Privacy statement

Datadrivers Oy is a Finnish company that aims to develop driver education software and make efficient use of training data. This Privacy Statement applies to the processing of personal data of Datadrivers’ customers and users of the services it provides, such as Webauto, Netreeni, Fleetskills.com, opetusluvalla.fi and lomakelahetys.fi. Datadrivers processes the personal and training information of customers and service users in order to fulfill the contract for the service ordered by the customer, provide a comprehensive training search for those in need of training as well as notify registrants of expiring professional licences and other qualifications.

We are committed to protecting the privacy of our customers and users of our services in accordance with applicable data protection laws. Below is a more detailed description of, e.g.:

  • our contact details
  • what kind of data we collect
  • how the data is used and what the legal basis for processing it is
  • how the services use cookies
  • how long the data is stored
  • where the data is disclosed and transferred
  • the rights of the data subjects
  • how we protect the information

Please read the contents of the Privacy Statement.

1.  Contact details

Controller: Datadrivers Oy

Address: Hallituskatu 2 A 7, 95400 Tornio

E-mail: info@kuljettajaopetus.fi

2.  Personal Data and Categories of Personal Data to be Processed

We only collect personal data that is appropriate to the purposes of the service. The collected data is sorted in detail in the next section. When we collect information, we tell you what information is a prerequisite for using the services and what information the user can provide if they wish. The information is primarily collected from the data subject themselves when they log in and use the services.

Training information can also be collected from the Traficom Transport Register. Information about the data subject can also be stored by instructors or a registered employer.

In addition to service user and training information, we process the following customer information. The information is collected from the data subjects. Exceptions are mentioned below:

  • basic information, such as first and last name, address, contact details, date of birth or social security number, position, employer, gender, native language, country of birth
  • basic information about the persons responsible for teaching, secretaries, teachers and instructors, such as their first and last name, contact information, company name and information about the use of business ID services, such as the username and password, the information collected automatically through the use of the application and its various functions as well as information provided by the user in the application
  • basic information of the employer community, such as name and contact details (address, e-mail address, telephone number) and the name and contact details of the contact person
  • training information, such as information on the training attended or enrolled by the data subject and the degrees they have completed
  • training information is also collected from the Traficom register
  • information related to the contractual relationship, such as the time of use of the service, communication and transactions related to the service and information related to invoicing and collection
  • direct marketing authorisations and bans

In addition, we collect information about the use of our services as described in the cookie clause (section 6).

The data is processed for the following purposes:

  • Implementation of Services: We use personal information to identify and log in the user, provide, maintain and protect the services, invoice and collect as well as communicate with the data subject. As part of providing the service, we may also analyse the use of the services, the training information of the data subjects, obtained either from the data subjects’ input or from the Traficom register, and the responses of the data subjects to surveys to create a learning profile for the user in order to provide a more customised service. Without the mandatory information marked with an asterisk, the services cannot be provided in accordance with the agreement. This processing is based on the performance of the contract.
  • Maintaining the Learning Database: In the learning database, we combine the learning and professional qualifications of the data subject in the same view. We may use this information to notify the data subject of expiring professional licences or other qualifications as well as provide the data subject’s employer or potential employer with access to the data subject’s learning and professional qualifications necessary for the employer’s operations. This data processing is based on a legitimate interest.
  • Marketing: We use data obtained from data subjects to market our products and services. Marketing messages can be customised using information provided by users or collected about the use of services. In this case, the processing is based on the data subject’s consent or legitimate interest. The data subject may object to the marketing or withdraw their consent at any time.
    • For marketing purposes, we create custom audiences and lookalike audiences through modelling with our selected partners. In such cooperation, we transfer our customer data encrypted to our partner, such as Meta, Google or LinkedIn, which compares the encrypted data with its own data and forms a target group to which we can target advertising on that partner’s website or utilise the data in such a way that we restrict the advertising to a target group that already uses our services
  • Product Development and Reporting: We use data to improve our services. For example, customer contacts help us understand what features are desired for our services. This processing of data is based on our legitimate interest.
  • Prevention and Investigation of Abuse: From time to time we need to use the information to prevent and investigate abuse. For example, automatically collected log information allows us to monitor and determine the actions of the information system user and the lawfulness of the use of the data in accordance with our legitimate interests. This processing of data is based on our legitimate interest.
  • Statutory Obligations: We retain correspondence regarding documents and transactions for six years from the end of the calendar year in which the financial year ends in order to comply with the Accounting Act. For example, in the above situation, the processing of personal data is based on compliance with a legal obligation.

