Privacy policy

Data protection & privacy policy

Privacy policy of the customer register of Sukkamestarit Oy

1. Data controller

The data controller of the register is Sukkamestarit Oy (business ID 2143817-5).

Register administrator and data protection officer: Jani Tarkki / factory manager

SUKKAMESTARIT Oy
Address: Kuukuja 2-4, 33420 Tampere
Phone: 03-3475000
Email: jani.tarkki@sukkamestarit.fi

2. Name of the register

The name of the register is the customer register of SUKKAMESTARIT Oy.

3. Purpose of processing personal data

Personal data is processed for purposes related to managing, administering, and developing the customer relationship, providing and delivering services, as well as developing and invoicing services. Personal data is also processed for purposes necessary for investigating possible complaints and other claims.

In addition, personal data is processed in customer communications such as for information and news purposes, as well as in marketing, including direct marketing and electronic direct marketing purposes.

The customer has the right to prohibit direct marketing targeted at them.

The controller processes the data itself and also utilizes subcontractors acting on behalf of and for the controller in the processing of personal data.

4. Legal basis for processing

The legal bases for processing personal data are the following grounds in accordance with the EU General Data Protection Regulation (hereinafter also “GDPR”):

  • the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Article 6(1)(a));
  • the processing is necessary for the performance of a contract to which the data subject is party, or to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b));
  • the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Article 6(1)(f)).

The aforementioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller, which results from the data subject being a customer of the controller, and when the processing is carried out for purposes that the data subject could reasonably expect at the time of the collection of personal data and in connection with the appropriate relationship.

5. Content of the register (categories of personal data to be processed)

The register principally contains the following personal data about all registered individuals:

  • basic and contact information of the person: first name, last name, address, phone number, email address;
  • information related to the person's company or other organization and the person's position or job title in the respective company or organization;
  • the person's direct marketing consents and prohibitions.

6. Regular sources of information

Personal data is collected from the data subject themselves.

Personal data is also collected and updated, within the limits of applicable legislation, from publicly available sources related to the fulfillment of the customer relationship between the controller and the data subject, and by means of which the controller fulfills its obligations related to maintaining customer relationships.

7. Retention period of personal data

The data collected in the register will be retained only for as long as, and to the extent that, it is necessary in relation to the original or compatible purposes for which the personal data was collected.

The need to retain personal data is assessed every five years and, in any case, data concerning a registered individual will be deleted from the register five years after the customer relationship between the data subject and the controller has ended, and the obligations and actions related to the customer relationship have been completed. For example, accounting documents are retained for five years after the end of the financial year.

The controller regularly assesses the necessity of data retention in accordance with its internal rules of conduct. In addition, the controller takes all possible reasonable measures to ensure that inaccurate, incorrect, or outdated personal data, in relation to the purposes of processing, are deleted or rectified without delay.

8. Recipients of personal data (recipient groups) and regular disclosures of data

We cooperate with third parties to enable the everyday operations of e-commerce, e-commerce platform development, company, service and product development, as well as targeted marketing:

  • With the e-commerce platform provider, to enable the processing of orders placed through the online store.
  • With logistics operators of your choice, to enable the creation of package deliveries and the formation of tracking information.
  • With the product and service review platform
  • With the newsletter platform provider to enable marketing communications (if you have subscribed to the newsletter)
  • To enable customer service and customer communications
  • And with other possible parties to develop our operations. For example, customer satisfaction and market surveys.
  • We may also use information related to your purchasing behavior, interests, and product purchases for targeted advertising through a third party or to create lookalike audiences. 

We never sell our registers for the marketing purposes of other companies.

What information we store:

  • The name information you provide
  • The address information you provide
  • Email
  • Phone number

Please note that information related to payments and payment details is an agreement between the customer and the payment intermediary.

9. Transfer of data outside the EU or EEA

In order to provide our excellent customer experience and our services, we may need to transfer personal data for processing to a third-party service provider's servers or resources located outside the EU or the European Economic Area. In these cases, we ensure that appropriate contractual measures are applied to the transfer of personal data (for example, commitment to the European Commission's standard contractual clauses), that the transfer has an appropriate legal basis, and that the processing meets the confidentiality requirements set by law.

Third parties outside the EU to whom it is necessary for us to disclose data due to order processing are listed below. In addition, third parties we use for marketing, development, and analysis of our site are listed below. This privacy statement covers the use of your data only by Sukkamestarit.com, so please also familiarize yourself with our partners' privacy statements.

10. Principles of Register Protection

Materials containing personal data are stored in locked premises, to which only designated and authorized persons have access due to their duties.

The database containing personal data is on a server that is kept in a locked room, accessible only to designated and authorized persons due to their duties. The server is protected with an appropriate firewall and technical safeguards.

Access to databases and systems is possible only with separately granted personal usernames and passwords. The controller has restricted access rights and authorizations to information systems and other storage platforms so that only those persons who need the information for lawful processing can view and handle the data. In addition, the usage events of databases and systems are recorded in the controller's IT system logs.

The controller's employees and other persons are committed to observing confidentiality and keeping secret the information they receive in connection with the processing of personal data.

11. Rights of the Data Subject

The data subject has the following rights under the EU General Data Protection Regulation:

  • the right to receive confirmation from the controller as to whether or not personal data concerning him or her are being processed and, if such personal data are being processed, the right to access the personal data and the following information:
    • (i) the purposes of the processing; 
    • (ii) the categories of personal data concerned; 
    • (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; 
    • (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; 
    • (v) the right of the data subject to request from the controller rectification or erasure of personal data concerning him or her or restriction of processing of personal data or to object to such processing; 
    • (vi) the right to lodge a complaint with a supervisory authority; 
    • (vii) where the personal data are not collected from the data subject, any available information as to their source (GDPR Article 15). These basic details described in (i)–(vii) are provided to the data subject with this form;
  • the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7);
  • the right to have the controller erase personal data concerning the data subject without undue delay, provided that 
    • (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; 
    • (ii) the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing; 
    • (iii) the data subject objects to the processing on grounds relating to his or her particular personal situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; 
    • (iv) the personal data have been processed unlawfully; or 
    • (v) the personal data must be erased in order to comply with a legal obligation under Union law or national legislation applicable to the controller (GDPR Article 17);
  • the right to have the controller restrict processing if 
    • (i) the data subject contests the accuracy of the personal data, in which case processing will be restricted for a period enabling the controller to verify the accuracy of the personal data;
    • (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; 
    • (iii) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise, or defense of legal claims; or 
    • (iv) the data subject has objected to processing of personal data on grounds relating to his or her particular personal situation pending the verification of whether the legitimate grounds of the controller override those of the data subject (GDPR Article 18);
  • the right to receive the personal data concerning him or her, which the data subject has provided to the controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, if the processing is based on consent as referred to in the regulation and is carried out by automated means (GDPR Article 20);
  • the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the EU General Data Protection Regulation (GDPR Article 77).

Requests regarding the exercise of the data subject's rights should be addressed to the contact person of the controller mentioned in section 1.