Customer Register B2B
Privacy Policy
Last Updated:
April 8, 2024
Data Controller:
Metsäavain Oy (2908433-2)
Tervasuontie 211 A
82110 Heinävaara
Contact Person for Data Protection Matters:
Akseli Juurinen
akseli.juurinen@metsaavain.fi
040 1606157
Legitimate Interest
The purpose of this register is to maintain the organization’s B2B customer register, manage customer orders, archiving and processing, as well as customer relationship management. The data may be used for business development, statistical purposes, and to create more personalized targeted content on our online services. Personal data will be processed within the limits and requirements set by data protection regulations. The information in the register may be used in the organization’s own databases, for example, for targeted advertising, without disclosing personal data to external parties. The organization may use partners to maintain customer and service relationships, and in such cases, parts of the data may be transferred to the partner’s servers due to technical requirements. Data will be processed solely through technical interfaces to maintain the customer relationship. The organization reserves the right to publish data contained in the customer register in electronic or written form, unless the customer specifically objects. This list may refer, for example, to mailing labels for direct mail or similar uses. The customer has the right to object to such publication by contacting the data controller’s customer service via email (email address) or by contacting the person responsible for the register.
The data controller’s legitimate interest for processing collected and used personal data is based on the freedom to conduct business. The controller must process personal data in order to perform tasks related to business operations. In this case, processing cannot necessarily be justified by a legal obligation or a contract with the individual. The data controller has assessed that the legitimate interest is the most appropriate basis for processing, considering the nature and scope of the processing and the rights and freedoms of the data subjects. The controller has determined that the processing will not cause significant harm to the data subject’s rights and freedoms.
Personal data of individuals representing business customers
Previous user data
Data controller’s staff and external partners (e.g., financial administration) as applicable.
The personal register includes the following information:
First and last name
Represented company
Email address
Postal address
Phone number
Website address
IP address
Details of previous orders
Login details in cases where this functionality is provided.
Information is obtained from customer registrations and notifications made during the customer relationship. Name and contact details may also be updated from services provided by authorities and companies offering update services. Data may also be obtained from subcontractors related to service use or delivery. Other customer activities in the digital environment may generate data from partner websites, systems, or other digital sources where the user logs in via electronic invitation (link), cookies, or using customer-specific credentials. The customer register data is only used within the organization, except when using an external service provider for value-added services or credit decisions. Data will not be disclosed to external parties or its partners, except in matters related to credit applications, debt collection, invoicing, or as required by law. Registered personal data will be erased upon user request unless prohibited by legislation, open invoices, or debt collection activities.
Data will be retained for 10 years after the end of the customer relationship.
The data in the customer register is only used within the organization, except when an external service provider is used for value-added services or credit decision support. Data will not be disclosed to third parties or partners, except for matters related to credit applications, debt collection, invoicing, or when required by law. Personal data will be deleted upon the user’s request unless prohibited by law, open invoices, or debt collection.
The data in the register is not regularly transferred outside the EU/EEA. However, it is possible that service providers outside the EU/EEA area may be used, or the service providers’ clouds may be located outside the EU/EEA. In such cases, the transfer will be based on SCC (Standard Contractual Clauses), and additional protective measures such as internal guidelines (e.g., pseudonymization of personal data) and possibly a TIA (Transfer Impact Assessment) will be implemented when necessary. If the organization processing personal data is committed to the EU-U.S. Privacy Shield Framework (DPF), that will be used as the transfer basis during its validity.
A: Manual Data
Customer contact details and other documents containing manually processed customer data collected in transactions are stored after initial processing in locked and fireproof storage areas. Only designated employees who have signed a confidentiality agreement are authorized to handle manually stored customer data. The data protection law regulations and principles, as well as the authorities’ instructions and best practices in data processing, will be followed.
B: Electronic Data
Only authorized employees of the organization and its appointed partners can access the customer and customer register and maintain its data. Each authorized user has a personal username and password. All users have signed confidentiality agreements. The system is protected by a firewall that prevents unauthorized access from outside. Data protection laws, regulations, and best practices in data handling are followed to ensure the security of the information.
We use cookies on our website. A cookie is a small text file sent to and stored on the user’s computer. Cookies do not harm the user’s computer or files. The primary purpose of using cookies is to improve and personalize the visitor’s experience on the site and to analyze and enhance the website’s functionality and content. Data collected through cookies may also be used for targeted communication and marketing as well as for optimizing marketing actions. Visitors cannot be identified solely by cookies, but the information gathered can be linked to other data provided by the user, for example, when the user fills out a form on the site. The cookies may collect the following information:
Visitor’s IP address
Time of visit
Pages visited and duration of page views
Browser used
You have the right to block the use of cookies at any time by changing the settings in the cookie banner. Some browser programs also allow disabling the cookie function and deleting already stored cookies. Blocking cookies may affect the functionality of the website.
No profiling or automated processing applies to the personal data being processed.
The data subject has the right to check what information is stored about them in the register. The request for access must be made in writing by contacting the data controller’s customer service or the contact person for the register, either in Finnish or English. The request must be sent from an identifiable email address. The data subject has the right to object to the processing and disclosure of their information for direct marketing, remote selling, direct advertising, and market research by contacting the data controller’s customer service.
The data subject has the right to request that their data be transferred to another system. The request for data portability can be directed to the contact person for the register.
Personal data that is incorrect, unnecessary, incomplete, or outdated for the purposes of processing must be corrected, deleted, or completed. The request for rectification must be made in writing, either hand-signed and sent to the organization’s customer service or to the data controller’s contact person, or sent from an identifiable email address. The request must specify what data is to be corrected and on what grounds. The correction will be made without undue delay. The individual who provided the incorrect data or to whom the data was transferred will be informed of the correction. If the request for correction is denied, the responsible person will provide a written statement with reasons for the refusal. The individual may bring the issue to the attention of the data protection authority.
The data subject has the right to request a restriction on the processing of their personal data, for example, if the data held is inaccurate. Contact the register’s responsible person for such requests.
The data subject has the right to object to the processing of their personal data, and they also have the right to request the correction or deletion of their personal data. Requests should be directed to the contact person for the register. If you are acting on behalf of a business or organization, your data cannot be deleted at this time.
If you believe that the processing of your personal data violates data protection regulations, you have the right to file a complaint with the supervisory authority. You may file the complaint in the member state where you are permanently resident or where you work. The contact details of the national supervisory authority are as follows:
Data Protection Ombudsman’s Office
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: P.O. Box 800, 00531 Helsinki
Switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi
The data subject has the right to object to the disclosure and processing of their data for direct marketing and other marketing purposes, request the anonymization of their data where applicable, and the right to be forgotten.