Privacy Notice: Prospects and Potential Customers

Last Updated
08.04.2024

Data Controller
Metsäavain Oy (2908433-2)
Tervasuontie 211 A
82110 Heinävaara

Contact Person for Privacy Matters
Akseli Juurinen
akseli.juurinen@metsaavain.fi
+358 40 1606157


Legal Basis for Processing

Legitimate Interest


Purpose of Data Processing

The purpose of the registry is to support the data controller’s business activities, open new customer relationships, and manage related communications. The collected information will be used for creating and maintaining customer relationships, as well as other business-related needs of the data controller.


Basis for Legitimate Interest

The data controller’s legitimate interest in processing the collected and used personal data is based on direct marketing needs and the freedom to conduct business. Direct marketing is considered a legitimate interest under the EU General Data Protection Regulation (GDPR). The data controller needs to process personal data to carry out business-related tasks. The processing of personal data cannot necessarily be justified by a legal obligation or a contract with the individual in this case. The data controller has assessed that the legitimate interest is the most suitable basis for processing in terms of the nature and scope of the processing and the protection of the rights and freedoms of the individuals concerned. The data controller has concluded that the legitimate interest will not cause significant harm to the rights and freedoms of the individuals (data subjects).


Categories of Personal Data

  • Representatives of B2B organizations

  • B2C consumer customers


Recipients and Recipient Groups

  • Data controller’s staff

  • Outsourcing partners where applicable (e.g., finance, marketing, IT maintenance)


Data Content of the Register

The personal register includes the following data:

  • First and last name

  • Organization represented

  • Email address

  • Postal address

  • Phone number

  • Website address

  • IP address

  • Information about previous orders

  • Discussion data from customer negotiations


Regular Sources of Data

Data is obtained from email communications received from customers, business cards, phone calls, or physical meetings. Information may also be collected from other stakeholders, such as through mass media, marketing, or contact forms on websites. The data will not be shared with entities outside the data controller’s organization or its partners, except in cases related to credit applications, debt collection, or invoicing, or as required by law. The data subject’s personal data will be deleted upon request, unless there are legal obligations, an ongoing customer relationship, outstanding invoices, or debt collection actions preventing data deletion.


Retention Period for Personal Data

Personal data will be retained only for as long as necessary to fulfill the purposes outlined above and in accordance with applicable legislation.


Regular Transfers of Data

The data in the register is solely for use by the data controller and its staff, except where external service providers are used for value-added services or credit decisions. Data will not be transferred outside the data controller’s organization or to its partners, except for credit applications, debt collection, or invoicing purposes, or as required by law. Personal data will be deleted upon the user’s request unless prevented by legislation, the need to manage the customer relationship, open invoices, or debt collection actions.


Transfers Outside the EU/EEA

Data is not regularly transferred outside the EU/EEA. However, it is possible that non-EU/EEA service providers are involved in processing or that service providers’ cloud services are located outside the EU/EEA. In such cases, Standard Contractual Clauses (SCCs) will be used as the legal basis for transfers, and additional safeguards, such as internal policies on pseudonymization and related measures, may be implemented. If the organization processing the personal data is committed to the EU-US Privacy Shield (DPF), that framework will be used as the basis for data transfers during its validity.


Security Measures for the Register

A: Manual Data
Manually processed documents containing customer information (e.g., printed emails, attachments, printed forms, etc.) are stored in locked, fireproof storage areas after initial processing. Only designated employees who have signed a confidentiality agreement are allowed to process manually stored customer data.

B: Electronic Data
Only designated employees of the organization and its contractors are allowed to use systems that can maintain potential customer data. Each user has a personal username and password, and each has signed a confidentiality agreement. The system is protected against unauthorized external access by a firewall and by appropriate security software on workstations. Data protection and processing follow data protection laws, official regulations, and best practices.


Cookies

We use cookies on our website. A cookie is a small text file sent to and stored on the user’s computer. Cookies do not damage the user’s computer or files. The primary purpose of cookies is to improve and personalize the visitor’s experience on the site, as well as to analyze and improve site functionality and content. Information collected through cookies can also be used for targeting communications and marketing efforts. A visitor cannot be identified by cookies alone. However, the information collected by cookies may be linked to data previously provided by the user, such as when the user fills out a form on the website. The following data is collected through cookies:

  • Visitor’s IP address

  • Time of visit

  • Pages visited and the duration of visits

  • Visitor’s browser

Your Rights
Website visitors can block the use of cookies at any time by changing the settings in the cookie banner. Some browser programs also allow users to disable cookies or delete already saved cookies. Disabling cookies may affect the website’s functionality.


Automated Processing and Profiling

There is no automated processing or profiling applied to the personal data handled.


Right of Access to Personal Data

The data subject has the right to check what personal data is stored about them in the register. The access request must be made in writing or sent from a verifiably identifiable email address. The data subject has the right to object to the processing and sharing of their data for direct marketing, remote selling, or market and opinion research by contacting the data controller’s customer service.


Right to Data Portability

If processing is based on legitimate interest, the data subject does not have the right to transfer their data from one system to another.


Right to Rectify Information

If personal data in the register is incorrect, unnecessary, incomplete, or outdated for the purpose of processing, it must be corrected, deleted, or completed. The correction request must be made in writing, signed by hand, and sent to the data controller’s customer service, or sent from a verifiably identifiable email address. The request should specify which data needs to be corrected and on what grounds. The correction will be made without delay. The data subject will be notified of the correction, and the source of the incorrect data will be informed. If the correction request is denied, the data controller will provide written justification. The data subject may appeal the denial to the Data Protection Authority.


Right to Restrict Processing

The data subject has the right to request the restriction of processing if personal data in the register is incorrect. Contact the person responsible for the register.


Right to Object

The data subject has the right to request access to their personal data, as well as the right to request correction or deletion of their personal data. Requests can be directed to the contact person for the register. If you act as the contact person for a company or organization, your data may not be deleted during this period.


Right to Lodge a Complaint with a Supervisory Authority

If you believe that your personal data has been processed in violation of the GDPR, you have the right to file a complaint with a supervisory authority. You can also file the complaint in the member state where you have your permanent residence or place of work. The contact details of the national supervisory authority are:
Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Postal address: PO Box 800, 00531 Helsinki
Phone switchboard: +358 29 566 6700
Registry: +358 29 566 6768
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi


Other Rights Related to Personal Data Processing

The data subject has the right to object to the transfer and processing of their data for direct marketing and other marketing purposes, request anonymization of the data where applicable, and the right to be forgotten.