DATA PROTECTION POLICY FOR MERKKAUSNETTI OY’S CUSTOMER REGISTER (GDPR)
The controller is Merkkausnetti Oy (business ID FI30933629)
Merkkausnetti.fi - online store
Address: Ilmolantie 3, 82500, Kitee
Telephone: +358 50 5431354
2. Name of file
The name of the file is Merkkausnetti.fi's customer register.
3. The purpose of processing personal data
data are processed for purposes related to maintaining, managing and
developing the customer relationship, offering, supplying and developing
services as well as invoicing. Personal data are also processed for the
purposes necessitated by resolving any possible complaints and other
Furthermore, personal data are processed in communications
directed at customers as well as marketing, in conjunction to which the
data are also processed for purposes pertaining to direct marketing and
electronic direct marketing.
Customers have the right to refuse direct marketing targeted at them.
controller processes personal data directly and also utilises
subcontractors working on its behalf in the processing activities.
4. Legal grounds of the processing
legal grounds for processing personal data are the following grounds
specified in the European Union’s General Data Protection Regulation
(hereinafter referred to as “GDPR”):
data subject has given consent to the processing of his or her personal
data for one or more specific purposes (GDPR Art. 6(1)(a));
is necessary for the performance of a contract to which the data
subject is party or in order to take steps at the request of the data
subject prior to entering into a contract (GDPR Art. 6(1)(b));
is necessary for the purposes of the legitimate interests pursued by
the controller or by a third party (GDPR Art 6(1)(f)).
aforementioned legitimate interest of the register keeper is based on a
meaningful and appropriate relationship between the data subject and
controller as a result of the data subject being a customer of the
controller and the processing being conducted for purposes that the data
subject can have reasonably anticipated at the time of collecting the
personal data and in the context of the appropriate relationship.
5. Data content of the file (categories of personal data processed)
As a general rule, the file contains the following personal data on all data subjects:
- basic information and contact information for the person: first name, last name, address, telephone number, e-mail address;
related to the person’s company or other organisation and the person’s
position or title in the company or organisation in question;
- direct marketing permissions and bans for the person.
6. Regular sources of information
Personal data are collected from the data subjects themselves.
addition to this, personal data are collected within the framework of
the applicable legislation from generally available sources that pertain
to fulfilling the relationship between the controller and data subject,
and that the controller can use to perform its duties related to
maintaining customer relationships.
7. Storage period of personal data
data collected in the file are stored only for as long and to the
extent that is necessary in relation to the original or a compatible
purpose for which the personal data has been collected.
The need to retain personal data is assessed every 2 (two) years
and, in any case, data concerning a data subject are removed from the
file 5 (five) years after the end of the customer relationship between
the data subject in question and the controller has ended, and the
obligations and measures related to the customer relationship have been
fulfilled. For example, accounting records are kept for six years after
the end of a financial period.
The controller shall
regularly assess the necessity of storing the data in accordance with
its internal code of conduct. Furthermore, the controller shall by all
reasonable measures ensure that any personal data that are inaccurate,
erroneous or contain obsolete information in terms of the purposes of
processing the data are deleted or corrected without delay.
8. Recipients of personal data (recipient groups) and regular data disclosures
Personal data will not be disclosed to third parties.
As an exception, usage information for Facebook buttons is sent to the Facebook service.
9. Transferring data outside the EU or EEA
Personal data contained in the file will not be transferred outside the EU or EEA.
10. Register protection principles
containing personal data are stored in locked spaces that can only be
accessed by the appointed persons with task-based authorisation.
database containing personal data is on a server which is stored in a
locked space that can only be accessed by the appointed persons with
task-based authorisation. The server is protected with the appropriate
firewall and technical safeguards.
The databases and systems can
only be accessed with separately provided personal user IDs and
passwords. The controller has restricted access rights and
authorisations to information systems and other storage platforms so
that the data can only be viewed and processed by persons who are
required to do so to ensure the lawful processing of the data.
Furthermore, the database and system interactions are registered in the
log data of the controller’s IT system.
The controller’s employees
and other persons have undertaken to observe secrecy and keep secret
any information they may gain in the context of processing personal
11. Rights of the data subject
The Data subject has the following rights under the EU General Data Protection Regulation:
right to obtain from the controller confirmation as to whether or not
personal data concerning him or her are being processed, and, where that
is the case, access to the personal data and the following information:
(i) the purposes of the processing; (ii) the categories of personal
data concerned; (iii) the recipients or categories of recipient to whom
the personal data have been or will be disclosed; (iv) where possible,
the envisaged period for which the personal data will be stored, or, if
not possible, the criteria used to determine that period; (v) the
existence of the right to request from the controller the rectification
or erasure of personal data or restriction of processing of personal
data concerning the data subject or to object to such processing; (vi)
the right to lodge a complaint with a supervisory authority; (vii) where
the personal data are not collected from the data subject, any
available information as to their source (GDPR, Art. 15); This basic
information (i)–(vii) is provided to the data subject on this form;
right to withdraw consent at any time, without affecting the lawfulness
of processing based on consent before its withdrawal (GDPR, Art. 7);
right to obtain from the controller without undue delay the
rectification of inaccurate personal data concerning him or her and,
taking into account the purposes of the processing, the right to have
incomplete personal data completed, including by means of providing a
supplementary statement (GDPR, Art. 16);
- the right to obtain
from the controller the erasure of personal data concerning him or her
without undue delay where one of the following grounds applies: (i) the
personal data are no longer necessary in relation to the purposes for
which they were collected or otherwise processed; (ii) the data subject
withdraws consent on which the processing is based and where there is no
other legal ground for the processing; (iii) the data subject objects
to the processing based on a special personal situation and there are no
overriding legitimate grounds for the processing, or the data subject
objects to the processing for direct marketing purposes; (iv) the
personal data have been unlawfully processed; or (v) the personal data
have to be erased for compliance with a legal obligation in Union or
Member State law to which the controller is subject (GDPR, Art. 17);
right to obtain from the controller restriction of processing where one
of the following applies: (i) the accuracy of the personal data is
contested by the data subject, for a period enabling the controller to
verify the accuracy of the personal data; (ii) the processing is
unlawful and the data subject opposes the erasure of the personal data
and requests the restriction of their use instead; (iii) the controller
no longer needs the personal data for the purposes of the processing,
but they are required by the data subject for the establishment,
exercise or defence of legal claims; or (iv) the data subject has
objected to processing on grounds relating to his or her particular
situation pending the verification of whether the legitimate grounds of
the controller override those of the data subject (GDPR Art. 18);
right to receive the personal data concerning him or her, which he or
she has provided to a controller, in a structured, commonly used and
machine-readable format and the right to transmit those data to another
controller without hindrance from the controller to which the personal
data have been provided, where the processing is based on consent
referred to in the regulation and the processing is carried out by
automated means (GDPR, Art. 20);
- the right to lodge a complaint
with a supervisory authority if the data subject considers that the
processing of personal data relating to him or her infringes the EU
General Data Protection Regulation (GDPR, Art. 77).
requests regarding the enforcement of the data subject’s rights are to
be addressed to the controller’s contact person listed in Section 1.