Driver data such as driving licence and driving licence related data as well as professional qualification data such as initial and continuing learning data for lorry and bus drivers and taxi drivers, and licence data, are public data that training centres and professional transport operators need to process. It is also in the data subject’s interest that the compiled information is available to the employer or potential employer in an up-to-date manner. In so far as the processing is based on a legitimate interest, we consider that the data subject can reasonably expect the processing, taking into account the public nature of the information, the employer-employee or jobseeker relationship and the need for the professional transport company to process the data in order to fulfill its contractual and legal obligations. Processing based on a legitimate interest may be objected to as described below.

In order to provide interesting marketing messages and advertising, or to provide a customised learning experience, we carry out profiling. However, we do not make automated decisions that have legal effects on the data subject or otherwise significantly affect the data subject.

5.  Data retention period

We will retain the information for as long as is necessary to fulfill the purposes defined above in accordance with applicable law. Learning records shall be kept for six calendar years following the year in which the training or examination was completed in accordance with the Driving Licence Act and the Act on the professional qualifications of truck and bus drivers. The determination of the data retention period applies to data received from the data subjects as well as data received from other systems.

After the above period, we will truncate the information and process the name and contact information as well as individual information describing the user profile for marketing purposes as long as the data subject has not refused to receive marketing messages. If the registrant refuses the marketing and there is no other reason to process the data, we will retain information about the ban and contact information so that we can ensure compliance with the ban. The data subject may also request the deletion of their data in its entirety.

We strive to keep the personal information we hold accurate and up-to-date by deleting unnecessary information and updating outdated information. However, we encourage users of the Services to periodically check that their information is up to date by logging into the Services. The data subject can also influence the data retention period themselves through the options described below.

We comply with our legal obligations to retain information.

6.  Cookies

We may automatically collect information about the service user terminal through server logs as well as cookies and other similar technologies. A cookie is a small text file that a browser stores on a user’s device. Cookies often contain an anonymous, unique identifier that allows us to identify and count the browsers that visit our site.

Cookies do not move online by themselves, but are rather installed on the user’s terminal only with the site the user visits. Only the server that sent the cookie can later read and use the cookie. Cookies or other technologies do not damage the user’s terminal or files, and cookies cannot be used to access programs or spread malware.

We automatically collect the following information:

  • the use and browsing data of the service features
  • the page from which the user has navigated to our site
  • device model
  • browser name and version
  • IP address
  • time and duration of the session
  • the screen resolution and operating system
  • unique device or cookie tag

The so-called first-party cookies are set by the website visible in the address bar. In addition to these, our services use cookies from so-called third parties, such as measurement and monitoring service providers and social media services.

We use both session-specific and persistent cookies. Session-specific cookies expire when the user closes the browser. Persistent cookies stay on the user’s device for a fixed period of time, or until the user deletes them. The term for persistent cookies typically varies from a few months to a few years.

Cookies allow us to remember the registrant’s login information and choices, develop our services and business and investigate possible abuses. We also use cookies to statistically track the number of visitors to our services and to investigate whether marketing emails or newsletters have been opened and acted upon.

Some cookies are necessary for the functioning of our website. They enable various functionalities, such as maintaining a session. These cookies are always enabled.

In addition to the necessary cookies, we use cookies on the basis of the user’s consent for the following purposes:

  • Preferences: Preference cookies are used to store information that changes the performance and appearance of the site, such as the language preferences or the user’s location.
  • Statistics: Statistical cookies help us understand how users interact with websites by collecting and reporting information anonymously.
  • Marketing: We use marketing cookies to track visitors. The purpose is to show advertisements that are relevant and interesting to individual users.

We use Google Analytics and Google Signals, for example. Google Analytics is a web analytics service provided by Google Inc. that we use to analyse the use of our websites and to develop our websites to better serve our users. Google Signals is a feature that is part of Google Analytics and provides enhanced reporting features by using the data of users who are signed in to a Google account. Google reports the data anonymised and aggregated. Personal information, such as names or email addresses, will not be disclosed and will not be used for reporting purposes. Google Signals is enabled if the user is logged in to a Google Account and has given their consent to the use of cookies.

Our partners and the description of the cookies they set are described in more detail in the cookie choices.

The user can influence cookies as described in section 7.

