JOINT CONTROLLERSHIP PRIVACY STATEMENT: FACEBOOK PAGES

This privacy statement applies only to the situations where Compensate Operations Oy (hereinafter referred to as “Compensate” or “we”) and Facebook Ireland Ltd (hereinafter referred to as "Facebook") act as joint controllers when you visit our Facebook page (hereinafter referred to as the "Facebook page"). The purpose and the means of processing of personal data is jointly determined by Compensate and Facebook. This results from the fact that Compensate, as the operator of the Facebook page, by setting up such a page, allows Facebook to place cookies on the computer or any other device of yours visiting the Facebook page (hereinafter “you” or "Visitor"), regardless of whether you have a Facebook account or not.

Below you will find a description of how Compensate and Facebook handle your personal data when you visit the Facebook page. We would like to point out that you use this Facebook page and its functions within your own responsibility. This applies in particular to the use of interactive functionalities (e.g., commenting, sharing, rating).

1. Joint controllers

Facebook

Facebook Ireland Ltd.

4 Grand Canal Square

Grand Canal Harbour

Dublin 2 Ireland

You can contact the data protection officer of the primary controller Facebook here .

Compensate Operations Oy

Lönnrotinkatu 7 B,

00120 Helsinki

Finland

legal@compensate.com

compensate.com 

I Processing of personal data by Facebook

Facebook processes the data according to its privacy principles and statement. You can find it here . Facebook is primarily responsible for ensuring the compliance with the applicable privacy legislation, the security measures and your privacy rights when you use the Facebook page. You can amend your privacy settings on Facebook. 

Where your interaction with the Facebook page and the content associated with it triggers the creation of an event for so called “Page Insights”. Page Insights gives us information about the performance of the Facebook page, like demographic data of our audience and how people are responding to our posts. More information about Page Insights here

Facebook assumes primary responsibility under the General Data Protection Regulation (hereinafter referred to as the “GDPR”) or other applicable privacy legislation for the processing of Page Insights data and fulfils all obligations under the GDPR with regard to the processing of Insights data (including Articles 12 and 13 GDPR, Articles 15 to 22 GDPR and Articles 32 to 34 GDPR). In addition, Facebook makes the essentials of this Page Insights supplement available to the data subjects. The corresponding "Page Insights Controller Addendum" can be found ) here ).

II Processing of personal data by Compensate

2. How we collect data

 We are active in social networks in order to communicate with interested parties and active Visitors and to inform them about our products, events and news. We mainly process the following types of data: Visitor Data and Analytics Data.

2.1 Visitor Data

We have access to your name, your public profile picture and all other public information on your Facebook profile. In practice, this is the information that is visible to others, too. You may also give additional personal data to us by commenting or by Facebook messenger.

Your Visitor Data is being used, for instance:

  • To provide you services
  • For customer communication and marketing
  • Social media campaigns and competitions
  • For quality improvement and trend analysis
  • To buy advertisements from Facebook and measure their efficiency.

We will not transfer the personal data to other services than those of Facebook without a separate consent.

2.2 Analytics Data

When you access our Facebook page, your browser transmits certain technical data to the web server for which Facebook is responsible. Facebook also uses so-called "cookies". Cookies are small text files that are stored in the memory of your device via your browser. Cookies set by Facebook are intended, among other things, to enable Compensate, as the operator of the Facebook page, to obtain statistics for the purpose of controlling the marketing of our activities, which Facebook compiles on the basis of visits to this page.

2.2.1 Facebook Page Insights

Compensate may use the Facebook Page Insights function, which Facebook makes available to us free of charge as an indispensable part of the user relationship, to obtain anonymous statistical data regarding visitors to our Facebook page. This data is collected using cookies set by Facebook, which each contain a unique user code and that are stored by Facebook on the visitor's device. The user code that can be linked to the login information of those Visitors that are registered on Facebook is collected and processed when they visit the Facebook Page.

3. How we use Analytics Data

 We use the analytics data we collect for quality improvement and trend analysis and for customer communication and marketing. 

In particular, Compensate may receive demographic information provided by Facebook about its target audience - and thus the processing of that information - including trends in age, gender, relationship status and professional situation, information about the lifestyle and interests of its target audience, and information about the purchases and online purchasing behaviour of visitors to its site, the categories of goods or services that interest them most, and geographic information that informs it of where to conduct special promotions or organize events and generally enables it to target its information offering as effectively as possible.

Although the Visitor statistics compiled by Facebook are transmitted exclusively in anonymous form to Compensate as the operator of the Facebook page, the compilation of these statistics is based on the previous survey - using cookies set by Facebook on the Visitor's device - and the processing of the personal data of these visitors for these statistical purposes. More information about Facebook Page Insights can be found here and here .

It also provides information about the Facebook groups associated with our Facebook page. 

We use this aggregated information to make our contributions and activities on our Facebook page more attractive to Visitors. For example, we use the age and gender distributions for an adaptive customer approach and the preferred visiting times of the Visitors to optimize the planning and timing of our postings. Information about the type of devices used by visitors helps us to adapt the contributions optically and creatively. In accordance with Facebook's terms of use, which each user has agreed to when creating a Facebook profile, we may identify subscribers and fans of the site and view their profiles and other shared information from them.

The reason for the use of the Visitor Data and Analytics Data is mostly our legitimate interest to run, maintain and develop our operations and to create and maintain customer and other business relationships. When choosing to use your data on the basis of our legitimate interests, we weigh our own interests against your right to privacy and e.g., provide you with easy to use opt-out from our marketing communications and use pseudonymized or non-personally identifiable data when possible.

