Privacy policy
This is the register and data protection statement of LappiArt.fi, compliant with the EU General Data Protection Regulation (GDPR). The data protection statement is based on the EU Data Protection Regulation (GDPR, The General Data Protection Regulation, 2016/679), which governs the rights of EU citizens regarding data protection and the confidential handling of personal data.
Prepared on 06/06/2022. Last modified on 05/19/2022.
Data controller
Janneli Oy
Aku Rädyn tie 4
74700 Kiuruvesi
+358405912195
FI33301846
Contact person responsible for the register
Jaana Kurkkio
Phone: +358 40 591 2195
Name of the register and registered individuals
Customer and marketing register of the LappiArt.fi online store.
We process the personal data of our customers, potential customers, and their representatives in the register.
Legal basis and purpose of processing personal data
The data collected in the register is used for managing customer relationships, customer communication, and producing and improving the services offered by the LappiArt.fi website. The aim is to target communications so that the registered person receives relevant messages. The data is also used for marketing purposes.
Our legal basis for processing is legitimate interest for marketing purposes (GDPR 2016/679, Article 6, Section F) and a contract between the supplier and the customer for managing customer relationships (GDPR 2016/679, Article 6, Section B).
LappiArt may send email marketing to customers who have placed an order, but the customer has the option to unsubscribe from the emails. Unsubscribing instructions are provided with each marketing message, and it can also be done by contacting LappiArt.fi customer service (asiakaspalvelu@lappiart.fi).
Content of the register
The register may include the customer's name, phone number, email address, street address, and other information provided by the registered individual.
The following information may be recorded about the registered individual:
- Person's name and title
- Person's email address
- Company name
- Contact details
- Information related to managing the customer relationship and communication
- Contract-related information, such as purchased products and services
- Information related to online behavior on websites and services
- Any other information collected with the explicit consent of the customer
- Information related to marketing and sales promotion, such as marketing activities directed at the registered individual and participation in them (e.g., newsletters and competitions)
The IP addresses of website visitors and cookies necessary for the functioning of the service are processed based on legitimate interest, for example, to ensure information security and collect statistical data on website visitors in cases where they can be considered personal data. Consent for third-party cookies is requested separately if necessary.
Regular data sources
The information stored in the register is obtained from the customer through, for example, online store orders, messages sent via web forms, emails, phone calls, social media services, contracts, customer meetings, and other situations where the customer provides their information.
Contact details of company representatives and other organizations can also be collected from public sources such as websites, directory services, and other companies.
Regular data disclosures and data transfers outside the EU or EEA
Data is not disclosed to third parties for marketing purposes. The company's own services are produced on servers located in Finland. Service providers that may have access to personal data from outside the EU/EEA, such as the United States, may be used for processing personal data. The company ensures that transfers are carried out in accordance with relevant laws on personal data.
Personal data is transferred outside the EU/EEA only based on one of the lawful grounds mentioned below:
- The European Commission has decided that the receiving country ensures an adequate level of data protection.
- Appropriate safeguards have been implemented for the transfer of your personal data using standard data protection clauses approved by the European Commission. In this case, you have the right to obtain a copy of these standard clauses by contacting us.
- You have given explicit consent to the transfer of your personal data.
- There is another lawful basis for transferring your personal data outside the EU/EEA, such as the Privacy Shield arrangement approved by the European Commission for the United States.
Principles of register protection
Due care is exercised in the processing of the register, and data processed via information systems is appropriately protected. When register data is stored on Internet servers, the physical and digital security of the equipment is properly taken care of. The data controller ensures that stored data, server access rights, and other information critical to the security of personal data are treated confidentially and only by employees whose job description includes it.
Right to inspect and request for data correction
Every person in the register has the right to inspect the data stored about them and request the correction of any incorrect information or the completion of incomplete information. If a person wants to inspect the data stored about them or request correction, the request must be sent in writing to the data controller. The data controller may, if necessary, ask the requester to prove their identity. The data controller responds to the customer within the time stipulated by the EU Data Protection Regulation (generally within a month).
Other rights related to the processing of personal data
A person in the register has the right to request the deletion of their personal data from the register ("right to be forgotten"). Similarly, the registered person has other rights under the EU General Data Protection Regulation, such as restricting the processing of personal data in certain situations. Requests must be sent in writing to the data controller. The data controller may, if necessary, ask the requester to prove their identity. The data controller responds to the customer within the time stipulated by the EU data protection regulation (generally within a month).