Privacy policy

REGISTER DESCRIPTION

PRIVACY POLICY OF KALVE CUSTOMER REGISTER

1 Data controller

The data controller for the register is Kalve 016 Oy (business ID 3335845-5).

The contact person for register matters is Elina Kvist, CEO.

Kalve 016 Oy

Address: Kauppakatu 19, 60100 Seinäjoki

Phone: 040 377 19 69

Email: info@kalveshop.fi

2 Register name

The register name is Kalve 016 Oy’s customer register.

3 Purpose of processing personal data

Personal data is processed for purposes related to managing, administering, and developing customer relationships, providing and delivering services, and invoicing. Personal data is also processed for the purposes of investigating any complaints and other claims.

In addition, personal data is processed for communication with customers, such as for information and news purposes, and as part of marketing. This includes processing personal data for direct marketing and electronic direct marketing.

Customers have the right to object to direct marketing addressed to them.

The data controller processes the data itself and uses subcontractors who process personal data on behalf of the data controller.

4 Legal basis for processing personal data

The legal bases for processing personal data are the following as per the General Data Protection Regulation (GDPR):

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes. (GDPR Art. 6 (1) (a));
  • Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. (GDPR Art. 6 (1) (b));
  • Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject. (GDPR Art. 6 (1) (f)).

The legitimate interest of the data controller mentioned above is based on a relevant and appropriate relationship between the data subject and the data controller, as a result of the data subject being a customer of the data controller, and when processing is carried out for purposes that the data subject could reasonably have expected at the time of data collection and in connection with the appropriate relationship.

5 Content of the register (categories of personal data processed)

The register contains the following personal data on all registered persons by default:

  • Basic personal and contact information: first name, last name, address, phone number, email address;
  • Information on the person's company or other organization and the person's position or job title in the company or organization;
  • Personal opt-ins and opt-outs for direct marketing.

6 Regular sources of information

Personal data is collected directly from the data subject.

Personal data is also collected and updated from generally available sources within the limits of applicable legislation, which relate to the implementation of the customer relationship between the data controller and the data subject and which help the data controller fulfill its obligations related to maintaining customer relationships.

7 Storage period for personal data

Data collected in the register is kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

The need for the retention of personal data is assessed every five years; and in any case, data concerning the data subject is removed from the register 5 years after the customer relationship between the data subject and the data controller has ended and the obligations and measures related to the customer relationship have been completed. For example, accounting vouchers are kept for five years after the end of the fiscal year.

The data controller regularly assesses the need for data retention in accordance with its internal guidelines. In addition, the data controller takes all reasonable measures to ensure that personal data that is inaccurate, incorrect, or outdated with respect to the processing purposes is removed or corrected without delay.

8 Recipients of personal data (recipient groups) and regular disclosures of data

Personal data is not disclosed to third parties.

9 Transfer of data outside the EU or EEA

Personal data included in the register is not transferred outside the EU or EEA.

10 Principles of protection of the register

Data containing personal information is kept in locked premises with access only by designated persons authorized to access such information for their duties.

The database containing personal data is on a server kept in a locked room, accessible only by designated persons authorized to access the data for their duties. The server is protected by appropriate firewalls and technical protection.

Access to databases and systems is granted only by personal usernames and passwords. The data controller has restricted access rights and authorizations to information systems and other storage platforms so that only those individuals necessary for the lawful processing of the information can access and handle the data. In addition, usage events for databases and systems are recorded in the data controller's IT system logs.

The data controller's employees and other individuals are committed to confidentiality and to keeping confidential any information they receive in connection with the processing of personal data.

11 The rights of data subjects under the GDPR include:

  1. Right to confirmation: Data subjects have the right to know whether their personal data is being processed, and if so, they have the right to access their personal data and information regarding the processing activities (purpose, recipients, storage period, etc.).
  2. Right to withdraw consent: Data subjects have the right to withdraw their consent to the processing of their personal data at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
  3. Right to rectification: Data subjects have the right to request the rectification of inaccurate or incomplete personal data.
  4. Right to erasure: Data subjects have the right to request the erasure of their personal data, provided certain conditions are met (e.g. the data is no longer necessary for the purpose for which it was collected).
  5. Right to restriction of processing: Data subjects have the right to request the restriction of the processing of their personal data, in certain circumstances (e.g. when the accuracy of the personal data is contested).
  6. Right to data portability: Data subjects have the right to receive their personal data in a structured, commonly used and machine-readable format, and to transmit that data to another controller, without hindrance.
  7. Right to object: Data subjects have the right to object to the processing of their personal data, in certain circumstances (e.g. when the processing is based on legitimate interests).
  8. Right not to be subject to automated decision-making: Data subjects have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them, unless certain conditions are met.

Requests to exercise the data subject's rights shall be addressed to the contact person of the data controller referred to in section 1.

12 Web analytics

The following services collect anonymized data about website visits without personal information.

  • Google Analytics

13 Targeted marketing

Based on website visits, we may conduct targeted advertising on the following services.

  • Facebook
  • Instagram
