1. General

This Privacy Notice contains information required by the EU General Data Protection Regulation (hereinafter the GDPR) and the national law for data subjects, that is, for the controller’s customers, employees, and the supervisory authority.

2. Controller and its contact details

The controller is Calefa Oy as specified in this privacy policy.

Address: Muovitie 1, 15860 Hollola, Finland

The controller’s contact person:

CEO Petri Vuori, +358 40 553 4427, petri.vuori@calefa.fi

3. Name of the data file

Customer data register.

The register is used to manage contacts to existing and potential customers. 

4. Purposes of personal data processing and legal basis for processing

The table below describes the categories of personal information, their purposes, and their lawful bases.

PurposeLawful basisType of Personal data
MarketingThe individual has given their consentName, position, work address, work email, work phone number
SalesThe individual has given their consentName, position, work address, work email, work phone number
Customer serviceThe individual has given their consentName, position, work address, work email, work phone number

5. Personal data retention period or criteria for determining the period

The information is retained for the duration of the marketing-delivery projects.

6. Data recipients 

Personal data is never disclosed to a third party.

7. Transfer of data to suppliers

The controller uses suppliers which process personal data for its account. The controller concludes appropriate agreements on personal data processing with such suppliers. 

As a rule, the controller does not transfer data in this data file outside of the EU / EEA.

8. Personal data sources and updates

Personal data is collected primarily from the data subjects themselves. Personal data may also be collected when the data subject uses certain controller services, such as online services.

Personal data can also be collected and updated within the limits permitted by law from the personal data files of third parties, such as Vainu, Fonecta information service, and MailChimp.

9. Data subject’s rights

9.1 Right of access

Data subjects have the right to receive the controller’s confirmation of whether their personal data will be processed or not, or whether they have already been processed. If the controller processes a data subject’s personal data, the data subject has the right to receive the information in this document and a copy of the personal data being processed or already processed. The controller may charge a reasonable administrative fee for additional copies requested by the data subject. If the data subject submits a request electronically and has not requested any other form of delivery, the data will be delivered in a commonly used electronic format.

9.2 Right to rectification, erasure, and restriction of processing

The data subject also has the right to request the controller to rectify or erase their personal data and prohibit the processing of their personal data for direct marketing purposes. The data subject may, in certain cases, also have the right to request the controller to restrict the processing of their personal data or to otherwise oppose the processing. In addition, under the GDPR, the data subject may request that the data they have provided themselves be transferred in a machine-readable format.

9.3 Right to cancel prior consent

If the controller processes the data subject’s personal data on the basis of consent, the data subject has the right to cancel such consent by contacting the customer service of the data controller. The cancellation of consent does not affect the lawfulness of processing performed based on the consent prior to its cancellation.

9.4 Right to file a complaint with the supervisory authority

If a data subject considers that his /her personal data is not processed legally, he/she has the right to file a complaint with the supervisory authority.

9.5 Exercising your rights

All requests are to be addressed to the controller’s contact person. Please be prepared to prove your identity when exercising your data subject’s rights. 

10. Organisation of protection of data file

The data file is stored in a cloud server with a standardized VPN connection. The only access to the data is via a user ID and a password. The terminals are protected according to common practice.