Privacy Policy

Customer and User Register of Secto Automotive Oy

1. General

This privacy policy describes how Secto Automotive Oy ("Secto" or "data controller") processes personal data. The privacy policy applies to our website, marketing, and customer relationship management, as well as the processing of personal data related to the products and services we offer. This privacy policy also applies to the processing of personal data that occurs through surveillance cameras installed in Secto's premises. Our premises may have surveillance cameras that can automatically capture and record images/videos of you when you visit our premises. Such recordings may contain your personal data if we can identify you through these images or videos. The surveillance cameras are positioned so that they do not capture public areas surrounding our premises. We do not use automatic facial recognition or similar technologies to identify individuals based on biometric data processing.

We comply with applicable data protection legislation in all personal data processing. Data protection legislation refers to the current data protection legislation, such as the General Data Protection Regulation (2016/679) of the European Union and the Finnish Data Protection Act (5.12.2018/1050). The data protection concepts not defined in this privacy policy are interpreted in accordance with data protection legislation.

Our services and website may contain links to external websites and services operated by other organizations. This privacy policy does not apply to their use, so we encourage you to review their respective privacy policies separately.

"Personal data" refers to all information related to natural persons ("data subjects") that can directly or indirectly identify the person, as defined in the General Data Protection Regulation.

2. Data Controller and Data Protection Officer

Data Controller: Secto Automotive Oy

Business ID: FI2113572-1

Address: Näsintie 27, 06100 Porvoo FINLAND

Email address: tietosuoja@secto.fi

Data Protection Officer's contact information:

Noora Floor-Berg

Phone: +358 40 54 64 164

3. Purposes and legal bases for processing personal data

The purposes for processing personal data are:

  • Delivering products and services, making customer agreements, and handling orders (contractual relationship or its preparation, legitimate interest)

  • Customer service and communication, as well as customer satisfaction surveys (legitimate interest, consent, contractual relationship)

  • Billing, credit decisions, and debt collection (legitimate interest)

  • Marketing, including market research, other marketing promotion and analysis, and producing statistics and measuring marketing effectiveness (legitimate interest)

  • Direct marketing, including electronic direct marketing and telemarketing, as well as planning and measuring the effectiveness of advertising and marketing, and combining and updating personal data for direct marketing purposes (legitimate interest, consent)

  • Managing stakeholder relationships, as well as cooperation with subcontractors and service providers (legitimate interest, contractual relationship or its preparation)

  • Improving the user experience of our website and other services and monitoring user traffic (consent)

  • Developing the AI tools we use (legitimate interest)

  • Fulfilling legal obligations (e.g., accounting and tax-related actions) and reporting obligations (compliance with legal obligations)

  • Internal and group-level reporting and other administrative measures (legitimate interest, compliance with legal obligations)

  • Handling warranty and defect liability issues, as well as complaints and legal and administrative proceedings (compliance with legal obligations)

  • Complying with and managing the Know Your Customer (KYC) process (compliance with legal obligations)

  • Preventing and investigating misuse, as well as ensuring the security of data, individuals, and property (legitimate interest, compliance with legal obligations)

The legal basis for processing personal data for delivering our products and services, making customer agreements, and handling orders and related obligations is a contractual relationship or its preparation.

The legal basis for processing personal data may also be the legitimate interests of the data controller or a third party. Managing customer relationships, customer communication, and processing personal data related to reporting, complaints, and legal processes are based on legitimate interest. Secto may also use personal data for developing its AI tools based on legitimate interest. In all processing based on legitimate interest, Secto ensures that the processing is proportionate to the data subject's interests and that the data is processed for purposes that align with the data subject's reasonable expectations. We provide additional information on processing personal data based on legitimate interest upon request.

The legal basis for processing personal data related to surveillance cameras is legitimate interest. The processing is necessary to protect property from theft, unauthorized access to information, or other activities intended to cause harm, as well as to prevent and investigate crimes.

The implementation of certain marketing activities, such as electronic marketing directed at individual customers, is based on the explicit consent of new customers. It is possible to send electronic direct marketing to previous customers based on legitimate interest when the marketing concerns direct marketing of products or services belonging to the same product category.

When we process personal data to comply with legal requirements or fulfill certain reporting obligations, the legal basis for processing is primarily compliance with legal obligations. For example, processing personal data for the KYC process is based on legal obligations.

4. Automated decision-making, profiling, and use of AI

The processing of personal data does not include automated decision-making or profiling.

Secto utilizes AI in its operations. Information processed using AI is not disclosed to AI service providers for their own purposes. More detailed information on the use of AI is available in the AI statement.

5. Processed personal data and data sources

Attached is a table presenting the different data categories for Secto's services, along with examples of the type of data content included in each category.

We collect personal data directly from the data subject, for example, during transactions, or when the data subject purchases or orders our products or services either themselves or on behalf of the organization they represent, or during registration, when the data subject visits our website or other electronic services, uses our electronic services (e.g., Driver Assistant service), subscribes to our newsletter, responds to a customer satisfaction survey, or otherwise contacts us. We also receive personal data from other external sources, such as private register services (e.g. Dun&Bradstreet) and registers maintained by authorities.

