1. Scope and purpose of this privacy notice
This Privacy Notice applies to the customers and potential customers, including those visiting the web pages and included in the marketing activities (later “you” or “data subjects”), of Kekkilä-BVB (later “we”), which consists of the companies Kekkilä Oy (Finland), Hasselfors Garden Ab (Sweden) and Kekkilä Eesti Oü (Estonia). The Privacy Notice covers the business related to the products and services that we offer to you.
The purpose of this Privacy Notice is to inform you of what personal data we collect or obtain regarding you, and how this data is used including disclosure, retention and protection of the data. It also explains your rights to control the processing.
We are committed to respecting your privacy and processing your personal data according to the European Union’s General Data Protection Regulation (2016/679) (later “GDPR”) and other applicable privacy laws and regulations.
Personal data is information that directly or indirectly reveals your identity, such as a name, identification number, address and Internet Protocol (IP) address (later “personal data”). The definitions of the data privacy terms set out in Article 4 of the GDPR shall apply for this Privacy Notice.
2. Contact information, Controller
Kekkilä-BVB is the controller of the personal data described in this notice. Kekkilä-BVB consists of the following three companies: Kekkilä Oy, Hasselfors Garden Ab (Sweden) and Kekkilä Eesti Oü (Estonia).
Kekkilä-BVB is a part of Vapo Group and has a shared data privacy governance with the Vapo Group. Vapo Group operates in Finland, Sweden and Estonia. It focuses on growing and recycling, the production of solid fuels, heating, electricity and steam as well as the provision of various energy solutions.
If you have any questions related to this Privacy Notice or data privacy in general concerning the companies in the Kekkilä-BVB, you can contact us at:
Data Privacy Officer (DPO) of the Vapo Group: Teijo Liimatainen, phone: +358 (0) 20 7905782
3. Purposes of processing of personal data
We process your personal data only for legitimate business purposes and to fulfil our legal obligations. The processing purposes include:
- Customer sales and services
  - Sales processing such as order/purchase, delivery, invoicing, debt collection, credit limit check
  - Warranties, quality assurance, reclamation, feedback, inquiries and other communications with you
  - Providing and maintaining the web shop services
- Customer relationships management
  - Communications & PR (e.g. delivering annual report or company news)
- Marketing including tracking technologies and personalized offers
  - Various customer and potential customer marketing activities (including direct marketing) in different media (mail, phone calls, email, web pages, social media and online chat)
  - Opinion and market research
  - Promotional events and competitions
  - Tracking of service usage and web page behaviour for market analysis, research, personalised services and targeted marketing
- Internal development of the business
  - Product and service analysis, statistics and development
  - Tracking of service usage and user behaviour on web pages for the purpose of service development and optimisation
  - Internal training
- Information security
  - Ensuring the security of our IT environments
- Protection of our legal rights e.g. to be able to defend a claim or solve a dispute
In addition, personal data is processed to fulfil legal obligations set out in laws and regulations such as fraud prevention.
4. Legal basis for processing of the personal data
When you order/purchase a product or service a contractual relationship is formed between us. This contractual relationship is the legal basis for processing your personal data for sales and related services.
We need your consent for certain types of processing such as processing of sensitive personal data, electronic direct marketing and automated decision making having a significant impact on you.
You can withdraw any consent you have given and end the further processing of the personal data processed with your consent at any time by contacting us (see Contact information, Controller and Rights of the data subject).
4.3 Legitimate interest
The legal basis for customer relationships management, marketing, internal development, ensuring the security/safety of our data and property and protecting our legal rights is mainly our legitimate (business) interests. We want to offer better and safer services to you by developing our operations.
The other legal bases listed here apply in specific cases e.g. we ask for your consent for direct marketing and we perform security operations on your personal data due to legal obligations.
4.4 Legal obligations
Personal data is processed to fulfil legal obligations such as fraud prevention and implementing an appropriate level of data security to ensure modern and efficient protection of your personal data.
5. The personal data processed and the sources
We collect personal data from various sources:
- You are the most important source of personal data. You provide personal data when ordering/purchasing our products or services, participating in our promotional events, games or opinion/marketing research, visiting us, contacting us or communicating with us
- We collect and update contact information (e.g. address, phone number) from third party public sources such as Fonecta Enterprise Solutions Oy and Yritystietojärjestelmä (YTJ, Finland) (business customers’ contact information)
- We also receive personal data from third parties such as credit rating companies (credit limit), partners (sales orders for our products and services) and marketing information providers (contact and identity information of potential customers interested in us)
|Categories of personal data|Examples of personal data|
|Contact and identity information|name, address, phone numbers, email address, personal identity code, date of birth, language, title, position, name of a private trade, business id, country/nationality|
|Customer identification and relations data|Customer id, orders/purchases, invoice/payment details|
|Communications data including recordings|Feedback, reclamation, inquiries, customer service recordings (chat messages and customer service phone calls)|
|Financial data|Payments, credit ratings|
|Consent and objection to processing of personal data|Marketing permissions|
|Additional information collected for specific events|Additional voluntary information provided to a specific event such as dietary information or need for services for people with disabilities|
|Additional information provided|Customer wishes and preferences|
We do not intend to process your sensitive personal data (such as health data), but you may submit such data voluntarily when you communicate with us, and thus the data is processed with your consent.
