This privacy statement describes how personal data is processed at Termex-Eriste Oy and its subsidiary Vintit Kuntoon Oy. The data protection statement applies to the website of the controller and its subsidiary, the delivery of products and services, customer relationship management and marketing. This privacy statement also applies to subcontracting and other stakeholder cooperation. This privacy statement applies to the processing of personal data of business customers in addition to consumer customers.
We comply with applicable data protection legislation when processing personal data. Data protection legislation refers to valid data protection legislation, such as the European Union’s General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (December 5, 2018/1050). The terms related to data protection, which are not defined in this data protection statement, are interpreted in accordance with data protection legislation. Personal data refers to all data concerning natural persons (“data subject”) from which the person can be directly or indirectly identified, as defined in more detail in the data protection regulation. Information from which the registered person cannot be directly or indirectly identified is not personal information.
2. Controllers and contact information
Depending on the processing situation, the subsidiary Vintit Kuntoon Oy can also act as a data controller.
Controller: Termex-Eriste Oy
Business ID: 0711231-2
Address: Ilolantie 14, 43100 SAARIJÄRVI, Finland
Phone: +358 207 809 880
Subsidiary: Vintit Kuntoon Oy
Business ID: 2275894-7
Address: Ilolantie 14, 43100 SAARIJÄRVI, Finland
Phone: +358 207 809 880
Data subjects subject to personal data processing:
- Representatives of customer companies and consumer customers
- Persons who submitted a contact request
- Potential customers (consumer customers and business customer representatives)
- Suppliers, service providers, other partners and their representatives
- Website visitors and users of other electronic services
4. Purposes and legal bases of personal data processing
We only process personal data that is necessary for each purpose of use. The main uses are described below:
- Delivering products and services and concluding customer contracts as well as handling orders and ensuring business transactions.
- Customer service and communication as well as customer satisfaction surveys and raffles.
- Invoicing, credit decisions and debt collection.
- Marketing (including market research), other marketing promotion and organization of events, references in marketing, analyses and production of statistics, and measuring the effectiveness of marketing.
- Direct marketing, including electronic direct marketing and telemarketing, planning and measuring the effectiveness of advertising and marketing, and combining and updating personal data for direct marketing purposes.
- Managing stakeholder relations and subcontracting and cooperation with service providers.
- Improving the user experience of our website and other services and monitoring user traffic and targeting marketing based on cookies and similar tracking technologies.
- Carrying out statutory obligations (for example accounting and tax legislation).
- Internal and group reporting and other administrative measures and business planning as well as personnel and stakeholder training.
- Dealing with warranty and fault liability matters, handling complaints and dealing with legal and official procedures.
- Preventing and investigating abuses, ensuring information security and the safety of people and property, as well as occupational safety.
- When we process personal data in order to deliver products and services and conclude customer contracts and to handle orders and related obligations, the legal basis for processing personal data is a contractual relationship or its preparation.
- The legal basis for processing personal data can also be the legitimate interests of the controller or a third party. Legitimate interests include, for example, customer relationship management, customer communication and processing of personal data related to marketing (including direct marketing) and processing of personal data related to, for example, reporting, business development and training, and handling claims and legal processes. When we process personal data based on a legitimate interest, we weigh the benefits and possible harms of the processing to the data subject and assess that the rights and interests of the data subjects do not override the legitimate interest. Upon request, we provide additional information regarding the processing of personal data related to the legitimate interest.
- When we process personal data to comply with the requirements of legislation, the legal basis for the processing is primarily compliance with a statutory obligation.
- The processing of personal data necessary for sending newsletters and other electronic direct marketing is based on the consent of the data subject in accordance with the requirements of the law.
5. Processed personal data and data sources
- Identification and contact information, such as the name and contact information of the customer or the customer’s representative
- Information about products and services and their orders, such as information about processed orders, delivery times and information related to contracts, financing and customer communication, as well as complaints.
- Information related to marketing (including direct marketing) and events, as well as consents and prohibitions given by the data subject. For example, the contact information of customers and potential customers for marketing purposes. Information collected in connection with events and occasions, as well as materials on the website and subscription to the newsletter. Consents and prohibitions regarding direct marketing.
- Information regarding the use of websites and other electronic services (IP address, device, browser and operating system information and registration information).
Personal information is necessary, for example, to deliver orders and provide services, manage customer relationships, communication and sales, organize events and meet legal obligations. Providing information collected through cookies is voluntary insofar as it concerns cookies other than necessary ones.
We collect personal data, for example, when you do business with us, buy or order our products or services either yourself or on behalf of the organization you represent, or when you visit our website or our other electronic services, order our newsletter or other materials available on our website, respond to a customer satisfaction survey or otherwise communicate with us.
We also receive personal data from other external sources, such as registers maintained by authorities and, for direct marketing purposes, also from private register services.
Personal data can also be received from Vintit Kuntoon Oy or from our contractual partners, such as authorized Termex insulation service companies.
6. Retention of personal data
We keep personal data for as long as is necessary to fulfill the purposes defined in the data protection statement, however at least for the time required by legislation (for example, responsibilities and obligations related to accounting obligations or reporting obligations), or for the purpose of settling a lawsuit or a similar disagreement situation. When personal data are no longer needed for the purposes for which they were collected or for which they were otherwise processed, the personal data will be deleted or made anonymous within a reasonable time, no later than 10 years after the last customer contact.
