Description of file and data protection
This is Lapuan Kankurit's description of file and data protection pursuant to the Personal Data Act (sections 10 and 24) and the EU's General Data Protection Regulation (GDPR). Prepared on 1 April 2018. Last modified on 24 April 2018.
Lapuan Kankurit Oy, Tervaspuuntie 1, 62100 Lapua, Finland
2. Contact person in charge of the data file
Eveliina Vähäsantanen email@example.com telephone: +358 6 4338 300
3. Name of data file
Lapuan Kankurit Oy’s online service user register
4. Legal grounds and purpose of processing personal data
The legal grounds for processing the personal data pursuant to the EU’s General Data Protection Regulation is the customer relationship, the customer’s consent or the exercising of rights and fulfilment of obligations resulting from contracts with the customer and/or applicable legislation.
The personal data are used for:
- processing online store orders
- managing and developing the customer relationship
- identifying and individualisation of the customer in the online service
- managing customer data and customer and contact history
- communication about services
- with the customer’s specific consent, direct marketing
The data are not used for automated decision-making or profiling.
5. Information content of the data file
Our register may contain the following information:
Basic customer data
- name (company/person)
- e-mail address
- Web address
- IP address
User account data
- online service user ID and encrypted password
- login data and history
- user account history
Information related to the customer relationship
- invoicing and delivery data (business ID, address and other contact details)
- information about gift purchases and rewards: name, mailing address, delivery address, telephone number and e-mail address of the recipient
- online store order history
- information about marketing consents/prohibitions
- newsletter subscriptions, statistics and sending history
- information provided by the customer via the website forms (e.g., product reviews, requests for quotes, brochure orders, feedback and other requests).
The data are stored until further notice and will be deleted upon the customer’s specific, written request.
6. Regular data sources
The information stored in the register is obtained from the customer, for example via messages submitted by online forms, by e-mail, telephone, social media services, agreements, customer events and other situations where the customer provides their information.
7. Regulatory information disclosure and transfer of information outside the borders of the EU or the EEA
The customer’s data are not disclosed to parties other than Lapuan Kankurit Oy or third parties authorised by Lapuan Kankurit Oy. Authorised third parties are: service providers and developers, participants to service analysis, parties delivering orders and payment service providers. These authorised third parties may use your personal data only for the purposes described in this data protection policy. In cases where required by law, such as investigating fraud or abuse, information may be disclosed to authorities.
The personal data are not transferred outside the EU or the EEA.
8. Register protection principles
The personal data stored in the register are always processed confidentially and carefully. The data are protected with the appropriate technical and administrative measures. The information security of the hardware and software used for storing the personal data is actively monitored and maintained with regular software updates. The information and the service are secured with technical measures, such as firewall, encryption technologies and access rights. The controller ensures that the stored information and the access rights to the servers and other information critical to the security of the personal data are always handled with confidentiality and only by those employees whose job description includes such handling.
9. Right of review and right to request rectification
A person in the register has the right to review the information stored in the register concerning the person and receive copies of it. The person also has the right to request the correction of any errors and supplementing of incomplete information. The above requests must be sent in writing directly to the controller. The requestor must prove his or her identity to prevent abuse. The controller will respond to the customer within the period of time specified in the EU General Data Protection Regulation (primarily within a month).
10. Other rights related to the processing of personal data
A person whose information is stored in the register has the right to request the deletion of information concerning the person from the register (“the right to be forgotten”). Furthermore, the data subject has the right to request the restriction of the processing of the data in certain situations, such as use of data for direct marketing. The requests must be sent in writing to the controller. The requestor must prove his or her identity to prevent abuse. The controller will respond to the customer within the period of time specified in the EU General Data Protection Regulation (primarily within a month).