We process customer and tenant information to create, manage, develop, and maintain customer and tenant relationships, safety-related matters and communication regarding these, provide services, customer and tenant communication, send newsletters, organize events, evaluate customer experience, compile statistics, identify customer and tenant users, user management, troubleshooting of electronic services, payments and their verification, develop business and customer service, handle complaints and claims, defend against legal claims, and for accounting and other legal obligations. Furthermore, personal data is used for direct marketing by the controller and its group companies (including electronic newsletters), targeting and profiling of online advertising, as well as for the design and development of the controller’s products and services.
We process information about customers and tenants to fulfill our legitimate interests arising from the contract and cooperative relationship we have with the company the person represents. In certain cases, we may also process personal data of representatives of our potential customers with whom we have not yet entered into an agreement or established a customer relationship, or with whom we have previously had an agreement or customer relationship. The processing of said data is based on our legitimate interest to explore and understand potential customers, to communicate with them, and to develop our customer and market intelligence. Based on our legitimate interest and, if required, consent, we may use personal data for marketing, direct marketing, inquiries, market research, and other addressed mailings.
Customers and tenants of commercial premises:
Residential tenants:
Our regular sources of information are the details provided during preparation and the conclusion of the contract, as well as during the customer and lease relationship.
We collect information for our register directly from our customers and tenants or their representatives, from lease agreements, and the Citycon Portal. Information may be collected, for example, when you participate in campaigns and events organized by us.
We update your information based on your communications and developments during the relationship. Information may also be provided by a third party, in which case we strive to ensure the validity of the information.
We may check the validity of personal data regarding our residential tenants from the population register in connection with entering into a lease agreement. From the same register, we can also verify residency information for our apartments. We may collect and update your personal data based on information obtained from our partners, as well as authorities and companies providing personal data services.
We may collect and update credit and payment information as well as sanction lists from Suomen Asiakastieto Oy or equivalent companies that provide information on companies and creditworthiness.
Information collected for the user management of our data systems, such as the Citycon Portal, is obtained from you or a representative of your company, and our employees create and manage the login information. Logging information is automatically saved in connection with the use of the data system.
We may disclose customer data within the Citycon Group companies and, where we have a legal obligation to do so, to authorities.
We may also transfer data to our service providers, who process the data on our behalf and in accordance with our instructions (for example, to manage and develop the customer relationship or services, leasing, divestment of apartments or commercial premises, property management services, construction and repairs and their supervision, safety-related matters and communication regarding these, supplementary customer information, debt collection, and the development and maintenance of data systems and data security).
When Citycon divests an asset, information regarding existing lease agreements may be transferred to the buyer of the asset.
Personal data may be transferred outside the EU/EEA in accordance with applicable data protection laws and regulations and within the limitations set out in said laws and regulations.
When personal data is transferred outside the EU/EEA to a country that does not guarantee an adequate level of data protection, we will use appropriate safeguards, such as the EU Commission’s standard contractual clauses, and if necessary, apply additional security measures in accordance with applicable laws and regulations on data privacy.
We retain customer data throughout the customer relationship. After the customer relationship has ended, we retain the data for as long as the personal data is necessary for Citycon’s genuine needs and the legal and regulatory requirements Citycon is subject to, or in the absence of applicable regulatory requirements, for a maximum of 24 months.
We retain customer data regarding potential customers and tenants for as long as the personal data is necessary for Citycon’s genuine needs and the legal and regulatory requirements Citycon is subject to, or in the absence of applicable regulatory requirements, for a maximum of 24 months.