By subscribing to the Newsletter you will receive a 5% discount with the code sent to your email. Offer only for new newsletter subscribers. Subscribe to the newsletter here

Privacy Notice for the Customer Register

1 Controller

The controller of the register is Wanhat Kupit Paimala ky (Business ID 0836398-1).

Contact persons for register-related matters are:

Harri Koski
Tel. +358 400 321750
harri.koski (at) wanhatkupit.fi

and

Jaana Kaarto
Tel. +358 50 606454
jaana.kaarto (at) krookila.fi

Wanhat Kupit Paimala ky
Paimalantie 369
20460 Turku
verkkokauppa (at) wanhatkupit.fi

2 Name of the register

The name of the register is:
a) Wanhat Kupit Paimala ky Customer Register
b) Wanhat Kupit Paimala ky Marketing and Communications Register

3 Purpose of processing personal data

Personal data is processed for purposes related to managing, administering, and developing the customer relationship; providing and delivering services; developing services; and invoicing. Personal data is also processed as necessary for handling possible complaints and other claims.

In addition, personal data is processed for customer communications such as informing and news purposes, as well as for marketing, including direct marketing and electronic direct marketing.

The customer has the right to object to direct marketing addressed to them.

The controller processes the data itself and also uses subcontractors acting on behalf of and for the account of the controller in the processing of personal data.

4 Legal basis for processing

The legal bases for processing personal data under the EU General Data Protection Regulation (hereinafter also “GDPR”) are:

the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Art. 6(1)(a));
processing is necessary for the performance of a contract to which the data subject is a party, or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6(1)(b));
processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6(1)(f)).
The above-mentioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller arising from the fact that the data subject is a customer of the controller, and where the processing is carried out for purposes that the data subject could reasonably have expected at the time the personal data was collected and in the context of the relationship.

5 Contents of the register (categories of personal data processed)

As a rule, the register contains the following personal data for all data subjects:

Basic personal data and contact details:
a) Wanhat Kupit Paimala ky Customer Register and Personal Register: first name, last name, address, phone number, and email address
b) Wanhat Kupit Paimala ky Marketing and Communications Register: first name, last name, email address
Direct marketing consents and prohibitions (opt-ins and opt-outs).
6 Regular sources of data
Personal data is collected from the data subject themselves.

Within the limits of applicable legislation, personal data is also collected and updated from publicly available sources related to the customer relationship between the controller and the data subject, and used by the controller to fulfil its obligations relating to maintaining customer relationships.

Data for the Marketing and Communications Register is also collected from external services or applications such as Facebook, Instagram, other social media channels, Mailchimp, Campaign Monitor, company websites, online business directories, possible trade fairs and events, customer meetings, and partners.

7 Retention period of personal data

Data collected in the register is stored only for as long as and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

The need to retain personal data is assessed every three years, and in any case the data relating to a data subject will be deleted from the register five years after the customer relationship between the data subject and the controller has ended and obligations and measures related to the customer relationship have been completed. For example, accounting documents are retained for six years from the end of the financial year.

The controller regularly evaluates the necessity of retaining data in accordance with its internal policies. In addition, the controller takes all reasonable measures to ensure that inaccurate, incorrect, or outdated personal data, with regard to the purposes of processing, is erased or rectified without delay.

8 Recipients of personal data (categories of recipients) and regular disclosures

Personal data is not disclosed to external parties.

9 Transfer of data outside the EU or EEA

Personal data included in the register is not transferred outside the EU or the EEA.

10 Principles of register security

Materials containing personal data are stored in locked premises accessible only to designated persons who are authorized to access them due to their duties.

The database containing personal data is on a server kept in a locked space accessible only to designated persons authorized due to their duties. The server is protected by an appropriate firewall and technical safeguards.

Access to databases and systems is granted only via individually issued personal user IDs and passwords. The controller has limited access rights and authorizations to information systems and other storage platforms so that only persons who need the data for lawful processing can view and process it. In addition, database and system usage events are recorded in the controller’s IT system logs.

The controller’s employees and other persons are committed to confidentiality and to keeping secret any information obtained in connection with the processing of personal data.

11 Rights of the data subject

The data subject has the following rights under the EU General Data Protection Regulation:

  1.  The right to obtain confirmation from the controller as to whether or not personal data concerning them is being processed, and where it is, access to the personal data and the following information: (i) the purposes of processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data has been or will be disclosed; (iv) where possible, the envisaged retention period, or if not possible, the criteria used to determine that period; (v) the right to request rectification or erasure of personal data or restriction of processing, or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to its source (GDPR Art. 15). The above basic information (i)–(vii) is provided to the data subject in this notice;
  2. The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7);
  3. The right to obtain from the controller without undue delay the rectification of inaccurate personal data, and the right to have incomplete personal data completed, including by providing a supplementary statement, taking into account the purposes of processing (GDPR Art. 16);
  4. The right to obtain from the controller the erasure of personal data without undue delay, provided that (i) the data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws consent on which processing is based and there is no other legal ground; (iii) the data subject objects to processing based on their particular situation and there are no overriding legitimate grounds, or the data subject objects to processing for direct marketing; (iv) the personal data has been unlawfully processed; or (v) the personal data must be erased for compliance with a legal obligation under EU or national law applicable to the controller (GDPR Art. 17);
  5. The right to restriction of processing if (i) the data subject contests the accuracy of the personal data, for a period enabling the controller to verify it; (ii) processing is unlawful and the data subject opposes erasure and requests restriction instead; (iii) the controller no longer needs the personal data for processing, but the data subject requires it for establishing, exercising, or defending legal claims; or (iv) the data subject has objected to processing based on their particular situation pending verification of whether the controller’s legitimate grounds override those of the data subject (GDPR Art. 18);
  6. The right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used, and machine-readable format, and the right to transmit that data to another controller without hindrance, where processing is based on consent and carried out by automated means (GDPR Art. 20);
  7. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the GDPR (GDPR Art. 77).

Requests concerning the exercise of the data subject’s rights should be addressed to the controller’s contact person mentioned in section 1.

 

My cart
Your cart is empty.

Looks like you haven't made a choice yet.

Subtotal0,00 
Your cart is empty. Shop now