Customer register privacy statement
Grano Ltd (hereinafter referred to as ‘Grano’)
Business ID: 2197935-0
Tel. + 358 (0)29 1800 400
2 Contact person for register matters
Tel. +358 29 1800 400
3 Name of the register
Grano customer register
4 Basis and purpose of processing personal data
The processing of personal data is based on Grano’s privileged interest, agreement or other substantive connection. The purpose of the personal data is to take care of, maintain, develop, analyse and keep statistics of customer relationships between Grano and its customers. Furthermore, the data may be used for direct marketing (including newsletter subscriptions), organisation of marketing contests, profiling, distance sales as well as opinion and market surveys by Grano and its allied companies and co-operation partners. The data may also be used for planning and developing Grano’s business operations and services.
5 Data contents of the register
The register contains the following personal data on consumer customers:
• The customer’s basic information: customer number, first and last name, postal address, telephone number, e-mail address
• Customer and order history (e.g. monitoring information for deliveries, information related to invoicing and debt collection)
• Information about personal interests and related to profiling (e.g. Grano products and services relevant to the customer’s interests), segment information and other similar information
• Cookie and usage information
• Customer feedback and contacts
• Direct marketing restrictions and consents.
The register contains the following personal data regarding the decision-makers and contact persons of companies and communities:
• Name, title, company, postal address, e-mail address, telephone number
• Customer history (e.g. contacts, orders, feedback, information related to invoicing and debt collection)
• Interest and profiling data
• Usage data, e.g. information regarding the use of services, such as browsing and search information, cookies
• Customer feedback and contacts
• Direct marketing prohibitions
• Any other data necessary for the purpose of the register.
6 Regular sources of data
The data in the register is collected regularly directly from the customer, consisting of data gathered from the customer’s use of services and the online service or other business conducted with Grano, as well as data gathered from and during making an agreement.
Personal data can also be collected and updated from the population register, the credit information register and other similar public and private registers.
7 Regular disclosures of data and transfer of data outside the EU or the EEA
Grano does not regularly disclose data in the register to external parties. However, data may occasionally be disclosed in accordance with Finnish law.
Grano may transfer a registered person’s personal data to Grano’s direct marketing register after the substantive connection has ended.
In order to carry out its services, Grano utilises co-operation partners operating outside the EU and the EEA. For this reason, usage data and personal data related to using the service is partially transferred to the USA. A sufficient level of data protection in processing the data is ensured by using the European Commission’s standard contractual clauses. A copy of these clauses is available upon request from the contact person specified in Section 2.
8 Principles of protecting the register and storage time of the data
Only employees whose job description entitles them to process customer data are entitled to use the system containing customer data. Each user has a personal username and password for the system. The data is collected into databases that are protected with firewalls, passwords and other technical means. The databases and their back-ups are located in locked facilities, and the data can only be accessed by certain persons designated in advance.
Personal data is stored as long as necessary for its purpose, with storage times prescribed by laws such as the Consumer Protection Act, the Accounting Act and the Prepayment Act taken into consideration.
9 Right of access and the right to have data corrected
The data subject has the right to access and inspect his/her personal data recorded into the register, as well as the right to demand to have data corrected or removed. Requests concerning this matter must be submitted personally or in writing to the contact person mentioned in Section 2.
10 Other rights related to the processing of personal data
The data subject has the right to prohibit the controller from processing his/her data for direct marketing or marketing and opinion surveys. Such a prohibition can be submitted to the contact person mentioned in Section 2 at any time.
In accordance with the General Data Protection Regulation (starting from 25 May 2018), the data subject has the right to object or request restrictions to the processing of his/her personal data, as well as the right to file a complaint regarding the processing of personal data to the supervisory authority.