The General Data Protection Regulation
Varuste.net / Aalto Group Oy, business identity code 1702286-3
Malminkartanontie 1, 00390 Helsinki
data protection officer: Ville J.tel. +358 9 454 0707
Data are registered in the Shuriken ERP system
of Creaction Finland Oy. Creaction Finland Oy is responsible for the system implementation and controlling, data protection, and data backups. All data are stored and processed in the same register (i.e. in one database).
Name of the register
Varuste.net customer, order, invoice and marketing data register.
Personal data processing policy
We comply with the following principles relating to processing of personal data:
Personal data shall be
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Customers shall have right to obtain information about their personal data stored in the system, right to have them corrected, and right and possibility to have them erased. Data will not be processed outside the EEA, except for anonymous web analysis (Google Analytics, Facebook, etc.). Data are stored until the customer asks us to erase them. We store data for web analysis, for example (statistical reasons), and to facilitate new orders (client's interest).
Purpose of storing data
Customer data are stored for the following purposes: to communicate with customers, to maintain and improve commercial and customer relations, and to create statistical reports. Varuste.net uses this and other data obtained during the customership in order to plan and target their products and services.
Personal data are used within the framework of the Personal Data Protection Act. Information will not be disclosed to any outside parties.
The e-mail addresses of those who subscribe to the newsletter are used to deliver the newsletter to them. The information which customers give in the contact form is used to reply to their contact requests.
Data collected in the register
The customer register consists of several separate registers collected and created based on their main purposes. The data in all of these registers constitute customer-specific data sets in the following manner:
- Customer's contact information and information needed for orders: first and last name, street address, postal code, city, country, language, telephone number, e-mail address, and national identity number. In case of business and association customers, we also store their names and business identity codes.
- Customer group information, discount group, and other additional customer-specific information.
- Invoicing address and other invoice information.
- Possible approval to direct marketing.
- Information on customer's orders, deliveries, and returns.
- Codes needed for logging in.
- IP address or other identifier.
- Textual data related to customership, such as purpose of contact request or wish of delivery date.
Personal data will be erased if the customer asks us to do it.
Data disclosure and transmission
Data will not be shared with outside parties, except for public authorities if required. For data processing reasons, some of the information may be shared with our subcontractors.
Regular data sources
Contact and customer data are collected at the beginning and during the customership from the announcements given by the customer. Customership begins at the moment when the customer registers in the system, creates an order, orders direct marketing, or makes a purchase. Customership can be started also on customer's request, e.g. after a telephone conversation.
Approval to electronic direct marketing (e-mail and SMS marketing) will be asked separately according to the Personal Data Act. Information on customer's creditworthiness at the moment of order is obtained from the system of Checkout Finland Oy (business identity code 2196606-6), that of DFC Nordic Oy (1998514-5) and/or that of Suomen Asiakastieto Oy (0111027-9).
Anonymous web analysis
In order to collect anonymous data relating to web visits, we can use the following tools and services:
Google Analytics: https://analytics.google.com/analytics/web/
Google Remarketing: https://support.google.com/adwords/answer/2453998?hl=en
Facebook Pixel: https://www.facebook.com/business/a/facebook-pixel
Microsoft Bing Adds: https://advertise.bingads.microsoft.com/en-us/resources/policies
Legal basis for processing personal data
One must have a legal basis for processing personal data. We process personal data on the basis of approval (e.g. subscribing to newsletter), contract (e.g. making an order), controller's legal obligation (e.g. acquisition and possession of products subject to authorisation), protection of vital interests (e.g. participation in lesson or course requiring information on personal health), legitimate interest of controller or third party (e.g. web analysis).
Securing personal data
Our personnel need to have special access rights and personal login codes in order to have access to the personal data register. There is different access rights so that a person only has access to data which are necessary according to their job description. The customer register and the hardware processing it are located in closed computer halls. The hardware and the software are updated regularly and appropriately, and we react to possible threats immediately. In case of incidents, data are backed up regularly. The system is secured against outside threats with a firewall.
The personnel are obliged to keep the information of the personal data which they obtain in their work confidential. Information can be disclosed in case of legal notification obligation only, e.g. on customer's or public authority's request.
- Information on tax-free purchases in the physical shop, refunds, and proofs of payment signed by customer. The purchase information signed by customer mentioned above are stored in the register for accounting and later document requirement purposes. Responsible:
- Printout of invoicing information for accounting. Responsible:
- Register of customer return forms. Forms are stored in order to correct possible clerical errors and clarify other ambiguous situations. All the printouts older than a year are destroyed. Responsible:
- Account information of customers' refunds. Register enables refunds. Responsible:
- Archive of diving course participants. Data are stored for responsibility and security reasons for 7 years at least, after which the data can be erased on client's request. Responsible:
- Register of prepayed and signed pick up orders. Register is maintained to speed up the pickups. Responsible:
- Register of order confirmations in pick-up stock. Register is maintained to speed up processing of pick-up orders. Responsible: