Privacy Notice


1. Scope and purpose of this Privacy Notice 

This Privacy Notice applies to the customers and potential customers including those visiting the web pages and included in the marketing activities (later “you” or “data subjects”) of Vapo Oy and its affiliates Neova AB (Sweden) and AS Tootsi Turvas (Estonia) (later “Vapo”, “we”). The Privacy Notice covers the business related to the products and services that we offer to you.

The purpose of this Privacy Notice is to inform you of what personal data we collect or obtain regarding you, and how this data is used including disclosure, retention and protection of the data. It also explains your rights to control the processing.

We are committed to respecting your privacy and process your personal data according to the European Union’s General Data Protection Regulation (2016/679) (later “GDPR”) and other applicable privacy laws and regulations.

Personal data is information that directly or indirectly reveals your identity, such as a name, identification number, address, and Internet Protocol (IP) address (later “personal data”). The definitions of the data privacy terms set out in Article 4 of the GDPR shall apply for this Privacy Notice.

2. Contact information, controller 

Vapo Oy is the controller of the personal data described in this Privacy Notice. If you have any questions related to this notice or data privacy in general concerning Vapo Oy and its affiliates, you can contact us at:

Vapo Oy
Business ID: 0174817-6
P.O. Box 22, Yrjönkatu 42
FI-40101 JYVÄSKYLÄ
Finland

Email: privacy (at) vapo.fi

Data Privacy Officer (DPO) of the Vapo Group: Teijo Liimatainen, phone: +358 (0) 20 7905782

3. Purposes of processing of personal data 

We process your personal data only for legitimate business purposes and to fulfil our legal obligations. The processing purposes include:

  • Customer sales and services
    • Sales processing such as order/purchase, delivery, invoicing, debt collection, credit limit check
    • Warranties, quality assurance, reclamation, feedback, inquiries and other communications with you
    • Providing and maintaining the web shop services
    • Collecting service usage information for resolving service fee (district heating service)
  • Customer relationships management
    • Communications & PR (e.g. delivering annual report or company news)
  • Marketing including tracking technologies and personalized offers
    • Various customer and potential customer marketing activities (including direct marketing) in different media (mail, phone calls, email, web pages, social media, and online chat)
    • Opinion and market research
    • Promotional events and competitions
    • Tracking of service usage and web page behaviour for market analysis, research, personalised services and targeted marketing
  • Internal development of the business
    • Product and service analysis, statistics and development
    • Tracking of service usage and user behaviour on web pages for the purpose of service development and optimisation
    • Internal training
  • Information security
    • Ensuring the security of our IT environments
  • Protection of our legal rights e.g. to be able to defend a claim or solve a dispute

In addition, personal data is processed to fulfil legal obligations set out in laws and regulations such as fraud prevention.

4. Legal basis for processing of the personal data 

4.1 Contract
When you order/purchase a product or service a contractual relationship is formed between us. This contractual relationship is the legal basis for processing your personal data for sales and related services.

4.2 Consent
We need your consent for certain types of processing such as processing of sensitive personal data, electronic direct marketing and automated decision making having a significant impact on you.

You can withdraw any consent you have given and end the further processing of the personal data processed with your consent at any time by contacting us (see Contact information, Controller and Rights of the data subject).

4.3 Legitimate interest
The legal basis for customer relationships management, marketing, internal development, ensuring the security/safety of our data and property and protecting our legal rights is mainly our legitimate (business) interests. We want to offer better and safer services to you by developing our operations.

The other legal bases listed here apply in specific cases, e.g. we ask for your consent for direct marketing and we perform security operations on your personal data due to legal obligations.

4.4 Legal obligations
Personal data is processed to fulfil legal obligations such as fraud prevention and implementing an appropriate level of data security to ensure modern and efficient protection of your personal data.

5. The personal data processed and the sources 

We collect personal data from various sources:

  • You are the most important source of personal data. You provide personal data when ordering/purchasing our products or services, participating in our promotional events, games or opinion/marketing research, visiting us, contacting us or communicating with us
  • When you visit our web pages and online shop, we receive information from third parties tracking web site activities (see the Cookie Policy on our web site, www.vapo.com/en/cookies)
  • We collect and update contact information (e.g. address, phone number) from third party public sources such as Fonecta Enterprise Solutions Oy and Yritystietojärjestelmä (YTJ, Finland) (business customers’ contact information)
  • We also receive personal data from third parties such as credit rating companies (credit limit), partners (sales orders for our products and services) and marketing information providers (contact and identity information of potential customers interested in us)

We collect the following categories of personal data:

We do not intend to process your sensitive personal data (such as health data), but you may submit such data voluntarily when you communicate with us, and thus the data is processed with your consent.

When you order/purchase our products and services or otherwise enter into a contract with us, we need your personal data to fulfil the contract and our legal obligations. We will inform you when we collect the data which personal data are mandatory to be provided by you.

6. Retention periods 

We retain your personal data as long as necessary for the purposes presented in this Privacy Notice, unless a longer retention time is required in the legislation.

When the personal data are no longer needed for the purpose they were collected for, the data first gets passivated and its processing is limited (e.g. for legal purposes only). Later, the data are removed or rendered anonymous within a reasonable time. The length of the retention period depends on the purposes of the processing.

