GDPR Register and Data protection policy

GDPR Register and Data protection policy of Ethical Luxury Ltd.

This is the register and data protection policy of Eettinen Luksus Oy (Ethical Luxury Ltd.) in accordance with the Finnish data protection law (Sections 10 and 24) and the General Data Protection Regulation of the European Union (GDPR). Prepared on 24 May 2018. Last modified 14 November 2022.

1. Data Controller

Eettinen Luksus Oy (hereinafter the “Data Controller”)
VAT FI21402789
Vilhonvuorenkatu 12
FI-00500 Helsinki

2. Processor

Päivi Peltoniemi

3. Register name

Register of Eettinen Luksus Oy intended for customer relationships and other relevant contact (hereinafter the “Customer Register”).

4. Legitimate interest and purposes of processing of personal data

The legal basis for the processing of personal data in accordance with the EU's General Data Protection Regulation:

  • processing is necessary for the performance of a contract to which the Data Subject is party and
  • processing is necessary for the purposes of the legitimate interests pursued by the Data Controller, i.e., an appropriate and meaningful relationship (customer relationship).

The Data Controller shall consider the fundamental rights and freedoms of the Data Subject.

The purpose of the Data Controller's data processing is to maintain good relations with customers, potential customers, employees of its customers or other interested parties, such as beneficial owners, authorised representatives and responsible persons, and to provide them with marketing information and material on the services provided by the Data Controller.

The Data Controller stores and uses personal data in its Customer Register to:

  • fulfil its legal and contractual obligations
  • make offers and marketing, product, and customer analyses
  • give advice and provide required services
  • develop processes, business, and systems to improve the product range and
  • optimise services for customers
  • carry out marketing actions and
  • comply with legal obligations, resolve disputes or implement contracts

5. Customer Register data content

The Data Controller collects the following personal data in its Customer Register:

Identification details: Name of natural or legal person, other unique identifier or name, position, area of responsibility of representative or similar
Contact details: Postal address, email, website, telephone number
Financial details: nature and type of legal action, credit rating, and other transaction information and changes thereto (purchase, sale, invoicing)
Other information: Feedback or requests received through digital channels to confirm assignments or for documentation, quality control and development purposes. Other information related to customer relations or ordered products or services.

6. Regular data sources

The Data Controller stores in its Customer Register the personal data that the customer has provided when contacting the Data Controller or ordering products or services by e-mail, by telephone, in customer meetings, through various legal acts or in other situations. Personal data can also be collected and updated from publicly available data sources, such as public and private registers. To keep the information up to date and accurate, the Data Controller reserves the right to update its data, if necessary, and to verify its accuracy with the customer.

7. Regular disclosures and transfer of data outside the EU or EEA

As a rule, data collected and stored in the Customer Register is not transferred or given to third parties.

However, data can be transferred from the European Union to

  • vendors and service providers who comply with confidentiality obligations in their operations and where the delivery, provision or compliance with contracts of the goods or services requires the disclosure of personal data
  • with the Data Subject’s consent
  • in force majeure situations
  • in connection with mergers and acquisitions to the buyer, if the Data Controller sells or otherwise makes business arrangements
  • authorities or other parties at their request, if the request is based on a legal obligation.

Additionally, the controller or processor has provided appropriate safeguards, and on condition that enforceable Data Subject rights and effective legal remedies for Data Subjects are available. These safeguards include binding corporate rules, standard data protection clauses adopted by a supervisory authority and approved by the Commission, an approved code of conduct together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards, including as regards Data Subjects’ rights.

8. Principles of Customer Register security

Care is taken in the processing of the Customer Register and the stored personal data is handled confidentially. Only persons who are authorised by the Data Controller and whose job description covers the Customer Register data can process, view, edit and delete the data in the Customer Register.

The data in the Customer Register is stored in a database protected by firewalls, passwords and other technical means related to data security. Servers are protected against data breaches and denial of service attacks. The physical and digital security of the equipment is adequately ensured. The purpose of security measures and procedures is to prevent, and protect against, the unintentional loss, misuse, unauthorised use, disclosure, modification and destruction of data.

Outdated and unnecessary data shall be disposed of in an appropriate manner. Personal data will only be stored for as long as it is necessary for the purposes of processing personal data as defined in this register and data protection policy. Due to the obligations of the Accounting Act or other applicable law, data may need to be stored for longer than the aforementioned period.

9. Right of access and right to demand rectification of data

In accordance with the European Union’s General Data Protection Regulation (GDPR), anyone whose data is stored in the Data Controller’s Customer Register is entitled at any time to:

  • receive transparent information on the processing of personal data
  • have access to information concerning himself/herself or the person he/she represents
  • verify the timeliness and accuracy of personal data concerning them
  • require the rectification of inaccurate personal data and the supplementing of the data
  • request the complete erasure of their personal data
  • require restrictions on the processing of their personal data on grounds relating to a specific personal situation, to the extent that the basis for processing is a legitimate interest or the processing of personal data is based on the consent of the person himself or herself
  • transfer that data to another controller, provided that the processing of the data is based on a contract or consent, not on a legitimate interest and that the processing is carried out automatically

The Data Controller has the right to request further detailed information regarding the customer’s request and, if necessary, to ask the applicant to prove his or her identity before processing the request. The processing of the request may be refused on the grounds laid down by law.
The request for rectification or correction must be sent in writing to the Data Controller. The Data Controller will reply to the customer within the time limit set in the General Data Protection Regulation (GDPR) of the European Union (as a rule within one month).

10. Other rights related to the processing of personal data

Without prejudice to any other administrative or judicial remedy, every Data Subject shall have the right to lodge a complaint with a supervisory authority, in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the Data Subject considers that the processing of personal data relating to him or her infringes this Regulation.

If necessary, the Data Controller may ask the applicant to prove his or her identity. The Data Controller will reply to the customer within the time limit set in the EU’s Data Protection Regulation (as a rule, within one month).

11. Amendment of the register and privacy policy

The Data Controller reserves the right to make changes to the register and data protection policy due to continuous business improvement and development work.

The Data Controller

  • does not restrict the customer’s rights that are described in the register and data protection policy or provided under applicable data protection laws in the jurisdictions in which the Data Controller operates and
  • takes changes in legislation into account in the content of the data protection policy

The Data Controller recommends that you read the register and privacy policy from time to time so that up-to-date information on possible changes is always available.

12. Contact Data Controller or supervisory authority

If you have any questions regarding the register and data protection policy, please contact the customer service of the Data Controller by

  • email info(at) or
  • mail Eettinen Luksus Oy, Vilhonvuorenkatu 12, FI-00500 Helsinki

If you want to contact the supervisory authority of the member state of the European Union, please

  • send mail to Tietosuojavaltuutetun toimisto, PL 800, 00521 Helsinki or
  • call +358 29 566 6700