This document informs you about privacy issues such as the collection, storage, use, and disclosure of Personal Information received from users of this Site, data subjects (customers and their clients) of Ensuredly, or Quarto Compliance, which is the parent company of Ensuredly (hereinafter also: the Company).

Ensuredly acts as a Data Controller in relation to its own, direct customers, who are employees of companies or company representatives signing up for the service.

Ensuredly acts as a Data Processor when processing employee personal data, such as the employee name, email, and signature logs of completed trainings.

If you have questions or comments, you may always contact us via mail, phone, or email at: helsinki@ensuredly.com

Instructions: 

1. What is this document going to be about?

2. Specify, or mention, your roles as Data Controller (deciding the purpose and means of the data), Data Processor (acting on behalf of the Data Controller), or a Third Party (a recipient of personal data that is neither in the position of Data Controller nor Data Processor).

3. Add your company details


From our website visitors, the Company collects personal data such as:

  • Company representative name and email
  • Business or company name
  • Phone number (if provided)
  • Address/ Country
  • Purpose for contacting Ensuredly

We collect this data based on your consent, Article 6 (1) (a) of the European General Data Protection Regulation 2016/679, because you have reached out to us for information or with questions, or would like to be contacted by Ensuredly.

Regarding customers, and for the purpose of providing the service, the Company collects data such as:

  • Business name, address and country
  • Names and emails of business employees
  • Log of employee names and emails that have completed the training
  • Anonymised information from employees performing the training
  • Personal data that you process and is related to our services to you
  • Company's banking information to invoice you
  • Personal data related to your customers or clients when the need arises during the service.

This data is collected based on Ensuredly's contractual obligation to provide you with the product and services of GDPR documents, consultation and advice, which stems from Article 6 (1) (b) of the European General Data Protection Regulation 2016/679.

Marketing

Ensuredly collects the names and emails of potential customer representatives that it received via:

  • LinkedIn
  • A common professional acquaintance
  • An event we attended
  • Other professional avenues where Ensuredly has been informed you may have an interest in our services.

Where Ensuredly receives your information, we reach out to you based on the company's legitimate interest.

Where you respond to our engagement, you have provided consent to stay in touch, or remain connected for the purpose of engaging with our services in the future. Ideally, we connect on LinkedIn, so that your information can be removed from our email folders.

Where you do not engage with us within 1 year, or have expressed that you do not wish to engage with us, we remove your information from our email and servers.

Instructions on data collection:

  • What personal data do you collect?
  • On which legal basis and for what purpose do you use it?
  • Be as specific as possible:

    • Consent: data that is provided to you freely and unambiguously
    • Contract: data that is collected or processed by you based on a contract
    • Legitimate interest: data that is collected or processed by you due to a specific reason, necessary for your business interest, and in proportion to the data subject rights.
    • Legal obligation: data that you process because of a law or legal order
    • Vital interest: data that you process based on life or death matters
    • Public interest: data that is processed in the public interest, such as journalism or scientific research.

Marketing

Explain the types of marketing funnels you use, and what data is collected in this way. Do you track people? Do you create behavior profiles? Do you keep marketing prospect lists?

If you collect more, or other data, for example, video surveillance, research from your services, add it here and explain what it is that you do. 

Cookies

Ensuredly does not collect personally identifiable cookies. It does review website statistics, which are anonymous cookies, such as the number of visits and the area (such as country or continent) you visited from.

Instructions on cookies: 

When tracking people, or creating profiles based on website visits, ask for consent. For any cookie that is created or shared and that stores or collects personal information, you must ask for consent via a banner.

Anonymous cookies do not need consent, but you must inform people about these.

Note: anonymous information is no longer subject to GDPR rules; however, data can be considered anonymous when there is no longer a link with the data subject, so that the data subject cannot be re-identified.


