This Privacy Notice applies to the customers and potential customers including those visiting the web pages and included in the marketing activities (later “you” or “data subjects”) of Kekkilä Group (later “we”) that consist of the companies Kekkilä Oy, Hasselfors Garden Ab (Sweden) and Kekkilä Eesti Oü (Estonia). The Privacy Notice covers the business related to the products and services that we offer to you.
The purpose of this Privacy Notice is to inform you of what personal data we collect or obtain regarding you, and how this data is used including disclosure, retention and protection of the data. It also explains your rights to control the processing.
We are committed to respect your privacy and process your personal data according to the European Union’s General Data Protection Regulation (2016/679) (later “GDPR”) and other applicable privacy laws and regulations.
Personal data is information that directly or indirectly reveals your identity, such as a name, identification number, address and Internet Protocol (IP) address (later “personal data”). The definitions of the data privacy terms set out in Article 4 of the GDPR shall apply for this Privacy Notice.
Kekkilä Group is the controller of the personal data described in this notice. Kekkilä Group consist of the following three companies: Kekkilä Oy, Hasselfors Garden Ab (Sweden) and Kekkilä Eesti Oü (Estonia).
Kekkilä Group is a part of Vapo Group and has a shared data privacy governance with the Vapo Group. Vapo Group operates in Finland, Sweden and Estonia. It focuses on growing and recycling, the production of solid fuels, heating, electricity and steam as well as the provision of various energy solutions.
If you have any questions related to this Privacy Notice or data privacy in general concerning the companies in the Kekkilä Group, you can contact us at:
Data Privacy Officer (DPO) of the Vapo Group: Teijo Liimatainen, phone: +358 (0) 20 7905782
We process your personal data only for legitimate business purposes and to fulfil our legal obligations. The processing purposes include:
In addition, personal data is processed to fulfil legal obligations set out in laws and regulations such as fraud prevention.
When you order/purchase a product or service a contractual relationship is formed between us. This contractual relationship is the legal basis for processing your personal data for sales and related services.
We need your consent for certain types of processing such as processing of sensitive personal data, electronic direct marketing and automated decision making having a significant impact on you.
You can withdraw any consent you have given and end the further processing of the personal data processed with your consent any time by contacting us (see Contact information, Controller and Rights of the data subject).
The legal basis for customer relationships management, marketing, internal development, ensuring the security/safety of our data and property and protecting our legal rights is mainly our legitimate (business) interests. We want to offer better and safer services to you by developing our operations.
The other legal bases listed here apply in specific cases e.g. we ask for your consent for direct marketing and we perform security operations on your personal data due to legal obligations.
Personal data is processed to fulfil legal obligations such as fraud prevention and implementing an appropriate level of data security to ensure modern and efficient protection of your personal data.
We collect personal data from various sources:
We collect the following categories of personal data:
|Categories of personal data||Examples of personal data|
|Contact and identity information||name, address, phone numbers, email address, personal identity code, date of birth, language, title, position, name of a private trade, business id, country/nationality|
|Customer identification and relations data||Customer id, orders/purchases, invoice/payment details|
|Communications data including recordings||Feedback, reclamation, inquires, customer service recordings (chat messages and customer service phone calls)|
|Financial data||Payments, credit ratings|
|Consent and objection to processing of personal data||Marketing permissions|
|Additional information collected for specific events||Additional voluntary information provided to a specific event such as dietary information or need for services for people with disabilities|
|Additional information provided||Customer wishes and preferences|
We do not intend to process your sensitive personal data (such as health data), but you may submit such data voluntarily when you communicate with us, and thus the data is processed with your consent.
When you order/purchase our products and services or otherwise enter into a contract with us, we need your personal data to fulfil the contract and our legal obligations. We will inform you when we collect the data which personal data are mandatory to be provided by you.
6. RETENTION PERIODS
We retain your personal data as long as necessary for the purposes presented in this Privacy Notice, unless a longer retention time is required in the legislation.
