Description of data protection at Digita
Ensuring effective data protection measures are in place is an important aspect of Digita Ltd’s (“Digita”) operating principles. This description of Digita’s data protection explains how we ensure that personal data is processed in accordance with legislation in our operations and that our data protection is at a high level.
Digita processes the data of customers, employees, and other stakeholders.
Our data protection practices are based on current European and Finnish legislation concerning personal data and data protection, as well as any current guidelines and recommendations issued by data protection authorities. Privacy policies that describe data security functions in more detail are applied to supplement this general data protection policy. These policies can be found by clicking on the following links.
Digita’s goal is to bring the types of services available online to the big screen – to people’s television receivers. This means expanded content offerings, content targeting and interactive services. To develop services like this and features for them, Digita has developed the Hybrid TV service platform, which is automatically enabled on television receivers when they are tuned to channels that use Hybrid TV. Data protection is important to us and it has been a major consideration in the implementation of Hybrid TV.
Read more about Hybrid TV data protection »
Data protection on Pay-TV
Effective data processing
When we process personal data as the data controller, we ensure that general data protection principles, such as requirements concerning due care, purpose limitation, necessity, accuracy and legality are applied appropriately. We pay particular attention to restriction of access to personal data and ensuring personal data is protected and kept confidential as required.
In our operations, personal data is protected from loss, unauthorised processing and use, destruction, alteration and unauthorised disclosure using the appropriate technical, physical and organisational security measures. To ensure data is protected, we employ appropriate technical and administrative security measures that are proportionate to the probability and seriousness of possible damage and threats and the sensitivity of the data. The systems used to process personal data, regardless of whether they are managed by Digita or provided as a service by a partner, are protected against data system break-ins with sufficient and up-to-date technical data security solutions. Only Digita personnel whose duties require them to do so are permitted to access the system components and/or files that contain personal data. Each user is issued a personal unique user ID and password. Access to workspaces is monitored using passes and, in some facilities, video surveillance.
Responsibilities and organisation
Each of Digita’s business units is responsible for the implementation of data security. A data protection professional who manages and develops the implementation of data protection and whose role includes assisting business units in data protection matters is employed under Digita’s legal management.
Each business unit is also responsible for data protection when outsourcing data processing and ensures that the chosen partner observes Digita’s data security requirements. When outsourcing processing of personal data, a written agreement is drawn up that specifies the duties and responsibilities of the parties.
Data lifecycle, use and disclosure
The processing of personal data is based on the consent of the data subject or another basis defined by law. Personal data is only processed for justified purposes and to the extent and for the duration necessitated by said purposes. The accuracy of the data used is verified wherever possible, and data is only updated through communication with the data subject or reference to another reliable source. When data is no longer necessary for its purpose, it is either erased after the expiration of the storage period or anonymised and archived appropriately.
Data is used for the purposes described upon its collection within the limits of current legislation. Data is only disclosed on a justified basis or a basis described by law. Digita uses subcontractors in its operations and ensures that the processing of personal data has been agreed upon in writing with them. Data is not transferred outside the EU/EEA unless it is essential for business purposes, in which case we will draw up and sign an agreement in accordance with the Standard Contractual Clauses approved by the European Commission.
Data security breaches
Digita takes data security breaches very seriously. Any data security breaches must be reported immediately to the Legal and Regulation unit, and the compromised personal data must be reported internally to the responsible data controller. Affected data subjects will be notified of any breaches without delay.
Rights of the data subject
We guarantee data subjects all rights afforded by the law.
The data subject has the right to withdraw their consent for the processing and disclosure of their personal data, the right to demand the rectification of inaccurate/incomplete data and the right to request the erasure of their data. However, there are exceptions to the right to erasure of data. We may refuse to erase data if its processing or storage is necessary for the purposes of meeting legal obligations, verifying contractual obligations, performing functions that are essential to a customer relationship or other corresponding justifying functions. We will, however, erase the data without delay once the period determined by the purpose has expired and, where possible, we will pseudonymise the data during the storage period.
If we refuse to undertake measures corresponding with the data subject’s demand, we will notify the data subject of the legal basis for said refusal without delay and no later than a month after receipt of the demand. We take all matters related to data security extremely seriously. If the data subject feels that their rights have been violated, they can submit the matter to the Data Protection Ombudsman. We will provide the contact details of the Office of the Data Protection Ombudsman in our response.
If we detect a data security breach, we will inform all affected data subject without undue delay.