We may also process your personal data when you have consented us to do so or to fulfill our contractual obligations or in order to comply with our legal obligations. 

5. How we may share your personal data?

 We only share your personal data within our organization if and as far as reasonably necessary for the purposes of this Privacy Statement. Most of the data we share is anonymized and aggregated data for data analysis purposes. For example, we might analyze the views of different websites. 

We do not share your personal data with third parties outside of our organization unless one of the following circumstances applies:

For the purposes set out in this Privacy Statement and to authorized service providers

To the extent that third parties need access to the Visitor Data for us to provide the Services, we provide such third parties with your data. Furthermore, we may provide your personal data to our affiliates or to authorized service providers who perform services for us (including, for instance, data storage, accounting, payment, sales, and marketing service providers).

When your personal data is processed by third parties as data processors on behalf of Compensate, Compensate has taken the appropriate contractual and organizational measures to ensure that your data are processed exclusively for the purposes specified in this Privacy Statement and in accordance with all applicable laws and regulations and subject to our instructions and appropriate obligations of confidentiality and security measures.

Please bear in mind that if you provide personal data directly to a third party, such as through a link somewhere on our website, the processing is typically based on their policies and standards.

For legal reasons and legal processes

We may share your personal data with third parties outside our organization if we have a good-faith belief that access to and use of the personal data is reasonably necessary to: (I) meet any applicable law, regulation, and/or court order; (ii) detect, prevent, or otherwise address fraud, crime, security or technical issues; and/or (iii) protect the interests, properties or safety of Compensate, the Visitors or the public as far as in accordance with the law. When possible, we will inform you about such processing.

For other legitimate reasons

If Compensate is involved in a merger, acquisition or asset sale, we may transfer your personal data to the third party involved. However, we will continue to ensure the confidentiality of all personal data. We will give notice to all the Visitors concerned when the personal data are transferred or become subject to a different privacy statement. 

With your explicit consent

We may share your personal data with third parties outside Compensate when we have your explicit consent to do so. You have the right to withdraw this consent at all times. 

6. Transfer to countries outside the European Economic Area (EEA)

We use service providers in several geographical locations. As such, we and our service providers may transfer your personal data to, or access it in, jurisdictions outside the EEA and your domicile. 

We will take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which they are processed. We provide adequate protection for the transfers of personal data to countries outside of the EEA through a series of agreements with our service providers based on the  Standard Contractual Clauses or through other appropriate safeguards. 

7. How long we will store your data

Compensate does not store your personal data longer than is legally permitted and necessary for the purposes of this Privacy Statement. The storage period depends on the nature of the information and the purposes of the processing. The maximum period may, therefore, vary per use. When the processing of your personal data is no longer necessary for the purposes they were collected, we will delete or anonymize the personal data relating to you in a secure manner. 

In relation to the data Facebook processes, see the privacy policy here . For personal data collected with cookies, see the cookie policy of Facebook here .

8. Your rights

 Facebook and we have agreed that Facebook is responsible for providing you with information about the processing for Page Insights and for enabling you to exercise your rights under the GDPR. Under the GDPR, you have the right to access , rectify, port , delete and object to and restrict processing of your data. Learn more about these rights in your Facebook settings . You can also contact the data protection officer of Facebook whose contact details can be found in Facebook’s Data Policy or on this Privacy Statement. 

Your privacy rights are important to you. In relation to the data Compensate processes under this privacy statement, you have

right to access

right to withdraw consent

right to rectify

right to erasure

right to object

right to restriction of processing

right to data portability.

All the rights are outlined more in detail in Section 8 of our general privacy policy.

Please note that, as stated above, Compensate may not be able to provide you with all the information under this privacy statement because we are jointly responsible for processing your personal data. 

How to use your rights

The aforementioned rights may be used by sending a letter or an e-mail to Facebook or to us on the addresses set out above, including the following information: full name, address, and e-mail address. We may request the provision of additional information necessary to confirm your identity. We may reject requests that are unreasonably repetitive, excessive or manifestly unfounded. 

In case you consider our processing of personal data to be inconsistent with the applicable data protection laws, a complaint may be lodged with the local supervisory authority for data protection. Facebook and Compensate have agreed that the Irish Data Protection Commission is the lead supervisory authority responsible for overseeing the processing for Page Insights. You always have the right to lodge a complaint with the Irish Data Protection Commission (please see at www.dataprotection.ie ) or with any other supervisory authority.

In Finland, the local supervisory authority is the Data Protection Ombudsman ( www.tietosuoja.fi ).

9. Direct Marketing

 You have the right to prohibit us from using your personal data for direct marketing purposes, market research and profiling made for direct marketing purposes by contacting us on the addresses indicated above or by using the unsubscribe possibility offered in connection with any direct marketing messages. You can prohibit Facebook from using your data for advertisements on your profile settings.  

10. Information security

 We use administrative, organizational, technical, and physical safeguards to protect the personal data we collect and process. Measures include for example, where appropriate, encryption, pseudonymization, firewalls, secure facilities, and access right systems. Our security controls are designed to maintain an appropriate level of data confidentiality, integrity, availability, resilience and ability to restore the data. We regularly test our systems, and other assets for security vulnerabilities.

Should despite the security measures, a security breach occurs that is likely to have negative effects on your privacy, we will inform you and other affected parties, as well as relevant authorities when required by applicable data protection laws, about the breach as soon as possible.

More information on how we process your data please visit our General Privacy Statement.

Date 14.12.2020