CRS Laboratories Oy
Updated 22 October 2025
- Data Controller
CRS Laboratories Oy
Address: Takatie 6, 90440 Kempele, Finland
Business ID: 0971958-0
- Contact Persons Regarding the Customer Register
Daniela Vesterbacka
daniela.vesterbacka@crs.fi
+358447499711
- Name of the Register
Customer Register
- Legal Basis and Purpose of Processing Personal Data
We process personal data based on the data subject’s consent, contractual obligations, and the legitimate interests of the data controller. These legitimate interests include maintaining customer relationships, conducting research and statistics, and supporting the marketing and sales of our services and products.
The customer register may be used for the following purposes:
- Managing customer relationships and communications
- Administering customer and cooperation agreements
- Handling financial administration tasks such as invoicing and payment management
- Marketing and sales of services and products
- Collecting customer feedback
- Conducting surveys
- Using customer and user data for the development of services and business processes
Personal data in the register will not be used for automated decision-making or profiling.
- Data Content of the Register
The register may include the following data:
- Name of the individual
- Contact details (phone number, email address)
- Company/organization represented by the individual, and their role in the company/organization
- Company/organization website, invoicing details, contract information
- Details of ordered services and any changes and updates made to them
- Other information related to the customer relationship and ordered services
- Sources of Data
Customer data may be collected in the following ways:
- Email, telephone, communications via social media channels
- Contracts
- Customer meetings
- Public sources such as company websites and directory services
- Analytics collected from the company’s website and social media channels
- Forms completed by the customer
- Other situations where the customer knowingly provides their information
- Disclosure and Transfer of Data Outside the EU or EEA
We use subcontractors to provide certain services. Personal data may be transferred to subcontractors when necessary to deliver the service or product ordered. This applies to analyses purchased from MSALabs as a subcontractor.
Products and services ordered from MSALabs may require the transfer of customer data outside the EU and EEA. In such cases, the following data may be transferred:
- Name of the individual
- Contact details (phone number, email address)
- Company/organization represented by the individual, their role in the company/organization
- Company/organization website, invoicing details, contract information
- Details of ordered services and any changes and updates made to them
- Other information related to the customer relationship and ordered services
All data transfers and encryption are carried out in compliance with the General Data Protection Regulation (GDPR), the Finnish Data Protection Act, and other applicable legislation, by both the data controller and the subcontractor.
- Data Retention
Personal data will be retained for as long as necessary to fulfill the purposes described in this Privacy Policy, to comply with legal obligations, to resolve disputes, and to enforce contracts.
- Rights of the Data Subject
Data subjects have the right to:
- Access and review the personal data stored about them
- Request the correction of their information, or completion of incomplete information
- Request the erasure of their personal data where there are no legal grounds for its retention
- Restrict the processing of their personal data in certain circumstances, as stated in the GDPR
- Withdraw their consent to the processing of personal data
- Lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data
Requests related to the processing or erasure of personal data must be submitted in writing to the data controller (see contact details in section “2. Contact Persons Regarding the Customer Register”). The data controller may, for justified reasons, request verification of the requester’s identity.
All requests will be handled within the timeframe set by the GDPR, i.e. within one month. Personal data will be provided in a machine-readable format that enables the individual’s right to data portability.
