Register and data protection statement
This is Sevitio oy’s register and data protection statement in accordance with the EU General Data Protection Regulation (GDPR). Prepared on 10 July 2023. Latest change 15 April 2024.
1. Registrar
Sevitio Oy
2167173-5
Tunturintie 16, 95970 Äkäslompolo
2. Contact person responsible for the register
Johanna Lyly
info@ylamakialamaki.fi
3. Registry name
Sevitio Oy’s marketing and online service customer register
4. Legal basis and purpose of personal data processing
Personal data is processed for managing and analyzing the relationship with the customer and other material connections, for providing services, for business development and planning, and for marketing and customer communication, which can also be carried out electronically and in a targeted manner.
General condition for the processing of personal data: Section 8, subsection 1, points 1, 2, 5, 6 and 7 of the Personal Data Act.
5. Data content of the register
First and last name
Contact information (postal address, telephone number, e-mail address)
Time and method of beginning and ending of customership and/or substantive relationship
Direct marketing permits and prohibitions
Electronic services and information regarding the utilization of the contents (e.g. subscribing to newsletters), technical data sent to the server by the registrant of the registered browser (e.g. IP address, browser, browser version, page from which the data subject has moved to our pages) as well as cookies sent to the browser of the registered user and related information.
Information related to marketing and sales promotion, such as marketing measures aimed at the data subject and participation in them (e.g. participation in marketing lotteries and contests and events) cancellation information, order information for free products and services, delivery information, feedback, complaints and recordings of customer service events, such as calls, emails, chat and text messages)
Information about online behavior on websites and services (e.g. link clicks, browsed internet pages, entry and exit websites)
In addition, the register can process the following information about those who have purchased a product and/or service or created a customer account:
customer number
personal identification number
invoicing and collection information
username
password
nickname
information related to the service of the identified user, such as usage information of the service’s features
6. Duration of data storage
We keep personal data only for the necessary time
By default, we store information about the customer’s order for 10 years from the moment the order is processed. After the retention period has expired, all information connecting the order to the customer is automatically deleted from the information about orders.
At any time, the customer can also ask Sevitio Oy to delete their customer account and the personal data they have processed.
The customer must log in to his customer account at least once every 3 years. Accounts that have not been logged in at least once in three years are considered inactive and will be automatically deleted.
7. Regular sources of information
Personal information about the registrant is collected from the registrant himself, from various services that the registrant uses (e.g. online services and social media channels) and in connection with various marketing measures such as marketing lotteries and contests and events. From messages sent via web forms, by e-mail, by phone, through social media services, contracts, customer meetings and other situations where the customer gives out their information.
The information of companies and other organizations’ contact persons can also be collected from public sources such as websites, directory services and other companies.
8. Regular transfers of data and transfer of data outside the EU or EEA
Based on the discretion of the data controller, data can be disclosed within the limits permitted and required by the legislation in force at that time, for example, to partners of Sevitio Oy, unless the data subject has prohibited the disclosure of data. In principle, data may only be disclosed for purposes that support the operational concept of Sevitio Oy’s customer register and where the purpose of use of the data is not incompatible with Sevitio Oy’s purposes of use.
Information can also be disclosed in a manner required by the requirements of competent authorities or other parties, based on valid legislation, and for historical or scientific research, provided that the information has been changed to a non-identifiable form.
9. Registry protection principles
Diligence is observed in the processing of the register and the information processed with the help of information systems is properly protected. When registry data is stored on Internet servers, the physical and digital data security of their hardware is taken care of accordingly. The controller ensures that stored data, server access rights and other data critical to the security of personal data are handled confidentially and only by those employees whose job description it is.
10. The right of inspection and the right to demand correction of information
Every person in the register has the right to check their information stored in the register and to demand the correction of any incorrect information or the completion of incomplete information. If a person wants to check the information stored about him or demand correction, the request must be sent in writing to the controller. If necessary, the registrar may ask the requester to prove his identity. The controller will respond to the customer within the time stipulated in the EU data protection regulation (generally within a month).
11. Other rights related to the processing of personal data
A person in the register has the right to request the removal of personal data about him from the register (“the right to be forgotten”). Those registered also have other rights according to the EU’s General Data Protection Regulation, such as limiting the processing of personal data in certain situations. Requests must be sent in writing to the controller. If necessary, the registrar may ask the requester to prove his identity. The controller will respond to the customer within the time stipulated in the EU data protection regulation (generally within a month).