Privacy statement


1.  Controller

Puustelli Group Oy [hereinafter referred to as the “Controller”]

Business ID:           1570646-0

Address:                 Teollisuuskatu 46, 29200 Harjavalta

Tel:                          +358 10 277 6000

E-mail:                    [email protected]

Contact person on data protection matters: Puustelli Customer Service ([email protected])

2.  Definitions

‘Personal data’ means the data related to any identified or identifiable natural person (hereinafter referred to as the “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A ‘Customer’ means, out of the data subjects, those consumers and contact persons of those companies and other organisations (hereinafter referred to as the “company”) who the Controller has a customer relationship with. 

‘Potential customers’ means, out of the data subjects, those consumers and contact persons of those companies who the Controller aims to create a customer relationship with.

‘Interest groups’ means those consumers and the contact persons of those companies the Controller is partnering with (representatives of companies producing services for the Controller, for example) or by other means are connected with (for example representatives of the media as parties of communication activities, decision-makers in society related to community relations and retired former employees).

3.  What purposes do we process your personal data for?

The Controller processes the personal data of the data subjects for the following purposes (for one or more purposes simultaneously):

 •    Analysis and development of customer and interest group relations

The Controller may use your personal data directly with you or for the management, analysis and development of a customer or interest group relationship with the company you represent.

 •    Offering of products and services

The Controller may use your personal data to offer products and services, if you yourself have or the company has, for example, purchased a product or service from us, used our digital services, subscribed to our newsletter or brochure, or participated in our training or other events, such as the events at our stands in fairs. Personal data are used for carrying out the rights and obligations based on the mutual agreement or other commitment between the Controller and the Customer.

 •    Customer communication

The Controller may use your personal data in its customer communication, for example, to send you notifications related to products and services, to inform you about any changes made to the services and to ask for feedback on products and services.

 •    Marketing

The Controller may contact you to tell you about new products, services and benefits. The Controller may use personal data to customise its offering and to provide relevant content. This means that we may, for example, give recommendations or show customised content and customised advertisements in our own and third-party services.

 •    Product and service development

The Controller may use your personal data to develop its products and services.

The legal foundation for the processing of personal data is the following paragraphs in Article 6 of the General Data protection Regulation of the EU (GDPR):

 a)      you have given your consent to the processing of your personal data for one or more specific purposes;

 b)      processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;

 c)      processing is necessary for compliance with a legal obligation to which the Controller is subject; and

 f)       processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except where such interests are overridden by your interests or your fundamental rights and freedoms which require the protection of personal data.

The Controller processes your personal data to execute the agreement concluded with you or with the company you represent.

The Controller has legitimate interests related to conducting its business, such as the right to promote the sales of its products and services by means of marketing and sales, and the Controller may, on the basis of a legitimate interest, exercise direct marketing and sales using your contact information, including the processing of your personal data for profiling. Other legitimate interests based on which the Controller may process your personal data are, inter alia, consulting and other customer service to non-customers, further development of the business and the investigation of any potential misconduct.

Due to internal administrative reasons, the Controller has legitimate interests pursuant to the General Data Protection Regulation of the EU (GDPR) to transfer personal data within the group from one limited liability company to another/others.

If the processing of personal data is not based on contractual needs or a legitimate interest, the Controller may request your consent for another kind of processing of personal data.

In addition, the Controller may process your personal data when the legislation obliges to do so, e.g. the data retention obligation stipulated in the Bookkeeping Act.

4.  What data types can we process?

The personal data that the Controller has collected may contain the following types of information and the changes thereto:

4.1.   Basic information of all data subjects

  • forename and surname
  • contact information (mailing address, e-mail address, phone numbers)
  • gender
  • the Controller's information concerning the use of digital services
  • the technical data sent by the Controller to the digital equipment of the user (such as computers and mobile equipment) and the data concerning cookies and other corresponding techniques
  • communication targeted to data subjects and related activities
  • direct marketing options selected
  • recordings of customer service calls and e-mail discussions and online chats related to customer service in social media channels, for example

4.2.   Supplementary information on company representatives

  • title and/or job description in the current and former work related to Controller's activities

 4.3.   information on data subjects who have purchased the products or services of the Controller, or have given feedback on them and/or issued a complaint on them