7.  Data subject rights

The data subject can often influence the processing of data in different ways:

  • Checking, Correcting and Deleting Data: A data subject has the right to review personal data stored about them. At the request of the data subject, incorrect, incomplete or outdated personal data will be corrected, supplemented or deleted. However, the data shall not be deleted to the extent necessary to comply with legal obligations or to establish, lodge or defend a legal claim or to fulfill an agreement between the data subject and the controller.
  • Data Transfer: The data subject may, if they so wish, have their personal data transferred, which will be processed automatically on the basis of consent or agreement, by contacting the address mentioned in section 1 above.
  • Right to Object and Limit: The data subject may object to the marketing at any time. The data subject may also object to other processing based on a legitimate interest on the basis of their personal situation. In such a situation, the processing is limited to the time when the grounds for opposing the processing are assessed. Processing can also be restricted when the data subject contests the accuracy of the personal data, in which case the processing shall be limited to the period during which the data is verified.
  • Withdrawal of Consent: The data subject may withdraw their consent at any time by contacting the address mentioned in section 1 above.
  • Right of Appeal: The data subject has the right to lodge a complaint with the authorities if they consider that their data has been processed in breach of the applicable data protection legislation.

As described in section 4, we work with companies such as Google, Meta and LinkedIn to create target groups based on our encrypted customer data to target our advertising. With Google’s “Ads Customer Match”, Meta’s “Customer List Custom Audiences” and LinkedIn’s “Matched Audiences” services, you can primarily influence the targeting through the advertising choices of the partner in question:

With respect to automatically collected data, the user can influence the collection and processing of data in the following ways:

  • Cookie choices on the website: You can use the website’s cookie preferences to give consent, not to give consent or to withdraw your consent to the use of cookies. The options are browser-specific. You can access your selected cookies from the navigation at the bottom of the website (“Change Cookie Consent”).
  • Clearing cookies: By clearing cookies from the browser at regular intervals, the user changes the unique identifier, which resets the profile associated with the previous identifier.
  • Blocking Cookies: The user can block cookies from the browser settings. Blocking the use of cookies may affect the functionality of our services.
  • Blocking Google Analytics: The user can block access to the site’s data in Google Analytics by installing the Google Analytics Blocker Add-on. This add-on prevents Google Analytics JavaScript (ga.js, analytics.js, and dc.js) running on websites from sharing site traffic data with Google Analytics.

8.  Data disclosures and transfers

The data subject’s personal data is also processed by the company providing the training services in accordance with its own register data description or data protection clause. In addition, we may disclose information in the following ways:

  • The Authorities: We may disclose the data subject’s personal data in accordance with the requirements of the competent authorities, based on the legislation in force at the time.
  • Consent: We may disclose the data subject’s data to third parties if the data subject has given their consent.
  • Group: We may process the personal data of the data subject within companies belonging to the same group.
  • Marketing: For example, we may share encrypted customer register information with a partner who matches the information with their own identifiers and creates target groups for use in targeting advertising.
  • Mergers and Acquisitions: If we sell, merge or otherwise organise our business, the personal information of the data subject may be disclosed to buyers and their advisers.
  • Recovery and Legal Claims: We may disclose the personal data of the data subject to third parties if this is necessary for the performance of the contract, the recovery of claims, the investigation of possible breaches or the preparation, presentation or defense of a legal claim.

We use subcontractors to provide services. In this case, we guarantee through contractual arrangements that the data will be processed in accordance with the legislation in force at the time and this Privacy Statement.

Data may be transferred outside the European Union or the European Economic Area. The transfer of data complies with the requirements of data protection legislation, as required by the conclusion of the European Commission’s standard contractual clauses or certification in accordance with the Data Privacy Framework.

9.  Registry security principles

The data is kept technically secure. Physical access to the data is blocked by access control as well as other security measures. Access to information requires adequate rights as well as multi-stage authentication. Unauthorised access is also prevented, e.g. with firewalls and technical protection.

The data is backed up securely and can be restored, if necessary. The level of security is audited at regular intervals through either external or internal auditing. The data shall be accessible only to the controller and to specifically designated persons who have access to the data in order to carry out their tasks. Users are bound by professional secrecy.

10.  Changes

We reserve the right to update this Privacy Statement, for example, due to the development of services or mandatory legislation. Changes and updates are communicated in our services. We recommend that you review the content of the cookie policy regularly.

This Privacy Statement was last updated on 7 February 2024. The biggest changes were that we described our cooperation with Google, Meta and LinkedIn in more detail.