Online Visitor Registry

Privacy Policy

Last updated: 08.04.2024

Data Controller

Metsäavain Oy (2908433-2)
Tervasuontie 211 A
82110 Heinävaara

Contact person for data protection matters

Akseli Juurinen
akseli.juurinen@metsaavain.fi
+358 40 1606157

Legal basis for processing

Legitimate interest

Purpose of data processing

The purpose of the registry is to ensure the security of the company’s website. The collected data (IP address) is used only in case of errors or for investigating data breaches. The legal basis for processing is legitimate interest, and consent is required for the use of cookies and similar tracking technologies.

Legitimate interest

The data controller must process personal data to perform business-related tasks. In this case, the processing cannot necessarily be justified by a legal obligation or a contract with the individual. The data controller has assessed that legitimate interest is the most appropriate basis for processing, given the nature, scope, and implementation of the rights and freedoms of the data subjects. The data controller has determined that the legitimate interest does not cause significant harm to the rights and freedoms of the individuals (data subjects).

Personal data categories

IP address, visit time, and pages visited.

Recipients and recipient groups

Authorized personnel of the company providing the website maintenance server.

Consent

Consent is provided through the banner on the website and can be revoked via the “cookie settings” section.

Contents of the registry

The personal data registry includes the following information:

  • IP address

  • Website visit time

  • Pages visited and viewing duration

Regular sources of information

Information is obtained from the visitor’s web activity on the organization’s website.

Retention period of personal data

The data is never specifically deleted.

Regular disclosures of data

The data is only used by the company, except when using an external service provider, in which case the service provider’s authorized personnel have access to it. The data will not be disclosed to third parties or the company’s partners except in cases of data breaches and similar incidents.

Transfer of data outside the EU/EEA

The registry data is not regularly transferred outside the EU/EEA. However, it is possible that non-EU/EEA service providers are involved in the processing, or the cloud services of providers are located outside the EU/EEA. In such cases, standard contractual clauses (SCC) are used as the basis for data transfers, and additional protective measures such as internal guidelines (e.g., pseudonymization of personal data) or possibly a Transfer Impact Assessment (TIA) are implemented, if necessary. If the organization processing personal data is committed to the EU-U.S. Privacy Shield framework, this will serve as the transfer basis during its validity.

Protection principles for the registry: B: Electronic data

Only designated employees of the organization and companies operating on its behalf have access to the website’s maintenance server. Each designated user has their own personal username and password. All users have signed a confidentiality agreement. The system is protected by a firewall that safeguards against external access. Personal data protection and processing follow the provisions and principles of the Data Protection Act, orders from authorities, and best practices in data processing.

Cookies

We use cookies on our website. A cookie is a small text file sent to and stored on the user’s computer. Cookies do not harm the user’s computer or files. The primary purpose of using cookies is to improve and personalize the visitor’s experience on the website and to analyze and improve the website’s performance and content. The information gathered through cookies may also be used for targeted communication and marketing and for optimizing marketing efforts. Visitors cannot be identified solely through cookies. However, the information gathered via cookies can be linked to other data collected from the user, for example, when the user fills out a form on the website.

The following data is collected via cookies:

  • Visitor’s IP address

  • Visit time

  • Pages viewed and viewing duration

  • Visitor’s browser

Your Rights

Visitors on our website have the option to block cookies at any time by changing the cookie settings via the cookie banner. Some browsers also allow users to disable cookies and remove previously stored cookies. Disabling cookies may affect the functionality of the website.

Right of Access (Right to access personal data)

The data subject has the right to check what data is held about them in the registry. Requests for access must be made in writing to the company’s customer service or via a verifiably identifiable email address. The data subject has the right to object to the processing and disclosure of their personal data for direct marketing, distance selling, and market or opinion research by contacting the company’s customer service. The data controller may charge a fee for the request if it incurs any costs for retrieving the information.

Right to data portability

When processing is based on legitimate interest, the data subject does not have the right to transfer their data to another system. However, if consent is used as the legal basis, the data subject has the right to transfer their data to another system. Requests for data transfer can be directed to the contact person for the registry.

Right to request correction of data

Personal data in the registry that is incorrect, unnecessary, incomplete, or outdated must be corrected, removed, or completed. Requests for correction should be made in writing and signed by hand or from a verifiably identifiable email address. The request must specify which data is being corrected and on what grounds. Corrections will be made without undue delay. The data subject will be informed of any correction. If a correction request is denied, the responsible person will provide written reasons for the refusal. The individual may refer the matter to the Data Protection Ombudsman if the request is denied.

Right to restrict processing

The data subject has the right to request the restriction of processing, for example, if the personal data held in the registry is incorrect. Please contact the responsible person for the registry.

Right to object to processing

The data subject has the right to object to the processing of their personal data, and to request corrections or deletions of the data. Requests can be directed to the contact person for the registry. If you act as a company or organization contact person, your data cannot be deleted during this period.

Right to lodge a complaint with the supervisory authority

If you believe that your personal data has been processed in violation of the data protection regulations, you have the right to file a complaint with the supervisory authority. You can file the complaint in the member state where you reside or work. The contact details of the national supervisory authority are:
Office of the Data Protection Ombudsman
PO Box 800, Ratapihantie 9, 00521 Helsinki
Tel. +358 29 56 66700
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi

Other rights related to personal data processing

The data subject has the right to object to the transfer and processing of their data for direct marketing and other marketing purposes, to request anonymization of the data, and the right to be forgotten in applicable cases.