Description of handling operations
EU general data protection regulation (2016/679), articles 13, 14, 15, 16, 17, 18, 20, 21 ja 30
Prepared: 18.03.2021
Updated: 15.11.2021
We may update or change this Privacy Statement at any time. The description is valid from 18.03.2021.
1. Registrar
Café Uksakka
Y-tunnus: 2764319-6
Pyhä-Luostontie 1266
99555 Luosto
+358 400 920 918
2. Contact persons responsible for registry matters
Contact person: Anu Magga
Pyhä-Luostontie 1266
99555 Luosto
+358 400 920 918
3. Register name
Café Uksakka customer and contact information register.
4. Purpose of the processing of personal data / recipients (or groups of recipients) / legal basis for the processing of personal data
The purpose of the register is to process the information needed to process orders and communicate with Café Uksakka's customers. On a case-by-case basis, we may transfer contact information related to the delivery of orders to third parties who are responsible for the delivery of products to the end customer. The information stored in the online store is stored in server rooms in the EU. The servers are protected by an intelligent firewall and technologies that keep the server safe from attacks. Solinum Oy stores and processes personal data in accordance with the EU GDPR and the current Personal Data Act (523/1999).
5. Information content of the register
- Full name
- Pos. Company
- Telephone
- Street address
- Postal code and location
- Possible Business ID
- Consent to marketing communications (yes or no)
- Possible billing information incl. e-invoicing or e-mail billing address
As well as information stored only in the online store database:
- Registration time (date and time)
- Last login (date and time)
- Activity status (active / blocked)
- Possible notes from the administrator, such as special requests made by the customer
- Communication with the online store
- Order history and purchase statistics
- Coupons
- Shopping carts
- Landing pages and current IP address
- Customer group
- Selected language
6. Information sources
Information provided by the data subject.
7. Disclosure of information
Customer data will not be disclosed to third parties. On a case-by-case basis, we may transfer contact information related to the delivery of orders to third parties who are responsible for the delivery of products to the end customer.
8. Data transfer outside the EU or the EEA and data protection principles
Data will not be transferred outside the EU or the EEA. Café Uksakka is responsible for maintaining the register. Only employees of the company have access to the maintenance of the data if the work duties requires. Café Uksakka is responsible for and centrally manages the rights to access the register in accordance with the security guidelines.
9. Retention period of personal data
The data controller retains personal data for the time being and as the customer relationship continues. However, at least the time required for shipments of the order to be delivered or for invoicing, the time required to verify payment of the invoice.
10. Registry security principles
A. Manual material
Manual material is stored carefully so that it cannot be accessed by third parties. Manual material is destroyed when it is no longer needed.
B. Electronically stored data
The data is technically and physically protected in such a way that, in addition to the registry administrators, third parties do not have access to the data. Each system user has their own ID and password. The manual material as well as the means for accessing the electronically stored data are in a controlled state, to which only our limited personnel have access.
11. Right of inspection and exercise of the right of inspection, the right to transfer data from one system to another
The data subject shall have the right, after notifying the facts necessary to search for the information, to know what information concerning him or her has been stored in this register or whether there is no information concerning him or her in the register. At the same time, the registrar must inform the data subject of the sources of information in the register and where the information in the register is used and disclosed.
A data subject wishing to verify his or her personal data as described in the previous paragraph must submit a request to this effect to Café Uksaka in a handwritten document or equivalent certified by the person in charge of this register. Café Uksakka may charge a service fee for compiling the data, as it requires significant work. The data subject shall have the right to obtain personal data concerning him which he has supplied to the controller in a commonly used and machine-readable form and to transfer such data to another controller if the processing is based on consent or an agreement between the controller and the data subject.
12. Correction, deletion and restriction of data processing
The data subject has the opportunity to change the information provided by logging in to the online store or requesting it in writing (by e-mail or letter to customer service). The controller shall, without undue delay or on his own initiative or at the request of the data subject, correct, delete or supplement personal data in the register which are incorrect, unnecessary, incomplete or out of date for the purpose of processing. The controller shall also prevent the dissemination of such information if the information may jeopardize the protection of the data subject's privacy or his or her rights.
The controller shall also, at the request of the data subject, restrict the processing if the data subject has disputed the accuracy of his personal data, if the data subject has objected to the processing unlawful and objected to the deletion and that they are necessary for the preparation, presentation or defense of a legal claim or if the data subject has objected to the processing of personal data under the Data Protection Regulation pending verification that the data subject's legitimate grounds outweigh those of the data subject. If the controller has restricted the processing on the above grounds, the controller shall notify the data subject before the processing restriction. If the controller does not accept the data subject's request for rectification, he shall provide written confirmation. The certificate shall also state the reasons why the claim has not been accepted. The data subject may refer the matter to the Data Protection Officer. The controller shall notify the rectification of the information to the person to whom the controller has provided or from whom the controller has received incorrect personal data.
