Privacy policy

Valid from: 21.9.2020

1. Controller

The controller of the register is Wallius Welding Machines Ltd (business ID FI3008168-1)
The contact person for register matters is:
Lasse Paananen
Pooh. 040-720 5088

Wallius Welding Machines Ltd.
Muurlantie 510
25130 Muurla

2. Name of the register

The registry name is:
a) Wallius Welding Machines Oy Customer Register
b) Wallius Welding Machines Ltd Marketing and Communications Register

3. Purpose of processing personal data

Personal data is processed for purposes related to the management, management and development of customer relationships, the provision and delivery of services and the development and invoicing of services. Personal data is also processed for the purposes necessary for the investigation of possible complaints and other requirements.

In addition, personal data is processed in customer communications, such as information and news purposes and marketing, as part of which personal data is also processed for direct marketing and electronic direct marketing purposes.

The Customer has the right to prohibit direct marketing directed at him or her.

The controller processes the data itself and utilises subcontractors acting on behalf and on behalf of the controller in the processing of personal data.

4. Grounds for the proceedings

The legal basis for the processing of personal data is the following criteria in accordance with the EU's General Data Protection Regulation (hereinafter also referred to as the GDPR:

  1. the data subject has given his or her consent to the processing of his or her personal data for one or more specific purposes (GDPR 6, Art. 1.a);
  2. processing is necessary for the implementation of a contract to which the data subject is a party or for the implementation of pre-contract measures at the request of the data subject (GDPR 6, 1.b);
  3. processing is necessary for the real purpose of the legitimate interests of the controller or a third party (GDPR 6, 1.f).

The above-mentioned legitimate interest of the controller is based on a meaningful and appropriate relationship between the data subject and the controller as a result of the fact that the data subject is the controller's customer and when the processing takes place for purposes that the data subject could reasonably have expected at the time of the collection of personal data and in the context of an appropriate relationship.

5. Data content of the register (categories of personal data to be processed)

The register contains the following personal data on all registered persons in principle:

  1. basic information and contact information of the person:
    a) Wallius Welding Machines Oy customer register : first name, last name, address, telephone number, email address
    b) Wallius Welding Machines Ltd marketing and communications register: first name, surname, email address
  2. information relating to the person's company or other organisation and the status or title of the person. in a company or organization
  3. direct marketing permits and prohibitions of the person.

6. Regular data sources

Personal data is collected from the data subject himself or herself.

Personal data is also collected and updated within the limits of applicable law from publicly available sources related to the implementation of the customer relationship between the controller and the data subject, through which the controller fulfils its obligations related to maintaining customer relationships. The Marketing and Communications Register also collects information about external services or applications such as Facebook, Instagram, other social media channels, Mailchimp, Campaign Monitor, possible trade fairs and events, customer meetings, partners.  

7. Retention period for personal data

The data collected in the register is stored only for as long as necessary in relation to the original or compatible purposes for which the personal data were collected.

The need to store personal data is assessed every three years and in any case the data concerning the data subject is removed from the register five years after the end of the data subject's customer relationship with the controller, and the obligations and measures related to the customer relationship have been completed. For example, accounting documents are kept for six years from the end of the financial year.

The controller regularly assesses the need to store data in accordance with its internal code of conduct. In addition, the controller shall take all reasonable steps to ensure that personal data inaccurate, inaccurate or outdated in relation to the purposes of processing are deleted or rectification without delay.

8. Recipients of personal data (categories of recipients) and regular disclosures

Personal data will not be disclosed to third parties.

9. Transfer of data outside the EU or EEA

The personal data contained in the register will not be transferred outside the EU or EEA.

10. Principles of registry security

Materials containing personal data are stored in locked spaces accessible only to designated persons and authorised to access their duties.

The database containing personal data is located on a server that is stored in a locked state accessible only to designated persons authorised to access their duties. The server is protected by an appropriate firewall and technical security.

Databases and systems are accessible only by separately issued personal user IDs and passwords. The controller has limited access rights and powers to information systems and other storage platforms so that the data can only be viewed and processed by persons necessary for their lawful processing. In addition, database and system usage transactions are registered in the controller's IT system logs.

The controller's employees and other persons are committed to secrecy and to keeping confidential the data received in connection with the processing of personal data.

11. Rights of the data subject

The data subject has the following rights under the EU's General Data Protection Regulation:

  1. the right to receive confirmation from the controller that personal data concerning him or her are being processed or not processed, and if such personal data are processed, the right to access personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom personal data have been or are to be disclosed; (iv) where possible, the envisaged retention period of personal data or, where that is not possible, the criteria for determining that period; (v) the data subject's right to request from the controller the rectification or erasure of personal data concerning him or her or the restriction of the processing of personal data or to object to such processing; (vi) the right to lodge a complaint with the supervisory authority; (vii) if personal data is not collected from the data subject, all available data on the origin of the data (GDPR Art. 15). This basic information described (i)–(vii) shall be provided to the data subject on a form;
  2. the right to withdraw consent at any time without prejudice to the lawfulness of the processing carried out on the basis of consent prior to its withdrawal (GDPR Art. 7);

  3. the right to require the controller to rectify, without undue delay, inaccurate and inaccurate personal data concerning the data subject and the right to have incomplete personal data supplemented, including by providing further information, taking into account the purposes for which the data were processed (GDPR Art. 16);
  4. the right to have the controller erase personal data concerning the data subject without undue delay, provided that (i) personal data are no longer needed for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based and there is no other legal basis for the processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no reasonable grounds for the processing or the data subject to object to the processing for direct marketing purposes; (iv) personal data have been processed unlawfully; or (v) personal data shall be erased in order to comply with a legal obligation applicable to the controller under Union or national law (GDPR Art. 17);
  5. the right for the controller to restrict processing if (i) the data subject disputes the accuracy of the personal data, in which case the processing is restricted for a period during which the controller can verify its accuracy; (ii) the processing is unlawful and the data subject objects to the erasure of personal data and instead requests that their use be restricted; (iii) the controller no longer needs such personal data for the purposes of processing, but the data subject needs it to establish, exercise or defend a legal claim; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation pending verification of whether the data controller's legitimate grounds supersede the data subject's grounds (GDPR Art. 18).

6. the right to obtain personal data relating to him or her provided by the data subject to the controller in a structured, commonly used and machine-readable format, and the right to transfer that data to another controller, notwithstanding the controller to whom the personal data have been provided, if the processing is based on the consent referred to in the Regulation and the processing is carried out automatically (GDPR 20 Art.);

7. the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning him or her violates the EU's General Data Protection Regulation (GDPR 77).

Requests for the exercise of the data subject's rights shall be addressed to the controller's contact person mentioned in section 1.