Privacy notice for Dometal Oy’s online store, spare parts store and websites
In this privacy notice, we explain how we process the personal data of data subjects, when
- we sell to them agricultural products and their spare parts in our online store and spare parts store,
- we purchase from suppliers products for the online store and spare parts store,
- we provide data subjects with electronic services
- data subjects use our websites
The controller of the personal data register is Dometal Oy, business ID FI2215928-2, address Kotimäentie 1, 32210 Loimaa, Finland.
Depending on the personal data register and context, ‘data subject’ means a natural person who can be directly or indirectly identified from the data contained in the file. Such natural persons are, for example, customers of our online store and spare parts store, their suppliers, and users of our websites and other electronic services.
Personal data registers and personal data categories
The personal data that we gather comprises the personal data registers below. For each personal data register, we have described the purpose for which the register was created and, by way of example, the personal data and categories of personal data contained in each personal data register.
- The customer register consists of the personal data of our customers, which we need to establish, develop, maintain and terminate the customer’s relationship with us, and to fulfil the rights and obligations of the contracting parties in relation to orders and deliveries from our online store or spare parts store. The information in the customer register is also used for direct marketing purposes (for example, to send newsletters and text messages to the customer).
The customer register contains, among other things, the following categories of personal data: contact details of the customer or the customer’s contact person, information on products ordered by the customer (e.g. order quantities and warranty information), information on payment transactions, customer contacts (e.g. product enquiries), complaints and returns. If the customer has registered as a user of Dometal’s online store, the customer’s personal data collected by the online store at any given time is also collected.
The legal basis for the processing of personal data is the execution of a commercial contract between us and the customer and the express consent of the data subject.
- The service provider/supplier register consists of personal data that we collect and process about our service providers and suppliers that provide us with services and other services related to our business, or with which we plan to procure services related to our business.
The supplier register contains, for example, personal data arising from contracts, invoices, emails, correspondence, and complaints or other communications between us and the service provider. The supplier register may also contain personal data concerning subcontractors or partners used by the service provider/supplier.
For example, the supplier register contains the following categories of personal data concerning service providers/suppliers: supplier contact details, payment transaction data, supplier contact data and complaint handling data.
The legal basis for the processing of personal data is the execution or performance of a service or supply contract, the explicit consent of the data subject and/or our legal obligations.
- The registers of websites consist of the personal data gathered from visitors to our websites, which we collect and process to ensure the functionality of our websites and for the development of our websites.
The personal data contained in the registers of websites is set out in the cookie descriptions of the websites in force at any given time.
- The online store register consists of personal data that we collect from visitors to the online store and process to ensure the functionality of the online store.
The personal data contained in the online store register is set out in the cookie descriptions of the websites in force at any given time.
The legal basis for the processing of personal data is the explicit consent given by the data subject.
Legal grounds for processing personal data and the purpose of processing
We process data subjects’ personal data on the processing grounds described below in accordance with the EU General Data Protection Regulation (Regulation 2016/679 of the European Parliament and of the Council, “GDPR”):
- the explicit consent given by the data subject;
- to enforce a contract to which the data subject is a party
- to comply with the statutory obligations of a data controller; and
- on the basis of legitimate interest.
We endeavour to ensure that we do not process sensitive personal data groups. In an exceptional case, we may, however, process such personal data if it is essential for us to do so. We undertake to process sensitive personal data according to the legislation applicable at the time.
The purpose of processing the personal data of data subjects is to enable us to serve our current and potential customers, to market and develop our services, to monitor and compile statistics on the use of our services and to fulfil our legal obligations.
Recipients of personal data
We may transfer or disclose data subjects’ personal data within the Group or to our contractual partners that process data subjects’ personal data on our behalf on the basis of a personal data processing agreement between us and the processing party.
We may disclose or transfer data subjects’ personal data to third parties such as potential buyers and/or their advisors, as required by the competent authorities or other bodies in accordance with applicable law and in the context of any corporate restructuring.
As a rule, we do not disclose the personal data of data subjects to third parties other than for a justified reason resulting from the above or from legislation.
The transfer of personal data abroad
We do not disclose the personal data of data subjects outside the EU or EEA. If we have to disclose the personal data of data subjects outside the EU or EEA, we check that a sufficient level of data protection is ensured by applying the protection measures required by data protection legislation (e.g. model contract clauses drawn up by the EU commission).
The retention of personal data
We retain the personal data of data subjects for as long as necessary for each of the purposes described in this privacy notice and for the purposes of our legal obligations, contractual relationships, reporting and with the consent of the data subject. The personal data of data subjects can be retained either on paper or electronically according to Dometal Oy’s operating policy in force at the time.
Personal data in the customer register and the service provider/supplier register will be kept for as long as the contractual relationship between the data subject and us is in force, and thereafter for as long as required for the defence of the rights and obligations of the parties and for the limitation period, unless a longer processing period is required by law or reporting obligations imposed on us.
