The Controller is obligated by the General Data Protection Regulation to clearly inform Data Subjects.
This statement fulfils the obligation to inform.
Oy Primapoli Ltd
Lehtimäentie 831, 63640 Ritola, Finland
Lehtimäentie 831, 63640 Ritola, Finland
+358 201 758 438
This Statement is an explanation of how Oy Primapoli Ltd (hereinafter the “Controller”) collects and process the personal data of their customers and partners and their contact persons.
3. Purpose and Legal Grounds for the Processing of Personal Data
Personal data are only processed for prespecified purposes, which are:
- Maintenance of customer relationships and the development of services
- Informing about services and direct marketing
- Responding to contact requests
- Partnership purposes
The legal grounds for the processing of personal data are:
- For private customers, consent or the implementation of the measures preceding the signing of a contract existing between the person and the Controller, or the completion of contracts
- For enterprise customers and partner contact persons, consent or the legitimate interest of the Controller (performing and promoting business practices)
Personal data will not be used for automatic decision-making. In order to perform targeted marketing, Data Subjects may be profiled on the basis of data such as geographical location or interests reported by the customer.
4. Personal Data Groups
The Controller processes the following personal data:
- Contact details (work-related), such as email address, telephone number, and postal address
- Possibly represented organisation and position within it
- Possible order history
- Possible other data provided by the Data Subject, such as information pertaining to a construction project
- Direct marketing permissions and bans
- IP address and other data collected via cookies
5. Regular Data Sources
Providing personal data is not mandatory on the basis of law or contract. However, issuing certain personal data is a prerequisite for the signing of and complying with contracts between the Controller and their customer or partner, and in order to provide the Controller’s services.
6. Regular Data Disclosures
The Controller discloses the personal data they process to such third-party service providers, i.e. personal data processors, that they employ, who will process the data on behalf of the Controller in accordance with instructions issued by the Controller.
Such processors include:
- The Controller’s sales representatives
- The Controller’s accountant
- Providers of the technical services used by the Controller
7. Data Transfers Beyond the EU or EEA
Some data processors employed by the Controller may be situated outside of the EU or the EEA. In this case, the Controller will ensure the level of personal data protection, for example by making sure that the standard contractual clauses approved by the European Commission have been incorporated into the contract in place between the Controller and the processor.
8. Personal Data Retention Periods
The Controller will keep the personal data only for as long and to the extent as is required in order to complete the purposes described in section 3 above.
Personal data are usually stored according to the following criteria:
- Personal data used for marketing purposes and to respond to contact requests are kept until five (5) years have passed since the latest contact, unless the contact has resulted in the signing of an order contract.
- Personal data used for order contracts and order deliveries are kept until ten (10) years have passed since the delivery of the order or until the applicable warranty period exceeding this time has passed.
- The personal data of partner contact persons are kept for as long as the partnership or representation agreement is ongoing.
- Personal data being processed on the basis of the Data Subject’s consent are kept until the Data Subject has withdrawn their consent.
- Personal data included in accounting materials are kept for ten (10) years after the end of the financial period to which the materials pertain.
Some cookies are required for basic website functionality. This is why such cookies cannot be turned off. The data collected via cookies placed on the basis of the visitor’s consent can be used to analyse website traffic and to target marketing.
Cookies are used to collect data such as the following:
- The user’s browser and IP address
- The time of the visit
- The pages visited and the view times for each page
Cookies used on the website can be managed through the cookie notice shown on the site. Only required cookies will be used unless the visitor has consented to the use of other cookies as well. The Controller may not be able to provide the visitor with certain services, and the visitor may not be able to see certain parts of the website, unless all cookies are allowed.
10. Camera Surveillance
The Controller has a camera surveillance system in place at their factory and offices that records the feed in order to ensure personal safety, to protect property, to control the proper functioning of the production process, and to prevent and investigate incidents that may jeopardise such functioning. The legal grounds for the processing is the legitimate interest of the Controller.
The personal data processed in connection with the recording surveillance system include materials recorded in the surveilled area and the timestamps of the recorded feeds. The data are collected from the Data Subject personally. The personal data obtained via the camera surveillance are stored electronically, separate from other personal data.
The personal data are only processed by appointed persons who need the data to carry out their designated work tasks. As a starting point, the personal data collected via the camera system will only be processed in events of security incidents, and the collected data can be disclosed to criminal investigators for investigative purposes as specified in the Criminal Investigation Act (805/2011). No automated decision-making or profiling is used with the camera surveillance.
The personal data collected via the camera surveillance system will be automatically destroyed no later than one (1) month after data collection, unless it is necessary to keep the data to investigate a safety incident.
11. Rights of the Data Subject
Data Subjects have the following rights, and any requests to exercise them should be addressed to email@example.com.
The Controller will notify the Data Subject of any measures implemented on the basis of the request, usually within one month of receiving the request. The Data Subject will also be notified if the Controller will not comply with the request for any reason.
Exercising rights is usually free of charge.
In order to safeguard the rights of the Data Subject, the Controller may have to ask the Data Subject for more information in order to be able to identify the Data Subject with sufficient precision.
Right of review
The Data Subject may ask the Controller whether any of their personal data are being processed. The Data Subject may ask the Controller for information about and access to the data being collected.
Right of rectification
The Data Subject may request rectification or supplementation of inaccurate, erroneous, or insufficient personal data.
Right to object
The Data Subject may object to the processing of their personal data if the processing based on the legitimate interest of the Controller. In this case, the Controller may no longer process the personal data in question, unless the Controller can show that there is a particularly important reason for the processing, which overrides the rights of the Data Subject.
Right to ban direct marketing and withdraw consent
The Data Subject may ban the use of their data for direct marketing. Data Subjects can remove themselves from our marketing list by visiting the link included in all marketing emails we send, or by submitting a request to firstname.lastname@example.org.
When the processing of personal data is based in consent, the Data Subject may withdraw their consent at any time.
Right of removal
The Data Subject may request the removal of their personal data, for example if the data are no longer necessary for the purposes for which they were originally collected. We will process the removal request and either delete the data or announce the reason why the data cannot be removed.
It should be considered that the Controller may be legally obligated or otherwise required to not delete information when asked to. The Controller must keep all accounting materials for the period (10 years) specified in the Accounting Act (1336/1997, chapter 2, §10). This is why any personal data included in accounting materials cannot be deleted until the legally mandated time period has passed.
Right to restrict processing
The Data Subject may demand the restriction of the processing of their personal data in certain cases, such as when the Data Subject has contested the correctness of their data. In this case, the processing will be limited until the Controller can verify the correctness of the data.
Restricting the processing of personal data means that the data may only be processed on very limited grounds specified in relevant data protection legislation.
Right to transfer the data from one system to another
Meeting certain prerequisites specified in the relevant data protection legislation, the Data Subject may ask that the Controller submit to the Data Subject any such personal data that the Data Subject has disclosed in order to have them moved to another controller.
Right of appeal
The Data Subject may complain to a data protection ombudsman in case they feel that we have violated valid data protection legislation in the course of our processing of personal data.
The contact details of the data protection ombudsman are: https://tietosuoja.fi/en/contact-information
12. Amending the Privacy Statement
The Controller reserves the right to update the Privacy Statement as the processing of the personal data by the Controller and/or applicable legislation changes.
The Controller recommends reviewing the Privacy Statement regularly. Data Subjects will be notified of significant changes to data processing practices via email.
The Statement has been last updated on 12.7.2023.