Skip to content

Registration and data protection

KATTOKESKUS GROUP’S REGISTRATION AND DATA PROTECTION

Register and Privacy Statement

This is the Kattokeskus group’s registration and data protection statement in accordance with the EU General Data Protection Regulation (GDPR). Latest change 31 January 2023.

  1. Controller
    Kattokeskus Group [later “Registrar”] the following companies:
  • Kattokeskus Suomi Oy; business ID 3188733-7
  • Kattokeskus Uusimaa Oy; business ID 2989439-4
  • Kattokeskus Itä-Suomi Oy; business ID 2721930-1
  • Kattokeskus Varsinais-Suomi Oy; business ID 2864113-3
  • Kattokeskus Keski-Suomi Oy; business ID 2853826-9
  • Kattokeskus Länsi-Uusimaa Oy; business ID 2853827-7
  • Kattokeskus Pirkanmaa Oy; business ID 3188734-5
  • Kattokeskus Huoltopalvelut Oy; business ID 3333472-8

Address: Koivistontie 1, 33960 Pirkkala, Finland
Phone: 010 2290190
Email: [email protected]
Contact person for data protection matters: Samuli Riihimäki ([email protected])

  1. Definition

Personal data refers to all data related to an identified or identifiable natural person (hereinafter “the registered person”). An identifiable person is considered to be a natural person who can be directly or indirectly identified, especially on the basis of identifying information, such as name, social security number, location information, online identification information.

The customer refers to the registered consumers and the contact persons of the companies and other entities (hereinafter “company”) with which the Controller has a customer relationship.

Potential customers are registered consumers and contact persons of companies with whom the Controller tries to create a customer relationship.

Stakeholders refer to consumers and contact persons of companies with whom the Controller has a cooperative relationship (for example, representatives of companies providing services to the Controller) or another connection (for example, media representatives as parties to information activities).

  1. Purpose and legal basis of personal data processing

The controller processes personal data of registered users for the following purposes (for one or more simultaneously):

  • Customer and stakeholder relationship management, analysis, and development
  • The controller can use your personal data to manage, analyze and develop the customer or stakeholder relationship formed directly with you or the company you represent.
  • Providing products and services
  • The controller can use your personal data to provide products and services, if you yourself or the company you represent has, for example, purchased a product or service from us, used our digital services, subscribed to our newsletter, or participated in installation demonstrations or other events. Personal data is used to fulfill the rights and obligations based on the contract or other commitment between the Controller and the customer.
  • Customer communication
  • The controller can use your personal data in its customer communications, for example to send you notifications related to products and services, to inform you about changes made to services and to request feedback on products and services.
  • Marketing
  • The controller may contact you to tell you about new products, services or benefits. The controller can use personal data to tailor its offerings and provide relevant content. This means, for example, that we may provide recommendations or display customized content and customized advertisements on our own and third-party services.
  • Development of products and services
  • The controller can use your personal data to develop its products and services.

The legal basis for the processing of personal data is the following subsections of Article 6 of the EU Data Protection Regulation:

  1. you have given your consent to the processing of your personal data for one or more specific purposes;
  2. the processing is necessary for the execution of a contract to which you are a party, or for the implementation of pre-contractual measures at your request;
  3. processing is necessary to comply with the Controller’s statutory obligation; and
  4. processing is necessary for the realization of the legitimate interests of the Controller or a third party, except when your interests or fundamental rights and freedoms that require the protection of personal data supersede such interests.

The data controller processes your data to implement the contract with you or the company you represent.

The Controller has legitimate interests related to the conduct of business, such as the right to promote the sale of its products and services through marketing and sales methods, and the Controller can, based on the legitimate interest, engage in direct marketing and sales using your contact information.

Due to internal administrative reasons, the controller has legitimate interests in accordance with the data protection regulation to transfer personal data within the group from one limited company to another.

In addition, the controller can process your personal data when required to do so by legislation, such as, for example, based on the retention obligation of the Accounting Act.

  1. Data content of the register

The personal data collected by the controller may include, among other things, the following types of data and changes made to them:

  • First and last name
  • contact information (postal address, email address, phone numbers)
  • details of the renovation site
  • Building type
  • date of renovation implementation
  • Information regarding the use of digital services of the registrar
  • communications aimed at the data subject and related activities
  • direct marketing options
  • Recordings of customer acquisition calls and customer service-related e-mail and online conversations, for example on social media channels

IP addresses of website visitors and cookies necessary for the functions of the service are processed on the basis of a legitimate interest, e.g. to take care of information security and for the collection of statistical data of website visitors in those cases when they can be considered as personal data. If necessary, consent is requested separately for third-party cookies.

  1. Regular sources of information

The information to be saved in the register is obtained from the customer, e.g. From messages sent via web forms, by e-mail, by phone, via social media services, contracts, customer meetings and other situations where the customer gives out their information. In addition, the Controller receives personal data from its group companies and partners, such as various financing, installation and maintenance service providers and other operators in the construction industry.

The controller can also receive personal information about possible potential customers from the staff and other customers for the purpose of contacting them.