When the personal data are no longer needed for the purpose they were collected for, the data first gets passivated and its processing is limited (e.g. for legal purposes only). Later, the data are removed or rendered anonymous within a reasonable time. The length of the retention period depends on the purposes of the processing.
Sales and contract related data are stored at least 10 years after the sale due to legal obligations. Other customer data is stored at least 3 years after the last registered customer activity (product/service order, delivery) to ensure that reclamations and warranties can be processed properly.
Newsletter subscription data is removed from the newsletter service when the newsletter is cancelled.
Personal data of potential customers are removed within a year after they have been collected for a specific marketing activity.
Processing of personal data for other marketing purposes ends at latest 3 years after the last activity (the customer record is passivated).
We transfer personal data within the companies of the Kekkilä Group and Vapo Group if necessary for the purposes presented in this Privacy Notice.
We also transfer personal data to our partners and service providers in the following categories:
We may also disclose personal data due to a legal obligation related to e.g. security, safety and protection of legal rights.
If we are involved in a merger, sale, joint venture, acquisition or similar arrangement, we may transfer personal data to the parties involved. We will inform of any significant changes in the level of privacy.
If your personal data are transferred outside the European Union (EU) / European Economic Union (EEA), we ensure that the transfer is performed using the necessary safeguards (such as contract model clauses), which ensure that your data continues to be protected according to the GDPR.
Data subjects i.e. those whose personal data we process, have the rights stated in the GDPR to make the requests presented here. We may request additional information if necessary to confirm the identity of the requestor. We will answer the request at latest one month after the requestor has been identified and we have received enough information to fulfil the request.
You have the right to request us to inform you what personal data we process concerning you (or that no data is processed), and request us to correct your personal data that are incorrect or incomplete (or outdated).
You have the right to request us to erase (or render anonymous) or restrict the processing of personal data concerning you that we process. We will comply with your request unless we have a legitimate ground not to delete the data, in which case you will be informed.
You have the right to object to the use of all or some of your personal data for selected purposes. We will comply with your request unless we have a legitimate ground to continue the processing (e.g. legal obligation), in which case you will be informed.
You have the right to receive the personal data concerning you that you have provided in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller if the processing is based on consent or on a contract, and the processing is carried out by automated means.
If you have given your consent to certain processing, you have the right to withdraw your consent at any time regarding further processing of your personal data.
You can use these rights by contacting us using the contact information found in the beginning of this Privacy Notice. The requests must be submitted in writing and include enough information to confirm your identity. We may request additional information if necessary.
We will inform the recipients of your personal data if you have requested the data to be rectified, erased or restricted, unless this proves impossible or involves disproportionate effort.
We have the right to refuse to act on requests that are manifestly unfounded (obviously unjustified) or excessive, in particular because of their repetitive character, or charge a reasonable fee based on the costs to fulfil the request.
You have the right to complain to the competent supervisory authority if you believe your personal data has been processed incorrectly. Contact information:
Data Protection Ombudsman
Address: Ratapihantie 9, 6th floor, 00520 Helsinki
Phone: +358 29 56 66700
We process personal data in accordance with applicable data protection laws and regulations, and ensure the compliance of the service providers (processors) with contractual measures (data processing agreements).
We have implemented modern technical and organizational security measures to protect personal data from unauthorised access or transfer and accidental or illegal destruction, loss or alteration. The information security and data protection of our systems and environments that contain personal data are managed appropriately as a whole. We ensure the security of the stored data, access rights and processing of the confidential and sensitive personal data.
Access to personal data is limited to those that need it for performing their job. Access is based on roles and the tasks and functions connected to that role. All persons processing personal data are required to treat the data as confidential. The users of the IT environment are identified and access to the systems is secured and limited by user rights. Access to the physical location is also based on individual access rights and access keys.
We modify and update this Privacy Notice whenever necessary due to e.g. changes in the sales or marketing processes, service providers or laws and regulations Change history is found in connection to the Privacy Notice. Significant changes can also be provided with a separate notice (e.g. email).
24.5.2018 – Version 1.0