Privacy policy

The General Data Protection Regulation compliant privacy policy on protection of individuals with regard to the processing of personal data and to the free movement of such data


Controller

Varuste.net / Aalto Group Oy, identity code 1702286-3
Malminkartanontie 1, 00390 Helsinki
data protection officer: Antti S.tel. +358 9 454 0707

The data are filed in the Shuriken ERP system of Creaction Finland Oy. Creaction Finland Oy is responsible for the system implementation and controlling, data protection, and data backups. All data are stored and processed in the same filing system (i.e. in one database).


Name of the filing system

Varuste.net customer, order, invoice and marketing data filing system.


Personal data processing policy

We comply with the following principles relating to processing of personal data:

Personal data shall be

a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Client shall have right to obtain information about their personal data stored in the system, right to correct it, and right and possibility to delete it. Data will not be processed outside the EEA, except for anonymous web analysis (Google Analytics, Facebook, etc.). Data is stored until the client asks us to delete it. We store data for web analysis, for example, (statistical reasons), and to facilitate new orders (client's interest).


Purpose of storing data

Customer data are stored for the following purposes: communicating with clients, maintaining and improving the commercial and customer relations, and creating statistical reports. Varuste.net uses this and other data obtained during the customership in order to plan and target their products and services.

Personal data are used within the framework of the Personal Data Protection Act. Information will not be disclosed to any outside parties.

The e-mail address of those who have subscribed to the newsletter will be used to deliver the newsletter to them. The information given in the contact form will be used to reply to the contact request.


Stored data

The customer register consists of several separate files created based on their main purpose. The data in all of these files constitute client-specific data sets in the following manner:

- Client's contact information and information needed for orders: first and last name, street address, postal code, city, country, language, telephone number, e-mail address, and national identity number. In the case of company, society and organisation customers, also the name of the company and the business identity code.
- Client group information, discount group, and other additional client-specific information.
- Invoicing address and other invoice information.
- Possible approval of direct marketing.
- Information on client's orders, deliveries, and returns.
- Codes needed for logging in.
- IP address or other identifier.
- Textual data related to customership, such as purpose of contact request or wish of delivery date.

Personal data will be deleted if the customer asks us to do it.


Data disclosure and transmission

Data will not be shared with outside parties, except for public authorities if needed. For data processing reasons, some of the information may be shared with our subcontractors.


Regular data sources

Contact and customer data are gathered at the beginning and during the customership from the announcements given by the client. Customership begins when the client registers in the system, creates an order, orders direct marketing, or makes a purchase. Customership can be started also on client's request, e.g. after a telephone conversation.

Approval to electronic direct marketing (e-mail and sms marketing) will be asked separately according to the Personal Data Act. Information on client's creditworthiness at the moment of order is obtained from the system of Checkout Finland Oy (business identity code 2196606-6), that of DFC Nordic Oy (1998514-5) and/or that of Suomen Asiakastieto Oy (0111027-9).


Anonymous web analysis

In order too gather anonymous data on web visit, we can use the following tools and services:
Google Analytics: https://analytics.google.com/analytics/web/
Google Remarketing: https://support.google.com/adwords/answer/2453998?hl=en
Facebook Pixel: https://www.facebook.com/business/a/facebook-pixel
Microsoft Bing Adds: https://advertise.bingads.microsoft.com/en-us/resources/policies


Legal basis for processing personal data

You must have a legal basis for processing personal data. We process personal data on the basis of approval (e.g. subscribing to newsletter), contract (e.g. making an order), controller's legal obligation (e.g. acquisition and possession of products subject to authorisation), protection of vital interests (e.g. participation in lesson or course that requires information on personal health), legitimate interest of controller or third party (e.g. web analysis).


Cookies

We use cookies, they help us to develop our website for you. The purpose of cookies is to improve and speed up the shopping experience. Cookies can also be used for providing better offers and more personal product recommendations for clients. A cookie is a small text file that network servers save to users' hard drives. You may have to approve cookies in order to have access to some of the website functions. User's web browser probably approves cookies by default, but user can also block cookies in the browser settings or by removing them from the browser after use. Additional information on browser-specific user's manuals can be found in the instructions of browser manufacturer.


Securing personal data

Access to personal data filing system requires special access rights. Access is limited to data that a person needs according to their job description, and it requires personal login codes. The customer register and the hardware processing it are located in closed computer halls. Hardware and software are updated regularly and appropriately, and we react to possible threats immediately. In case of incidents, data are backed up regularly. The system is secured with firewall against outside threats.

Personnel is obliged to keep the information of the personal data which they obtain in their work confidential. Information can be disclosed in case of legal notification obligation only, e.g. on client's or public authority's request.


Storing of customer data

We store customer data for 20 years. The storing time is based on authorities’ recommendations, customers’ interest, the average duration of customer relationships, and sellers’ responsibilities to ensure compliance with legislation (including Product Liability Directive). The need to store data has been discussed with trade representatives. We delete personal data on request without undue delay or, at the latest, when they are no longer necessary for the purpose of their use.


Other registers

- Information on tax-free purchases in the physical shop, refunds, and proofs of payment signed by customer. The purchase information signed by customer mentioned above are stored in the register for accounting and later document requirement purposes.
- Printout of invoicing information for accounting.
- Register of customer return forms. Forms are stored in order to correct possible clerical errors and clarify other ambiguous situations. All the printouts older than a year are destroyed.
- Account information of customers' refunds. Register enables refunds.
- Archive of diving course participants. Data are stored for responsibility and security reasons for 7 years at least, after which the data can be erased on client's request
- Register of prepayed and signed pick up orders. Register is maintained to speed up the pickups.
- Surveillance Camera Recordings: The register is maintained as a measure to support employee occupational safety.
- Customer Service Register: Emails and call information are processed in the Zendesk customer relationship management system to expedite customer service.
- Newsletter Register: The email marketing register and subscription information are processed on the Custobar marketing automation platform.

Change cookie settings