Innoflame Oy as a controller – consumer customers
Data protection in general
Data protection in Innoflame Oy’s operations:
- Our customers’ privacy is very important to our business. We are committed to protecting the privacy of personal data and processing it appropriately and with a high standard of quality in all processing situations. We regularly work on both data protection and information security and enhance our operations to improve in these areas.
- The privacy statements are available to everyone on our website and, if necessary, we will send the information to the data subject upon request. The data protection documentation may be updated if necessary, and we will announce changes on the website. The privacy statement shows the date when it was last updated.
- We actively follow the data protection practices in our field and ensure a high standard of data protection competence among our personnel. Competences are considered according to each person’s role – if a person’s job requires them to process significant amounts of personal data, they must have a high level of competence.
Processing personal data:
- We have analysed the processing of personal data and the related processes in our operations. We have prepared an internal description of processing activities within the organisation. For data processing based on a legitimate interest, we have prepared a balance test to ensure that the legitimate interest is appropriate. We take a risk-based approach to processing personal data, and we regularly assess the threats and risks of processing personal data. We have conducted impact assessments if we have identified a high risk to the data subject due to the processing.
- We do not process or retain personal data unnecessarily, and we erase all unnecessary data. Only a limited number of personnel process personal data, and the data can only be accessed by personnel whose job description requires them to process it. We use roles to limit the processing of personal data in different systems. This means that we only use the personal data that is necessary at the given time.
- We process personal data in accordance with data protection principles, which we employ on a practical level in our operations. We have trained our personnel to act in accordance with the principles.
Information security
- In addition to the processes related to processing personal data, we have paid attention to technical solutions to ensure that we only use secure technologies.
- We require all our subcontractors and contractual partners to meet our quality requirements.
- We ensure that firewall and antivirus solutions are up to date on all of our devices.
- We have implemented multi-factor login.
- Our personnel are trained, and we use reliable, up-to-date systems and equipment.
- We engage in continuous research and development work to ensure that information security is up to date.
Innoflame Oy’s role
- Innoflame can act as both a controller and a processor of personal data.
Controller’s details:
Innoflame Oy (Business ID: 1055712-8)
Kornetintie 3
00380 Helsinki, Finland
Tel: +358 20 7433 601
Contact address for data protection matters: tietosuoja@innoflame.fi
Innoflame Oy acts as the controller for consumer customers who order from stores maintained by Innoflame Oy.
Why do we collect data and what is our basis for processing it?
- We only collect and process personal data that is necessary to maintain a customer relationship or to provide our services and products.
- Personal data is processed on various legal bases. The table below shows the legal bases.
- For data processing based on a legitimate interest, we have prepared a balance test to ensure that the legitimate interest is appropriate.
Where do we collect personal data?
- Personal data is collected from the data subject. The data subject provides the necessary information when placing an order.
- The data is only retained for as long as is necessary to meet the need for the intended purpose. The data retention periods are affected by business needs and statutory obligations.
Personal data retention periods and legal bases:
| Purpose of processing | Legal basis | Retention periods |
|---|---|---|
| Delivering orders from the online store | Agreement | Order information is retained for one year |
| Customer relationship management | Agreement, legitimate interest | Term of the agreement + 5 years |
What information do we collect?
- First and last name
- Contact details (address, telephone number, email address, country)
- Authentication data, identification data and electronic communication identification data related to the use of services
- Consent to marketing communications
- Invoicing information
- Selected payment method, identification details of payment instruments, and purchase details
- Contact related to the customer account
- Direct marketing permits and prohibitions and information related to the targeting of marketing
- User analysis data
- Change and log data relating to the data identified above
How do we handle data transfers and disclosures?
- We only disclose information within the limits permitted and required by the applicable legislation. In the event of an acquisition or merger, the acquiring party may have access to customer data.
- We may use third parties as processors of personal data. We have drawn up an agreement on the processing of personal data with each processor.
- Data will not be transferred outside the European Union or the European Economic Area unless there is an immediate need for the transfer, for example due to the technical implementation of the service. In this case, as the controller, we ensure the standard of data protection required by legislation and ensure a high standard of data protection through agreements. For transfers outside the EU or EEA, an appropriate transfer mechanism is always ensured.
How can I exercise my rights as a data subject?
- The exercise of the data subject’s rights depends on the legal basis on which personal data are processed at any given time. Personal data that is necessary for the purposes specified in this statement or whose retention is required by law cannot be erased.
- You can exercise your rights by filling in a subject access request or a rectification request on our website.
What do the data subject’s rights mean?
You have the right to:
- Receive information on the processing of personal data
- Access your data
- Adjust or rectify your data
- Request the erasure of data (right to be forgotten)
- Restrict the processing of data
- Object to the processing of data
- Transfer the data from one system to another
- Avoid being subjected to automated decision-making
Key rights of the data subject in accordance with the legal basis:
| Legal basis | Right of access | Right of rectification | Right of erasure | Restriction and objection |
|---|---|---|---|---|
| Agreement | x | x | x | x |
| Consent | x | x | x | x |
| Statutory | x | x | – | x |
| Legitimate interest | x | x | x | x |
- If you feel that the processing of your personal data is not appropriate, you have the right to contact the Data Protection Ombudsman. You can find the contact details of the Data Protection Ombudsman on the Data Protection Ombudsman’s website: https://tietosuoja.fi/en/contact-information.