Privacy policy
Privacy policy updated May 15, 2018.
YOUR PRIVACY IS IMPORTANT TO US
We have updated our privacy policy in accordance with the new General Data Protection Regulation (GDPR). View our updated statement in which we describe how we safely handle your personal information.
NIINMUN´DESIGN'S PRIVACY POLICY IN A NUTSHELL
This privacy policy statement explains how niinmun´design (SISUSTUSLIIKE MY COUNTRY HOME KY) handles customer and potential customer information.
-We collect personal information when you visit our online store, showrooms, sales events or order our newsletter or otherwise contact us.
-Information we collect may be provided by yourself when making purchases in our online store or our showrooms, or when participating in our campaigns. In addition, we handle personal information that is saved when you use our online services (such as cookies, location information, or IP information). This information is usually traceable to you only by utilizing additional information.
-We handle your personal information to deliver purchases and for customer management and development. Collected information helps us analyse customer preferences and requests.
-We handle your personal information when offering you customer service and sending you customer messaging. Additionally, we send you electronic direct marketing information to the extent permitted by law. When possible, we will handle pseudonymised information and segment data. We do not handle information directly traceable to you unless it is required for the purposes of fulfilling processing.
-You control how we process your data. We disclose your rights and how you may use them. You have the right to withdraw your consent to the processing of your personal data, the right to access your personal data and the right to rectification, erasure, restriction and transfer to another register holder. Additionally, you have the right to object to the processing of your personal data and the right to file a complaint with the data protection authority.
-Contact niinmun´design regarding our privacy policy by emailing virpi@niinmun.fi.
REGISTER STATEMENT
niinmun´design's customer registry privacy policy
1 Register holder
The register holder of this register is:
Niinmun´design / Sisustusliike My Country Home Ky Oy (business ID 2195640-7)
The contact person for the register holder is:
Virpi Kostiainen
Niinmun´design / My Country Home
Address: Pakastontie 71, 21710 Korppoo, Finland
Phone: +358 40 7561567
Email: virpi@niinmun.fi
2 The name of the register
The name of this register is niinmun´design's customer register
3 The purposes of handling personal information
Personal information is processed for purposes related to the management, administration and development of the customer relationship, the provision and delivery of services, and the development and billing of services. Personal data is also processed for the purposes of dealing with possible complaints and other claims.
In addition, personal information is processed for customer communications, such as information and news purposes and marketing, including for direct marketing and electronic direct marketing purposes.
The customer has the right to object to direct marketing directed at them.
The register holder processes the data itself and uses subcontractors acting for and on behalf of the register holder to process personal data.
4 Legal grounds for processing
The legal grounds for the processing of personal data are the following criteria in accordance with the EU General Data Protection Regulation (hereinafter also referred to as "GDPR"):
1. the data subject has given their consent to the processing of their personal data for one or more specific purposes (GDPR 6 Art. 1.a);
2. processing is necessary for the performance of a contract to which the data subject is a party in, or in order to carry out pre-contractual measures at the request of the data subject (GDPR 6 Art 1.b);
3. processing is necessary for the purposes of the legitimate interests pursued by the register holder or a third party (GDPR 6 Art 1.f).
The legitimate interest of the controller mentioned above is based on a relevant and proper relationship between the data subject and the register holder, which results from the fact that the data subject is a customer of the register holder, and where the processing is carried out for purposes which the data subject could reasonably have expected at the time of collection of the personal data and in the context of the relevant relationship.
5 Data content of the register (categories of personal data processed)
In principle, the register contains the following personal data of all data subjects:
1. basic personal data and contact information: [first name, last name, address, telephone number, email address];
2. information relating to the person's company or other organisation and the person's position or job title in that company or organisation;
3. the person's direct marketing authorisations and prohibitions.
6 Regular sources of information
Personal data are collected from the data subject himself/herself.
Personal data is also collected and updated, within the limits of applicable law, from publicly available sources related to the performance of the customer relationship between the register holder and the data subject and through which the register holder carries out its obligations in relation to the maintenance of the customer relationship.
7 Retention period of personal data
Data collected in the register will be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected.
The need for the retention of personal data is assessed every three years and in any case the data relating to a data subject will be erased from the register once the customer relationship of that data subject with the register holder has ended and the obligations and measures relating to the customer relationship have been completed. For example, accounting records are kept for six years after the end of the accounting year.
The register holder will regularly assess the need for data retention in accordance with its internal code of conduct. In addition, the register holder shall take all reasonable steps to ensure that personal data which are inaccurate, incorrect, or out of date with regard to processing purposes are erased or rectified without undue delay.
8 Recipients (categories of recipients) of personal data and regular transfers of data
Personal data will not be disclosed to third parties.
9 Transfer of data outside the EU or EEA
Personal data contained in the register will not be transferred outside the EU or EEA.
10 Principles of register protection
Personal data files are kept in locked premises, accessible only to designated persons authorised by their functions.
The database containing personal data is stored on a server in a locked room, accessible only to designated and duly authorised persons. The server is protected by an appropriate firewall and technical protection.
Access to databases and systems is only possible with personal user IDs and passwords, which are issued separately. The register holder has limited the access rights and authorisations to the information systems and other storage platforms so that only persons necessary for their lawful processing have access to and can process the data. In addition, access events to the databases and systems are recorded in the log files of the controller's IT system.
The employees and other persons of the controller are bound by an obligation of confidentiality, and to respect the secrecy of the information obtained in connection with the processing of personal data.
11 Rights of the data subject
The data subject has the following rights under the EU General Data Protection Regulation:
1. The right to obtain confirmation from the register holder that personal data concerning them are being processed or not being processed and, if such personal data are being processed, the right of access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or are to be disclosed; (iv) where possible, the envisaged period of retention of the personal data or, if that is not possible, the criteria for determining that period; (v) the data subject's right to obtain from the register holder the rectification or erasure of personal data concerning them or the restriction of the processing of personal data or to object to such processing; (vi) the right to file a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information on the origin of the data (GDPR Art. 15). This basic information described in (i) to (vii) is provided to the data subject on this form;
2. the right to withdraw consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent before its withdrawal (GDPR Art. 7);
3. the right to obtain the rectification, without undue delay, of inaccurate or incomplete personal data concerning the data subject and the right to have incomplete personal data completed, inter alia, by providing further explanations, taking into account the purposes for which the data were processed (GDPR Art. 16);
4. The right to obtain from the register holder the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other lawful basis for the processing; (iii) the data subject objects on grounds relating to their particular personal circumstance and there is no legitimate ground for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data must be erased in order to comply with a legal obligation under Union or national law to which the register holder is subject (GDPR Art. 17);
5. the right to have processing limited by the register holder if (i) the data subject contests the accuracy of the personal data, in which case the processing is limited for a period of time within which the register holder can verify its accuracy; (ii) the processing is unlawful and the data subject objects to the erasure of the personal data and requests instead the restriction of their use; (iii) the register holder no longer needs the personal data concerned for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to the processing of personal data on grounds relating to their particular circumstance, pending verification whether the legitimate grounds of the register holder override those of the data subject (GDPR Art. 18);
6. the right to obtain the personal data concerning the data subject, which the data subject has provided to the register holder in a structured, commonly used and machine-readable format and the right to transmit such data to another register holder without hindrance from the register holder to whom the personal data have been provided, when the processing is based on consent within the meaning of the regulation and the processing is carried out automatically (GDPR Art. 20);
7. the right to file a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning them infringes the EU General Data Protection Regulation (GDPR Art. 77).
Requests concerning the exercise of the rights of the data subject shall be addressed to the contact person of the register holder mentioned in section 1.