  • personal identity number
  • the time and means of the beginning and the end of a customer or corresponding relationship
  • customer's transaction history
  • campaigns and offers targeted to customers and their use
  • areas of interest reported by customers or other information
  • content of feedback and complaints, related correspondence and further action
  • information related to financing, maintenance and other ancillary contracts

4.4.   information on the data subjects who have participated in events organised by the Controller

  • dietary information (specific information voluntarily provided by the user)
  • date of birth for events for which a shipping line, for example, requires to have the information
  • names of and dates of birth of travelling companions when, for example, a shipping line so requires

 4.5.   information on the Controller's online service customers

  • log-in credentials of the data subjects
  • actions in the online service after log-in

5.  What sources do we collect your personal data from?

Most of the information is derived from you at the beginning of a customer and interest group relationship and during it and from the software with which you use our products and services.

In addition, the Controller receives personal data and their updates from the authorities’ organisations and companies which offer acquisition and update services of credit history and personal data as well as from public directories and other public sources of information, such as company websites and social media channels. In addition, the Controller receives personal data from its group members and partners, such as various financing, installation and maintenance service operators and other operators in the construction and furnishing industry.

The Controller also receives the personal data of the representatives of companies from their colleagues. In other words, the main contact person of a company may also inform the Controller about the personal data of other persons related to using the Controller's products and services.

6.  Do we use your personal data for profiling?

Any automatic processing of personal data where certain personal properties of a natural person are evaluated by using personal data, especially by analysing or anticipating the natural person's characteristics related to the person's work performance, financial situation, health, personal preferences, areas of interest, reliability, behaviour, location or movement, shall be deemed profiling as referred to in the GDPR.

For the time being, we do not exercise the profiling described hereinabove. Instead, we may otherwise analyse and exploit the personal data included in our registers and link them with the data obtained from third parties.

7.  Who can we share your personal data with?

The Controller does not give, sell or otherwise disclose your personal data to third parties outside the Harjavalta Group unless mentioned otherwise in the following.

The Controller may share your personal data with third parties performing services for the Controller. These services include, for example, customer service, installation and maintenance, software R&D services, research activities and event management. The Controller may share your personal data for the collection of payments for products and services and may, for example, transfer or sell unpaid invoices to third parties offering collection services. As the protection of your personal data is important to the Controller, it does not permit the said parties to use the data for any purposes other than for offering the services in question. To do this, the user's personal data must be protected in compliance with this privacy statement and the applicable legislation.

The Controller may share your personal data with partners who the Controller jointly manages and implements projects with and who the Controller is cooperating with in relation to managing customerships, such as financing companies in situations where a data subject is applying for financing from a partner of the Controller in conjunction with trading.

The Controller may share your personal data with carefully considered third parties for joint or independent direct marketing purposes. The data can be shared for the said purposes only when the planned use of the third party is not contrary to the uses the Controller has defined in this privacy statement.

The Controller may, at its own discretion, share the personal data of persons participating in events to other participants of the event if seen appropriate due to the nature of the event.

The Controller may share your personal data in conjunction with a company acquisition or other corporate transaction or when a service is transferred to another service provider. The Controller may share your personal data based on the order of a court or a similar instance.

 8.  Do we send your personal data outside the EU area?

The Controller may, when offering the services, use resources and servers at various locations around the world. The Controller may transfer your personal data outside the country in which they are used and possibly also to countries outside the EU area whose data protection legislation is different.

In these cases, the Controller shall ensure that there are legal grounds for transferring the data and that the user's personal data are protected, for example, by using (when necessary) standard agreements approved by relevant authorities, and by requiring compliance with appropriate technical and other data protection measures.

9.  How long do we keep processing your personal data?

The Controller shall keep processing your personal data in this register as long as the Controller has any valid criterion for the processing described in section 2 of this privacy statement, and for a reasonable period thereafter.

The processing period of various person groups is determined on the basis of the following criteria:

  • consumer customers

The Controller may process your personal data during your customership (including the guarantee period) and until the end of the third year after the year your customership ended.

Thereafter, the Controller can transfer the necessary personal data to our marketing register and treat you again as a potential customer.

