This is a statement on the processing of personal data in accordance with the EU General Data Protection Regulation (679/2016).
Controller
Volar Plastic Oy
Business ID: 0929535-1
Address:Yrittäjänkatu 2, 15170 LAHTI, Finland
Person to contact concerning privacy policy matters
Emma Tuominen
Tel. +358 40 768 8733
Email: emma.tuominen@volar.fi
In all matters related to the processing of personal data and situations involving the exercise of their rights, the data subject is encouraged to contact the aforementioned contact person.
Name of personal data file
Customer and marketing data file of Volar Plastic Oy
Grounds for and purpose of personal data processing
The legal basis for processing personal data is:
- Consent of the data subject to the processing of their personal data
- Contractual relationship between the data subject and the controller
- Implementation of the controller’s legal obligations
- Legitimate interest of the controller
- The general interest or the exercise of official authority vested in the controller
- Protection of vital interests
We process personal data for the management, maintenance, development, and analysis of relationships related to customer and other relevant contexts. This includes providing, offering, and improving services, as well as developing and planning business operations and websites. Additionally, we engage in marketing, opinion and market research, and customer communication, which may also be carried out electronically and in a targeted way.
Regular sources of information
rocessed personal data is regularly obtained from the following sources:
- From the data subject themselves
- From the Trade Register
The collection of personal data is based on the customer relationship or other relevant connection with the data subject. We collect information during the conclusion of contracts, when a person registers, or when they use our services. We also track cookies, and a person’s visit to our website leaves a trace, including the IP address. We may also collect information through various marketing activities and from public sources.
Personal data processed
The controller collects from the data subjects only such personal data as is relevant and necessary for the purposes described in this privacy statement.
The following information about data subjects is processed:
- Name and function and/or position in the company
- Company name, contact details and sector of activity
- The person’s landline/mobile phone number and email address
- The person’s marketing permissions and prohibitions
- Information related to online behavior on the website, data collected through cookies
- Classification information provided by the person or data collected with the person’s consent
- Generally available classification information.
Disclosure of personal data
For example, data may be disclosed to public authorities as required by law.
Personal data is not disclosed to third parties for marketing purposes. Due to the technical or operational implementation of data processing, some of the information may be located with our subcontractors or partners who process the data only within the limits required for the provision of the service. The mentioned parties do not use the information for other purposes and do not disclose the information to third parties.
Transfers of personal data to third countries
Personal data is not generally transferred outside the European Union (EU) and the European Economic Area (EEA). If such a transfer is made for a specific reason, it will be carried out in accordance with the adequacy decision on data protection issued by the European Commission. The controller may transfer information outside the EU and EEA for various purposes, for example for technical maintenance and processing of data by a subcontractor.
Protection of personal data
The controller processes personal data in a manner aimed at ensuring the appropriate security of personal information, including protection against unauthorized processing, as well as accidental loss, destruction, or damage.
The controller employs appropriate technical and organizational security measures to ensure this objective, including the use of firewalls, encryption techniques, secure facility management, proper access control, careful management of user credentials in information systems, and guidance for personnel involved in the processing of personal data.
All employees processing personal data are bound by confidentiality obligations regarding matters related to the processing of the data subjects’ personal information, based on the Employment Contracts Act (55/2001) and supplementary confidentiality agreements.
Data retention period
The controller retains personal data only for as long as is necessary to fulfill the processing purposes defined in this privacy policy. Unnecessary and outdated personal data will be appropriately removed from the registry. The controller may have an obligation to process some of the personal data in the registry for a longer period to comply with legal requirements or regulatory obligations.
Rights of the data subject
Right of access to personal data
The data subject has the right to obtain confirmation of whether personal data concerning them is being processed, and if so, the right to obtain a copy of their personal data.
Right to rectification
The data subject has the right to request the correction of inaccurate and incorrect personal data concerning them. The data subject also has the right to have incomplete personal data supplemented by providing the necessary additional information.
Right to erasure
The data subject has the right to request the erasure of personal data concerning them if:
a. the personal data is no longer necessary for the purposes for which it was collected;
b. the data subject withdraws the consent on which the processing of personal data was based and there is no other lawful basis for the processing; or
c. the personal data has been unlawfully processed.
Right to restriction of processing
The data subject has the right to restrict the processing of personal data concerning them if:
a. the data subject contests the accuracy of the data subject’s personal data;
b. the processing is unlawful, and the data subject opposes the erasure of their personal data and instead requests the restriction of its use; or
c. the controller no longer needs the personal data for the original purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims.
Right to object
The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of their personal data.
The controller may no longer process the data subject’s personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject, or for the establishment, exercise, or defense of legal claims. If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of their personal data for such marketing, including profiling to the extent that it is related to such direct marketing.
Right to withdraw consent
The data subject has the right to withdraw their consent to processing at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
The right to transfer data from one system to another
The data subject has the right to receive their personal data, which they have provided, in a structured, commonly used, and machine-readable format and has the right to transmit such data to another controller.
Right to lodge a complaint with a supervisory authority
The national supervisory authority for data protection matters operates within the Ministry of Justice and is called the Office of the Data Protection Ombudsman. You have the right to lodge a complaint with the supervisory authority if you believe that the processing of your personal data violates the relevant legislation.
Changing the privacy policy
The controller continuously develops its operations, and as a result may need to change and update its data protection practices from time to time as necessary. Changes may also be based on amendments to data protection legislation.
If the data protection practices regarding the processing of personal data change significantly, the controller will publish the updated privacy policy on its website and, if necessary, seek consent.