Privacy policy

1 Data Controller

The controller of the register is Ukko Finland Oy.

The contact person for register matters is: Jani Jaatinen

Address: Gneissikuja 1 F, 65300 Vaasa
Phone: +358 400 488 289
Email: info@ukkofinland.fi

2 Name of the Register

The name of the register is the UkkoFinland customer register.

3 Purpose of Processing Personal Data

Personal data is processed for purposes related to the management, administration and development of the customer relationship, the provision and delivery of services, as well as the development and invoicing of services. Personal data is also processed for purposes required for handling possible complaints and other claims.

In addition, personal data is processed in customer communication, such as for information and news purposes, as well as in marketing, including for direct marketing and electronic direct marketing.

The customer has the right to prohibit direct marketing targeted at them.

The controller processes the data itself and also uses subcontractors acting on behalf of and for the controller in the processing of personal data. We use Shopify to power our online store. You can read more about how Shopify uses your personal data here: https://www.shopify.com/legal/privacy

We use Google Analytics to help us understand how our customers use the Site. You can read more about how Google uses your personal data here: https://policies.google.com/privacy?hl=fi. You can also opt out of Google Analytics here: https://tools.google.com/dlpage/gaoptout.


For more information about how targeted advertising works, you can visit the Network Advertising Initiative’s ("NAI") educational page at http://www.networkadvertising.org/understanding-online-advertising/how-does-it-work.

You can opt out of targeted advertising by:

FACEBOOK – https://www.facebook.com/settings/?tab=ads
GOOGLE – https://www.google.com/settings/ads/anonymous
BING – https://advertise.bingads.microsoft.com/en-us/resources/policies/personalized-ads

In addition, you can opt out of some of these services by visiting the Digital Advertising Alliance’s opt-out portal at: http://optout.aboutads.info/

4 Legal Basis for Processing

The legal bases for processing personal data in accordance with the EU General Data Protection Regulation (hereinafter also “GDPR”) are:

  1. the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Art. 6(1)(a));
  2. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6(1)(b));
  3. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6(1)(f)).

The aforementioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller, which results from the data subject being a customer of the controller, and where the processing is carried out for purposes that the data subject could reasonably expect at the time of the collection of personal data and in the context of the relevant relationship.

5 Data Content of the Register (Categories of Personal Data Processed)

The register contains the following personal data as a rule for all data subjects:

  1. basic and contact information: first name, last name, address, phone number, email address;
  2. information relating to the person’s company or other organisation and the person’s position or job title in that company or organisation;
  3. the person’s direct marketing permissions and prohibitions.

6 Regular Sources of Data

Personal data is collected from the data subject themselves.

Personal data is also collected and updated, within the limits of applicable legislation, from publicly available sources that relate to the implementation of the customer relationship between the controller and the data subject and that enable the controller to fulfil its obligations related to maintaining customer relationships.

7 Retention Period of Personal Data

Data collected in the register is stored only for as long as, and to the extent that, it is necessary in relation to the original or compatible purposes for which the personal data was collected.

The need to retain personal data is assessed every five years, and in any case data relating to a specific data subject is deleted from the register seven years after the customer relationship between the data subject and the controller has ended and the obligations and measures related to the customer relationship have been completed. For example, accounting records are stored for six years after the end of the financial year.

The controller regularly assesses the necessity of data retention in accordance with its internal codes of conduct. In addition, the controller takes all reasonable steps to ensure that personal data that is inaccurate, incorrect or outdated, having regard to the purposes for which it is processed, is erased or rectified without delay.

8 Recipients of Personal Data (Categories of Recipients) and Regular Disclosures

We disclose data to the extent necessary to manage orders, payments and deliveries to the companies fulfilling the orders and to the payment service providers of the online store. Personal data is not otherwise disclosed to external parties.

9 Transfer of Data Outside the EU or EEA

Personal data contained in the register is not transferred outside the EU or EEA.

10 Principles of Register Protection

Materials containing personal data are stored in locked premises with access granted only to designated persons who are authorised to access them due to their duties.

The database containing personal data is located on a server stored in a locked space with access granted only to designated persons who are authorised to access it due to their duties. The server is protected by an appropriate firewall and technical safeguards.

Access to databases and systems is granted only with individually issued usernames and passwords. The controller has restricted access rights and permissions to information systems and other storage platforms so that only those persons who need the data for lawful processing can view and process it. In addition, the use of databases and systems is logged in the controller’s IT system.

The controller’s employees and other persons are bound by a duty of confidentiality and are obliged to keep confidential any information they receive in connection with the processing of personal data.

11 Rights of the Data Subject

The data subject has the following rights under the EU General Data Protection Regulation:

  1. The right to obtain from the controller confirmation as to whether or not personal data concerning them is being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source (GDPR Art. 15). This basic information (i)–(vii) is provided to the data subject in this document;
  2. The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7);
  3. The right to obtain from the controller without undue delay the rectification of inaccurate or incorrect personal data concerning the data subject and the right to have incomplete personal data completed, including by means of providing a supplementary statement, taking into account the purposes for which the data were processed (GDPR Art. 16);
  4. The right to obtain from the controller the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; (iii) the data subject objects to the processing on grounds relating to their particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in Union or national law to which the controller is subject (GDPR Art. 17);
  5. The right to obtain restriction of processing from the controller where (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing on grounds relating to their particular situation pending the verification whether the legitimate grounds of the controller override those of the data subject (GDPR Art. 18);
  6. The right to receive the personal data concerning them, which they have provided to the controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent as referred to in the Regulation and the processing is carried out by automated means (GDPR Art. 20);
  7. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the EU General Data Protection Regulation (GDPR Art. 77).

Requests concerning the exercise of the data subject’s rights shall be addressed to the controller’s contact person mentioned in section 1.
