DATA PROTECTION POLICY FOR PUTINKI OY’S CUSTOMER REGISTER
The controller of the register is Putinki Oy, Business ID: 1040942-4
Contact person for register matters: Liisa Idänpään-Heikkilä, CEO
Address: Hämeentie 135, 00350 Helsinki
Tel. 09 773 2874
2 Name of register
The name of the register is Putinki Oy’s customer register.
3 Purpose for handling personal data
Personal data is processed for purposes related to the management, administration and development of customer relationships, providing and delivering services, as well as the development and invoicing of services and products. Personal data is also processed in connection with purposes related to investigating possible complaints and other claims.
In addition, personal data is processed in customer communications, such as for sending news to our customers, as well as in marketing. Personal data may also be processed for purposes related to direct marketing and electronic direct marketing.
The customer has the right to forbid all direct marketing directed at them.
The controller processes the information and uses partners that process personal data for and on behalf of the controller.
4 Legal basis of the processing
The lawful bases of the processing of personal data are the following principles according to the EU General Data Protection Regulation (GDPR):
the registered individual has given clear consent to the processing of their personal data for a specific purpose or several purposes (GDPR 6 art. 1.a);
the processing is necessary for a contract with the registered individual, or because the registered individual has asked for specific steps to be taken before entering into a contract (GDPR 6 art. 1.b);
the processing is necessary for the controller’s legitimate interests or the legitimate interests of a third party (GDPR 6 art. 1.f).
The aforementioned legitimate interest of the controller is based on the relevant and appropriate relationship between the data subject and the controller, which follows from the fact that the data subject is a customer of the controller, and applies when the processing takes place for purposes the data subject could reasonably have expected when the data was collected and in the context of that relationship.
The following data and similar data may be stored on the data subject: personal data, such as name, job title, employer’s address information, telephone number, e-mail address, credit rating and the name of the company the data subject represents. In addition, we may store background data related to sales and data related to contacting the customer as well as purchase and order history.
5 Register data content (processed personal data groups)
The register stores the following personal data initially from all data subjects:
customer’s basic information and contact details: first name, surname, address, phone number, email address;
information related to the customer’s company or other organization and the customer’s job title in the company or organization in question;
customer’s consent or refusal of direct marketing.
6 Regular sources of information
Personal data is collected from the registered person him/herself.
Personal data will also be collected and updated, within the limits of applicable law, from publicly available sources related to the implementation of the relationship between the controller and the data subject and enabling the controller to fulfill its responsibilities in maintaining the relationship.
7 Duration of data retention
The data collected in the register is retained only for as long as, and to the extent that, it is necessary in relation to the original purposes, or compatible purposes, for which the data was collected.
The retention of personal data is assessed every 5 years and in each case the data concerning a registered person is deleted from the register six years after the relationship between the customer and the controller has ended, and the obligations and procedures related to the customer relationship have been completed. For example, accounting documents are stored for 5 years after the end of a fiscal period.
The controller will regularly assess the necessity of storing data according to its internal code of conduct. Additionally, the controller takes all required and reasonable actions to ensure that personal data that is inaccurate, incorrect or expired with regard to the purpose of processing is removed or corrected immediately.
8 Receivers of personal data (receiving groups) and lawful transfers of data
Personal data is not transferred to third parties.
9 Data transfer outside the EU or EEA
The personal data in the register is not transferred outside the EU or EEA.
10 Principles of Register Protection
The data containing personal data is stored in locked spaces, to which access is limited to only named and authorized personnel.
The database containing personal data is on a server that is stored in a locked space, to which access is limited to only named and authorized personnel. The server is protected by an appropriate firewall and data security solutions.
Access to the databases and the systems is allowed only with individually granted personal usernames and passwords. The controller has limited the user rights and authorizations to the databases and other data storage platforms so that the data can only be seen and processed by personnel necessary for lawful processing.
The controller’s employees and other personnel are committed to complying with the confidentiality requirements and to maintaining the confidentiality of the information received during personal data processing. Additionally, the user sessions of databases and systems are registered in the log file of the controller’s IT system.
11 Rights of the data subject
The data subject has the following rights according to the EU General Data Protection Regulation:
the right to obtain from the controller at any time confirmation as to whether or not personal data relating to the data subject is being processed, and if this personal data is processed, the right to have access to the personal data and the following information: (i) purposes of processing; (ii) categories of personal data in question; (iii) recipients or recipient groups to whom personal data has been transferred or is meant to be transferred; (iv) the planned duration of data retention, where possible, and if this is not possible, the definition criteria of the duration of data retention; (v) the right to request from the controller access to and rectification or erasure of the personal data concerning the data subject or to object to the processing of such personal data; (vi) the right to lodge a complaint with the supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to their source (GDPR 15 art.). This described information (i)–(vii) is given to the data subject with this form;
the right to withdraw his or her consent at any time; the withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal (GDPR 7 art.);
the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement (GDPR 16 art.);
the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing; (iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing needed for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject (GDPR 17 art.);
the right to obtain from the controller restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing of personal data due to a specific personal situation, pending the verification whether the legitimate grounds of the controller override those of the data subject (GDPR 18 art.);
the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on the regulation’s purpose and the processing is carried out by automated means (GDPR 20 art.);
the right to lodge a complaint with the supervisory authority if the data subject considers that the processing of the personal data concerning them breaches the EU General Data Protection Regulation (GDPR 77 art.).
Requests regarding the exercise of the data subject’s rights are addressed to the contact person of the controller mentioned in section 1.
We use Google Analytics, Google Search Console and Google AdWords for analytics on the use of our website, popular products, trends and sales and, with your consent, for targeting. The information sent to Google is anonymized. Read more about how Google Analytics processes data.
In addition to the privacy measures of account management, you can refuse the tags used for targeting by using your browser’s Do Not Track setting and by setting the browser to disable third-party cookies. When you are signed in to the customer account, the privacy settings of account management override the browser’s Do Not Track setting.