Privacy policy

Privacy policy

Privacy Policy of Kotileipomo Sorsa

Updated: 9 November 2021

1. Data Controller

Kotileipomo Sorsa Oy Metsätie 4, 83100 Liperi Business ID: 0805409-7 Tel: +358 50 472 8659

2. Data Protection Contact

Our customer service will respond to questions and feedback regarding the register as quickly as possible. For further information about data protection and the processing of personal data, please contact us by email at: posti@kotileipomosorsa.fi.

3. Name of the Register

Customer, marketing and stakeholder register of Kotileipomo Sorsa Oy.

4. Purpose of Processing Personal Data

The purpose of processing personal data is to manage customer relationships, to implement the rights and obligations of both the customer and the data controller, and to process personal data in accordance with applicable data protection legislation for purposes related to online services, research activities, and the targeting of advertising and/or direct marketing by the data controller and/or its partners based on customer data through the data controller’s communication channels and services, without disclosing personal data to external parties.

5. Data Content of the Register

The register may contain the following information about customers:

  • Name
  • Email address
  • Mobile and/or other telephone number
  • Organization and position
  • Organization address details
  • Customer and order history
  • Communication log

Personal data is stored for at least the duration of the customer relationship. Longer retention periods comply with statutory obligations.

6. Regular Sources of Information

The register is compiled from the data controller’s customer information system, publicly available internet sources, and other possible public sources. As a rule, address sources are specified if they differ from those primarily mentioned.

7. Regular Disclosure of Data

As a rule, personal data is processed by employees of our company in the course of their duties. We may disclose certain necessary information to third parties to ensure deliveries and for marketing purposes. Information may also be transmitted to a credit provider in connection with a credit decision.

The data controller does not disclose customers’ personal data to external parties except when required by Finnish authorities.

In certain situations, data may be transferred outside the EU. Some cloud services used may be located outside the EU. If data is transferred outside the European Union or the European Economic Area, we ensure that the destination country has been deemed by the European Commission to provide an adequate level of data protection, or that the recipient is certified under the Privacy Shield framework (USA), or that the transfer is carried out using standard contractual clauses published by the European Commission. We always ensure that any transfer of data is carried out on lawful grounds and with adequate safeguards.

8. Deletion of Data

Data may be deleted at the request of the individual or due to the termination of the customer relationship. The retention period varies depending on the purpose and situation, and retention periods may also be based on legislation, such as the Accounting Act. Unnecessary data is deleted from the registers.

9. Principles of Register Protection

Personal data is kept confidential. The data controller’s network and hardware, as well as those of any IT partners where the register is stored, are protected by firewalls and other necessary technical measures.

Personal data is processed by the data controller and its employees. We may also partially outsource the processing of personal data to third parties, in which case we ensure through contractual arrangements that personal data is processed in accordance with applicable data protection legislation and otherwise appropriately.

10. Right to Object

The data subject has the right to prohibit the data controller from processing their personal data for direct marketing, distance selling, other direct marketing, and market or opinion research purposes. The objection must be made in writing and addressed to the person responsible for data protection matters.

11. Right of Access

The data subject has the right to inspect the personal data stored about them in the register and to receive copies of such data. The request must be made in writing and addressed to the person responsible for data protection matters.

12. Rectification of Data

The data controller shall, on its own initiative or at the request of the data subject, rectify, delete, or supplement personal data in the register that is incorrect, unnecessary, incomplete, or outdated for the purposes of processing. The data subject must contact the person responsible for data protection matters to request rectification.

13. Changes to the Privacy Policy

The date of the latest update to this Privacy Policy is always indicated. We reserve the right to make changes to this Privacy Policy, including changes due to amendments in legislation, at any time without prior notice.

The data subject is responsible for reviewing the Privacy Policy currently in force. By submitting a form, the data subject accepts this Privacy Policy.