CUSTOMER REGISTER DESCRIPTION per 7 May 2018
Vilkas Group Oy (Business ID: 1033996-4)
(hereinafter referred to as “Vilkas”, “we” or “our”)
Tel. +358 20 743 1919
Contact person in matters regarding the register
Finlaysoninkuja 19, 33210 Tampere, Finland
Tel. +358 20 743 1916
User register of Vilkas Group Oy’s online services
General terms and conditions
These register terms and conditions of Vilkas Group Oy customer register (hereinafter referred to as “Register description”) shall be applied to the personal data saved in the Vilkas Group Oy customer register.
In the processing of personal data, our goal is to provide as high quality service as possible and improve customer experience while respecting the protection of privacy. We do not collect unnecessary data about our customers, and we recognise our responsibility for protecting the privacy of our customers and their stakeholders.
Information contained in the register
We record the following information about our customers and, if the customer is not a natural person, about the contact persons and any other persons relevant for handling the customer relationship and other stakeholders (hereinafter referred to as “Data subjects”):
- First and last name
- Business language
- E-mail address
- Telephone number
- Any other data relating to the management of the customership, such as data on marketing permits and prohibitions and on the ordering of services
Updating the data
The user may update their name and address data in their webstore profile. The user may also contact the contact person mentioned in this description in order to update their information. The user is also entitled to prohibit the processing of their data for marketing purposes afterwards. This request must be presented by e-mail to the contact person mentioned in this description.
The purpose of personal data processing
We use the data collected about the data subjects for:
- the delivery and ordering of services
- personalising our services and communications, making recommendations and targeting our marketing activities
- customer services and customer communications relating to services, for example, sending messages, reminders, technical notes, updates and information requested from us
- the production, maintenance, protection and development of services
- direct marketing in accordance with the consent and prohibitions of the Data subject
- ensuring the appropriateness and functionality of communications
- business design and product development
- other tasks required for the fulfilment of the rights and duties of the controller
- resolving any disputes between us and any customer and executing agreements we have made with third parties.
If the Data subject gives us their electronic contact data, such as their e-mail address, in connection with customer communications, we consider them to have given their unambiguous consent to send them the above-mentioned communications also via electronic channels.
The purposes of the processing of personal data for individual, pre-identified and short-term campaigns may also be communicated in campaign-specific register descriptions. The data collected for the campaigns shall be destroyed immediately after their purpose of use relating to the campaign ends.
Regular sources of information
Regular sources of information include data given by the Data subject in orders and forms and data created in connection with customer service, offers, contact requests, complaints and the use of products and services. With the consent of the Data subject and based on the law, we may also acquire or receive data relating to the Data subject from third parties such as authorities, for example, to improve the quality of communications and ensure the up-to-dateness of the data.
Regular data disclosures
No regular data disclosures are made from the Vilkas user register.
Vilkas may hand over personal data within the limits allowed and obligated by the existing legislation to third parties, for example, authorities.
In e-mail communications, Vilkas uses the MailChimp system, in which personal data is saved in servers outside the European Union and the service provider is in the PrivacyShield system of the US, which means that data protection is at the EU level.
Register protection principles
The register and the personal data included in it are processed confidentially. The register is properly protected from outsiders with firewalls and other technical protection methods. The register is only kept in electronic format, and any occasional paper printouts from the register are immediately and appropriately destroyed in accordance with the internal instructions of Vilkas.
Personal data may be kept on Vilkas’s own physical platform and in a cloud service provided electronically by an external service provider. When the services of an external service provider are used, the service provider in question is, as the controller, responsible for the measures concerning the rights of the Data subject. Regardless of whether we store and process data in our own environment or an outsourced environment, we are responsible as the controller for ensuring that data security is appropriately organised and personal data is properly protected from outsiders by protective measures.
We do our best and continuously implement and update our operations in order to protect personal data from unauthorised use, destruction or modification. We collaborate with the authorities and our partners in order to guarantee data protection for the Data subjects in accordance with the applicable laws. However, it must always be remembered that no data is completely reliable or safe online.
Rights of the data subject
The Data subject has the following rights under the EU General Data Protection Regulation:
- the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source; and (viii) the existence of automated decision-making and meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (GDPR, Art. 15);
- the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR, Art. 7);
- the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement (GDPR, Art. 16);
- the right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies: (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; (iii) the data subject objects to the processing based on a special personal situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject (GDPR, Art. 17);
- the right to obtain from the controller restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing based on a special personal situation pending the verification whether the legitimate grounds of the controller override those of the data subject (GDPR, Art. 18);
- the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent referred to in the regulation and the processing is carried out by automated means (GDPR, Art. 20);
- the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the EU General Data Protection Regulation (GDPR, Art. 77).
Requests concerning the exercising of the rights of the Data subject shall be submitted in writing to the contact person of the controller in a personally signed or similarly certified document or personally presented to the controller.
The Data subject is responsible for the accuracy of the data they provide. The Data subject must give notice of any changes in the data provided by them.
The Data subject may provide and cancel consent for direct marketing in accordance with the Information Society Code (917/2014) by notifying the contact person indicated in this register description by e-mail. In addition, the Data subject has the right to ban the processing and handover of data concerning them for direct advertising, remote sales and direct marketing as well as for market and opinion surveys by notifying the controller’s contact person of the ban. The right to ban does not apply to customer communications or other communications relating to the implementation of services or managing customer relationships in connection with services.
This description was last updated on 7 May 2018. Vilkas reserves the right to change the data protection policies described here and update these terms and conditions accordingly.
If users have questions about our products or services, they are advised to contact customer service. If the question is specifically about privacy protection, we ask the user to contact the contact person indicated in this Register description.