Compliant with the EU General Data Protection Regulation 2016/679.
Updated 7 April 2021.
1. Register controller
Kirami Oy (Business ID 1707445-2), Villiläntie 2, 32730 Sastamala
2. Contact person in matters related to the register
Kirami Oy, Eero Rantanen, firstname.lastname@example.org, 040 828 9973, Villiläntie 2, 32730 Sastamala
3. Name of the register
Kirami Oy’s register for the kirami.fi website and online shop and Kirami Oy’s marketing register.
4. Legal basis and purpose of processing personal data
Under the EU General Data Protection regulation, the legal basis for the processing of personal data is each data subject’s consent.
The controller or an authorised cooperation partner may use the personal information of customers or potential customers for the following purposes: customer contact, management of customer relationships, marketing and communications. The information can also be used for statistical purposes, developing the operations of Kirami Oy and producing targeted contents in our online services. The personal data is processed in accordance with the EU General Data Protection Regulation (2016/679 GDPR) and the Data Protection Act (1050/2018), as permitted and required by them.
The information in the register can be used in Kirami Oy’s internal registers for targeting advertising. Kirami Oy can utilise cooperation partners for the maintenance of customer relationships.
Kirami Oy is entitled to publish the information contained by the customer register as an electronic or hard copy list (e.g. mailing stickers for direct marketing), unless the customer specifically denies doing so.
The denial can be registered by emailing the customer service at email@example.com or notifying the register controller.
The processing of personal information is based on consent, and the data subject may at any time cancel their consent. The information will not be used for automated decision-making or profiling.
5. Information content of the register
The register collects the basic information entered by the user of the kirami.fi website: name, address, postal code and town, email address, and telephone number.
Other information: customer feedback; customer satisfaction information; campaign-specific information; information related to the use of services and purchasing behaviour; permission and denial information for direct advertising, remote sales and other direct marketing as required by legislation; other information acquired by the consent or authorisation of a customer or potential customer, which is necessary for producing the service they request.
6. Ordinary information sources
Information on customers and potential customers is acquired from the persons themselves in connection with online shop orders, newsletter subscriptions, product registrations, opinion and feedback surveys, competitions, and prize draws, for example. Only the information of persons who have given permission for marketing or contacting is stored. This means that the data processing is based on personal consent. Otherwise, campaign-specifically submitted information is only stored for the time listed in the rules of the campaign in question.
7. Disclosure, transfer and storage of information
Information can be disclosed to authorities as required by legislation. Information is not transferred outside the European Union or the European Economic Area, unless necessary for the technical production of the service. In such cases, the register controller shall ensure a sufficient level of data protection, as required by the applicable legislation. Data may be disclosed in ways allowed by the GDPR to cooperation partners and subcontractors of Kirami Oy who work by commission from and at the cost of Kirami Oy in matters related to Kirami Oy’s online service.
8. Principles of register protection
The information is stored in the register controller’s system and protected using the user interface protection software. User rights to the register can only be granted to those who have a personal user identification and password, which in turn are only granted to members of the register controller’s staff whose position and assignments require the possibility to use the register. The information contained by the register is located in a locked and protected facility.
9. Rights of the data subject
9.1. Right to acquire information
The data subjects are entitled to receive transparent information on the processing of the personal information.
This Data Protection Statement is used to inform the data subjects of the processing of personal information.
Data subjects are entitled to access to their own information. The request for information must be presented to the register contact person in writing. The register controller shall deliver the collected information within 30 days.
9.2. Right to correct information
Data subjects are entitled to correct their information and to request information to be removed without delay.
The request must be presented to the register contact person in writing. The register controller is obliged to remove information if any of the following criteria is met: 1) the personal information is no longer needed for the purposes they were collected for; 2) the data subject cancels their consent; 3) the data subject opposes the processing of the information and there is no legislation-based requirement to process the information, or the data subject opposes the direct marketing purpose; 4) the personal information has been processed in a way which violates legislation; 5) in order to comply with legislation-based obligations; 6) the personal information was collected in connection with offering information society services.
9.3. Right to limit information
Data subjects are entitled to limit the processing of their information if any of the grounds listed in Article 18 of the GDPR are met, e.g. if the data subject disputes the correctness of their personal information.
The register controller shall inform every recipient to whom personal information has been disclosed of any corrections, removals, or limitations of processing of personal information, unless doing so would cause unreasonable inconvenience. By separate request from the data subject, the register controller shall notify the data subject of any such recipients.
9.4. Right to transfer information
The data subject is entitled to receive their personal information and deliver it to another register controller. The right to transfer also covers transferring data directly between register controllers if technically possible. For the right to be applicable, the processing must be based on consent or agreement, and processing must be automated.
9.5. Right to oppose
The data subject is entitled to oppose the processing of their personal information at any time following giving permission to process the information. The data subject is also entitled to oppose at any time any processing of their personal information based on the company’s justified benefit or profiling.
Profiling refers to any automated processing of personal information, where the information is used to evaluate certain personal features, particularly to analyse or anticipate any features related to said natural person’s work performance, financial situation, health, personal preferences, interests, reliability, behaviour, location, or movement.
After receiving the denial, the register controller is not allowed to process the personal information unless they can prove a justified and significant reason for the processing.
The data subject is entitled to at any time oppose the processing of their personal information for direct marketing purposes, including profiling when related to direct marketing.
9.6. Automated decision-making
The data subject is entitled to not be the object of any decisions based solely on automated processing, such as profiling, which has a legal effect or similar significant effect on them. This does not apply if, for example, the decision is necessary for the making or carrying out of an agreement between the data subject and register controller, or is based on express consent from the data subject.
9.7. Right to be informed of data protection breaches
The data subject is entitled to be informed of any breaches to data protection regarding their personal information.
This right applies when the breach is likely to cause high risk for the rights and freedoms of the individual in the form of identity theft, electronic banking fraud or other criminal activity, for example.
9.8. Right of appeal
If the data subject feels that the GDPR is breached in the processing of their personal information, they are entitled to file an appeal to the monitoring authority, in this case primarily the Data Protection Ombudsman.
9.9. Right to compensation for damages
If a breach of the GDPR causes material or immaterial damage to a person, they are entitled to a compensation from the register controller or processor of the personal information. The register controller or processor of the personal information is exempt from liability if they are able to prove that they in no way are responsible for the event which caused the damage.
9.10 Other rights related to the processing of personal information
Persons in the register are entitled to request the removal of any personal data on them from the register (right to be forgotten). Correspondingly, data subjects have all of the other rights indicated in the GDPR. Relevant requests shall be sent to the controller in writing. If necessary, the controller may ask a person making a request to prove their identity. The controller shall respond to the customer within the time limit set forth in the GDPR (primarily within one month).