Data  Protection

Record of Processing Activities from Digia's Customer Register


1 Introduction

This is a record of activities from Digia’s customer register. In its GDPR assessment the Digia entities defined in section 1.2 are the controllers of the customer register.

For CRM and reporting purposes, the customer register data is divided between several systems, which provide views or copies of the register in question. Master data is stored in the CRM system. In addition, personal data reported to customers’ contact persons is stored in the marketing automation system, e-marketing and newsletter communications service, survey tool (e.g. customer satisfaction surveys) and webinar application.

Other systems in which the data is processed include an ERP system (invoicing contact details) and reporting system, which do not involve the processing of private individuals’ data. Data is processed also to grant customers access to Digia's learning environment.

2 Controller, contact information and the Data Protection Officer

The joint controllers are:

  • Avarea Ltd and Digia Plc with regard to Avarea Ltd customers;
  • Digia Finland Ltd and Digia Plc with regard to Digia Finland Ltd customers;
  • Digia Sweden Ab and Digia Plc with regard to Digia Sweden Ab customers;
  • Integration House Ltd and Digia Plc with regard to Integration House Ltd customers.

Digia Plc's and Digia Finland Ltd's address is Atomitie 2A, 00370 Helsinki, Finland.

The Business ID’s for the companies are:

  • Digia Plc, 0831312-4
  • Digia Finland Ltd, 1091248-4
  • Avarea Ltd, 2253723-9
  • Digia Sweden AB SE556560767701
  • Integration House Ltd, 2548426-7

Data Protection Officer: CSO Mikko Jylhä,

Controller’s representative: Ari Rikkilä,

On detected/suspected information leakage, please send a notice by email to


3 The purpose of processing personal data

The purpose for the processing of Digia’s customer register is an existing or potential customer relationship management.

4 Description of the categories of personal data and their processing

The data is used for task profiling and internal reporting related to the targeting of customer communications. Digia’s customer database includes, or its data can be used to form, the following data categories in Digia’s register:

i.    Personal basic details: first name, surname, job title, role in the company, email, phone number, company, organisation, address
ii.    Activities: meetings, telephone conversations, opening and clicking of e-mails, content downloads
iii.   Sales opportunities
iv.   Customer feedback, other feedback
v.    Filling in of web forms: contact requests, registrations for events
vi.   IP address

Digia does not process specific personal data on the customer register.

5 Description of the data recipient categories

Digia provides its partners with data from the personal data register for the collection of customer feedback.  Customer contact information (e-mail address) is required for carrying out the customer surveys.

6 Information on the transfer of personal data to outside the European Union or European Economic Area

Personal data is recorded in the EU/EEA area. Separate evaluations of data transfers are performed prior to data transfers.

The support service for the marketing automation system is located outside the EU, in the United States. The marketing automation system is Privacy Shield certified.

With regard to transfers of personal data outside the EU and the European Economic Area, Digia complies with Directive 95/46/EC of the European Parliament and of the Council and other, currently valid national and international regulations.

7 Description of the storage and deletion of personal data

Personal data is stored for the duration of an existing customer relationship. Personal data related to customer relationships is deleted after 5 years of the end of the customer relationship.

8 Description of technical and organisational security measures taken in accordance with Article 32

Personal data is processed and maintained in accordance with Digia’s quality system, the related data security guidelines and Digia’s privacy policy. Digia trains all its employees in implementing the guidelines (mandatory courses and induction), whereas the quality of actions is monitored through both internal audits, and audits performed by our software service customers.

Digia's data security and privacy policies form part of Digia’s quality system. Further information and documentation can be requested on these (data security procedures and privacy policy).

A personal username and password are required in order to use the register. Any access rights granted are personal.

9 List of Sub-Processors used for the processing of personal data

Digia uses sub-processors in the processing of personal data.

10 Reports on audits

The supervisory authority has not audited the register.

11 Rights of data subjects

1.    From the controller, the data subject has the right to request access to any personal data concerning the data subject, and to request the correction or deletion, or the limitation of the processing of such data, or to forbid its processing, and has the right to transfer the data from one system to another.  Inquiries can be sent to

Attach the following information to your inquiry:

    • data, on the basis of which you can be identified (at least the e-mail address for which you have ordered the newsletter)
    • indicate the role in which you are contacting us (= recipient of Digia's customer communications and e-mail correspondence)
    • do you want to know what data Digia is holding concerning you?
    • do you want to change or correct data that Digia has concerning you?
    • do you want to withdraw your consent to receiving Digia's customer communications?

2.    The data subject has the right to request his or her removal from the register at any time. Such a request can be sent to

3.    The data subject has the right to make a complaint to the supervisory authority (see

4.    The data subject has the right to information on the existence of automated decision-making, such as profiling, as defined in Article 22, paragraphs 1 and 4, and, in at least such cases, the relevant information on the processing logic used, as well as the implications of processing and the possible consequences for the data subject.

5.    If Digia plans to continue processing personal data for any purpose other than that for which the personal data was collected, Digia shall inform the data subject of such a purpose prior to the further processing in question, and provide all of the relevant information.