General Data Protection Regulation 2016/679
1. Controller
Stala Oy
Yrittäjänkatu 4
FI-15170 Lahti, Finland
Tel. +358 3 882 110
www.stala.com
2. Name of the data file
Stala Oy customer, user and marketing data file
3. Purpose and storage time of data file and personal data
Personal data will be processed in connection with orders, loans, invoicing, debt collection, communication, transactions, customer surveys, service development, reporting, marketing and other measures related to customer relationships and potential customers.
Any purchase and transaction data as well as location data processed in connection with the data file, may be used for profiling and tailoring marketing measures and customer communications to the interests of the data subject. Personal data will also be processed in order to send newsletters and event invitations as well as for participation in other marketing measures. The controller shall always endeavour to store as little data as possible in the data file.
Registered data will be stored and processed in the data file for as long as the data are needed for the purpose they have been collected for.
4. Data file content and categories of personal data
The categories of personal data that may be processed include contact people of companies that are or were customers of the controller, potential customers, people who have contacted the controller, users of the Stala online shops, participants in Stala events or those who have opted in for marketing.
Any data relevant to the purpose of the data file belonging in the following data categories may be processed:
a) basic details of the companies that are or were or potentially could be customers of the controller, such as name and contact details (address, email address, telephone number, Business ID) and the names and contact details of their contact people;
b) information concerning the customer relationship between the controller and the data subject, such as orders, meetings and other facts relevant to the customer relationship, possible direct marketing opt-ins or opt-outs, and any other communication between the parties and information related to the customer relationship and services produced by Stala, such as customer satisfaction and marketing surveys;
c) registered purchases or transactions on the controller’s website, behaviour on the website and other similar activities, participation in events, information entered in relation to events, contact with customer service, contact with Stala employees, and services and newsletter subscription;
d) full name, and possible contact details of any data subject who registers for an event organised by the controller and any subsequent information entered in relation to said event. The details entered by the data subject when registering for an event may include the following data: email address, phone number, address, possible allergies, name of employer and job title.
5. Regular sources of data
Data entered by the customer, ERP and customer management system databases, user and transaction data related to websites, blogs and newsletters, customer service system data, user data from Stala online shops, partners, and companies that provide personal data services.
6. Regular disclosure of data
Personal data will not be transferred outside the European Union or European Economic Area.
7. Data file security principles
Data files are gathered into databases that are protected by firewalls, passwords and other technical methods. Server equipment is located in locked spaces that can only be accessed by Stala or service provider staff members. The data may only be accessed by Stala Group employees or persons authorised by Stala Group that require the data for their work. The data file is backed up securely, and it can be retrieved when necessary.
8. Right to access and rectify data stored in the data file
The data subject has the right to access their own data and the right to demand rectification of any inaccurate personal data.
The data subject who wants to gain access to their data must submit a hand-signed or similarly authenticated request to the controller or personally visit the controller.
Any requests for access should be sent in writing and signed to:
Stala Oy
Yrittäjänkatu 4
FI-15170 Lahti, Finland
9. Consent
The controller asks the person who has submitted personal data for express consent to process personal data, unless there is a legal basis for not requesting data. The data subject has the right to withdraw their consent at any time. Withdrawal of consent does not eliminate the right to process data, if there is a legal basis for processing of data.
10. Right to prohibit and restrict processing of personal data
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
a) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
b) the data subject withdraws consent;
c) the personal data have been unlawfully processed;
d) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject;
e) the personal data have been collected in relation to the offer of information society services;
The right to erasure does not apply, however, if data are processed on lawful grounds.
In addition, the data subject has the right to obtain from the controller restriction of processing where one of the following applies:
a) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
b) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
c) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;
d) the data subject has objected to processing pending the verification whether the legitimate grounds of the controller override those of the data subject.
Requests to erase personal data must be submitted to the contact person.
11. Right to lodge a complaint
The data subject has the right to lodge a complaint about the processing of personal data with the Office of the Data Protection Ombudsman.