6. Retention of personal data

We retain personal data for as long as necessary to fulfill the purposes defined in this privacy policy and always for the period required by law (e.g., responsibilities and obligations related to accounting or reporting), or for the purpose of resolving legal or similar disputes. After the purpose of use has ended, personal data will be deleted or anonymized within a reasonable time. We do not retain outdated or unnecessary information. We strive to ensure that your personal data is up to date and accurate.

Image and video recordings are generally retained for 3 days to 24 months, depending on the purpose of processing and the location of the premises in question. Due to situations that endanger property or security, we may retain camera and video recordings for a longer period if necessary to prepare, present, or defend a legal claim.

We provide additional information on personal data retention practices upon request.

7. Recipients of personal data

Personal data may be disclosed between companies belonging to the same group as the data controller in accordance with the requirements of data protection legislation for the purposes described in this privacy policy.

Various service providers and other third parties, such as providers of technical solutions, security services, or server space, or providers of accounting and financial management services, may also be used in the processing of personal data. Group companies may also process personal data on behalf of another group company. We ensure that we have agreements with the parties we use for personal data processing as required by data protection legislation.

Personal data may be disclosed to third parties in situations required by law or authorities, or to investigate misuse and ensure security. Personal data may also be disclosed to insurance companies. Additionally, personal data may need to be disclosed in connection with legal proceedings or similar legal processes. In connection with the sale of vehicles, information about the vehicle's maintenance history may be disclosed to the buyer.

Personal data may also be disclosed with the data subject's consent in cases of parking violations or similar situations to pay parking fines to the entity responsible for parking enforcement.

If the data controller or a company belonging to the same group is involved in a merger, business acquisition, or other corporate arrangement, personal data may be disclosed to the parties involved in the arrangement or to parties assisting in the arrangement.

Secto may disclose information collected for customer identification purposes (so-called KYC information) to the financing company for the purpose of making a financing decision. The data controller also acts as a processor on behalf of financing companies in certain situations. In these cases, the data protection practices of the financing companies apply to the processing of personal data.

Personal data may also be disclosed to car manufacturers and importers. In such cases, the disclosure of personal data occurs between two data controllers and is based on legitimate interest. In these cases, the car manufacturer or importer is an independent data controller for the information they receive and is responsible for their own personal data processing. In such cases, the data protection practices of the car manufacturer or importer apply to the processing of personal data. Similarly, necessary personal data about the vehicle holder may be disclosed to the car dealership delivering the vehicle for registration purposes. In such cases, the disclosure is based on a legal obligation.

We provide additional information on the recipients of personal data upon request.

8. Transfer of personal data outside the European Economic Area

We do not transfer personal data outside the EU/EEA area.

9. Protection of personal data

Data security and the protection of personal data are a priority for us. We use appropriate technical and organizational safeguards to protect personal data. The data is stored on servers and systems that are protected by firewalls, passwords, and other technical means. Access to personal data is granted only if it is necessary for data processing. The parties processing personal data are bound by confidentiality obligations regarding matters related to personal data processing.

10. Rights of data subjects

Data subjects have rights to their personal data in accordance with data protection legislation. The application of rights in each individual situation depends on the purpose and situation of the personal data processing.

  • Right to access personal data. The data subject has the right to obtain confirmation of whether their personal data is being processed and other information required by data protection legislation about the processing of personal data. The data subject has the right to receive a copy of their personal data.

  • Right to rectification of personal data. The data subject has the right, with certain limitations, to request the correction or deletion of incorrect or inaccurate information.

  • Right to erasure of personal data. The data subject has the right, in accordance with the requirements of data protection legislation, to request the deletion of their personal data. Upon request, we will delete personal data unless the law or another applicable exception under data protection legislation requires us to retain the personal data.

  • Right to restrict processing. The data subject has the right, in accordance with the requirements of data protection legislation, to request the restriction of personal data processing in certain situations.

  • Right to data transferring. The data subject has the right to request the transfer of their personal data to another data controller. The right to data transferring generally applies to personal data that the data subject has provided to the data controller in a structured and machine-readable format, and the processing of which is based on the data subject's consent or contract, and/or the processing is carried out automatically.

  • Right to object to processing. The data subject has the right, in accordance with the requirements of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if the processing is necessary for the compelling and legitimate interests of the data controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and related profiling.

  • Right to withdraw consent. If the processing of personal data is based on the data subject's consent, the data subject has the right to withdraw their consent to the processing of their personal data. The withdrawal of consent does not affect the processing carried out before the withdrawal.

11. Exercising rights

We hope that you will contact us if you have any questions regarding the processing of your personal data. You can send a request regarding the rights of the data subject by letter or email using the contact details mentioned in this privacy policy. The identity of the requester will be verified before processing the request. The request will be responded to within a reasonable time and, in principle, within one month from the submission of the request and verification of identity. If the request cannot be granted, you will be notified of the refusal separately.

12. Right to file a complaint with the supervisory authority

The data subject has the right to file a complaint with the competent data protection authority if the data subject believes that their personal data has been processed in violation of data protection legislation. You can find the contact details of the Finnish data protection authority here.

13. Changes to the privacy policy

This privacy policy may need to be changed from time to time. Changes may also be based on changes in data protection legislation. We encourage you to regularly check the privacy policy for any changes. The latest version is available on our website.

This privacy policy was published on March 14, 2025.