Privacy notice on the processing of our customers’ personal data
The purpose of this privacy notice is to inform our private and corporate customers, as well as potential customers, about how we process their personal data at CAP-Group Oy in connection with our CAP Driving School and CAP Pro Academy professional driver training and education activities. We take compliance with the EU General Data Protection Regulation (GDPR) and other applicable data protection legislation seriously when processing personal data. We also ensure that data processing is secure and that our data protection practices enable the full exercise of data subjects’ rights.
Updated: 18.11.2025
Data controller
CAP-Group Oy (0841716-9)
Ilmalantori 4, 00240 Helsinki
050 913 0300
tietosuoja@cap.fi
(hereinafter “we”)
All enquiries and requests relating to this notice must be submitted in writing to the email address specified above.
Privacy notice on the processing of our customers’ personal data
We process the personal data of our private customers in driving school and driver training services, such as driving school students, driver trainees, learners under an instruction permit, and participants in other courses offered. We process the personal data of a learner’s/participant’s guardian when the learner/participant is a minor, as well as the personal data of the payer when the payer is someone other than the learner/participant or guardian. In addition, we process the personal data of contact persons of our corporate customers.
The table below describes the categories of personal data processed, the purposes of processing and the legal bases.
| Personal data | Purposes of processing | Legal basis |
|---|---|---|
| Basic details of the data subject* such as name, personal identity code**, username and password; Contact details of the data subject* such as email address, phone number and address; Company and company contact person details* such as business ID, names, titles, contact details and website address | Delivery and development of our products and services | Performance of a contract; Our legitimate interest to process data for conducting and developing our business |
| | Fulfilment of contractual and other commitments and obligations | Performance of a contract |
| | Invoicing | Performance of a contract |
| | Marketing of our services | Our legitimate interest to process data for conducting and developing our business |
| | Delivery of newsletters | Our legitimate interest to process data for conducting and developing our business |
| | Delivery of guides and other materials | Our legitimate interest to process data for conducting and developing our business |
| | Competitions and prize draws | Consent |
| | Accounting | Our statutory obligation under the Accounting Act |
| Direct marketing prohibitions and consents | To comply with the customer’s wish not to receive direct marketing | Our statutory obligation to comply with a direct marketing prohibition |
| Customer relationship and contract-related data such as information on past and current driving instruction and driver training contracts as well as other course and training contracts, data related to the implementation of contractual services, teaching and examination data, including a learning profile based on service use and survey responses, correspondence and other communications with the customer, payment data, data voluntarily provided by the customer in our systems | Fulfilment of our contractual and other promises and obligations | Performance of a contract |
| | Provision of tailored instruction to the customer | Performance of a contract |
| | Invoicing | Performance of a contract |
| | Customer relationship management | Our legitimate interest to manage and develop the customer relationship; Our legitimate interest in developing our services |
| | Marketing of our services | Our legitimate interest to manage and develop the customer relationship; Our legitimate interest in developing our services |
| | Delivery and development of our products and services | Our legitimate interest to manage and develop the customer relationship; Our legitimate interest in developing our services |
| | Accounting | Our statutory obligation under the Accounting Act |
| Student, training and examination data related to driving school, driver and professional competence training | Statutory student records | Our statutory obligation under the Driving Licence Act |
| Automatically collected log data on user actions in our information systems | Prevention and investigation of misuse | Our legitimate interest to monitor and investigate the lawfulness of system use and data use |
| Medical certificate | Crediting an invoice arising from failure to cancel agreed driving instruction or late cancellation | Consent |
| | Provision of driving fitness related services | Consent |
| Customer’s communications connection and terminal device data such as IP address, device ID or other device-specific identifier and cookie data | Targeting advertising in our online services | Consent |
| | Behaviour analysis and profiling | Consent |
Data marked with an asterisk (*) is a prerequisite for the creation of our contractual and/or customer relationship. Without the required personal data, we cannot deliver the product and/or service.
** Processing of the personal identity code is necessary for arranging driving and professional driver instruction, post-invoicing, debt collection and credit granting, and when the payer is a person other than the student/participant, such as the guardian of a minor student.
We process the following personal data of our potential customers:
| Personal data | Purpose of processing | Legal basis |
|---|---|---|
| Company and company contact person details such as business ID and the names, titles and contact details of contact persons, website address | Marketing of our services | Our legitimate interest to process data for conducting our business and providing our services |
| | Delivery of newsletters | Our legitimate interest to process data for conducting our business and providing our services |
| | Delivery of guides and other materials | Our legitimate interest to process data for conducting our business and providing our services |
| Direct marketing prohibitions and consents | To comply with the customer’s wish not to receive direct marketing | Our statutory obligation to comply with a direct marketing prohibition |
| Customer’s communications connection and terminal device data such as IP address, device ID or other device-specific identifier and cookie data | Targeting advertising in our online services | Consent |
| | Behaviour analysis and profiling | Consent |
Data sources
Personal data is primarily obtained from the customer themselves and during the customer relationship, such as in connection with the use of services, but also from authorities, credit reference agencies, contact information service providers and other comparable reliable parties.