Personal data obtained from external registry services is stored in accordance with the agreement with the party that provided the personal data.
Deviating from the general rules described above, personal data can be stored for the necessary time, if they are needed, for example, in connection with the investigation of a complaint or a similar matter or in connection with a trial.
Upon request, we will provide more information on personal data retention periods and retention criteria.
7. Recipients of personal data
Personal data may be disclosed, combined or otherwise processed between companies belonging to the same group as the controller or in a contractual relationship related to the supply of thermal insulation, such as authorized Termex insulation companies, in accordance with the requirements of data protection legislation for the purposes described in this data protection statement.
Various service providers and other third parties may also be used in the processing of personal data, such as providers of technical solutions or server space or accounting, collection and financial administration service providers. Group companies can also process personal data on behalf of another group company.
We take care of the agreements required by data protection legislation with the entities we use in processing personal data.
Personal data can be handed over to third parties in situations required by legislation or authorities, or to investigate abuses and ensure security. In addition, personal data may have to be disclosed in connection with legal proceedings or similar legal proceedings.
If the controller or its subsidiary is involved in a merger, business transaction or other business arrangement, personal data may be disclosed to other parties to the arrangement or to entities assisting in the arrangement.
Upon request, we provide additional information about recipients of personal data.
8. Joint data controller Vintit Kuntoon Oy
Vintit Kuntoon Oy, which belongs to the same group as Termex-Eriste Oy, can act as a joint data controller within the meaning of data protection legislation when processing personal data for joint purposes. As joint controllers, they decide together how and for what purposes personal data is processed.
The companies of the group have agreed that Termex-Eriste Oy is responsible for handling all the obligations set for the joint data controller in the data protection legislation, and the data subjects can contact Termex-Eriste Oy for questions related to the joint data controller.
9. Joint data controller in relation to META’s services
When we maintain META BUSINESS company pages (Facebook and Instagram), META and the data controller according to this data protection statement are joint data controllers within the meaning of the data protection legislation, as far as the personal data of the visitors of that META page is concerned.
You can find more information about the processing of personal data by META and the website administrator and the division of responsibilities between the joint data controllers in META’s addendum regarding data controllers and also here.
10. User tracking
If you don’t want to be tracked, you can clear your browser’s cache. For more information on how Leadoo works, see https://leadoo.com/privacy-policy-processor/
11. Transfer of personal data outside the European Economic Area
As a rule, we process personal data within the European Economic Area (“EEA”), but it can also be processed outside the EEA. If personal data is transferred outside the EEA, we ensure that the transfer of personal data complies with the law with a suitable protection mechanism, such as using the European Commission’s model contract clauses.
Upon request, we will provide additional information regarding the transfer of personal data and the protection mechanisms used.
12. Protection of personal data
The data is stored on appropriately protected servers, whose technical data security is managed in several different ways. Access to personal data is managed, for example, with role-based access rights management. Any manual material is stored in a locked space to which only authorised persons have access. Entities processing personal data have a duty of confidentiality regarding matters related to the processing of personal data.
13. Automatic decision-making and profiling
We do not use the data for automatic decision-making or profiling that would have legal or similar effects on the data subject.
14. Rights of the data subject
The data subject has the following rights according to data protection legislation. However, the application of rights in each individual situation depends on the purpose and situation of use of personal data.
- The right to access information (right to inspect). The data subject has the right to receive confirmation as to whether their personal data is being processed, as well as other information on the processing of personal data in accordance with data protection legislation. The data subject has the right to access the personal data and receive a copy of the personal data.
- The right to rectification of personal data. Subject to certain restrictions, the data subject has the right to demand the correction or deletion of incorrect or inaccurate information.
- The right to delete personal data (the right to be forgotten). In accordance with the requirements of data protection legislation, the data subject has the right to demand the deletion of personal data. Upon request, we will delete personal data, unless the legislation requires us to keep it, or some other exceptional basis according to data protection legislation applies.
- The right to restrict processing. In accordance with the requirements of the data protection legislation, the data subject has the right to request the restriction of the processing of personal data in certain situations.
- The right to transfer data. The data subject has the right to demand the transfer of personal data to another controller. The right to transfer applies in principle to personal data that the data subject has provided to the controller in a structured and machine-readable format, whose processing is based on the consent or agreement of the data subject, and whose processing is carried out automatically.
- The right to object to processing. The data subject has the right, in accordance with the requirements of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We can refuse the request if the processing is necessary to fulfill the compelling and legitimate interests of the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and profiling related to direct marketing.
- The right to withdraw consent. If the processing of personal data is based on the consent given by the data subject, the data subject has the right to withdraw that consent. Withdrawal of consent has no effect on the processing carried out before it.
15. Exercising rights
Requests regarding the rights of data subjects are made in writing or electronically to the controller (see section 2). Identity is checked before providing information, which is why we may have to ask for additional information. If the data subject’s request cannot be agreed to, the data subject will be informed of the refusal in writing.
16. The right to file a complaint with the supervisory authority
We hope that you will contact us if you have any questions regarding the processing of your personal data.
The data subject has the right to file a complaint with the competent data protection authority, if the data subject considers that his personal data has been processed in violation of data protection legislation.
You can find the contact information of the Finnish Data Protection Authority here.
17. Changes to the privacy statement
This Privacy Statement was published on 17 December 2022.