The General Data Protection Regulation
Paperimuru, identity code 2850166-7
Mechelininkatu 42, 00250 Helsinki
The data are filed in the Shuriken ERP system
of Creaction Finland Oy. Creaction Finland Oy is responsible for the system implementation and controlling, data protection, and data backups. All data are stored and processed in the same filing system (i.e. in one database).
Name of the filing system
Paperimuru customer, order, invoice and marketing data filing system.
Personal data processing policy
We comply with the following principles relating to processing of personal data:
Personal data shall be
a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);
c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
Client shall have right to obtain information about their personal data stored in the system, right to correct it, and right and possibility to delete it. Data will not be processed outside the EEA, except for anonymous web analysis (Google Analytics, Facebook, etc.). Data is stored until the client asks us to delete it. We store data for web analysis, for example, (statistical reasons), and to facilitate new orders (client's interest).
Purpose of storing data
Customer data are stored for the following purposes: communicating with clients, maintaining and improving the commercial and customer relations, and creating statistical reports. Paperimuru uses this and other data obtained during the customership in order to plan and target their products and services.
Personal data are used within the framework of the Personal Data Protection Act. Information will not be disclosed to any outside parties.
The e-mail address of those who have subscribed to the newsletter will be used to deliver the newsletter to them. The information given in the contact form will be used to reply to the contact request.
The customer register consists of several separate files created based on their main purpose. The data in all of these files constitute client-specific data sets in the following manner:
- Client's contact information and information needed for orders: first and last name, street address, postal code, city, country, language, telephone number, e-mail address, and national identity number. In the case of company, society and organisation customers, also the name of the company and the business identity code.
- Client group information, discount group, and other additional client-specific information.
- Invoicing address and other invoice information.
- Possible approval of direct marketing.
- Information on client's orders, deliveries, and returns.
- Codes needed for logging in.
- IP address or other identifier.
- Textual data related to customership, such as purpose of contact request or wish of delivery date.
Personal data will be deleted if the customer asks us to do it.
Data disclosure and transmission
Data will not be shared with outside parties, except for public authorities if needed. For data processing reasons, some of the information may be shared with our subcontractors.
Regular data sources
Contact and customer data are gathered at the beginning and during the customership from the announcements given by the client. Customership begins when the client registers in the system, creates an order, orders direct marketing, or makes a purchase. Customership can be started also on client's request, e.g. after a telephone conversation.
Approval to electronic direct marketing (e-mail and sms marketing) will be asked separately according to the Personal Data Act. Information on client's creditworthiness at the moment of order is obtained from the system of Checkout Finland Oy (business identity code 2196606-6), that of DFC Nordic Oy (1998514-5) and/or that of Suomen Asiakastieto Oy (0111027-9).
Anonymous web analysis
In order too gather anonymous data on web visit, we can use the following tools and services:
Google Analytics: https://analytics.google.com/analytics/web/
Google Remarketing: https://support.google.com/adwords/answer/2453998?hl=en
Facebook Pixel: https://www.facebook.com/business/a/facebook-pixel
Microsoft Bing Adds: https://advertise.bingads.microsoft.com/en-us/resources/policies
Legal basis for processing personal data
You must have a legal basis for processing personal data. We process personal data on the basis of approval (e.g. subscribing to newsletter), contract (e.g. making an order), controller's legal obligation (e.g. acquisition and possession of products subject to authorisation), protection of vital interests (e.g. participation in lesson or course that requires information on personal health), legitimate interest of controller or third party (e.g. web analysis).
Securing personal data
Access to personal data filing system requires special access rights. Access is limited to data that a person needs according to their job description, and it requires personal login codes. The customer register and the hardware processing it are located in closed computer halls. Hardware and software are updated regularly and appropriately, and we react to possible threats immediately. In case of incidents, data are backed up regularly. The system is secured with firewall against outside threats.
Personnel is obliged to keep the information of the personal data which they obtain in their work confidential. Information can be disclosed in case of legal notification obligation only, e.g. on client's or public authority's request.