DUURI GROUP – PRIVACY POLICY
1. DATA CONTROLLERS
Duuri Group Oy, y-tunnus: 2495845–9
Duuri Oy, y-tunnus: 2984546–1
Pohjanmaan Rakennuspelti Oy, y-tunnus: 2023150–0
Scan-Mikael Oy, y-tunnus: 1720096–5
2. CONTACT INFORMATION
Our customer service answers questions and feedback regarding the processing of personal information:
Tapulikaupungintie 35, 00750 Helsinki
Phone number. 09 351 050
3. GENERAL
This privacy statement describes how Duuri Group Oy, Duuri Oy, Pohjanmaan Peltirakentajat Oy and Scan-Mikael Oy, which belong to the same group, process the personal data of the contact persons of their customers and potential customers.
In the following, the term “Data Controller” always refers to the group company whose (potential) customer the data subject represents.
4. PURPOSE AND LEGAL BASIS FOR PROCESSING PERSONAL DATA
The purpose of processing is:
• customer relationship management
• order processing
• invoicing and monitoring, along with the collection of payments
•marketing
• targeting online advertising and improving the user experience of the website
Personal data is not used for automated decision-making or profiling.
The legal basis for the processing of personal data under the EU General Data Protection Regulation is the legitimate interest of the controller (conducting and promoting business).
For cookies other than those necessary for the operation of the website, the legal basis is the consent of the data subject.
Personal data contained in accounting material is processed in order to fulfil the Controller’s statutory obligations (Accounting Act, 1336/1997).
5. PERSONAL DATA PROCESSED
The controller processes personal data according to the following categories:
• Name
• E-mail address
• Mobile phone number
• Company represented and position
• Address information of the represented company
• Information collected by cookies, such as IP address
6. REGULAR SOURCES OF INFORMATION
Personal data is mainly obtained from the data subject himself or from the company he or she represents in connection with transactions. The controller may also collect personal data, e.g. publicly available sources and contact lists of third parties.
7. REGULAR DISCLOSURE OF INFORMATION
The Controller discloses personal data to such external service providers it uses, i.e. processors of personal data, who process personal data on behalf of and on behalf of the Controller in accordance with the instructions given by the Controller. Such processors include, for example, accountants and service providers of software used by the Controller to process personal data. The Controller requires that processors of personal data comply with data protection legislation and appropriate measures to protect personal data. The processors of personal data do not have the right to use the personal data disclosed by the Controller for their own purposes.
8. TRANSFER OF DATA OUTSIDE THE EU/EEA
Some of the data processors used by the Controller or their sub-processors are located outside the EU and EEA. In this case, the Controller ensures the level of protection of personal data, for example, by requiring that standard clauses approved by the European Commission be included in the data protection of the Controller and the data processor in question, in which an agreement between the data processor or, in the case of US processors, by ensuring that such processor is committed to the EU-US Data Privacy Framework.
9. DATA RETENTION PERIOD
As a rule, personal data is stored for as long as the customer relationship is valid. If the Controller becomes aware of changes related to contact persons or their information, the information will be updated appropriately.
In order to fulfil the obligations under the Accounting Act, the personal data contained in the accounting material is stored for ten (10) years from the end of the financial year to which the accounting material relates.
10. RIGHTS OF DATA SUBJECTS
10.1. General
The data subject may exercise the rights described in this section by contacting the Data Controller using the contact details mentioned in section 2.
As a rule, the data subject will be informed of the measures taken on the basis of this request within one month of receiving the request. The data subject will also be informed if the request is not fulfilled for any reason.
As a rule, exercising the rights is free of charge.
To exercise the rights of the data subject, the controller may need to request additional information from the data subject in order to be able to identify the data subject in a sufficient manner.
10.2. Right of access to personal data
The data subject may request information from the Controller on whether personal data concerning him or her is being processed. The data subject may request information from the Controller about the personal data collected about him or her and access it.
10.3. Right to rectification
The data subject may request the Controller to rectify or supplement the data subject’s personal data if it is inaccurate, incorrect or incomplete.
10.4. Right to erasure
The data subject may request the Controller to erase the data subject’s personal data, for example, if the personal data is no longer necessary for the processing purposes for which they were collected. The Controller cannot erase personal data in all situations if storing them is a legal obligation of the Controller or if there are other legal grounds for storing them.
10.5. Right to restriction of processing
The data subject may request the restriction of the processing of his or her personal data in certain situations defined in data protection legislation, such as if the data subject has contested the accuracy of his or her personal data, in which case the processing will be restricted for the period during which the Controller verifies the accuracy.
Restricting the processing of personal data means that personal data can only be processed on very limited grounds defined in data protection legislation.
10.6. Right to object
The data subject may object to the processing of their personal data if the processing is based on the Controller’s legitimate interest. In this case, the Controller may no longer process the personal data in question, unless the Controller can demonstrate that there are compelling legitimate grounds for the processing that override the rights of the data subject.
The data subject always has the right to object to the processing of their data for direct marketing purposes.
10.7. Right to withdraw consent
If the processing of personal data is based on consent, the data subject may withdraw his or her consent at any time.
10.8. Right to lodge a complaint with a supervisory authority
The data subject may lodge a complaint with the national supervisory authority if, in the opinion of the data subject, the Controller does not process personal data appropriately or does not sufficiently implement the rights of the data subject. Notifications to the Finnish national data protection authority can be made at www.tietosuoja.fi/ilmoitus-tietosuojavaltuutetulle
11. CHANGES TO THE PRIVACY POLICY
The Privacy Statement may be updated when the Controller processes personal data and/or applicable legislation changes.