The purpose of this privacy policy is to provide a comprehensive description of what kind of personal data and on what basis personal data is collected and processed and for what purposes personal data is used by the Muotolevy Group.

The Muotolevy Group (hereinafter “Muotolevy”) consists of Muotolevy Oy (business ID: 0935790-3), Raitatuote Oy (business ID: 1034370-1)

This privacy policy applies to all building, manufacturing and installation services provided by Muotolevy, as well as to other services provided by Muotolevy, including those offered by Muotolevy offices, sites, websites and social media services. In addition to our existing customers’ personal data, this privacy policy also applies to the processing of personal data of potential customers who are interested in Muotolevy’s products and services. This privacy policy also applies to the processing of personal data and surveillance footage of representatives of Muotolevy’s corporate clients, partners, service providers and subcontractors as well as people visiting any Muotolevy premises and sites.

Muotolevy processes personal data as the controller according to both these principles and the applicable law, so please read this privacy policy carefully.

“Personal Data” means any information relating to a data subject, by which the data subject can be identified, directly or indirectly, as defined in the EU General Data Protection Regulation (2016/679) (“GDPR”). Data by which a data subject cannot be identified, directly or indirectly, is not considered personal data. Muotolevy adheres to the GDPR and other applicable legislation when processing personal data.

Data controller: Muotolevy Oy

Address: Tervasuontie 3, 03100 Nummela

Contact person: Markus Merinen

Email: markus.merinen@muotolevy.fi

Personal data is processed for purposes such as:

The legal basis for processing data subjects’ personal data is the contractual relationship between Muotolevy and the data subjects, which is based on ordering a product or service provided by Muotolevy. The processing of personal data is also based on statutory obligations such as those relating to accounting, occupational health and safety and statutory reporting to organisations such as tax authorities. Processing personal data for the purpose of customer relationship management and direct marketing is based on Muotolevy’s legitimate interest.

Digital direct marketing is based on consent granted by data subjects or on the customer relationship. Data subjects can withdraw their consent at any time or prohibit the use of their personal data for digital direct marketing purposes.

The following details of data subjects are processed:

Categories of personal data and examples of the content of the data file.

Contact details:
Data subject’s name, address, phone number, email address.

Identifying details:
Data subject’s personal identity code, corresponding national identity code and date of birth.

Details relating to the customer relationship:
Account number, billing and payment details and other details that identify a customer relationship.

Details of customer events and contracts:
Details of contracts between Muotolevy and the data subject or between Muotolevy and an organisation representing the data subject, customer feedback as well as contacts, complaints and similar events made by the data subject.

Other business-related material:
Other business-related material that includes the data subject’s personal data.

CCTV:
Footage from the CCTV system placed in Muotolevy’s premises and sites where a data subject may be identifiable.

Behavioural tracking and technical identification details:
Tracking a data subject’s online behaviour and use of Muotolevy services by using cookies or similar technical identification tools. The data to be collected may include the user’s IP address, the pages visited, the browser type, the URL, the time and duration of the session.

The provision of personal data is necessary for the management of contractual and regulatory obligations between Muotolevy and the data subject and for the production of Muotolevy’s services.

Personal data is mainly obtained from the data subject through messages submitted on our website, by email and telephone, and from contracts, customer meetings and other situations where the customer provides its details. We may also collect details concerning our customers from public records, registers maintained by authorities and other trusted registers. Personal data may also be collected from the organisation that the data subject represents. For example, Muotolevy’s subcontractors, contractors and partners provide Muotolevy with personal data regarding data subjects in the circumstances required by law and contractual obligations.

Muotolevy also uses the analytics services provided by Hubspot, Salesforce Pardot and Google Analytics to collect cookies and other technical identifiers.

Muotolevy stores personal data for as long as necessary for the purposes specified in this privacy policy unless the law requires the retention of personal data for a longer period of time, or unless Muotolevy requires the information for the establishment, exercise or defence of legal claims or for the resolution of a dispute.

Personal data will be processed for the duration of the customer and contractual relationship as well as for any period of time necessary after the termination of the customer and contractual relationship.

Regarding organisations, the storage of personal data depends on the length of time the data subject represents the organisation in relation to Muotolevy. Personal data will be deleted within a reasonable time after this role no longer exists.

