Updated 13 July 2020
The careful and appropriate processing of your personal data is of primary importance to the Koskisen Group (Koskisen Oy, Koskitukki Oy, Kosava-Kiinteistöt Oy, Koskisen Sp.Zo.o.). We comply with data protection legislation and good data management and processing practices when processing your personal data, and we make sure that your privacy is not compromised.
Processing your personal data allows us to serve you better. We collect and utilise personal data to produce products and services and to develop and offer new services. This allows us to better respond to your needs.
We may periodically change our data protection practices as we develop our services or as legislation changes. You can find the latest version of our data protection practices on this page.
In this Privacy Statement, we describe in greater detail, for instance:
- the kind of data that is collected about our customers and the users of our web services
- the purpose for which the data is used
- how long the data will be stored
- how cookies are used in the service
- how the customer and the user can influence the processing of their data
We recommend reading our Privacy Statement. By using our services, the user agrees to the terms of this Privacy Statement.
When processing our customers’ personal data, we always comply with the basic principles of the General Data Protection Regulation (GDPR):
- personal data must be processed lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
- personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“purpose limitation”)
- personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”)
- personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (“accuracy”)
- personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (“storage limitation”)
- personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”)
For what purposes do we collect personal data?
We collect your personal data to enable us to offer you high-quality and personalised products and services, as well as better customer service. We want to continuously improve quality and develop our operations. Your personal data may be used to develop our products, services, customer service, sales and marketing. Your personal data may be used to offer products and services, to respond to your requests and enquiries, to activate sales and purchase agreements, to process orders and to complete other similar activities.
We also use your personal data for our customer communications. We may, for example, send you bulletins and notifications of a change concerning our products and services. We may use your personal data for product and service marketing and for market research with your permission or when otherwise allowed. We may furthermore use your personal data to target our products and services to you, for example, by recommending or displaying targeted content in our service.
With your consent and to the extent permitted by law, we may also combine the data collected in connection with a certain product and/or service of ours with the data collected in connection with our other products and/or services.
We process data on the following grounds based on data protection legislation:
- Contract: We process the data you provide in order to perform a contractual service or to provide you with a product you have ordered.
- Consent: We may process the data you provide or observed data with your consent or, based on the legitimate interest mentioned below, for marketing measures, among other things. We may also request your consent in a situation where the purposes of the processing would change.
- Legitimate interest: We process your data to manage and develop customer service, to verify customer transactions, to implement services, to develop the business, to prevent and detect abuse and for marketing. We consider these purposes to be essential to our business and thus in line with our legitimate interest.
- Statutory obligation: We may be obligated to store some of your personal data in order to comply with accounting legislation or other compelling legislation. In such cases, the processing of your personal data is based on compliance with a legal obligation.
What data do we collect?
We collect from you only personal data that is necessary for a pre-determined purpose. The purpose defines what kind of data is collected about you and in which situations. As we collect personal data, we tell you what data is required in order to use the service and what data you can consent to give.
Data given by the user or personally identifying information: We collect data given by users, for instance, in order to deliver and invoice an order or service, to manage and develop a customer account, and for marketing and opinion surveys. Without contact or invoicing data, we cannot deliver a product or service that a customer has ordered. We may also collect other user data in order to tailor our content and marketing to better correspond to the customer’s preferences. The following are examples of data given by the user or information that is otherwise personally identifying:
- data related to identifying and authenticating a person, such as name and personal identity code
- contact details, such as name, address, phone number, email address
- sign-in information, such as user IDs, usernames, passwords and other possible unique identifiers required for a digital account
- information concerning the customer relationship, such as invoicing and payment information, product and order information, customer feedback, enquiries and cancellation information
- profiling information and interests given by the user
- permissions and consent
- data about the blocking of content
- data entered in questionnaires and surveys
- data required to fulfil legal obligations
- other information collected with the user’s consent
Data observed through use of the services: We automatically collect data through cookies and similar technology which helps us to understand the number of users our services have, the content and ads that are popular, and how much time users spend looking at content and ads. This data helps us develop our services and our business, tailor content according to users’ probable areas of interest, target advertising and marketing communications and prevent and detect abuse. This data includes, e.g.
- usage and browsing data related to the features of the service
- the website from which the user accesses our website
- the type of device used
- an individual device and/or cookie ID
- the browser and browser version
- the IP address
- the time and duration of the session
- the operating system
- other information collected with the user’s consent
Data derived from use of the services: With the use of analytics, we can determine based on the data observed through the services and/or the data given by the user him-/herself, e.g. the possible areas of interest to the user, and segment the user into a specific group of users. We use the data for statistics and analyses, to develop services and business and to tailor content, advertising and marketing messages.
If we use data for purposes other than what is mentioned above, we make sure that the processing is compatible with the purpose for which the data was originally collected.
How do we collect personal data?
We collect your personal data primarily directly from you, either orally or in writing. Your personal data is collected, e.g., when you become our customer, in connection with the sale and use of products and services, in connection with marketing campaigns or surveys and when you otherwise do business with us. You give us data, e.g. when you request services, participate in surveys or campaigns or answer questions in connection with the services we offer. The data may also be observed or derived from the use of the services. The data may be collected by us or our partners through an assignment.
In addition, we obtain data from registers maintained by authorities, from credit information and customer default registers and other reliable public or private registers, e.g. the Business Information System (YTJ).
