
Customer Register Privacy Statement

1. DATA CONTROLLER
The controller of the register is Hunajayhtymä Oy (business ID 0204045-2).

The contact person for registration matters is:
Aapo Savo, CEO

Honey Conglomerate Ltd.
Address: Kojonperäntie 13, 32250 Kojonkulma
Phone: 0207 769 680
Email: hunaja@hunaja.fi

2. REGISTER NAME
The name of the register is Hunajayhtymä Oy's customer register.

3. PURPOSE OF PERSONAL DATA PROCESSING

Personal data is processed for purposes related to the management, administration, and development of customer relationships, as well as for the provision, sale, and delivery of products and supplies, and for the development and billing of products and supplies. Personal data is also processed for purposes necessary to resolve potential complaints and other claims.

In addition, personal data is processed in customer communications, such as for information and news purposes, as well as for marketing, as part of which personal data is also processed for direct marketing and electronic direct marketing purposes.

The customer has the right to refuse direct marketing targeted at them.

The controller processes data itself and also uses subcontractors that process personal data on the controller's behalf.

4. LEGAL BASIS FOR PROCESSING
The legal bases for the processing of personal data are the following grounds under the EU's General Data Protection Regulation (hereinafter also referred to as "GDPR"):

  • the data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Art. 6(1)(a));
  • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b));
  • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6(1)(f)).

The aforementioned legitimate interest of the controller is based on a relevant and appropriate relationship between the data subject and the controller, which arises from the fact that the data subject is a customer of the controller and the processing is carried out for purposes which the data subject could reasonably have expected at the time of the collection of personal data and in the context of the appropriate relationship.

5. REGISTER CONTENT (PERSONAL DATA GROUPS PROCESSED)
The registry contains the following personal data for all registered individuals:

  • person's basic information and contact details: first name, last name, address, phone number, email address;
  • information regarding the individual’s affiliation with a company or other organization, and the individual’s position or job title within that company or organization.

6. REGULAR INFORMATION SOURCES
Personal data is collected from the registered individual themselves.

Personal data is also collected and updated within the limits of applicable legislation from generally available sources related to the implementation of the customer relationship between the controller and the data subject, and by which the controller fulfills its obligations related to the maintenance of customer relationships.

7. PERSONAL DATA RETENTION PERIOD
Data collected in the register shall be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected.

The need for personal data retention is assessed every three years; and in any case, data concerning a registered individual shall be deleted from the register six years after the termination of said registered individual's customer relationship with the controller, once all obligations and actions related to the customer relationship have been completed.

The data controller regularly assesses the necessity of retaining data in accordance with its internal policies. In addition, the controller shall take all reasonable measures to ensure that personal data that is inaccurate, incorrect, or outdated is erased or rectified without delay.

8. RECIPIENTS OF PERSONAL DATA (RECIPIENT GROUPS) AND REGULAR DISCLOSURES OF DATA
Personal data will not be disclosed to external parties.

9. TRANSFER OF DATA OUTSIDE THE EU OR EEA
Personal data included in the register is not transferred outside the EU or EEA.

10. PRINCIPLES OF REGISTER PROTECTION
Materials containing personal data are stored in locked facilities to which access is restricted to designated individuals who have been authorized to enter for the purposes of their duties.

A database containing personal data is on a server, which is kept in a locked room with access limited to designated individuals authorized for access due to their duties. The server is protected by an appropriate firewall and technical security measures.

Access to databases and systems is granted only with individually authorized personal user IDs and passwords. The controller has restricted the access rights and authorizations to information systems and other storage platforms so that only individuals necessary for the lawful processing of data can view and process it. Furthermore, usage events of databases and systems are logged in the controller's IT system logs.

The controller's employees and other individuals are committed to complying with confidentiality obligations and keeping secret the information they receive in connection with the processing of personal data.

11. RIGHTS OF THE DATA SUBJECT
The registered person has the following rights under the EU's General Data Protection Regulation:

  • the right to obtain confirmation from the controller as to whether or not personal data concerning him or her is being processed, and where that is the case, to obtain access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period; (v) the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source (Article 15 GDPR). These described essential pieces of information (i)-(vii) are provided to the data subject on this form;
  • the right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7 GDPR);
  • the right to request that the controller rectify, without undue delay, any inaccurate or incorrect personal data concerning the data subject, as well as the right to have incomplete personal data completed, including by providing additional information, taking into account the purposes for which the data was processed (GDPR Article 16);
  • the right to obtain from the controller the erasure of personal data concerning him or her without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and there is no other legal ground for processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no overriding legitimate grounds for processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation to which the controller is subject under Union or national law (Art. 17 GDPR);
  • the right to have the controller restrict processing if (i) the data subject disputes the accuracy of the personal data, in which case processing shall be restricted for a period during which the controller can verify their accuracy; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests, instead, the restriction of their use; (iii) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs it for the establishment, exercise, or defense of legal claims; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation pending verification of whether the controller’s legitimate grounds override those of the data subject (GDPR Article 18);
  • the right to receive personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) and is carried out by automated means (GDPR Art. 20);
  • the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning them infringes the EU's General Data Protection Regulation (GDPR Art. 77).

Requests concerning the exercise of data subject rights shall be addressed to the data controller's contact person mentioned in Section 1.

Mailing address: PL 110, 32201 Loimaa
Street address: Kojonperäntie 13, 32250 Kojonkulma
Open: Mondays to Fridays from 8:00 AM to 4:00 PM
Phone: 0207 769 680
GSM: 0400 193 941
Email: hunaja@hunaja.fi