The Muotolevy Group (hereinafter “Muotolevy”) consists of Muotolevy Oy (business ID: 0935790-3), Raitatuote Oy (business ID: 1034370-1)
1 PERSONAL DATA
“Personal Data” means any information relating to a data subject, by which the data subject can be identified, directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679) (“GDPR”). Data by which a data subject cannot be identified, directly or indirectly, is not considered personal data. Muotolevy adheres to the GDPR and other applicable legislation when processing personal data.
2 DATA CONTROLLER
Data controller: Muotolevy Oy
Address: Tervasuontie 3, 03100 Nummela
Contact person: Markus Merinen
3 PURPOSE AND LEGAL GROUNDS FOR the PROCESSING OF PERSONAL DATA
Personal data is processed for purposes such as:
- Ordering and maintaining Muotolevy products and services as well as related development, quality control and communications activities
- Ensuring the safety of services and products and preventing misuse
- Planning business operations and product development
- Customised customer services as well as targeted customer communications and monitoring the use of services
- Marketing and the focusing of marketing efforts on customers and potential customers
- Compliance with statutory obligations, such as those stipulated in the Finnish Occupational Health and Safety Act and legislation concerning accounting
- Risk management and prevention of malpractice
- Ensuring the safety of people and Muotolevy’s premises, sites and property
The legal basis for processing data subjects’ personal data is the contractual relationship between Muotolevy and the data subjects, which is based on ordering a product or service provided by Muotolevy. The processing of personal data is also based on statutory obligations such as those relating to accounting, occupational health and safety and statutory reporting to organisations such as tax authorities. Processing personal data for the purpose of customer relationship management and direct marketing is based on Muotolevy’s legitimate interest.
Digital direct marketing is based on consent granted by data subjects or on the customer relationship. Data subjects can withdraw their consent at any time or prohibit the use of their personal data for digital direct marketing purposes.
4 CATEGORIES OF PERSONAL DATA AND CONTENT OF THE DATA FILE
The following details of data subjects are processed:
Categories of personal data and examples of the content of the data file.
Data subject’s name, address, phone number, email address.
Data subject’s personal identity code, corresponding national identity code and date of birth.
Details relating to the customer relationship:
Account number, billing and payment details and other details that identify a customer relationship.
Details of customer events and contracts:
Details of contracts between Muotolevy and the data subject or between Muotolevy and an organisation representing the data subject, customer feedback as well as contacts, complaints and similar events made by the data subject.
Other business-related material:
Other business-related material that includes the data subject’s personal data.
Footage from the CCTV system placed in Muotolevy’s premises and sites where a data subject may be identifiable.
Behavioural tracking and technical identification details:
Tracking a data subject’s online behaviour and use of Muotolevy services by using cookies or similar technical identification tools. The data to be collected may include the user’s IP address, the pages visited, the browser type, the URL, the time and duration of the session.
The provision of personal data is necessary for the management of contractual and regulatory obligations between Muotolevy and the data subject and for the production of Muotolevy’s services.
5 SOURCES OF DATA
Personal data is mainly obtained from the data subject through messages submitted on our website, by email and telephone, and from contracts, customer meetings and other situations where the customer provides its details. We may also collect details concerning our customers from public records, registers maintained by authorities and other trusted registers. Personal data may also be collected from the organisation that the data subject represents. For example, Muotolevy’s subcontractors, contractors and partners provide Muotolevy with personal data regarding data subjects in the circumstances required by law and contractual obligations.
Muotolevy also uses the analytics services provided by Hubspot, Salesforce Pardot and Google Analytics to collect cookies and other technical identifiers.
6 PERSONAL DATA STORAGE
Personal data will be processed for the duration of the customer and contractual relationship as well as for any period of time necessary after the termination of the customer and contractual relationship.
Regarding organisations, the storage of personal data depends on the length of time the data subject represents the organisation in relation to Muotolevy. Personal data will be deleted within a reasonable time after this role no longer exists.
Personal data that is necessary for marketing purposes will be stored until the data subject withdraws its consent to electrical direct marketing or for as long as the data subject does not object to its personal data being used for marketing purposes.
When personal data is no longer needed for the purposes described above, the data will be deleted within a reasonable time.
7 PROCESSORS AND RECIPIENTS OF PERSONAL DATA
Companies in the Muotolevy Group can process personal data in accordance with data protection legislation.
In order to meet statutory and contractual obligations, personal data may be disclosed to organisations such as tax and distraint authorities, insurance companies and Muotolevy’s contractual partners.
In the event of an emergency or other unforeseen circumstances, Muotolevy may disclose data subjects’ personal data in order to protect life, health and property. Muotolevy may also be required to disclose data subjects’ personal data if Muotolevy is involved in litigation or other dispute settlement proceedings.
If Muotolevy becomes involved in a merger, acquisition or other arrangements, it may be required to disclose data subjects’ personal data to third parties.
8 TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN UNION OR THE EUROPEAN ECONOMIC AREA
Personal data will not be transferred outside the European Union or the European Economic Area.
9 DATA PROTECTION PRINCIPLES AND SECURITY
Personal data is processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.
Muotolevy uses appropriate technical and organisational safeguards for data protection, including firewalls, encryption techniques and secure facilities, appropriate access control and instructions for employees and subcontractors involved in personal data processing. Everyone involved in data processing has the obligation to observe secrecy with regard to the processing of personal data.
10 RIGHTS OF DATA SUBJECTS AND THE EXERCISE OF THE RIGHTS
Data subjects have the following rights as guaranteed by the data protection legislation:
Right of access
Data subjects have the right to obtain confirmation as to whether or not their personal data is being processed.
Data subjects are also entitled to inspect the data concerning themselves and, upon request, the right to receive the data in writing or by electronic means.
Right to rectification and erasure
Data subjects have the right to request that incorrect or inaccurate information be rectified. Data subjects also have the right, as stipulated in the data protection legislation, to request that their data be deleted.
Muotolevy also erases, rectifies and completes, at its own initiative, any personal data that it perceives to be incorrect, unnecessary, incomplete or outdated for the purpose of the processing.
Right to transfer data and right to restrict and oppose processing
In accordance with current data protection legislation, data subjects have the right to require the controller to transfer data relating to them to another controller.
Data subjects also have the right, under conditions determined by the data protection legislation, to request that the processing of their personal data be restricted. Moreover, in cases where personal data suspected to be incorrect cannot be corrected or deleted or if there is confusion about a request to erase personal data, Muotolevy restricts the access to the data.
Data subjects have the right to object to the use of their data for a particular type of processing. Data subjects have the right to object to the disclosure and processing of their data for the purposes of direct marketing.
Right to withdraw consent
If the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw this consent. Said withdrawal does not affect the processing carried out prior to the withdrawal.
Exercise of the rights
The data subject’s identity will be verified before the information is provided, so we may have to ask for more specific details. The request will be answered within a reasonable time and, where possible, within one month of the request and the verification of identity.
If a data subject’s request is refused, the data subject will be notified of the refusal in writing. Muotolevy may refuse a request (such as erasure of personal data) on basis of a statutory obligation or right.
11 RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
A data subject has the right to lodge a complaint with a data protection authority if the data subject considers that the processing of personal data relating to him or her infringes current legislation. Contact details of the data protection authority:
Office of the Data Protection Ombudsman
Address: Ratapihantie 9, 6th floor, 00520 Helsinki, Finland
Postal address: P.O. Box 800, 00521 Helsinki, Finland
Telephone: +358 29 56 66700
Fax: +358 29 56 66735