Electronic Communication Registry
Privacy Statement

Last updated:
08.04.2024

Controller
Metsäavain Oy (2908433-2)
Tervasuontie 211 A
82110 Heinävaara

Contact Person for Registry-related Matters
Akseli Juurinen
akseli.juurinen@metsaavain.fi
040 1606157

Legal Basis for Processing
Legitimate interest

Purpose of Data Processing
The purpose of the registry is to enable email communication for the controller organization. The data collected (email address and any possible contact information or other personal data found in the emails or attachments) will be used for establishing and maintaining customer relationships, as well as other communication needs of the controller.

Legitimate Interest Basis
Direct marketing is the controller’s legitimate interest under the EU General Data Protection Regulation. The controller must process personal data to carry out business-related tasks. The processing of personal data in this case may not be justified by legal obligations or contractual arrangements with the individual. The controller has conducted a balancing test and determined that the legitimate interest is the most appropriate legal basis for processing, given the nature, scope, and the impact on the rights and freedoms of the data subjects. The controller has assessed that processing based on legitimate interest will not result in substantial harm to the rights and freedoms of the data subjects.

Types of Personal Data Collected

  • Electronic contact information

Recipients and Groups of Recipients

  • The controller’s staff and external partners (e.g., financial administration, IT, etc.) as applicable

  • Communication parties

Contents of the Registry
The personal data registry contains the following information:

  • First and last name

  • Represented organization

  • Email address

  • Postal address

  • Phone number

  • Information about previous orders

  • Communication data between senders

  • Other personal data that may be contained in attachments

Regular Sources of Data
Data is collected from emails received from customers. Data may also come from other stakeholders, for example, through mass communication, messaging groups, or other communication scenarios. The data is not disclosed outside of the controller organization or to its partners except in matters related to credit applications, debt collection, or invoicing, or when required by law. Personal data is deleted upon the user’s request, unless legal obligations, customer relationship management, outstanding invoices, or debt collection efforts prevent deletion.

Data Retention Period
Data is retained for 10 years.

Regular Data Disclosures
The email list data is only used by the controller, except when an external service provider is used to deliver added-value services or to support credit decision-making. Data is not disclosed outside of the controller’s organization or to its partners except in matters related to credit applications, debt collection, or invoicing, or when required by law. Personal data is deleted upon the user’s request unless prohibited by legal obligations, customer relationship management, outstanding invoices, or debt collection efforts.

Transfer of Data Outside the EU or EEA
The registry’s data is not regularly transferred outside the EU or EEA. However, processing may involve service providers outside the EU/EEA or cloud services located outside the EU/EEA, in which case the transfer is based on standard contractual clauses (SCC) and additional safeguards such as internal guidelines (e.g., pseudonymization of personal data). If the organization processing the data is committed to the EU-US Privacy Shield (DPF), this will be used as the legal basis during its validity.

Data Protection Principles A: Manual Data
Manually processed documents containing customer data (e.g., printed emails or their attachments) are stored in locked, fireproof storage areas after initial processing. Only designated employees who have signed confidentiality agreements have access to manually stored customer data.

Data Protection Principles B: Electronic Data
Only authorized employees of the organization and its operational partners have access to email and maintain its data. Each authorized user has a personal username and password. All users have signed confidentiality agreements. The system is protected by a firewall to protect against external access. Access to multi-functional devices, such as scanners, and their stored data is restricted as appropriate.

Cookies
We use cookies on our website. A cookie is a small text file sent to the user’s computer and stored there. Cookies do not harm users’ computers or files. The main purpose of cookies is to improve and customize the user experience on the website, as well as to analyze and improve the website’s functionality and content. Data collected through cookies can also be used for targeting communications and marketing activities, and optimizing marketing measures. Visitors cannot be identified solely through cookies. However, the information collected via cookies can be linked with data the user has provided elsewhere, such as filling out a form on the website. The following information is collected via cookies:

  • Visitor’s IP address

  • Time of visit

  • Pages visited and viewing times

  • Visitor’s browser

Your Rights
Users visiting our website can disable cookies at any time by adjusting their settings in the cookie banner. Some web browsers also allow you to disable the cookie feature and delete any cookies already stored. Disabling cookies may affect the functionality of the website.

Automated Processing and Profiling
No automated processing or profiling of personal data takes place.

Right of Access to Personal Data
The data subject has the right to check what information about them is stored in the registry. A request for access must be made in writing or via a verifiable email address. The data subject has the right to object to the processing or disclosure of their data for direct marketing, distance selling, and market or opinion research by contacting the controller’s customer service.

Right to Transfer Data to Another System
The data subject has the right to request the transfer of their data to another system. Transfer requests can be addressed to the registry contact person.

Right to Request Correction of Data
Incorrect, unnecessary, incomplete, or outdated personal data in the registry must be corrected, deleted, or supplemented. The correction request should be made in writing with the signature of the requester or from a verifiable email address. The request must specify what data is to be corrected and on what grounds. The correction will be made without delay. The person who provided or received the incorrect data will be notified of the correction. If the correction request is denied, the responsible person in the registry will provide a written explanation detailing the reasons for the denial. The concerned individual can appeal the denial to the Data Protection Authority.

Right to Restrict Processing
The data subject has the right to request the restriction of data processing, for example, if the personal data in the registry is incorrect. Contact the registry’s responsible person.

Right to Object
The data subject has the right to object to the processing of their personal data and to request the correction or deletion of their data. Requests can be addressed to the registry contact person. If you are acting as a contact person for a company or organization, your data may not be deleted during this period.

Right to Lodge a Complaint with the Supervisory Authority
If you believe that the processing of your personal data violates the Data Protection Regulation, you have the right to file a complaint with the supervisory authority. You can also file a complaint in the country where you have your permanent residence or workplace. The contact details for the national supervisory authority are:
Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: P.O. Box 800, 00531 Helsinki
Phone switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi

Other Rights Related to Personal Data Processing
The data subject has the right to object to the disclosure and processing of their data for direct marketing and other marketing purposes, request anonymization of their data where applicable, and the right to be completely forgotten.