In addition to the above, the Controller can use generally available sources to obtain personal data when acquiring new customers. In this case, the groups of personal data are name, telephone number and e-mail address, and the legal basis is the legitimate interest of the controller (Article 6 point f). The controller considers that it has a legitimate interest in using personal data available from public data sources in its own business and product marketing in order to secure its competitiveness in its industry.

  1. Regular transfers of data and transfer of data outside the EU or EEA

The controller will not give, sell or otherwise disclose your personal data to external third parties, unless otherwise stated below.

The Controller may share your personal data with third parties who perform services or deliver goods to the Controller. These services can be, for example, customer service, installation and maintenance service, software services, research activities, marketing and producing events. The controller may share your personal information to collect payments for products and services, and may, for example, transfer or sell unpaid invoices to third parties offering debt collection services

Protecting your personal data is important to the Controller, which is why it does not allow the parties in question to use the data for any purpose other than providing the services in question, and it requires the parties to protect the user’s personal data in accordance with this privacy policy and applicable legislation.

The Controller shares your personal data with partners with whom the Controller jointly manages and implements projects.

The controller may share your personal data with carefully considered third parties for joint or independent direct marketing purposes. Information can be shared for those purposes only when the third party’s planned purpose of use does not conflict with the purposes of use defined in this Data Controller’s privacy statement.

The controller may share your personal data in connection with a business acquisition or other business arrangement or when the service is transferred to another service provider. The controller may share your personal data on a court or similar order.

When providing services, the controller may use resources and servers located in different parts of the world. The controller may therefore transfer your personal data outside the country of use of the services and possibly also to countries outside the EU.

  1. Personal data processing and storage periods

The Controller processes your personal data in this register as long as the Controller has one of the grounds for data processing described in section 3 of this privacy policy valid, and for a reasonable period of time thereafter.

The processing time for the personal data of different groups of people is determined by the following criteria:

  • consumer customers
  • The registrar can process your personal data for the duration of your customer relationship and for the necessary time after that in order to handle warranty and error responsibilities.
  • After this, the Controller can transfer your necessary personal data to the marketing register and treat you as a potential customer again.
  • representatives of business customers
  • The data controller can process your personal data as long as you represent the business customer of the Data Controller, for the duration of your customer relationship, and for the necessary time after that to handle warranty and error responsibilities.
  • After this, the Controller can transfer your necessary personal data to the marketing register and treat you again as a representative of a potential business customer.
  • potential consumer customers and representatives of potential business customers
  • The controller can process your personal data for the time being until you become a customer or until you demand that your data be deleted from the controller’s marketing register. The storage period is long because our products have a long life cycle, making a purchase decision is a long process and it is not usual to make several similar purchases in a short time.
  • members of stakeholders
  • The Controller can process your personal data as long as you are a member of a stakeholder group, such as representing the Controller’s partner or the media.
  1. Principles of registry protection

Care is taken when processing the register and the information processed with the help of information systems is properly protected. When registry data is stored on Internet servers, the physical and digital data security of their hardware is taken care of accordingly. The registrar ensures that stored data as well as server access rights and other data critical to the security of personal data are handled confidentially and only by those employees whose job description it is.

  1. Rights of the data subject

The registered person has the following rights according to data protection legislation. However, the application of rights in each individual situation depends on the purpose and situation of use of personal data.

  • The right to access information
  • The registrant has the right to receive confirmation as to whether the registrant’s personal data will be processed, as well as other information on the processing of personal data in accordance with data protection legislation.

The registered person has the right to access the personal data and receive a copy of the personal data.

  • The right to correct personal data
  • Subject to certain restrictions, the registered person has the right to demand the correction or deletion of incorrect or inaccurate information.
  • The right to delete personal data
  • In accordance with the requirements of data protection legislation, the registrant has the right to request the deletion of personal data. Upon request, we will delete personal data, unless the legislation requires us to keep it, or some other exceptional basis according to data protection legislation applies.
  • The right to restrict processing
  • In accordance with the requirements of data protection legislation, the data subject has the right to request the restriction of the processing of personal data in certain situations.
  • The right to transfer data
  • The registered person has the right to demand the transfer of personal data to another controller. The right to transfer basically applies to such personal data that the data subject has provided to the controller in a structured and machine-readable format, and whose processing is based on the consent or agreement of the data subject, and whose processing is carried out automatically.
  • The right to object to processing
  • The registered person has the right, in accordance with the requirements of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We can refuse the request if the processing is necessary to fulfill the compelling and legitimate interests of the controller or a third party. However, the registered person always has the right to object to the processing of personal data for direct marketing purposes and profiling related to direct marketing.
  • The right to withdraw consent
  • If the processing of personal data is based on the consent given by the data subject, the data subject has the right to withdraw his consent. Withdrawal of consent has no effect on the processing carried out before it.
  1. Exercising Rights

You can send a request regarding the registered person’s rights by letter or e-mail using the contact information mentioned in this privacy statement.

Identity is checked before the request is processed. The request will be answered within the time stipulated in the EU data protection regulation (generally within a month). If the request cannot be agreed to, the refusal will be notified separately.

  1. Changes to the data protection statement

This privacy statement may need to be changed from time to time. Changes may also be based on changes in data protection legislation. Changes can be made without notification or the data subject’s consent. We therefore encourage you to regularly check the privacy policy to detect changes. The latest version is available on our website.

Search