Personal data contained in the registers of websites and the online store will be retained for as long as the data subject’s consent is valid and in accordance with the cookie notice on the websites.
We will delete the personal data of data subjects when we no longer need to process it for legal, contractual, reporting, data subject consent reasons or for the purposes described in the privacy notice. If a data subject has requested the deletion of his/her personal data following the withdrawal of consent, we will delete the personal data without undue delay, unless we have other grounds for processing the data subject’s personal data under this privacy notice.
The protection of personal data
We protect data subjects’ personal data against unauthorised access and unlawful processing through organisational and technical measures, such as passwords, access restrictions and internal operating procedures. We keep personal data confidential.
We store personal data in manual or electronic form. Printouts in manual form that contain personal data are destroyed in a data-secure way.
Electronically stored personal data is on one or more protected servers within a secure data network. Access to personal data and its processing are protected by usernames, passwords and user rights. Personnel involved in processing personal data are bound by contractual and/or legal obligations of secrecy and confidentiality with regard to personal data.
The rights of the data subject
The right to access personal data
|Based on data protection legislation, a data subject has the right to check what personal data concerning him/her is stored in personal data registers, or to check that there is no personal data concerning him/her in the registers.|
|The right to correct data||If there are errors in the personal data of a data subject, the data subject may ask the data controller to correct them.|
|The right to delete data||The data subject has the right to ask for the deletion of personal data concerning him/her from the register, if there are no legal grounds for processing the personal data.|
|The right to restrict processing||The data subject may request the restriction of the processing of his/her personal data for reasons prescribed in law.|
|The right of objection||The data subject has the right to forbid the data controller from processing personal data concerning him/her for the purposes of direct mail advertising, telesales, other direct marketing and market and opinion surveys.|
|The right to transfer data from one system to another||Insofar as a data subject has delivered to the data controller data, which is processed based on consent, the data subject has the right to receive such data him/herself mainly in machine-readable form, and the right to transfer such data to another data controller.|
|The right to withdraw
|If the processing of personal data is based on consent given by the data subject, the data subject has the right to withdraw the consent given by him/her at any time. The processing of the data subject’s personal data prior to the withdrawal of the consent, however, remains legitimate even when consent has been withdrawn.|
|The right to lodge a complaint with the appeal authority||The data subject has the right to lodge a complaint with the competent supervisory authority if he/she considers that the data controller has not observed the data protection legislation applicable to the business. The national appeal authority is
the Office of the Data Protection Ombudsman (www.tietosuoja.fi)
The processing of personal data is a contractual requirement, for example, when we process personal data under a commercial contract to provide our services to the data subject or when we process the supplier’s/service provider’s personal data under a service or supply contract for our procurements.
If we require a data subject to provide us with his/her personal data and the data subject refuses to do so, we cannot, for example, sell agricultural products or spare parts to the data subject or obtain services from the data subject.
If consent is required for the provision of personal data and the data subject does not give consent, the data subject’s experience of the websites, online store or electronic services may be different from what it would have been if consent had been given.
We are not liable for any direct or indirect consequences or damages that the data subject suffers or may suffer if the data subject refuses to disclose his/her personal data to us.
We do not engage in profiling and automatic decision-making.
The privacy policies of third parties
Dometal’s services may have links to websites and content owned or maintained by third parties. When a data subject visits such websites or services, he/she must read and accept any privacy policies. Such websites or services are not owned by Dometal and Dometal is not responsible for their content or privacy policies.
Cookies are small text files that Dometal’s electronic services, such as websites and the Online Store, retain on the data subject’s computer or mobile device when the data subject uses our electronic services.
The first-party cookies placed by Dometal can be essential functional cookies. Such cookies are needed for the operation of the website and online store as it was planned. Dometal may also place non-essential cookies. They can be, for example, consent-based analytical, marketing or unclassified cookies chosen by the user him/herself and used for purposes such as website and online store development and the tracking and monitoring of the data subject’s movements on the websites.
When using the websites and online store, the data subject may select the non-essential cookies to which he/she gives his/her consent. Essential cookies may be placed without regard to the consent of the data subject.
The data subject may also change his/her browser settings, and delete the set cookies from the browser after having used the online store and website.
Where personal data is obtained from
We receive personal data about data subjects from the data subject when, for example, the data subject contacts us, uses our online store, shops in our spare parts store on the basis of their consent, or otherwise discloses it to us.
We may also collect and update the personal data of data subjects from the registers of our partners and from authorities and companies providing services to us, such as our subcontractors that provide us with services.
If the data subject wishes to ask anything concerning our data protection practices, or the data subject wishes to use his/her rights, we ask the data subject to contact us on firstname.lastname@example.org.
We may update this privacy notice by announcing it on our website or by some other electronic means.
This privacy notice was last updated on 27 September 2021.