VILPE Oy is committed to the responsible management, use, and protection of your personal information. This text sets out VILPE Oy’s Customer and Potential Customer Privacy Policy, which applies both during and after your customer relationship with us.

Privacy Policy: Customer and Potential Customer Register

Section 24 of the Personal Data Act (523/1999)

Section 7 of the Act on the Protection of Privacy in Electronic Communications

1. Controller

VILPE Oy (0558172-1)
Kauppatie 9, FIN-65610 Mustasaari, Finland
Sales and technical support tel. +358 20 123 3222

2. Contact Person in Data File-Related Matters

VILPE Oy
Chief Sales Officer Ville Sarmesto
Kauppatie 9, FIN-65610 Mustasaari, Finland
Tel. +358 40 482 7109
firstname.lastname(at)vilpe.com

3. Name of the Date File

4. Purpose and Legal Basis for the Processing of Personal Data

The personal data collected into the registry is used to control, manage and maintain customer relationships, produce and facilitate services, customer communication, invoicing, billing and debt collection, as well as directing marketing and advertising and providing the data to a suitable VILPE Oy representative. In addition, the feedback and data gathered from customers is used in analysing market trends, product applications and research and development.

The legal bases for the processing of personal data are:

contract or implementation of contract (EU General Data Protection Regulation, Article 6.1.b)
the legitimate interests of the data controller (Article 6.1.f)
the consent given by the data subject (Article 6.1.a)

The data controller has carried out a legitimate interest assessment (balancing test). Consent is used in particular for electronic direct marketing and in connection with cookies and monitoring of online services where required by law.

5. Data Content of the File

The following data may be stored in VILPE Oy’s corporate information system’s personal data register:

Date and time of registration
Person’s name
Person’s phone number
Person’s email address
Person’s gender
Department in organisation
Title
Responsibilities within the organisation
Date of birth
Open text, focused information for customer relationship management
Log of communications
- Agreement to/ban of marketing
- Clicking and opening of e-mails
- Clicking on call-to-action

The following information about a visit to the vilpe.com website might also be stored in the register:

Date and time of the website visit
IP address
Survey information
Agreement to/ban of marketing
Opening of e-mails and clicks
Clicks on call-to-action requests
Information related to website use
Information about activities related to website use (dates, quantities, traffic sources)

6. Storage Time Of Personal Data

Personal data is stored for as long the customer relationship exists. After the customer relationship has been terminated, the customer’s personal data is stored for a maximum of three (3) years after the date of termination. Personal information of potential customers is stored in the direct marketing register for as long as the subject of the information holds the position, to which the marketable product or service is relevant to, or until the subject of the information withdraws the consent for the use of data for direct marketing purposes. In this case the information of the withdrawal of consent will be stored. Personal information can be stored for longer periods of time, when the applicable law and regulations or the Company’s contractual obligations towards third parties require it.

7. Sources of Personal Data

Personal data is collected when the customer relationship is formed, during the customer relationship, and during the work which is done to form the customer relationship. Personal data can be collected and supplemented with consent from the subject of the data (e.g. with the use of cookies), from a civil register, or from other third-party registers. Data can also be collected with the use of various marketing activities such as events.

8. Transfer of Personal Data

The data can be transferred to the register holder’s parent and daughter companies for the purposes described in this document’s article 4., for the register holder’s direct marketing purposes, or to the register holder’s personal data records. Transfers are always made in accordance with current data protection and security regulations. The following service providers from other companies also handle and use personal data:

Providers of IT services
Providers of logistic services
Providers of paid services
Providers of marketing services

9. Transfer of Personal Data to Outside the EU or EAA

Personal data may be transferred outside the EU or the EEA. In such cases, the transfers are carried out in accordance with the safeguards required by EU data protection legislation, such as the standard contractual clauses approved by the European Commission.

10. Principles of Securing the Data File

A. Manual material
Manual records are stored in locked premises and/or locked storage units in such a way that only persons who, based on their job duties, have a need to process the data have access to the records.

B. Electronically recorded data
The data are stored in an appropriate electronic system. Access to the data is restricted through access rights and role-based controls to only those persons who, based on their job duties, need to process personal data. Use of the register is protected by user IDs and passwords and, where necessary, by multi-factor authentication.
Personnel of the data controller who process personal data, as well as external service providers acting on behalf of the data controller, are subject to a professional secrecy. The confidentiality and integrity of the data are further safeguarded by appropriate technical and organisational measures, such as logging, regular backups, and up-to-date security updates of the systems.

11. Customer Profiling

The register holder can use the data for customer profiling. Customer profiling is achieved with the help of identifiers, with which the data generated by the service, concerning the subject of the data, can be combined. The resulting profile can be used, for example, for comparisons with other profiles created in a similar manner. The purpose of customer profiling is to examine the demand of products and services and customer behaviour. Profiling does not produce legal effects concerning the data subject nor similarly significantly affect the data subject.

12. Data Subject Right to Object to Handling of Data and Direct Marketing

The data subject has the right to object to profiling and other data processing activities relating to their personal data where the legal basis for the processing is the legitimate interest of the data controller. The subject of the data can present their objections by the means specified in this document’s article 14. (‘Contact’). The subject of the data will need to specify the particular instances which their objections are based on. The register holder can abstain from carrying out requests regarding objections on the basis of current laws and regulations. The subject of the data can at any time accept or withdraw their consent for the use of their data for direct marketing and customer profiling purposes.

13. Other Rights of the Subject of the Data

Right to Inspection

The subject of the data has the right to inspect what data concerning them has been stored in the register holder’s register. The request for inspection must be made according to this document’s article 14. (‘Contact’). The register holder can abstain from requests to inspect the data on the basis of current laws and regulations. Data inspection requests are usually free of charge when made only once a year.

The Right to Demand Correction of Data, Removal of Data or to Restrict its Use

The subjects of the data have the right to demand the correction of incorrect data, as well as the right to prohibit the use of their data for direct marketing or similar purposes. Such requests must be made according to this document’s article 14. (‘Contact’). The subject of the data also has the right to restrict the handling of their data: for example, during the process of requesting the removal or correction of data concerning them.

The Right to Transfer Data From the Register

The subject of the data has the right to acquire any information which they have provided to the register (which has been used with their consent or mandate) in primarily machine-readable format to themselves or to be transferred to another register holder.

The Right to Make a Complaint to a Supervisory Authority

The subject of the data has the right to make a complaint to a supervisory authority when the register holder has not acted in accordance with the applicable privacy and data security regulations.

Other Rights

When personal data is being handled on the basis of the consent given by the subject of the data, this subject has the right to withdraw their consent by informing the register holder according to this document’s article 14. (‘Contact’).

14. Contact

In all matters regarding the handling of personal data and in all cases which involve evoking their rights, the subject of the data will need to contact the person specified in article 2. of this document. The register holder or the person specified in article 2. can then, when necessary, ask the subject of the data in writing to clarify their request. The subject of the data’s identity can also be verified, if necessary, before taking action on the request.

15. Changes to this Privacy Policy

This privacy policy will be updated if the methods or purposes of processing personal data change. Data subjects are encouraged to review the contents of the policy regularly.