Privacy notice on the processing of our customers’ personal data
The purpose of this notice is to inform our private and corporate customers, potential customers and users of our services how we process their personal data as the controller at Datadrivers Oy when they purchase or use the Logimaster software service.
We take seriously our obligation to comply with the EU General Data Protection Regulation as well as other applicable legislation on the processing of personal data. We also ensure that processing is secure and that our data protection practices enable the full exercise of data subjects’ rights.
Please note that if you are a user of a Logimaster account administered by our corporate customer, such as an employee of our corporate customer or a driver working for them, we act as a processor for our corporate customer with respect to employee and driver data. In addition, the trainings offered in our service are organised by our training partner, in which case the relevant training organisation acts as the controller for personal data related to the trainings and we act as a processor on behalf of the training organisation. For more information on the processing of personal data in these contexts, please refer to the privacy notice of the employer and the training organisation.
Updated: 10 December 2025
Controller
Datadrivers Oy (Business ID 2866403-6)
Hallituskatu 2 A 7, FI-95400 Tornio, Finland
tietosuoja@datadrivers.fi
(hereinafter “we”)
All contacts and requests concerning this notice must be submitted in writing to the email address specified in this section.
Personal data processed, purposes of processing and legal basis
We process personal data of our corporate customers, such as contact persons at companies in the transport sector and contact persons at training organisations, as well as personal data of private customers who have registered for our service as private individuals. We process personal data of users of our services, such as natural persons employed by our corporate customer or using our service on behalf of our corporate customer, which they provide when registering, placing an order or using the service. In addition, we process professional competence and qualification data of individuals registered as private customers and of employees of our corporate customers or drivers working for them, when we retrieve such data via interfaces provided by the Finnish Transport and Communications Agency Traficom and the Centre for Occupational Safety. We also process log, communications, device and cookie data of users of our information systems. The table below specifies the personal data we process, the purposes of processing and the legal bases:
| Personal data | Purpose of processing | Legal basis |
| Basic details of contact persons of the training organisation*, such as name, contact details, company name, username and password; Details relating to the company and its contact persons* such as Business ID and the names, titles and contact details of contact persons, website address, username and password; Basic details of a private customer* such as name, date of birth or personal identity code**, username and password, employer, service language; Contact details of a private customer*, such as email address, phone number, address details; Information provided by the service user when registering for the service, placing an order or using the service, such as name, date of birth, username and password, employer, service language, contact details, email address, phone number, address details | Delivering and developing our products and services | Performance of a contract; Legitimate interest to process data for operating and developing our business |
| | Fulfilling our contractual and other commitments and obligations | Performance of a contract |
| | Invoicing | |
| | Marketing of our services (corporate customers only) | Legitimate interest to process data for operating our business and offering our services |
| | Competitions and prize draws | Consent |
| | Accounting | Our statutory obligation under the Accounting Act |
| Data retrieved via the Traficom interface: driving entitlements, driving licence categories, professional competence (CPC), validity periods | Automatic updating of qualification data in the system; disclosure of qualification data to employers and their contractual and cooperation partners to ensure compliance with statutory obligations | Consent (individual driver) |
| Data retrieved via the Centre for Occupational Safety interface: first name, last name, card number, validity period, sector information of the training, place of completion | Disclosure of qualification data to employers and their contractual and cooperation partners | Consent (individual person) |
| Direct marketing bans and consents | To comply with the customer’s wish not to receive direct marketing | Our statutory obligation to comply with a direct marketing ban |
| Customer relationship and contract information, such as information on past and current contracts and other orders, correspondence and other contacts with the customer, payment information, and information voluntarily provided by the customer in our systems | Fulfilling our contractual and other commitments and obligations | Performance of a contract |
| | Invoicing | |
| | Managing the customer relationship | Legitimate interest to manage and develop the customer relationship |
| | Accounting | Our statutory obligation |
| Training database information, such as public information on driving entitlements and driving licence categories, information on professional competence and other qualifications and their validity periods, data on Occupational Safety Card holders and qualification data of Occupational Safety Card course instructors (incl. first name, last name, card number, validity period, sector information of the training and place of completion) | Maintaining the training database and driving entitlement, driving licence and professional competence data and notifying data subjects of qualifications that are about to expire; and, where necessary, granting the data subject’s employer or potential employer access to training and qualification data about the data subject that are necessary for the employer’s operations | Legitimate interest to process data for operating our business and offering our services |
| Automatically collected log data on the user’s actions in our information systems | Preventing and investigating misuse | Legitimate interest to monitor and verify the lawfulness of user actions and data use |
| Data concerning the communications connection and device, such as IP address, device ID or other device-specific identifier, and cookie data | Targeted advertising in our online services | Consent |
| | Behavioural analysis and profiling | |
Providing the personal data marked with (*) is a prerequisite for establishing our contractual relationship and/or customer relationship. Without the necessary personal data, we cannot deliver the product and/or service.
