Privacy Policy
1. GENERAL
This privacy policy describes how Vestera Oy (“Vestera” or the “controller”) processes personal data. This privacy policy applies to the processing of personal data related to our websites, marketing, customer relationship management, and the products and services we offer.
In all personal data processing, we comply with applicable data protection legislation. Data protection legislation refers to current data protection legislation, such as the European Union’s General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (5.12.2018/1050). Concepts related to data protection not defined in this privacy policy shall be interpreted in accordance with data protection legislation.
Our services and website may also contain links to external websites and services operated by other organizations. This privacy policy does not apply to their use, so we encourage you to review their respective privacy policies separately. “Personal data” refers to all information concerning natural persons (“data subject”) from which a person can be directly or indirectly identified, as further defined in the GDPR.
2. CONTROLLER AND DATA PROTECTION OFFICER
Controller: Vestera Oy
Business ID: 2324076–0
Address: Piilipuunkatu 1, 21200 Raisio, Finland
Contact Person for Data Protection:
Sanna Heinonen
Phone +35850 309 3581
sanna.heinonen@vestera.fi
3. PURPOSES AND LEGAL BASES FOR PROCESSING PERSONAL DATA
The purposes (and legal bases in parentheses) for processing personal data are:
- delivery of products and services, entering into customer agreements, and managing orders (contractual relationship or its preparation)
- customer service and communication (legitimate interest, contractual relationship)
- customer satisfaction surveys (consent)
- invoicing, credit decisions, and debt collection (legitimate interest)
- marketing, including market research, other marketing promotion and analyses, as well as producing statistics and measuring marketing effectiveness (legitimate interest)
- direct marketing, including electronic direct marketing and telemarketing, as well as planning and measuring the effectiveness of advertising and marketing, and combining and updating personal data for direct marketing purposes (legitimate interest, consent)
- managing stakeholder relationships, as well as subcontracting and cooperation with service providers (legitimate interest, contractual relationship or its preparation)
- improving the user experience of our website and other services and monitoring user traffic (consent)
- internal reporting and other administrative measures (compliance with a legal obligation)
- handling warranty and defect liability matters, as well as handling complaints and managing litigation and official procedures (compliance with a legal obligation)
- prevention and investigation of misuse, as well as ensuring data security, the safety of individuals, and property (legitimate interest)
- fulfilling other legal obligations (e.g., actions related to accounting and taxation) and reporting obligations (compliance with a legal obligation)
When we process personal data based on legitimate interest, we assess the benefits and potential harms of the processing to the data subject and have assessed that the rights and interests of the data subjects do not override the legitimate interest. We provide further information on request regarding personal data processing based on legitimate interest.
4. PERSONAL DATA PROCESSED AND DATA SOURCES
| Data Category | Examples of Data Content |
|---|---|
| Identification and Contact Information | Customer and/or representative’s name, company name, address, phone number, email address, business ID. |
| Information concerning products and services, their orders, and customer communication | Information on processed orders, order delivery time, invoicing information, as well as information related to agreements, customer communication, and complaints. |
| Information related to marketing (including direct marketing) and events, as well as consents and prohibitions given by the data subject | Contact information for marketing purposes, as well as data collected in connection with events and occasions. Consents and prohibitions concerning direct marketing. |
| Information concerning the use of websites and other electronic services | IP address, electronic communication identification data, search and browsing data, browser and operating system data, and registration data |
We collect personal data directly from the data subject, for example, in connection with transactions, or when the data subject purchases or orders our products or services either personally or on behalf of an organization they represent, or in connection with registration, when the data subject visits our website or other electronic services, subscribes to our newsletter, responds to a customer satisfaction survey, or otherwise contacts us.
We also receive personal data from other external sources, such as private registry services and registers maintained by authorities.
5. RETENTION OF PERSONAL DATA
We retain personal data for as long as necessary to fulfill the purposes defined in this privacy policy and always for the period required by law (for example, responsibilities and obligations related to accounting or reporting obligations), or for the purpose of litigation or resolving a similar dispute. We retain personal data of inactive customers for a maximum of five years from the last contact. After the purpose of use ends, personal data will be deleted or anonymized within a reasonable time.