Sales/contract purposes:
Sales and contract related data are stored at least 10 years after the sale due to legal obligations. Other customer data is stored at least 3 years after the last registered customer activity (product/service order, delivery) to ensure that reclamations and warranties can be processed properly.

Marketing and communications purposes:
Newsletter subscription data is removed from the newsletter service when the newsletter is cancelled.
Personal data of potential customers are removed within a year after they have been collected for a specific marketing activity.
Processing of personal data for other marketing purposes ends at latest 3 years after the last activity (the customer record is passivated).

Electronic identification and web page tracking purposes:
See the Cookie Policy on our web site, www.vapo.com/en/cookies.

7. Data transfers and recipients  

Vapo transfers personal data between Vapo Oy and its affiliates: Kekkilä Oy, Neova AB (Sweden), AS Tootsi Turvas (Estonia), Suo Oy, Piipsan Turve Oy, Hasselfors Garden Ab (Sweden), Kekkilä Eesti OÜ (Estonia) and Salon Energiatuotanto Oy if necessary for the purposes presented in this Privacy Notice.

We also transfer personal data to our partners and service providers in the following categories:

Categories of recipients

  • Financial service providers
  • Accounting service providers
  • IT service providers
  • Service or product delivery (logistics)
  • Service delivery and contractors
  • Marketing, customer relationships & PR service providers
  • Tracking technologies

The companies that perform tracking on our web sites are found in the Cookie Policy on our web site, www.vapo.com. Information on the other recipients can be obtained by contacting us.

We may also disclose personal data due to a legal obligation related to e.g. security, safety and protection of legal rights.

If we are involved in a merger, sale, joint venture, acquisition or similar arrangement, we may transfer personal data to the parties involved. We will inform you of any significant changes in the level of privacy.

7.1 Personal data transfer(s) outside EU/EEA
If your personal data are transferred outside the European Union (EU) / European Economic Union (EEA), we ensure that the transfer is performed using the necessary safeguards (such as contract model clauses), which ensure that your data continues to be protected according to the GDPR.

8. Rights of the data subject

Data subjects i.e. those whose personal data we process, have the rights stated in the GDPR to make the requests presented here. We may request additional information if necessary to confirm the identity of the requestor. We will answer the request at latest one month after the requestor has been identified and we have received enough information to fulfil the request.

8.1 Right to access and rectification
You have the right to request us to inform you what personal data we process concerning you (or that no data is processed), and request us to correct your personal data that are incorrect or incomplete (or outdated).

8.2 Right to erasure (‘right to be forgotten’) and right to restriction of processing
You have the right to request us to erase (or render anonymous) or restrict the processing of personal data concerning you that we process. We will comply with your request unless we have a legitimate ground not to delete the data, in which case you will be informed.

8.3 Right to object to processing
You have the right to object to the use of all or some of your personal data for selected purposes. We will comply with your request unless we have a legitimate ground to continue the processing (e.g. legal obligation), in which case you will be informed.

8.4 Right to data portability
You have the right to receive the personal data concerning you that you have provided in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller if the processing is based on consent or on a contract, and the processing is carried out by automated means.

8.5 Right to withdraw consent
If you have given your consent to certain processing, you have the right to withdraw your consent at any time regarding further processing of your personal data.

8.6 How to use these rights
You can use these rights by contacting us using the contact information found in the beginning of this Privacy Notice. The requests must be submitted in writing and include enough information to confirm your identity. We may request additional information if necessary.

We will inform the recipients of your personal data if you have requested the data to be rectified, erased or restricted, unless this proves impossible or involves disproportionate effort.

We have the right to refuse to act on requests that are manifestly unfounded (obviously unjustified) or excessive, in particular because of their repetitive character, or charge a reasonable fee based on the costs to fulfil the request.

8.7 Right to lodge a complaint with a supervisory authority
You have the right to complain to the competent supervisory authority if you believe your personal data has been processed incorrectly. Contact information:

Supervisory authority:

Finland:
Data Protection Ombudsman
Address: Ratapihantie 9, 6th floor, 00520 Helsinki
Phone: +358 29 56 66700
E-mail: tietosuoja (at) om.fi

9. Security measures 

We process personal data in accordance with applicable data protection laws and regulations, and ensure the compliance of the service providers (processors) with contractual measures (data processing agreements).

We have implemented modern technical and organizational security measures to protect personal data from unauthorised access or transfer and accidental or illegal destruction, loss or alteration. The information security and data protection of our systems and environments that contain personal data are managed appropriately as a whole. We ensure the security of the stored data, access rights and processing of the confidential and sensitive personal data.

Access to personal data is limited to those that need it for performing their job. Access is based on roles and the tasks and functions connected to that role. All persons processing personal data are required to treat the data as confidential. The users of the IT environment are identified and access to the systems is secured and limited by user rights. Access to the physical location is also based on individual access rights and access keys.

10. Changes to this Privacy Notice 

We modify and update this Privacy Notice whenever necessary due to e.g. changes in the sales or marketing processes, service providers or laws and regulations. Change history is found in connection to the Privacy Notice. Significant changes can also be provided with a separate notice (e.g. email).

11. Version history  

Published 23.5 version 1.0

Version  | Changes | Date