Sub-processors

We use the following sub-processors:


Domain and Email:

MailerLite, France

Business email and productivity tools:

Google Business Suite and Microsoft, European data centres

Course forms

Jotform EU

Documentation and policies:

Slite, Belgium

We refuse to sell any personal information.

We only use authorised and vetted sub-processors that can establish data centres in the EU, and have contractual tools and documentation in place for us to prove data protection compliance.

Sub-processors:

  • You do not legally need to name all your sub-processors, but you must be able to transparently provide clarity, where personal data is processed, in which location (EU or abroad).


Securing personal data

We use appropriate technical and organisational security measures, such as, but not limited to:

  • Only using certified and registered companies for business contracts
  • Contractually committing businesses to secure personal data that is processed
  • We process personal data only - as far as possible - in the European Union, or, if there is a necessity for internal transfers, we have the appropriate transfer tools from the GDPR in place.
  • That said, we choose security over location if we can ensure the location via contractual limitations and agreements. For example, we chose Jotform and Google because designing forms ourselves is more prone to security flaws, as we teach you in our courses.  
  • We have access, user accounts, and login attempts monitored.
  • Our screens and devices have automatic lock screen after seconds of idle time.
  • We have safe and secure suggested passwords, do not use passwords more than once, and have, where possible, multi-factor authentication for employee or user identification.
  • Training users are sent a directed invitation email, which must be a company email.
  • No more personal data is stored, collected, or accessed than is necessary to provide the services.
  • We retain personal data only for legal retention reasons, such as tax- and bookkeeping in Finland, and delete or return information wherever possible to the client.


Securing personal data:

You do not need to go into detail as we did here, but you should address if you have secured personal data from unauthorised loss, modification, or access wherever possible.

These measures include, at least (but you can add any measure that works for you to reduce the risk):

  • Access controls (limit admin accounts and user accounts, as personal data is on a need-to-know basis only.)
  • Location, or transferring or storing personal data (aim for EU because other countries may not have the same or equivalent standards of data protection)
  • Retention (how long do you plan to keep data? Do you plan to return it to the customer, anonymise and archive?)

Data subject rights

Data subjects have the following data subject rights:


  • The right to be informed of data processing, and any changes, modifications, or data breaches that have a high risk to your rights and freedoms.
  • The right to request access for copies of all personal data processed
  • The right to rectify any information that you believe is inaccurate
  • The right to request 'to be forgotten' and have your personal data deleted
  • The right to object or restrict processing of your personal data
  • The right to object to automated decision-making and be assisted by a human.
  • The right to request a structured, commonly used and machine-readable format to transfer personal data to another controller or directly to you ('portability').

It may be possible that Ensuredly cannot comply with your data subject right request. Where Ensuredly is the Data Processor, it shall refer you to your Data Controller, which is your employer, without undue delay, and assist your Data Controller to the best of its abilities.

Where Ensuredly is prohibited due to reasons based on a legal obligation from a National Authority, or reasons of public interest or public health, it shall inform you whether this is the case, where possible.

Regardless, Ensuredly shall answer your request, either by execution or by notice of failure of execution due to any of the reasons above, within the legal limit of 30 business days.

Please contact helsinki@ensuredly.com to file such a claim.


Data subject rights

Mention all data subject rights, and explain if you cannot comply with them, for example, because you have anonymised the data and the data subject cannot be re-identified anymore, because you will return the request to the data controller (and assist to the best of your ability), or for any other reason that applies.

Note that for authorities, this is a very important section!

Add the contact information for data subjects to file a claim. You must respond within 30 days, which is a legal time frame.

Changes to this policy

This policy was updated in April 2024. Should you wish to report a complaint, or should you feel Ensuredly has not sufficiently addressed your concerns, you may contact the Data Protection Authorities in Finland, or in your country of residence.


Time and Authorities

Always add the last review date for updates, and the authorities with which persons can file a claim. This is also a legal requirement, so do not forget this last part.

Privacy policies should be updated at least annually.