Privacy Statement of Kevra Oy's Customer Register
1 Data Controller
The data controller of the register is Kevra Oy (Business ID 0220078-6).
Contact person for register matters: Pilvi Litsilä, Kevra Oy
Address: Ylästöntie 121 A, 01740 Vantaa
Phone: +358 9 6126 820
Email: kevra@kevra.fi
2 Name of the Register
The name of the register is Kevra Oy’s Customer Register, which includes the customer registers of kevytrakentajanverkkokauppa.fi and epoxiofiber.se.
3 Purpose of Processing Personal Data
Personal data is processed for purposes related to managing, administering, and developing customer relationships, providing and delivering services, developing services, and handling invoicing. Personal data is also used to process complaints and other claims. Additionally, personal data is processed for customer communication, such as information bulletins, news updates, and marketing.
This includes direct marketing and electronic direct marketing purposes. Customers have the right to opt out of direct marketing. The data controller processes the data and may also use subcontractors acting on behalf of and under the authority of the data controller for processing personal data.
4 Legal Basis for Processing
The legal bases for processing personal data under the EU General Data Protection Regulation (GDPR) are:
1. The data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Article 6(1)(a));
2. Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b));
3. Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party (GDPR Article 6(1)(f)). The legitimate interest is based on a relevant and appropriate relationship between the data subject and the controller due to the customer relationship, and when processing occurs for purposes the data subject could reasonably expect at the time of data collection.
5 Data Content of the Register (Categories of Personal Data)
The register may include the following personal data of all data subjects:
1. Basic and contact information: first and last name, postal address, email address, phone number;
2. Information related to the person's company or organization, including position or title;
3. Permissions and prohibitions for direct marketing.
6 Regular Sources of Data
Personal data is collected primarily from the data subject themselves. Data is also collected and updated from publicly available sources within the limits of applicable legislation, in connection with fulfilling the customer relationship between the data controller and the data subject.
7 Data Retention Period
Data collected in the register is retained only as long as necessary for the original or compatible purposes for which the personal data was collected.
The need to retain data is assessed every six years. Personal data will be deleted six years after the end of the customer relationship and completion of related obligations, unless legislation requires longer retention. For example, accounting documents must be retained for six years from the end of the financial year.
The controller regularly reviews the necessity of data in accordance with internal policies. The controller also takes reasonable steps to ensure that inaccurate, incorrect, or outdated personal data is rectified or deleted without delay.
8 Recipients of Personal Data (Categories of Recipients) and Regular Disclosures
Personal data is not disclosed to third parties.
9 Data Transfers Outside the EU or EEA
Personal data in the register is not transferred outside the EU or EEA.
10 Principles of Register Security
Personal data is stored in locked premises accessible only to designated individuals with appropriate authorization. The personal data database is stored on a secure server located in a locked room with restricted access. The server is protected by a firewall and other technical safeguards. Access to databases and systems is controlled with individual usernames and passwords. Access rights are limited so that only personnel with a legal need to process the data can do so. All access is logged.
All employees and other persons processing personal data are bound by confidentiality obligations.
11 Rights of the Data Subject
Under the EU General Data Protection Regulation, the data subject has the following rights:
1. The right to obtain confirmation whether personal data concerning them is being processed and, where that is the case, access to the personal data and information such as: (i) purposes of processing; (ii) categories of personal data; (iii) recipients or categories of recipients; (iv) retention period or criteria for determining it; (v) the right to request rectification or erasure, or restriction or objection to processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) the source of the data if not collected from the data subject (GDPR Article 15);
2. The right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7);
3. The right to have inaccurate or incomplete personal data rectified without undue delay (GDPR Article 16);
4. The right to have personal data erased without undue delay where: (i) it is no longer necessary for the purposes collected; (ii) consent is withdrawn and no other legal basis exists; (iii) the data subject objects to processing and no legitimate grounds exist; (iv) data has been unlawfully processed; or (v) data must be deleted to comply with legal obligations (GDPR Article 17);
5. The right to restrict processing where: (i) the accuracy of the personal data is contested; (ii) processing is unlawful, and erasure is opposed; (iii) the controller no longer needs the data, but the data subject requires it for legal claims; (iv) the data subject has objected to processing pending verification of legitimate grounds (GDPR Article 18);
6. The right to receive personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller if processing is based on consent and carried out by automated means (GDPR Article 20);
7. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning them infringes the GDPR (GDPR Article 77).
All requests related to the data subject’s rights should be addressed to the contact person mentioned in Section 1.