We provide further information on personal data retention practices upon request.
6. RECIPIENTS OF PERSONAL DATA
Various service providers and other third parties may also be used in the processing of personal data, such as providers of technical solutions or server space, or accounting and financial administration service providers. We ensure that agreements required by data protection legislation are in place with the parties we use for personal data processing.
Personal data may be disclosed to third parties in situations required by law or by an authority, or for the investigation of misuse, and to ensure security. Furthermore, personal data may need to be disclosed in connection with litigation or similar legal proceedings.
If the controller or a company belonging to the same group is involved in a merger, business acquisition, or other corporate arrangement, personal data may be disclosed to the parties of the arrangement or to parties assisting in the arrangement.
We provide further information on the recipients of personal data upon request.
7. TRANSFER OF PERSONAL DATA OUTSIDE THE EUROPEAN ECONOMIC AREA
When data is transferred outside the European Union or the European Economic Area, the company ensures an adequate level of personal data protection, for example, by agreeing on matters related to personal data processing in the manner required by data protection legislation, such as by using standard contractual clauses approved by the European Commission.
We provide further information on personal data transfers and the protection mechanisms used upon request.
8. PROTECTION OF PERSONAL DATA
Data security and the protection of personal data are of paramount importance to us. We use appropriate technical and organizational safeguards to protect personal data. We also ensure the fault tolerance of our systems and the possibility of data recovery. Access to personal data is restricted only to specifically authorized parties. Parties processing personal data are bound by confidentiality regarding matters related to personal data processing.
9. RIGHTS OF DATA SUBJECTS
Data subjects have rights regarding their personal data in accordance with data protection legislation. However, the application of these rights in each individual case depends on the purpose and situation of personal data use.
- Right of access to personal data. The data subject has the right to obtain confirmation as to whether personal data concerning them is being processed, as well as other information regarding personal data processing in accordance with data protection legislation. The data subject has the right to obtain a copy of the personal data.
- Right to rectification of personal data. The data subject has the right, with certain restrictions, to demand the correction or deletion of inaccurate or incomplete data.
- Right to erasure of personal data. The data subject has the right to request the erasure of their personal data in accordance with the requirements of data protection legislation. Upon request, we will erase personal data unless legislation or some other applicable exception under data protection legislation requires us to retain the personal data.
- Right to restriction of processing. The data subject has the right, in certain situations, to request the restriction of personal data processing in accordance with the requirements of data protection legislation.
- Right to data portability. The data subject has the right to request the transfer of their personal data to another controller. The right to portability primarily applies to personal data that the data subject has provided to the controller in a structured, commonly used, and machine-readable format, and where the processing is based on the data subject’s consent or a contract, and/or where the processing is carried out by automated means.
- Right to object to processing. The data subject has the right, in accordance with the requirements of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if the processing is necessary for the compelling and legitimate interests of the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and profiling related to direct marketing.
- Right to withdraw consent. If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw their consent for the processing of personal data concerning them. The withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.
Exercising your Rights
We hope you will contact us if you have any questions regarding the processing of your personal data.
You can send a request concerning data subject rights by mail or email using the contact information mentioned in this privacy policy.
The identity of the requester may be verified before processing the request. The request will be responded to within a reasonable time, and generally within one month from the submission of the request and verification of identity. If the request cannot be granted, a separate notification of refusal will be provided.
10. RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY
The data subject has the right to lodge a complaint with the competent data protection authority if the data subject considers that their personal data has been processed contrary to data protection legislation.
You can find the contact information for the Finnish data protection authority here.
11. CHANGES TO THE PRIVACY POLICY
This privacy policy may be subject to changes from time to time. Changes may also be based on amendments to data protection legislation. We therefore encourage you to regularly review the privacy policy to detect any changes. The latest version is available on our website.
This privacy policy was published on April 26, 2023.