When you order/purchase our products and services or otherwise enter into a contract with us, we need your personal data to fulfil the contract and our legal obligations. When we collect the data, we will inform you which personal data you are required to provide.
6. Retention periods
We retain your personal data as long as necessary for the purposes presented in this Privacy Notice, unless a longer retention time is required in the legislation.
When the personal data are no longer needed for the purpose they were collected for, the data are first passivated and their processing is limited (e.g. for legal purposes only). Later, the data are removed or rendered anonymous within a reasonable time. The length of the retention period depends on the purposes of the processing.
Sales and contract related data are stored at least 10 years after the sale due to legal obligations. Other customer data is stored at least 3 years after the last registered customer activity (product/service order, delivery) to ensure that reclamations and warranties can be processed properly.
Marketing and communications purposes
Newsletter subscription data is removed from the newsletter service when the newsletter is cancelled.
Personal data of potential customers are removed within a year after they have been collected for a specific marketing activity.
Processing of personal data for other marketing purposes ends at the latest 3 years after the last activity (the customer record is passivated).
Electronic identification and web page tracking purposes
7. Data transfers and recipients
We transfer personal data within the companies of the Kekkilä-BVB and Vapo Group if necessary for the purposes presented in this Privacy Notice.
We also transfer personal data to our partners and service providers in the following categories:
|Categories of recipients|
|Financial service providers|
|Accounting service providers|
|IT service providers|
|Service or product delivery (recycling, gardening, logistics), customer service and quality assurance|
|Marketing, communications & PR service providers|
We may also disclose personal data due to a legal obligation related to e.g. security, safety and protection of legal rights.
If we are involved in a merger, sale, joint venture, acquisition or similar arrangement, we may transfer personal data to the parties involved. We will inform of any significant changes in the level of privacy.
7.1 Personal data transfer(s) outside EU/EEA
If your personal data are transferred outside the European Union (EU) / European Economic Area (EEA), we ensure that the transfer is performed using the necessary safeguards (such as contract model clauses), which ensure that your data continues to be protected according to the GDPR.
8. Rights of the data subject
Data subjects, i.e. those whose personal data we process, have the rights stated in the GDPR to make the requests presented here. We may request additional information if necessary to confirm the identity of the requestor. We will answer the request at the latest one month after the requestor has been identified and we have received enough information to fulfil the request.
8.1 Right to access and rectification
You have the right to request us to inform you what personal data we process concerning you (or that no data is processed), and request us to correct your personal data that are incorrect or incomplete (or outdated).
8.2 Right to erasure (‘right to be forgotten’) and right to restriction of processing
You have the right to request us to erase (or render anonymous) or restrict the processing of personal data concerning you that we process. We will comply with your request unless we have a legitimate ground not to delete the data, in which case you will be informed.
8.3 Right to object to processing
You have the right to object to the use of all or some of your personal data for selected purposes. We will comply with your request unless we have a legitimate ground to continue the processing (e.g. legal obligation), in which case you will be informed.
8.4 Right to data portability
You have the right to receive the personal data concerning you that you have provided in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller if the processing is based on consent or on a contract, and the processing is carried out by automated means.
8.5 Right to withdraw consent
If you have given your consent to certain processing, you have the right to withdraw your consent at any time regarding further processing of your personal data.
8.6 How to use these rights
You can use these rights by contacting us using the contact information found at the beginning of this Privacy Notice. The requests must be submitted in writing and include enough information to confirm your identity. We may request additional information if necessary.
We will inform the recipients of your personal data if you have requested the data to be rectified, erased or restricted, unless this proves impossible or involves disproportionate effort.
We have the right to refuse to act on requests that are manifestly unfounded (obviously unjustified) or excessive, in particular because of their repetitive character, or charge a reasonable fee based on the costs to fulfil the request.
8.7 Right to lodge a complaint with a supervisory authority
You have the right to complain to the competent supervisory authority if you believe your personal data has been processed incorrectly. Contact information:
Data Protection Ombudsman
Address: Ratapihantie 9, 6th floor, 00520 Helsinki
Phone: +358 29 56 66700
9. Security measures
We process personal data in accordance with applicable data protection laws and regulations, and ensure the compliance of the service providers (processors) with contractual measures (data processing agreements).
We have implemented modern technical and organizational security measures to protect personal data from unauthorised access or transfer and accidental or illegal destruction, loss or alteration. The information security and data protection of our systems and environments that contain personal data are managed appropriately as a whole. We ensure the security of the stored data, access rights and processing of the confidential and sensitive personal data.
Access to personal data is limited to those that need it for performing their job. Access is based on roles and the tasks and functions connected to that role. All persons processing personal data are required to treat the data as confidential. The users of the IT environment are identified and access to the systems is secured and limited by user rights. Access to the physical location is also based on individual access rights and access keys.
10. Changes to this Privacy Notice
We modify and update this Privacy Notice whenever necessary due to e.g. changes in the sales or marketing processes, service providers or laws and regulations. The change history is found in connection with the Privacy Notice. Significant changes can also be provided with a separate notice (e.g. email).
11. Version history
Version 1.0 – 24.5.2018
Version 1.1 – 22.1.2019