Skip to content
Privacy statement
Looking for a label solution?

Pekka Hälikkä

+358 (0)207 418 673
pekka.halikka@karico.fi
Contact us

Karico Oy – Customer Register

Information Document on the Processing of Personal Data in Karico Oy’s Customer Register in Accordance with the EU General Data Protection Regulation

1. Data Controller

Karico Oy, Business ID 9002984-2
Sinimäentie 10 B B, 02630 Espoo, Finland
+358 207 418 663, karico@karico.fi

2. Contact Person for Matters Related to the Register

For matters related to the register and the exercise of the data subject’s rights, the contact person is:

CEO Kimmo Palkonen, +358 207 418 663, kimmo.palkonen@karico.fi

3. Name of the Register

Customer register of Karico Oy

4. Legal Basis for Processing Personal Data

The processing of personal data in the customer register is based on a customer relationship with the data controller.

5. Purposes of Processing Personal Data

  • Customer relationship management

  • Customer communications

  • Sales and marketing of the data controller’s products and services

  • Development of the data controller’s business and customer service

6. Processed Personal Data

  • Customer company’s name and business ID

  • Contact person’s name

  • Phone number and email address of the customer and contact person

  • Customer’s address information

  • Customer’s payment and invoicing information

7. Sources of Personal Data

  • Directly from the data subject

  • Updated name and address information from address information systems

  • Publicly available internet sources

  • Use of services

8. Recipients or Categories of Recipients of the Personal Data

The following partners of the data controller may process personal data from the register, to the extent necessary to perform their services:

  • Don & Branco (advertising and marketing)

  • MailChimp (email marketing and communication)

Or other future partners selected for these tasks.

Data may be disclosed to authorities based on legal information requests.

9. Transfer of Data Outside the EU

Personal data may be transferred to a third party outside the EU as follows:

The partner responsible for direct marketing communication software, MailChimp (USA). MailChimp certifies to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, which legally allows the transfer of contact data from the EU to MailChimp in the U.S.

10. Retention Period of Personal Data

Personal data in the customer register is processed for the duration of the customer relationship. The data controller considers the customer relationship to have ended if the customer has not ordered products or services, requested a quote, or otherwise contacted the data controller within ten (10) years. The period is calculated from the end of the calendar year in which the customer last ordered, requested a quote, or contacted the company. Data is deleted within three (3) months after the end of the relationship, unless there is another reason to retain it.

When the customer relationship ends, the customer’s data may be transferred to the company’s marketing register for those individuals who have not objected to direct marketing.

11. Rights of the Data Subject

Personal data in the customer register is processed based on the data controller’s legitimate interest, which is the customer relationship.

The data subject has the right to:

  • Access their data (right of access)

  • Rectify data

  • Erase data

  • Object to the processing of data

  • Request restriction of processing

  • Transfer data from one system to another

Right to Object:
The data subject has the right to object at any time to the processing of their personal data for direct marketing. If the data subject objects, the data will no longer be processed for this purpose.

12. Register Protection

Data is stored in the data controller’s systems and databases, which are not accessible to unauthorized parties. Only designated persons employed by the data controller or otherwise authorized individuals who need the data to perform their duties have access to the register. They use personal usernames and passwords. The systems containing the register are protected by firewalls and other appropriate technologies.

13. Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority if they believe that the data controller has not complied with applicable data protection regulations.

14. Requests Regarding the Exercise of Data Subject Rights

For questions related to personal data processing or exercising their rights, the data subject may contact the person mentioned in section 2.

Requests to exercise the right of access or other data subject rights must be made in writing either by email or post. Requests can also be made in person at the data controller’s office.

The data controller may ask the data subject to specify which data or processing operations the request concerns.

To ensure that personal data is not disclosed to anyone other than the data subject, the controller may request that the access request be signed. The controller may also ask the requester to prove their identity with an official ID or by other reliable means.