Data Protection and Registry Statement
Premium Slavic Hair CUSTOMER REGISTER PRIVACY STATEMENT
1 Registrar
The registry’s controller is Premium Slavic Hair (business ID 3304510-9) The contact person for registry matters is: Nina Melanen, entrepreneur, Premium Slavic Hair Address: Haarakuja 8B 02320 Espoo, Finland Phone: +358-445133210 Email: info@premiumslavichair.fi
2 Register name is Premium Slavic Hair customer register.
3 Purpose of personal data processing
Personal data is processed for purposes related to managing, maintaining and developing customer relationships, providing and delivering services, and developing and invoicing services. Personal data is also processed for the purposes necessary to investigate possible complaints and other requirements/reclamatons. In addition, personal data is processed for communications aimed at customers, such as for information and news purposes, as well as in marketing, as part of which personal data is also processed for purposes related to direct marketing and electronic direct marketing. The customer has the right to refuse direct marketing aimed at her/him. The data controller processes the data herself .
4 Legal grounds for processing
The legal bases for the processing of personal data is in line with the following articles/principles of the EU General Data Protection Regulation (hereinafter also “GDPR”):
the data subject has given his consent to the processing of his personal data for one or more specific purposes (GDPR 6 art. 1.a); the processing is necessary for the implementation of an agreement to which the data subject is a party, or for the implementation of measures prior to the conclusion of the agreement at the request of the data subject (GDPR 6 art. 1. b); the processing is necessary to fulfill the legitimate interests of the controller or a third party (GDPR 6 art. 1.f).
The aforementioned legitimate interest of the data controller is based on a meaningful and appropriate relationship between the data subject and the data controller, which is a consequence of the fact that the data subject is a customer of the data controller, and when the processing takes place for purposes that the data subject could reasonably have expected at the time of the collection of personal data and in connection with the relevant relationship.
5 Data content of the register (groups of personal data to be processed)
The register contains the following personal information about registered persons:
the person’s basic information and contact information: First name, last name, address, phone number, email address; information related to the person’s company or other organization and the person’s position or job title in that company or organization; the person’s direct marketing permits and prohibitions.
6 Regular data sources Personal data is collected from the registered person himself. Personal data is also collected and updated within the limits of the applicable legislation from generally available sources, which are related to the implementation of the customer relationship between the data controller and the registered person and with which the data controller fulfills its obligations related to maintaining customer relationships.
7 Personal data retention period
The information collected in the register is kept only for as long and to the extent that is necessary in relation to the original or compatible purposes for which the personal data was collected. The need to retain personal data is assessed at intervals of four years and in any case the information about the registered person is removed from the register after 5 years, when the customer relationship of the registered person with the controller has ended, and the obligations and measures related to the customer relationship have been completed. For example, accounting documents are stored for five years after the end of the accounting period. The registrar evaluates the necessity of storing data regularly in accordance with its internal code of conduct. In addition, the controller takes all possible reasonable measures to ensure that personal information that is inaccurate, incorrect or outdated in relation to the purposes of the processing is deleted or corrected without delay.
8 Recipients of personal data (recipient groups) and regular transfers of data
Personal data will not be disclosed to external parties.
9 Transfer of data outside the EU or EEA
Personal data included in the register will not be transferred outside the EU or EEA. 10 Principles of register protection
Materials containing personal data are stored in locked rooms that can only be accessed by persons named and authorized to access due to their duties. The server is protected with an appropriate firewall and technical protection. Databases and systems can only be accessed with separately issued personal usernames and passwords. The registrar has limited access rights and authorizations to information systems and other storage platforms in such a way that the data can be viewed and processed only by the persons necessary for their legal processing.
10. Rights of the data subject
The data subject has the following rights according to the EU General Data Protection Regulation:
The right to receive confirmation from the data controller that the personal data concerning him or her is being processed or that it is not being processed, and if this personal data is being processed, the right to have access to the personal data and the following information: (i) the purposes of the processing; (ii) the groups of personal data in question; (iii) recipients or groups of recipients to whom personal data has been disclosed or is intended to be disclosed; (iv) if possible, the planned retention period of personal data or, if it is not possible, the criteria for determining this period; (v) the right of the data subject to request from the controller the correction or deletion of personal data concerning him or her or to limit the processing of personal data or to object to such processing; (vi) the right to file a complaint with a supervisory authority; (vii) if personal data is not collected from the data subject, all available information about the origin of the data (GDPR art. 15).
These described basic information (i)–(vii) are given to the registered person with this form; the right to withdraw the consent at any time without affecting the lawfulness of the processing carried out on the basis of the consent before its withdrawal (GDPR 7 art.); the right to demand that the data controller correct inaccurate data concerning the registered person without undue delay and incorrect personal data and the right to have incomplete personal data completed, including by submitting an additional explanation taking into account the purposes for which the data was processed (GDPR 16 art.); the right to have the data controller delete the personal data concerning the data subject without undue delay, provided that (i) the personal data is no longer needed for them the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing was based, and there is no other legal basis for the processing; (iii) the data subject objects to the processing on grounds related to his personal special situation and there is no justified reason for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) personal data has been processed unlawfully; or (v) personal data must be deleted in order to comply with a statutory obligation applicable to the data controller based on Union law or national legislation (GDPR 17 art.); the right for the data controller to restrict processing if (i) the data subject disputes the accuracy of the personal data, in which case the processing is limited to a period during which the data controller can verify their accuracy; (ii) the processing is illegal and the data subject objects to the deletion of personal data and instead demands the restriction of their use; (iii) the controller no longer needs the personal data in question for the purposes of processing, but the data subject needs them to prepare, present or defend a legal claim; or (iv) the data subject has objected to the processing of personal data on grounds related to his personal special situation, pending verification of whether the data controller’s legitimate grounds supersede the data subject’s grounds (GDPR 18 art.) the right to receive the personal data concerning himself, which the data subject has provided to the data controller, in a structured, commonly used and machine-readable format, and the right to transfer the data in question to another data controller without the hindrance of the data controller to whom the personal data has been delivered, if the processing is based on the consent referred to in the regulation and the processing is carried out automatically (GDPR 20 art.); the right to file a complaint with the supervisory authority if the data subject considers that the processing of personal data concerning him violates the EU’s general data protection regulation (GDPR art. 77).
Requests regarding the exercise of the data subject’s rights are addressed to the controller’s contact person mentioned in point 1.
11. Cookies
We use the Google Analytics service on our website to analyze visitor tracking. With the help of the service, we get statistical information about the user’s activity on our website. Based on the received data, we are able to offer an even better user experience to our customers.