Evabaits.fi Customer Register Privacy Policy

1. Data Controller

The data controller is NVV Group Oy (3505814-9)

Contact person: Niilo Lahti

Website: evabaits.fi

Address: Elinbackanpolku 1, 01740, Vantaa, Finland

Phone: 045 263 4727

Email: info@evabaits.fi

2. Register Name

The name of the register is evabaits.fi customer register.

3. Purpose of Processing Personal Data

Personal data is processed for purposes related to customer service management, administration, service provision, development, and billing. Personal data is also processed to fulfill legal obligations and to verify customer transactions.

Additionally, personal data is used for direct marketing purposes, newsletters, and other communications with customers. As part of this, personal data may be processed for direct marketing via email or other electronic means.

Customers have the right to opt-out of direct marketing at any time.

The data controller may share personal data with authorized third-party service providers.

4. Legal Grounds for Processing

The legal basis for processing personal data is based on the EU General Data Protection Regulation (GDPR):

1. The data subject has given consent for one or more specific purposes (GDPR Article 6(1)(a)).
2. Processing is necessary for the performance of a contract (GDPR Article 6(1)(b)).
3. Processing is necessary to comply with legal obligations (GDPR Article 6(1)(c)).

The aforementioned legitimate interest of the data controller is based on a relevant and appropriate relationship between the data subject and the data controller, which arises from the fact that the data subject is a customer of the data controller, and when the processing takes place for purposes that the data subject could reasonably expect at the time of the collection of personal data and in the context of the relevant relationship.

5. Content of the Register (Categories of Personal Data Processed)

The register contains the following personal data, in principle, of all registered individuals:

1. Basic personal information and contact details: first name, last name, address, phone number, and email address.
2. Information related to the person’s company or other organization, and the person’s position or job title in the said company or organization;
3. The person’s direct marketing permissions and prohibitions.

6. Regular Sources of Data

Personal data is collected from the data subject themselves.

Personal data is also collected and updated, within the limits of applicable legislation, from publicly available sources related to the implementation of the customer relationship between the data controller and the data subject, and which enable the data controller to fulfill their obligations related to maintaining customer relationships.

7. Storage Period of Personal Data

The data collected in the register will be stored only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

The need to retain personal data is assessed every five years, and in any case, the data concerning the data subject will be deleted from the register once the customer relationship with the data controller has ended and all obligations and measures related to the customer relationship have been completed. For example, accounting records are retained for five years after the end of the financial year.

The data controller regularly assesses the necessity of data retention in accordance with its internal codes of conduct. In addition, the data controller takes all reasonably possible measures to ensure that inaccurate, incorrect, or outdated personal data, in relation to the purposes of processing, are promptly deleted or corrected.

8. Recipients of Personal Data (Categories of Recipients) and Regular Disclosures of Data

Personal data will not be disclosed to external parties.

9. Transfer of Data Outside the EU or EEA

Personal data contained in the register will not be transferred outside the EU or EEA.

10. Principles of Data Register Protection

Materials containing personal data are stored in locked premises, accessible only to designated persons who are authorized to access them due to their duties.

The database containing personal data is located on a server kept in a locked facility, accessible only to designated persons authorized to access it due to their duties. The server is protected by an appropriate firewall and technical safeguards.

Access to databases and systems is granted only with individually issued personal usernames and passwords. The data controller has restricted access rights and authorizations to the information systems and other storage platforms so that only those persons who need the data for lawful processing purposes are able to view and process it. In addition, all usage events of the databases and systems are recorded in the data controller’s IT system logs.

The data controller’s employees and other persons are committed to confidentiality and to keeping secret any information they receive in connection with the processing of personal data.

11. Rights of the Data Subject

The data subject has the following rights under the EU General Data Protection Regulation (GDPR):

1. The right to obtain from the data controller confirmation as to whether or not personal data concerning them are being processed, and, where such personal data are being processed, the right to access the personal data as well as the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the right to request from the data controller rectification or erasure of personal data concerning them, or restriction of processing, or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source (GDPR Article 15). This basic information (i)–(vii) will be provided to the data subject with this form.
2. The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7);
3. The right to require the data controller to rectify without undue delay inaccurate or incorrect personal data concerning the data subject, as well as the right to have incomplete personal data completed, including by providing additional information, taking into account the purposes for which the data were processed (GDPR Article 16);
4. The right to obtain from the data controller the erasure of personal data concerning the data subject without undue delay, provided that: (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing; (iii) the data subject objects to the processing on grounds relating to their particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data must be erased for compliance with a legal obligation under Union or national law applicable to the data controller (GDPR Article 17);
5. The right to obtain restriction of processing from the data controller if: (i) the data subject contests the accuracy of the personal data, in which case processing shall be restricted for a period enabling the controller to verify the accuracy of the data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of processing, but the data are required by the data subject for the establishment, exercise, or defense of legal claims; or (iv) the data subject has objected to processing on grounds relating to their particular situation, pending the verification of whether the legitimate grounds of the controller override those of the data subject (GDPR Article 18);
6. The right to receive the personal data concerning oneself, which the data subject has provided to the data controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent as referred to in the Regulation and the processing is carried out by automated means (GDPR Article 20);
7. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the EU General Data Protection Regulation (GDPR Article 77).

Requests concerning the exercise of the data subject’s rights should be addressed to the data controller’s contact person mentioned in Section 1.

12. Web Analytics

The following services collect anonymized information about visits to the website without personal data, provided that you have accepted cookies:

Google Analytics, Google Tag Manager, Google AdWords and Meta.

13. Targeted Marketing

Based on your visit to our website, we may carry out targeted advertising in the following services, provided that you have accepted cookies:

Facebook, Instagram & Google.

14 Returns

You have the right to cancel your order and return the products within 14 days of receiving them. Returned products must be unopened, unused, and in resalable condition. The customer is responsible for the return shipping costs.

If you wish to return products, please contact our customer service: info@evabaits.fi.