In addition, personal data may be collected and updated for the purposes described in this privacy notice also from publicly available sources and on the basis of data received from authorities or other third parties within the limits of applicable legislation.
Transfers, disclosures and recipients of personal data
We use subcontractors acting on our behalf in the processing of personal data. We have outsourced IT management, invoicing and customer service systems to external service providers, on whose managed and secured servers personal data is stored. In addition, we disclose data to companies providing credit application or debt collection services and to authorities when required by legislation, such as the police and the Finnish Transport and Communications Agency Traficom and its contractual partner Ajovarma Oy. We may disclose the data subject’s data to third parties, such as the data subject’s employer or insurance company, if the data subject has given separate consent for this purpose at our request. We may process the data subject’s personal data within companies belonging to the same group. If we sell, merge or otherwise reorganise our business, personal data may be disclosed to purchasers and their advisors.
Personal data is generally not transferred outside the EU or EEA. However, the IT management systems we use may allow the service provider access to data from outside the EU/EEA, such as the United States. When personal data is processed outside the EU or EEA, we ensure that the transfer is based on an adequacy decision of the European Commission or that the subcontractor has committed to safeguards in accordance with the General Data Protection Regulation, such as the European Commission’s standard contractual clauses for the processing of personal data and necessary supplementary safeguards.
General description of technical and organisational security measures
Only those of our employees who are entitled to process customer data by virtue of their work are authorised to use systems containing personal data. Each user has their own username and password for the system. We have signed personal data processing agreements with system suppliers and other partners processing personal data, in which our partners have committed to complying with the data protection and information security requirements of the General Data Protection Regulation.
Databases containing personal data are protected by passwords and access levels. The data is located in an environment protected by appropriate information security software and technical arrangements. Documents containing customers’ personal data that are processed manually are stored in locked storage facilities.
Retention period of personal data
We regularly assess the necessity of retaining data, taking applicable legislation into account. As a rule, we retain the data of our customers and other partners for the duration of the contract and for the necessary complaint or litigation period thereafter. We retain documents relating to teaching, training and examination data for six (6) years following the year of instruction or training, in accordance with the Driving Licence Act and the Transport Services Act. Certificates relating to vocational labour market training implemented by Traffica Oy are retained permanently based on the Archives Act. Data collected based on consent is processed for as long as the legal basis for processing exists. Medical certificates are destroyed immediately once the matter concerning crediting has been processed or when processing is no longer necessary for providing a driving fitness related service. In connection with competitions and prize draws, data is deleted immediately after the end of the respective draw or competition. Data processed on the basis of legitimate interest is processed for as long as the legal basis exists. If the customer can object to the processing, the data is deleted once the objection request has been processed and the objection accepted.
In addition, we take reasonable measures to ensure that personal data that is incompatible with the purposes of processing, outdated or incorrect is not processed. Such data is rectified or destroyed without delay.
Personal data may be retained longer than the above retention periods if necessary for a specific reason, such as suspected criminal offences and related authority investigations. After the end of the customer relationship, personal data relating to customer payment transactions may also be retained longer in accordance with the retention periods required by the Accounting Act.
Rights of the data subject
| Right | When applicable |
|---|---|
| To access personal data | Always |
| To request rectification of incorrect or outdated data | Always |
| To request erasure of data | When one of the conditions under Article 17 of the General Data Protection Regulation is met |
| To withdraw consent | When processing is based on consent |
| To object to processing | When processing is based on legitimate interest and there is a specific personal situation, or when data is processed for direct marketing purposes |
| To request restriction of processing (e.g. for the time required to investigate and resolve requests concerning the data) | When the accuracy of the data is contested or one of the conditions under Article 18 of the General Data Protection Regulation is met |
| To transfer data to another controller’s system | When processing is based on consent or contract, processing is carried out automatically and the transfer is technically possible, and when the data concerns data provided by the customer themselves |
| To lodge a complaint with the Data Protection Ombudsman | Always |
The above requests, prohibitions and withdrawals can be made by submitting them in writing to the email address tietosuoja@cap.fi from an email address that can be reliably identified. The request must include the data subject’s name and contact details. To ensure data protection, we may request the data subject to verify their identity.
We will respond to requests and enquiries concerning the exercise of data subject rights within one month.