Latest update: 20 April 2018
Haaja & Arwo Design Oy
Hallituskatu 17 A 21 A
FI-50100 Mikkeli, Finland
Users of the website and online store customers
We collect personal data for the purpose of maintaining customer relationships. The legal bases for the processing of personal data are an agreement between us and the statutory obligations pertaining to the agreement. Providing the personal data is required for the conclusion of the agreement. In other words, if you choose not to provide your personal data, you cannot use our online store to order the items in it.
The data stored in the register only include the data you provide us with, for example:
Your personal data are received by, for example:
Our online store and its employees, the settlement agent in charge of receiving your payment, the transport company in charge of delivering the items to you, the accounting employees of the online store and the IT company in charge of administering our website.
The data stored in the register are retrieved, based on the customer’s consent, from sources such as messages sent via online forms, email messages, telephone calls, social media services, agreements and other events where the customer hands over their data.
The default data retention period is the duration of the validity of the customer relationship agreement maintained with the use of the data. The default personal data retention period for marketing purposes is six (6) months, after which the data will be erased.
Possible parties include, for example, MailChimp, Paytrail, WooCommerce, Microsoft, Posti and Matkahuolto.
The data are not regularly disclosed to other parties. The data can be made public insofar as agreed upon with the customer.
Whenever possible, your data will be stored in data centres located in Europe (Finland). Some of the service providers mentioned above might create back-up copies of their data outside the EU or EEA.
The management of the register is performed carefully and all data processed by automated means are protected appropriately. Whenever the register’s data are stored on Internet servers, a sufficient level of physical and digital data protection is appropriately ensured by the third party (service provider). The controller sees to it that the stored data, server access credentials and other critical information concerning the security of the personal data are processed confidentially and only by those employees who are required to perform these tasks in order to fulfil their role of employment.
All persons included in the register have the right to inspect the data stored on them in the register and to request the rectification of inaccurate data or the completion of incomplete data. If a person wants to inspect the data stored on them in the register or request a rectification, the request must be sent to the controller by email. If necessary, the controller may ask the requester to provide proof of their identity. The controller shall reply to the customer within the time period defined in the General Data Protection Regulation (EU) (default period one month).
Persons included in the register have the right to request the erasure of the personal data concerning them from the register (“the right to be forgotten”). Likewise, data subjects have other rights defined in the General Data Protection Regulation (EU), such as requesting the restriction of the processing of personal data in certain circumstances. The requests must be submitted to the controller by email. If necessary, the controller may ask the requester to provide proof of their identity. The controller shall reply to the customer within the time period defined in the General Data Protection Regulation (EU) (default period one month).
Source and additional information (Finnish Communications Regulatory Authority)