  •  business customer representatives

The Controller can process your personal data as long as you represent the Controller’s business customer and until the end of the third year after the year your customership ended.

Then, the Controller can transfer the necessary personal data to our marketing register and treat you again as a potential business customer representative.

  • potential consumer customers and representatives of potential business customers

The Controller can process your personal data for the time being until you become our customer or until you require your information to be erased from our marketing register.

  •  interest group members

The Controller can process your personal data as long as you are a member of some interest group, such as a representative of the Controller's partner or the media.

10.  Is it necessary for you to submit your personal data to us?

To fulfil the contractual obligations related to your mutual relationship, the Controller needs to receive and process your personal data. Without the needed personal data, we cannot provide you with the products and services in conjunction with which it is necessary to process personal data.

11.  How can you use the rights related to your personal data?

As a data subject, you have various opportunities to influence the processing of your personal data. As a rule, we shall carry out your request within a month's time. With regard to exercising your rights, we request you to contact the person referred to in section 1 of this privacy statement. The rights that belong to you are:

 a)      The right to access the personal data collected about you. In practice, this is realised so that according to your appropriate and identified request, we will provide you with a report on the personal data which has been collected about you in the person register.

 b)      The right to request the rectification or erasure of the data collected about you. If you notice any errors or shortcomings in the data, you can submit a request for rectification to us.

 c)      The right to request the erasure of the data collected about you. If any of the following criteria are fulfilled and no obligation of data retention remains due to legislation or a regulation by the authorities, we shall have the obligation to erase the personal data you have requested from the person register:

 1.      your personal data are no longer needed for the purpose they were originally processed for;

 2.      you cancel the consent you have given and no other legal grounds remain for the processing;

 3.      you oppose the processing in relation to your specific situation and no justified reason for the processing exists or you oppose the processing of your personal data for direct marketing;

 4.      your personal data has been processed against the law;

 5.      your personal data must be erased to comply with a statutory obligation based on the court of the European Union or Finnish legislation applicable to the Controller; or

 6.      your personal data has been collected in conjunction with offering information society services, such as ordering digital services from the Controller.

 d)      The right to request the limitation of the data collected about you. You can ask the Controller to limit the processing of your personal data if:

 1.      you deny the correctness of the personal data the Controller has about you;

 2.      the processing is illegal and instead of data erasure you request the limitation of its use;

 3.      the Controller does not need the personal data in question for processing purposes, but you need them for composing, presenting or defending a legal claim;

 4.      you have opposed the processing of personal data while waiting for verification as to whether the Controller's legitimate grounds overrule yours.

e)      The right to oppose the processing of personal data concerning you. If the Controller processes your data on the basis of a legitimate interest, you shall have the right on the basis of the grounds related to your specific personal situation to oppose the processing of your personal data. All persons included in the registers covered by this privacy statement shall have the right to oppose the processing of their personal data for direct marketing.

 f)       The right to transfer the information you have given from one system to another. If the automatic processing of your personal data is based on your consent or an agreement, you shall have the right to receive the data you have submitted to the Controller in an organised, commonly used and machine-readable form and have the right to transfer the data to another controller.

 g)      The right to cancel your consent. If all or part of your personal data are processed in this register on the basis of your consent, you shall have the right to cancel the consent you have given.

 h)      The right to submit a complaint to supervisory authorities. If a potential dispute concerning the processing of your personal data is not settled in an amicable way between you and the Controller, you shall have the right to take the matter to be resolved by a data protection authority.

12.  Which country's legislation shall be applied to the processing of your data?

We are a Finnish organisation operating in Finland. The Finnish legislation and EU legislation, such as the GDPR, directly applicable in Finland shall be applied for this privacy statement and for the processing of the personal data included in it.

13.  How can we update this privacy statement?

We are continuously developing our business, and it may also mean changes related to the processing of personal data. When necessary, we shall update the privacy statement to correspond to the changes in measures. These changes may also be based on changes in the legislation. We recommend that you familiarise yourself with the content of this privacy statement on a regular basis.

If we begin to process your personal data for any purposes other than what your personal data were originally collected for, we shall notify you of the matter and of the updated privacy statement prior to the further processing in question. With regards to other changes, we shall notify you of updating the privacy statement on our website.