18.5.2018 | Updated 24.3.2023
Lappset Group Ltd's Privacy Statement regarding its customer and marketing register
Controller
Lappset Group Ltd
PL 8146, 96101 Rovaniemi
+358 20 775 0100 (switchboard)
(hereinafter “We” or “Lappset”).
Contact person in register-related matters
Eveliina Salmivuori
Lappset Group Ltd
PL 8146, FI-96101 Rovaniemi
+358 20 775 0100 (switchboard)
Name of the register
Lappset Group Ltd’s customer and marketing register
What is the legal basis for the processing of personal data and its purpose?
Lappset processes personal data of its customers for the following purposes and on the following legal bases:
What types of data do we process? | For what purpose do we process your personal data? | What is the legal basis for processing? |
|---|---|---|
Data subject’s basic information, such as name customer number, username and/or other individual identifier and password; Data subject’s contact details, such as an e-mail address, telephone number, street address; Information on companies and their contact persons, such as business identity code, names and contact details of contact persons, title, degree, customer segment, website, country, IP address, positioning data indicating company location; | Deliver and develop our products and services. Fulfil contracts and other service pledges and obligations. Engage in electronic direct marketing (including electronic surveys). Managing our customer relationships, including organizing events, sending out customer satisfaction surveys. | Legitimate interest related to customer relationships or other relevant context. Fulfilment of contract. Consent (private persons, (GDPR 6(1)(a) art.) or legitimate interest (companies). Legitimate interest related to customer relationships or other relevant context. |
Consents and prohibitions on direct marketing | Engage in electronic direct marketing (including electronic surveys). | Consent (private persons, (GDPR 6(1)(a) art.) or legitimate interest (companies). |
Personal data collected in connection with events, such as event registration, special diet, billing information. | Organise events. | Legitimate interest related to customer relationships or other relevant context. Consent (GDPR 6(1)(a) art.) |
Information relating to the customer relationships and contracts, such as information on past and existing contracts and orders, other transaction data, such as usage history of Lappset’s website, browser information, IP address, customer portal log data. | Fulfil contracts and other service pledges. Manage customer relationships. | Fulfilment of contract. Legitimate interest related to customer relationships or other relevant context. |
Information about the technical connection and the terminal device you are using, such as IP address, device ID or other identifying information, such as age and consumption habits, and other similar information collected through cookies. | Analyse the behavior, target marketing efforts in Lappset’s own online services and those of others. We use cookies to identify data subjects’ preferences and online behaviour, age and consumer patterns. We use this information to target marketing efforts and develop the services. | Consent (GDPR 6(1)(a) art.) |
Where do We gather the information from?
The primary sources of information are the data subjects themselves (for example website forms, chatbot discussions, etc.), the population register, the authorities, credit card companies, contact detail providers and other equivalent reliable parties. Additionally, personal data may also be collected and updated for the purposes indicated in this privacy statement from other public sources and government agencies or other third parties in compliance with the applicable legislation. The data is updated manually or automatically.
Are you being profiled?
We do not engage in automated profiling or make decisions based on solely on automated processing.
Who do we disclose the data to and do we transfer the data to outside the EU or EEA?
We do not disclose the data to third parties. We engage several subcontractors in processing personal data. We have outsourced IT management to an external service provider. The personal data is stored on the server managed and protected by said service provider.
We transfer personal data to a limited extend outside the EU/EEA to our network of subsidiaries and/or distributors in the United States, China, Hong Kong, Canada, Australia, Iraq, Israel, Kuwait, Arab Emirates, Qatar, Singapore, South Korea, Taiwan, Thailand, Turkey and Ukraine. We have drawn up written contracts with these subcontractors using standard contractual clauses approved by the European Commission. The standard contractual clauses can be found here.
How do We protect the data and how long will we retain it?
Access to the system containing personal data is limited to the employees entitled to process such data in the course of their work duties. Each user has a unique username and password to access the system. The data is saved in databases protected by firewalls, passwords and other technical means. The databases and back-up copies are located in locked premises and can only be accessed by predesignated individuals.
We retain personal data for as long as necessary for the intended purpose or as required by law. The personal data collected by the SharpSpring™ automated marketing system is retained for 18 weeks, after which the data is automatically erased unless the data subject is active on our website.
The personal data needed for individual events gathered by the Lyyti Event Management System is retained for 12 months after the event unless a data subject requests the erasure or his or her data. The data in the Lyyti Event Management System is anonymized when 12 months have elapsed from the event, after which such personal data can no longer be retrieved.
We assess the need for the retention of the data regularly with due regard to legal requirements. Additionally, we take other reasonable measures to ensure that the register does not contain any information on data subjects that is inconsistent with the purposes of processing or outdated or incorrect. We correct or destroy all such data promptly.
What are your rights as a data subject?
You always have the right to:
To have access to personal data concerning you in the register.
Request the correction of inaccurate personal data about you.
File a complaint with the competent supervisory authority.
Additionally, depending on the situation, you have the following rights:
When the processing of personal data is based on your consent (GDPR 6(1)(a) art.) | You have the right to withdraw your consent at any time. The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal. |
You have withdrawn your consent, or if (GDPR 17 art.) are met | You have the right to have your personal data erased. |
You have contested the accuracy of personal data, or if any other of the conditions to use the right to restriction of processing (art. 18 GDPR) are met | You have the right to have the processing of your personal data restricted e.g., while your requests related to your personal data are investigated and resolved. |
When the processing is based on your consent or a contract and where the processing is carried out by automated means | You have the right to transmit your data to system maintained by another controller if it is technically feasible and as far as your request concerns information provided to us by yourself |
When the processing is based on our legitimate interest (art. 6(1)(f) GDPR) or if the data is processed for direct marketing purposes. | You have the right to object to processing of your personal data on grounds relating to your particular situation. In addition, you always have the right to object to the processing of your data for direct marketing purposes. |
How to use your rights:
All requests, denials and withdrawals mentioned above can be made in writing to the contact person identified in section “Contact person in register-related matters” or to address privacy@lappset.com. Include your name and contact details in the request. To ensure data protection, you will be required to prove your identity when asked to do so.
We will respond to requests and enquiries about the exercise of data subjects’ rights within one month.
Who can you contact?
All the communications and requests related to this Privacy Statement should be addressed in writing to the designated contacts person identified in section “Contact person in register-related matters” above to privacy@lappset.com
Changes to this Privacy Statement
If We make any changes to this Privacy Statement, We will indicate them in an updated statement. If the changes are significant, we will also communicate the changes in other ways, such as by e-mail or by posting a notice on our website. It is advisable to check our website regularly for any changes.