However, there is no obligation to notify if notification is impossible or requires unreasonable effort. Requests for rectification must be submitted to the representative appointed by the controller in section 2, see contact information above. It should be noted that the controller may have a statutory or other right not to delete the requested information. The registrar is obliged to keep the accounting material in accordance with the period (10 years) specified in the Accounting Act (Chapter 2, 10). Therefore, the accounting material cannot be deleted before the deadline.
13. Marketing
Customer information will not be used or disclosed for marketing purposes.
14. Descriptions of online store payment intermediaries
Online store uses payment intermediaries that secure the payment transaction for the customer (consumer / business) and the seller (online store). After selecting the payment method, the personal data is transmitted securely to the service provider to secure the payment transaction. The payment intermediary stores basic information in its system to secure the order and the payment transaction. See section 14.1 for a detailed description.
14.1 Paytrail
14.2 Privacy Statements
Paytrail's activities as a payment intermediary are essentially data protected, and Paytrail handles the personal data of both merchants and consumers carefully and as required by law.
14.3 Paytrail's privacy and processing of personal information
Paytrail acts as an intermediary for our online payments. As part of our day-to-day payment and business operations at Paytrail, we process personal information related to payments. In all its activities, Paytrail strives to ensure that personal information is processed in a secure, privacy-compliant and law-abiding manner. Paytrail is committed to the requirements of the EU Data Protection Regulation (GDPR) and will develop its data protection accordingly. Data protection is taken into account in all security-related solutions. Data protection refers to the processing of personal data in a way that guarantees the individual's right to privacy and his or her own data. Paytrail's management accepts the principles mentioned here and is committed to data protection in all its activities.
14.4 Paytrail as registrar
The processing of personal data by Paytrail is based on the criteria defined in the laws governing the activities of payment institutions or the person's own consent. Personal data is processed in accordance with the principles of good data processing and the Data Protection Regulation. Paytrail's personnel are constantly trained and instructed to operate in a secure manner and with data protection in mind. The staff is also bound by bank secrecy. Personal data will be used for the purposes described in the collection to the extent permitted by law. The processing of data and the rights of the data subject are described in more detail in the register-specific data protection statements. The processing of personal data by Paytrail is governed by documented procedures. The use of information systems is controlled by a user management solution and the principle of a minimum right of access.
14.6 Paytrail as a processor of personal data
In payment transactions where payer's personal data is disclosed to Paytrail, the party providing the payment information (eg Café Uksaka's online store) is the registrar and Paytrail acts as the processor of this personal data. Paytrail offers a data processing agreement attached to the payment service agreement, which instructs merchants on the processing of personal data. The agreement shall also define the rights and obligations between the controller and the processor with regard to personal data processed in the payment service.
14.7 Action in emergency situations
Paytrail has a security policy that sets out policies for possible exceptional situations. As a payment institution, Paytrail is also bound by the regulations and instructions of the Financial Supervisory Authority related to data security. If Paytrail suspects or discovers that data protection has been compromised, it will investigate the matter without delay. Possible personal data breaches will be notified to the supervisory authority, the potential controller and, if necessary, the data subject as soon as required by the Data Protection Regulation.
14.8 Cookies
Paytrail's website uses cookies to improve the user experience and to collect information about your use of the website. Cookies are files that are stored on a user's terminal device. Cookies provide Paytrail with information about, among other things, how users navigate the site, which online content is most used and how Paytrail can improve its service. You can prevent the use of cookies by changing your browser settings. However, blocking the use of cookies may impair the functionality of the website.
14.9 Questions about Paytrail's privacy?
If you have any questions about Paytrail's privacy, please get in touch: privacy@paytrail.com / 020 718 1830
15. Yleisen tietosuoja-asetuksen nojalla sinulla on muun muassa seuraavat oikeudet:
- Right of access - Under Article 15 of the General Data Protection Regulation, you have the right to access the Data as well as certain information about the processing. This information is included in this document.
- Right of rectification - Under Article 16 of the General Data Protection Regulation, you have the right to have inaccurate information about yourself rectified and incomplete information supplemented.
- Right to delete - In certain situations, you have the right to have the Data deleted in accordance with Article 17 of the General Data Protection Regulation. This is called the "right to be forgotten."
- Right to Restrict Processing - In certain circumstances, you have the right to restrict the processing of Data by Paytrail under Article 18 of the General Data Protection Regulation.
- Right to transfer data - Under Article 20 of the General Data Protection Regulation, you have the right to receive Data from Paytrail in a structured, commonly used and machine-readable form (or the right to transfer it to another controller).
- Right to object - Under Article 21 of the General Data Protection Regulation, you have the right to object to certain processing operations carried out by Paytrail, such as processing operations based on a legitimate interest of Paytrail. In addition, you have the right to lodge a complaint with the supervisory authority, the Finnish Data Protection Supervisor's Office.