** Processing the personal identity code is necessary for post-invoicing, debt collection and credit granting.
We process the following personal data of our potential customers:
| Personal data | Purpose of processing | Legal basis |
| Details relating to the company and its contact persons, such as Business ID and the names, titles and contact details of contact persons, website address | Marketing of our services | Legitimate interest to process data for operating our business and offering our services |
| | Delivery of newsletters | |
| | Delivery of guides and other materials | |
| Direct marketing bans and consents | To comply with the customer’s wish not to receive direct marketing | Our statutory obligation to comply with a direct marketing ban |
| Data concerning the communications connection and device, such as IP address, device ID or other device-specific identifier, and cookie data | Targeted advertising in our online services | Consent |
| | Behavioural analysis and profiling | |
Sources of personal data
Personal data are obtained primarily from the customer and during the customer relationship, for example in connection with logging into and using the services, but also from authorities, credit information companies, providers of contact information services and other similar reliable parties. Data relating to the data subject may also be recorded by trainers or by the data subject’s employer.
In addition, personal data may, within the limits of applicable legislation, be collected and updated for the purposes described in this privacy notice also from publicly available sources and from authorities or on the basis of information received from other third parties. For example, training data may be collected from the Finnish Transport and Communications Agency Traficom’s transport register. We collect data on Occupational Safety Card holders and course instructors’ qualifications via the Centre for Occupational Safety’s Occupational Safety Card interface. Data retrieved via the interfaces are based on the data subject’s consent. We store log data on all searches made via the interfaces, including the person who performed the search and a timestamp, for at least one (1) year to prevent and investigate misuse.
Transfers, disclosures and recipients of personal data
We use subcontractors who process personal data on our behalf. We have outsourced the software used for trainings (Zoom Communications, Inc.), IT administration, invoicing and customer service systems to external service providers, and personal data are stored on servers administered and protected by those providers. In addition, we disclose data to companies providing services related to credit applications or debt collection, and to authorities when required by law. We may process the data subject’s personal data within companies belonging to the same corporate group. If we sell, merge or otherwise reorganise our business, the data subject’s personal data may be disclosed to purchasers and their advisers.
Personal data may be transferred outside the EU/EEA. The training software and other systems we use may enable the service provider to access data from outside the EU/EEA, such as from the United States. When personal data are processed outside the EU or the EEA, we ensure that the transfer is based on an adequacy decision of the European Commission or that the subcontractor has committed to safeguards in accordance with the GDPR, such as the European Commission’s Standard Contractual Clauses and any necessary supplementary measures.
General description of technical and organisational safeguards
Only those of our employees who, by virtue of their duties, have the right to process customer data are authorised to use the system containing personal data. Each user has their own username and password for the system. With system suppliers and other partners processing personal data, we have signed data processing agreements under which our partners have committed to comply with the data protection and information security requirements of the GDPR.
Databases containing personal data are protected with passwords and access levels. The data are located in an environment protected by appropriate security software and technical arrangements. Documents containing customers’ personal data that are processed manually are stored in locked storage facilities.
Retention period of personal data
We regularly assess the necessity of retaining data, taking into account applicable legislation. As a rule, we retain data on our customers and other partners for the duration of the contract and for the necessary complaint or limitation period thereafter. For data in the training database, we comply with the training provider’s statutory retention period, up to six (6) years from the year in which the training or exam was completed. Data collected on the basis of consent are processed as long as the legal basis for processing exists. In connection with competitions and prize draws, data are deleted immediately after the prize draw or competition has ended. Data processed on the basis of legitimate interest are processed as long as the legal basis exists. Where the customer may object to processing, the data are deleted once the objection request has been processed and the objection accepted.
In addition, we take reasonable measures to ensure that we do not process personal data that are incompatible with the purposes of processing, outdated or inaccurate. We rectify or delete such data without undue delay.
Personal data may be retained longer than the retention periods mentioned above if necessary for a specific reason, such as suspicion of an offence and related authority investigation. After the end of the customer relationship, personal data relating to the customer’s payment transactions may also be retained longer than the above time limits in accordance with statutory retention periods under accounting legislation.
Data subject rights
| Right | When applicable |
| Access your personal data | Always |
| Request rectification of incorrect or outdated data | Always |
| Request erasure of data | When one of the conditions under Article 17 of the GDPR is met |
| Withdraw consent | When processing is based on consent |
| Object to processing | When processing is based on legitimate interest and there is a particular personal situation, or when data are processed for direct marketing |
| Request restriction of processing (e.g., for the time needed to clarify and decide requests concerning the data) | If the accuracy of the data has been contested or another condition under Article 18 of the GDPR is met |
| Data portability | If processing is based on consent or contract, processing is carried out by automated means, the transfer is technically feasible, and the data concern information provided by the customer |
| Lodge a complaint with the Data Protection Ombudsman (https://tietosuoja.fi/en/) | Always |
Note: If you have given your consent to the use of the interfaces, you may withdraw your consent at any time. After withdrawal, we will no longer automatically retrieve your data via the interfaces; however, data already retrieved will be retained in accordance with applicable retention periods.
The above requests, prohibitions and withdrawals can be made by submitting them in writing to tietosuoja@datadrivers.fi from an email address from which the sender can be reliably identified. The request must include the data subject’s name and contact details. To ensure data protection, we may ask the data subject to verify their identity.
We will respond to requests and enquiries relating to the exercise of data subject rights within one month.