Privacy Policy
Kulta-Aika Oy PRIVACY POLICY FOR CUSTOMER REGISTER
1 Data Controller
The data controller of the register is Kulta-Aika Oy (business ID 0603918-4)
The contact person for register matters is: Henri Meskanen
Kulta-Aika Oy
Address: Säätökuja 2 B, 01510 Vantaa
Email: verkkokauppa@kulta-aika.fi
2 Name of the Register
The name of the register is Kulta-Aika Oy's customer register.
3 Purpose of Personal Data Processing
Personal data is processed for purposes related to the management, administration, and development of customer relationships, the provision and delivery of services, and the development of services and invoicing. Personal data is also processed for purposes required for the investigation of potential complaints and other claims.
In addition, personal data is processed for customer communication, such as informational and news purposes, and for marketing, including direct marketing and electronic direct marketing.
The customer has the right to prohibit direct marketing targeted at them.
The data controller processes data itself and also utilizes subcontractors acting on behalf and for the account of the data controller in the processing of personal data.
4 Legal Basis for Processing
The legal bases for processing personal data are the following grounds in accordance with the EU General Data Protection Regulation (hereinafter also "GDPR"):
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes (GDPR Art. 6 (1)(a));
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Art. 6 (1)(b));
- processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party (GDPR Art. 6 (1)(f)).
The legitimate interest of the data controller mentioned above is based on a significant and appropriate relationship between the data subject and the data controller, which arises from the data subject being a customer of the data controller, and when the processing takes place for purposes that the data subject could reasonably expect at the time of data collection and in the context of the appropriate relationship.
5 Data Content of the Register (Categories of Personal Data Processed)
The register contains the following personal data for all registered persons as a starting point:
- basic personal data and contact information: first name, last name, address, telephone number, email address;
- information related to the person's company or other organization and the person's position or job title in the said company or organization;
- the person's direct marketing permissions and prohibitions.
6 Regular Data Sources
Personal data is collected from the data subject themselves.
Personal data is also collected and updated, within the limits of applicable law, from generally available sources related to the realization of the customer relationship between the data controller and the data subject, and by means of which the data controller fulfills its obligations related to maintaining customer relationships.
7 Personal Data Retention Period
Data collected in the register will be stored only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.
The need to retain personal data is assessed every five years, and in any case, data concerning a registered person will be removed from the register 5 years after the customer relationship of that registered person with the data controller has ended, and obligations and measures related to the customer relationship have been completed. For example, accounting records are kept for five years from the end of the financial year.
The data controller regularly assesses the necessity of data retention in accordance with its internal codes of conduct. In addition, the data controller takes all possible reasonable measures to ensure that inaccurate, incorrect, or outdated personal data are deleted or rectified without undue delay in relation to the purposes of processing.
8 Recipients of Personal Data (Categories of Recipients) and Regular Disclosures of Data
Personal data will not be disclosed to external parties.
9 Transfer of Data Outside the EU or EEA
Personal data contained in the register will not be transferred outside the EU or EEA.
10 Principles of Register Protection
Materials containing personal data are stored in locked facilities, access to which is limited to designated personnel authorized for access due to their duties.
The database containing personal data is on a server stored in a locked facility, access to which is limited to designated personnel authorized for access due to their duties. The server is protected by an appropriate firewall and technical security measures.
Access to databases and systems is only granted with separately issued personal user IDs and passwords. The data controller has restricted access rights and authorizations to information systems and other storage platforms so that only personnel necessary for their lawful processing can view and process the data. In addition, user events in databases and systems are recorded in the data controller's IT system log data.
The data controller's employees and other personnel have committed to observing confidentiality and keeping secret information obtained in connection with the processing of personal data.
11 Rights of the Data Subject
The data subject has the following rights under the EU General Data Protection Regulation:
- the right to obtain from the data controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the data controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source (GDPR Art. 15). This basic information described in (i)–(vii) is provided to the data subject on this form;
- the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Art. 7);
- the right to obtain from the data controller without undue delay the rectification of inaccurate personal data concerning him or her and the right to have incomplete personal data completed, including by means of providing a supplementary statement, taking into account the purposes of the processing (GDPR Art. 16);
- the right to obtain from the data controller the erasure of personal data concerning him or her without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based, and where there is no other legal ground for the processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the data controller is subject (GDPR Art. 17);
- the right to obtain from the data controller restriction of processing where (i) the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests instead the restriction of their use; (iii) the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject (GDPR Art. 18);
- the right to receive the personal data concerning him or her, which he or she has provided to a data controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where the processing is based on consent as referred to in the regulation and the processing is carried out by automated means (GDPR Art. 20);
- the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the EU General Data Protection Regulation (GDPR Art. 77).
Requests concerning the exercise of data subject rights should be addressed to the data controller's contact person mentioned in section 1.

