperation organised by our municipal owners, we process your data under this role.

This information is used to communicate about regional cooperation events and news.

Information about your participation in events and information for the payment of meeting fees and travel expenses will be handed over to Sarastia Oy and the City of Kotka.

The municipalities in our region buy regional cooperation from us as a service, which is why the processing of your data is in our legitimate interest. We cannot provide the service without data processing.


The personal data we collect:
At the beginning of the Council term of office, you will be asked by your municipality to give consent to the disclosure of data to us. This data comprises your name, email address and other contact information.

We collect your data about your participation in regional meetings and events (including the Regional Forum, seminars) as well as information for the payment of any travel expenses.

Where do we get the personal data we collect?
The information we collect originate from the individuals themselves and from public municipal sources of information.

Which parties do we disclose information to?

We do not disclose information to third parties. The data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks.

Non-disclosure policies have been agreed with the system vendors.

Is data transferred outside the EU?
No.

How long do we store the data?
The data will be retained for a maximum of two years after the person no longer holds a relevant position from the viewpoint of regional cooperation in decision-making.

Will the data be used for personal profiling purposes?
No.

5.9 Members of Cursor’s Board of Directors

Purpose of and legal basis for processing of personal data

As part of the work of Cursor’s Board of Directors, in line with the articles of association, we process your data under this role.

This information will be used for submitting a Trade Register notification, communication between the Board of Directors and Cursor, maintenance of the register of related parties and payment of meeting fees.

In accordance with Cursor’s shareholder agreement and articles of association, our operations include the Board of Directors, so the processing of your data is in our legitimate interest.

 Without data processing, we cannot submit a Trade Register notification, implement the cooperation between the Board of Directors and the Supervisory Board, or pay meeting fees.

The personal data we collect:
At the beginning of the Board of Directors’ term of office, you will be asked to give your consent to the disclosure of data to us. This data comprises your name, email address, other contact information and information required for the payment of meeting fees.

We collect information about your participation in Board meetings for the purpose of payment of meeting fees.

For the register of related parties, we collect information about Board members’ and their spouses’ holdings of more than 50%, board memberships and other dominant positions in organisations.

Where do we get the personal data we collect?
Information is obtained primarily from the Board members themselves.

Which parties do we disclose information to?
If necessary, the information may be disclosed to the tax authorities and the company’s auditor.

The data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks.

Non-disclosure policies have been agreed with the system vendors.

Is data transferred outside the EU?
No.

How long do we store the data?
The data will be retained after the end of your term of office as a Board member in accordance with payroll legislation.

Will the data be used for personal profiling purposes?
No.


5.10 Designated users of online services

Purpose of and legal basis for processing of personal data:
For some of our online services, a username is created for you, or you use our online service with a third-party account. In such cases, you are a designated user of the online services.

The information is used to ensure the technical functioning of the service, to organise access control and for the purpose for which the online service we provide is intended. In addition, we store various lists of the use and editing of files.

The legal basis for the data processing varies on a case-by-case basis. The online service can be used to fulfil a statutory obligation or the processing may be based on the so-called legitimate interest when we cooperate through the online services.

The personal data we collect:
We collect from you the information required for creating a username, which varies depending on the service. As a general rule, this information consists of the following: name, contact details and information about the organisation you represent.

In addition, we collect information about how you use the service and all information you enter into the service.

Where do we get the personal data we collect?
The personal data we collect originate from the users themselves and their activities on the website.

Which parties do we disclose information to?
We do not disclose information to third parties.

The data is stored in third-party system vendors’ cloud-based systems, allowing systems maintenance personnel to see the information during maintenance tasks.


Non-disclosure policies have been agreed with the system vendors.

Is data transferred outside the EU?
No.

How long do we store the data?
Usage data is maintained by our hosting service providers for the period required for technical maintenance.

Data on document editing and commenting is used throughout the lifecycle of the document.

Will the data be used for personal profiling purposes?
No