Customer and marketing register, privacy policy

Personal Data Act (523/99) 10 §

The General Data Protection Regulation (EU) 2016/679 (GDPR)

Latest update: 25.5.2021


1. Data controller                                                                              

Tehdasvalo Oy, Piikatu 16, 55120 Imatra, Finland

Contact person: Tehdasvalo Oy / Hanne Saari

2. Data subject

The customer register includes the contact persons of business customers. The marketing register may also include representatives of other stakeholders.

3. Legal basis and purpose of data processing  

Legal basis:

  • Personal data is processed based on a registered customer relationship
  • Personal data is processed based on consent (e.g. a contact list gathered at a fair or other event, written consent, a request for quotation or other direct contact)

Purpose of processing personal data:

  • Execution of customer relationship
  • Carrying out customer satisfaction surveys
  • Marketing communication related to products, services and operation

4. Categories of data processed

The following personal data may be processed:

  • First and last name of a contact person of a business customer
  • Title/position at company
  • (Business) e-mail address and (business) telephone/mobile number

5. Rights of the data subject

The data subject has the rights listed below. Their use must be requested in person at the data controller’s office or by a duly signed letter addressed to: Tehdasvalo Oy, Piikatu 16, 55120 Imatra, Finland.

Right to access and correct: Individuals have the right to access and check their personal data, free of charge. If the individual believes that the personal data processed is incorrect, incomplete or inaccurate, they have the right to have it rectified or completed.

Right to object and to erasure: The data subject has the right to object to the processing of their personal data if they believe the data has been processed against legal terms.

The data subject has the right to ask for erasure of their personal data, for example if it is no longer needed for fulfilling the processing purpose. Upon request, we will erase the personal data or state the reason why we cannot erase it.

It is acknowledged that the data controller may have a legal obligation or some other right not to erase the personal data. The data controller is obliged to keep accounting material for the period (10 years) specified in the Accounting Act (Chapter 2, 10 §). Therefore, accounting-related data cannot be deleted before that deadline.

Right to prohibit direct marketing: The data subject has the right to prohibit the use of their personal data for direct marketing purposes.

Right to withdraw their consent: If data is processed only on the basis of consent and not, e.g., a customer relationship or other legal obligation, the data subject has the right to cancel the consent.

Right of appeal: The data subject has the right to demand that we limit the processing of the disputed data until the matter is resolved.

The data subject has the right to make an appeal to the Data Protection Ombudsman if they feel that we are processing the personal data in violation of the data protection regulations. Contact information, Office of the Data Protection Ombudsman:

6. Regular sources of personal data

Personal data is obtained from: 

  • business customers’ contact persons themselves upon establishing a customer relationship
  • persons themselves upon request for quotation or other direct contact
  • persons themselves when they subscribe to our e-mail newsletter

7. Protection and storage period of personal data

The customer and marketing register is maintained in electronic form on technically and physically secure servers. Access to the register is allowed only to those employees of Tehdasvalo Oy who need the data to conduct their work.

Personal data is processed mainly for as long as the company needs it for the above-mentioned processing purposes. When a customer’s contact person is no longer in the service of the business customer, the personal data of that person will be erased without delay.

8. The data processors

Personal data is processed only by those employees in our company whose work duties require it. In the course of normal business operations, we may partially outsource the processing of data to a third party, in which case we will ensure by contractual agreements that our service providers process personal data in accordance with applicable data protection laws and otherwise in an appropriate manner.

9. Data transfer to another company and outside the EU

Personal data is not transferred outside Tehdasvalo Oy for marketing purposes.

Personal data may be transferred upon contractual agreement to service providers in order to conduct the following measures: service maintenance, storage of the personal data as well as support, development and consulting services. These service providers are committed to complying with the requirements of the Data Protection Regulation.

The data may be transferred by a service provider partly outside the EU or the European Economic Area. When data is transferred outside the EU and the EEA, an adequate level of protection of personal data will be ensured by agreeing on issues related to the confidentiality and processing of personal data as required by law.

10. Automated decision-making and profiling

We do not use personal data for automated decision-making or profiling.

11. Modification of the privacy policy

The data controller reserves the right to update and modify this privacy policy. When legislation so requires, we will inform the data subjects of such an update or modification.