We use session cookies and persistent cookies. Session cookies are temporary, i.e. they exist only while you visit the website and are automatically erased when you close your browser. Persistent cookies remain for a certain period of time and are saved on your computer even after the session ends, unless you delete them yourself before then.
Cookies do not harm your device or your files.
You can adjust your cookies, e.g., through your browser settings. More information about cookies is contained in the data protection or instruction documentation of each browser.
How do we process your personal data?
We process your personal data in compliance with the General Data Protection Regulation (GDPR), in a manner that respects your rights and freedoms. We ensure compliance with data protection principles in all stages of personal data processing.
Your data is processed only by employees of the Koskisen Group or its partners who have the right to process personal data. We ensure the data protection awareness and knowledge of personnel through continuous training and up-to-date guidelines.
Your personal data may be processed in several IT systems that are administered by either Koskisen Group or its partners.
We have valid GDPR-compliant contracts in place with our partners. Under these contracts, we have received adequate guarantees from the personal data processors that the personal data processing performed by them fulfils the requirements of the GDPR.
How do we protect your personal data?
In connection with personal data processing, we have put in place appropriate technical and organisational measures for the implementation of data protection principles. Such measures include the use of firewalls, encryption technology, use of secure IT areas, appropriate access control, restricted granting of user rights and monitoring of their use, providing instructions to personnel participating in personal data processing and careful selection of subcontractors.
To whom do we disclose your personal data?
In principle, we do not disclose your personal data.
Koskisen Group may purchase certain personal data processing services from partners. We have chosen as our partners only personal data processors that abide by good personal data processing practices, using appropriate technical and organisational measures, and which fulfil the requirements of the GDPR and are capable of ensuring the exercising of your rights.
A written contract is concluded with all partners, specifying the object, purpose and duration of the personal data processing, as well as the agreed personal data to be processed.
In addition, personal data is disclosed in a manner based on legislation in force at a given time, according to the statutory requirements of the competent authorities or other parties.
Do we disclose your personal data outside the EU or EEA?
In principle, we only process your personal data within the EU or EEA.
If, in certain exceptional cases, we transfer the personal data outside the EU or EEA, we ensure a sufficient level of personal data protection by, among other things, agreeing on matters related to the confidentiality and processing of personal data in the manner prescribed by legislation, for example, using the standard contractual clauses approved by the European Commission, and otherwise so that the processing of personal data takes place in accordance with this Privacy Statement.
How long do we keep your personal data?
The storage periods for personal data are based on legislation and on Koskisen Group’s data protection principles. We retain your data only for as long as is necessary for the purposes stated in this Privacy Statement in accordance with the legislation in effect at the time.
We will store your data for at least as long as the customer relationship lasts. After the customer relationship ends, the storage period depends on the data and its purpose. We may be obligated to store some of the customer’s personal data in order to comply with accounting or other compelling legislation also after the customer relationship ends or other grounds for processing personal data end.
We endeavour to keep the personal data that is in our possession correct and up to date by erasing unnecessary data and by updating obsolete data.
What are my opportunities to influence?
Your rights as our customer
You have the right to access data that concern you, the right to demand that inaccurate or incomplete data are rectified, and the right to have register data that are unnecessary or obsolete in terms of the processing purpose erased.
You also have the right to object to your data being used in direct marketing and market research and in opinion surveys by contacting the controller or by changing the settings in the web service. You can also block advertising that is targeted to you based on your web browsing behaviour. After such blocking, you will be shown the same amount of ads as before, but the advertising will not be targeted based on your areas of interest.
Your right to access data
Under the GDPR, you have the right to receive a copy of the personal data that concerns you. There is no legally prescribed form for presenting this request. If necessary, we may ask you for additional data in order to confirm your identity.
If you present a request concerning a right electronically, we will deliver the data in a commonly used electronic format. In principle, there is no charge for fulfilling requests, but under certain conditions, we may charge administrative costs arising from performing the requested procedure or we may decline to perform the requested procedure.
Under the GDPR, the time limit for replying to a request made by you is one month. This time limit may, if necessary, be extended by no more than two months, taking into account the complexity and number of requests.
Your right to rectification and right to be forgotten
With certain exceptions, the GDPR guarantees you the right to have your data rectified and the right to the erasure of your personal data, i.e. “the right to be forgotten”.
You also have the right to cancel your consent on which the processing is based. In this case, you can present us with a request to erase the data that concerns you from our systems. If there are no other legal grounds for processing the personal data, we will erase it.
If a partner of ours is in possession of your data that is to be rectified or erased, we will request that the partner follow the same procedure.
Your right to data portability from one system to another
Under the GDPR, you have the right to data portability from one system to another. In practice, you have the right to obtain data that concerns you in a commonly used transmission format and deliver it to another controller. The law requires that the processing be based on consent or an agreement, and that the processing be automated.
Your right to object to processing, automatic decision-making and profiling
You have the right to object, on grounds relating to your particular situation, at any time to the processing of personal data that concerns you. This right does not concern public-sector registers, which are kept by law.
You have the right not to be subject to a decision which is based solely on automated processing, such as profiling, and which produces legal effects concerning you or similarly significantly affects you.
You have the right to receive notification of a breach of your personal data
We are required to communicate a personal data breach directly to the data subjects whose data the breach concerns. The right takes effect if the breach is likely to cause a high risk to the rights and freedoms of the individual, for example, in the form of identity theft, fraudulent transactions or other criminal activity.
Who can I contact?
Present any enquiries and requests you have concerning personal data processing first to the controller at the address: email@example.com