Personal data that is necessary for marketing purposes will be stored until the data subject withdraws its consent to electrical direct marketing or for as long as the data subject does not object to its personal data being used for marketing purposes.

When personal data is no longer needed for the purposes described above, the data will be deleted within a reasonable time.

Companies in the Muotolevy Group can process personal data in accordance with data protection legislation.

In accordance with this privacy policy, Muotolevy may outsource the processing of personal data to service providers or subcontractors. Processors of data include service providers that offer Muotolevy services related to IT systems and financial administration, debt collection and legal services, supplies and other services. By contractual obligations Muotolevy ensures that personal data is processed appropriately.

In order to meet statutory and contractual obligations, personal data may be disclosed to organisations such as tax and distraint authorities, insurance companies and Muotolevy’s contractual partners.

In the event of an emergency or other unforeseen circumstances, Muotolevy may disclose data subjects’ personal data in order to protect life, health and property. Muotolevy may also be required to disclose data subjects’ personal data if Muotolevy is involved in litigation or other dispute settlement proceedings.

If Muotolevy becomes involved in a merger, acquisition or other arrangements, it may be required to disclose data subjects’ personal data to third parties.

Personal data will not be transferred outside the European Union or the European Economic Area.

Personal data is processed in a manner that ensures the appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Muotolevy uses appropriate technical and organisational safeguards for data protection, including firewalls, encryption techniques and secure facilities, appropriate access control and instructions for employees and subcontractors involved in personal data processing. Everyone involved in data processing has the obligation to observe secrecy with regard to the processing of personal data.

In accordance with this privacy policy, Muotolevy may outsource the processing of personal data to service providers or subcontractors, in which case Muotolevy will ensure, through adequate contractual obligations, that personal data is processed appropriately and lawfully.

Data subjects have the following rights as guaranteed by the data protection legislation:

Data subjects have the right to obtain confirmation as to whether or not their personal data is being processed.

Data subjects are also entitled to inspect the data concerning themselves and, upon request, the right to receive the data in writing or by electronic means.

Data subjects have the right to request that incorrect or inaccurate information be rectified. Data subjects also have the right, as stipulated in the data protection legislation, to request that their data be deleted.

Muotolevy also erases, rectifies and completes, at its own initiative, any personal data that it perceives to be incorrect, unnecessary, incomplete or outdated for the purpose of the processing.

In accordance with current data protection legislation, data subjects have the right to require the controller to transfer data relating to them to another controller.

Data subjects also have the right, under conditions determined by the data protection legislation, to request that the processing of their personal data be restricted. Moreover, in cases where personal data suspected to be incorrect cannot be corrected or deleted or if there is confusion about a request to erase personal data, Muotolevy restricts the access to the data.

Data subjects have the right to object to the use of their data for a particular type of processing. Data subjects have the right to object to the disclosure and processing of their data for the purposes of direct marketing.

If the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw this consent. Said withdrawal does not affect the processing carried out prior to the withdrawal.

Requests concerning data subjects’ rights are to be made in person, in writing or electronically and addressed to the data protection officer named in this privacy policy (contact details in section 2 of this privacy policy).

The data subject’s identity will be verified before the information is provided, so we may have to ask for more specific details. The request will be answered within a reasonable time and, where possible, within one month of the request and the verification of identity.

If a data subject’s request is refused, the data subject will be notified of the refusal in writing. Muotolevy may refuse a request (such as erasure of personal data) on basis of a statutory obligation or right.

A data subject has the right to lodge a complaint with a data protection authority if the data subject considers that the processing of personal data relating to him or her infringes current legislation. Contact details of the data protection authority:

Office of the Data Protection Ombudsman

Address: Ratapihantie 9, 6th floor, 00520 Helsinki, Finland

Postal address: P.O. Box 800, 00521 Helsinki, Finland

Email: tietosuoja@om.fi

Telephone: +358 29 56 66700

Fax: +358 29 56 66735

Muotolevy may need to amend and update this privacy policy. Changes may also be based on changes to the data protection legislation. We recommend that you regularly review the content of this privacy policy. Data subjects will be notified of any substantial changes.

This privacy policy was published on 24 May 2018.