CUSTOMERS AND POTENTIAL CUSTOMERS

INTRODUCTION

We at Kuusakoski (Kuusakoski Oy, business ID 1589236-3) (Kuusakoski) respect your privacy.

This page contains information about how we process your personal data as the data controller if you are our customer, a potential customer, or represent a customer company. For information on personal data processing, see here for other stakeholders, here for other Kuusakoski group companies, and here for personal data related to our website. We also treat you or the company that you represent as a customer of Kuusakoski if you deliver recyclable materials to us and we either pay you or the company for the materials.

For information about your rights, see Information about data subject rights and how to exercise them below.

We may update this privacy policy as needed to keep up with legislation, for example, and we will announce all material changes.

WHAT PERSONAL DATA IS PROCESSED?

Kuusakoski serves both businesses and private individuals. In addition to customer data, we process the personal data of potential customers and company representatives.

We collect the following basic details about every customer:

  • customer name (private customers) or contact person name (corporate customers)

  • personal identity code (collected from private customers as necessary for reporting to the authorities)

  • contact information (street address, phone number and email address)

  • banking information

  • employer and position or job information (corporate customers).

In addition, we collect other data related to the customer relationship and other appropriate connections, such as targeted marketing information for potential customers, including:

  • credit rating (when a credit check is justified)

  • contract, order and invoicing information

  • registration information for scrap vehicles

  • registration numbers of vehicles bringing materials for weighing

  • direct marketing permissions and restrictions

  • information regarding sales or sales project meetings, phone calls, and other conversations, including email correspondence

  • information regarding realised marketing actions

  •  online browsing information (for more information on this type of collection and processing, see here).

WHAT IS THE PURPOSE AND BASIS FOR PROCESSING PERSONAL DATA?

We process personal data based on the following:

  • Fulfilling an agreement for a product or service that you have ordered (or was ordered by the organisation that you represent). This basis also includes measures related to invoicing and customer service.

  • Your consent (when you have consented). This concerns direct marketing targeted at you. You always have the right to revoke your consent.

  • Legitimate interest (when one exists). A legitimate interest is used as the basis when direct marketing is sent based on an existing customer relationship, for example, or when credit status or abuse is investigated. You always have the right to opt out of direct marketing. For more information on how we prevent and investigate abuse, see [here].

  • Statutory obligations. For example, official rules and accounting regulations concerning the scrapping of vehicles.

HOW LONG IS PERSONAL DATA KEPT?

We keep personal data only for as long as is necessary for the purpose of said data. Customer data is typically kept for three (3) years after the end of the customer relationship, after which we passivate the information. Passive customer data includes name, address and order information, and is kept for ten (10) years after the end of the customer relationship. Consent-based marketing data is kept for processing for a maximum of five (5) years or until you revoke your consent, if this occurs sooner.

Your personal data may be kept for longer if required by mandatory legislation, legal claims presented to us, or a period for filing a suit or claim based on law or an agreement. For example, accounting regulations require that data included in accounting records must be kept for six or even ten years, regarding the legislation applicable to the data controller.

Data that is processed for legitimate interests is kept for as long as the legitimate interest can be reasonably considered to exist. We determine this primarily based on contact between yourself and Kuusakoski, such as communication about sales projects in their active stage. If you revoke your consent for marketing or restrict the use of your personal data for direct marketing, we will delete your data. In this case, we will still record your direct marketing restriction information. You have the right to request the erasure of your data and we will always comply, unless we have a specific reason to keep the data.

Once your personal data is unneeded, it is destroyed in a secure manner or anonymised beyond recovery. Data that is obsolete and marked for deletion will be destroyed during regular database batch runs.

HOW IS PERSONAL DATA PROTECTED?

The databases containing your personal data are protected by firewalls, passwords, and other technical means. The databases and their backups are located in secure facilities. We ensure that the data is only accessible by those Kuusakoski employees and the employees of companies working for Kuusakoski who need it to carry out their work.

As a rule, any non-electronic materials (customer data forms on paper, for example) are scanned and sent to be archived electronically in a database. The original material is then destroyed in a secure manner, unless there is a specific reason to keep it (statutory requirements, for example). Manually processed documents that contain your personal data are kept in secure facilities that prevent unauthorised access.

HOW IS PERSONAL DATA COLLECTED?

We primarily collect data from you when you fill in forms for orders, communicate in different ways (calls and email), join the Kuusakoski mailing list, or participate in marketing raffles and other such events. Data is also collected in other ways in the course of your customer relationship and the ordered services’ delivery, including customer service situations on the phone or by email and service delivery through Kuusakoski partners (transport services and end-of-life vehicle recyclers, for example). Kuusakoski employees record the essential contacts for active sales projects in our marketing database.

We may also collect and update data from our other registers, including group company registers, based on legitimate interests or consent, as well as those authorities and companies who offer personal data services, such as LinkedIn and Suomen Asiakastieto Oy, to the extent that these parties are allowed to disclose information for Kuusakoski’s direct marketing purposes or other justified purposes (credit reports, for example).

WHO IS PERSONAL DATA SHARED WITH? (PARTNERS AND THIRD PARTIES)

We may transfer your personal data to third parties, such as service providers acting as our subcontractors, if it is necessary for the purpose of your personal data’s processing. If we transfer personal data to a party who processes it on our behalf (data processor), we have contractual and other arrangements in place to ensure that the personal data is only processed according to our written instructions and only for the purposes specified in this privacy policy. Furthermore, we ensure that access to the personal data is restricted to people who need it for their work.

We may transfer your personal data in order to realise services or tasks that we have delegated to data processors. For example, these tasks include services related to information systems and software, data processing services, marketing services, switchboard services, invoicing and collection services, and transport services.
We also disclose information to the authorities as required by law, including Traficom, ELY Centres, the Tax Administration, and the police for statistics, taxation, or other official review.

Based on legitimate interests, your personal data may also be processed by other companies within the Kuusakoski group. If Kuusakoski sells its personal data processing business or a part thereof or otherwise reorganises its operations, Kuusakoski may hand over personal data to the buyers and their advisors in accordance with the current regulations.

IS PERSONAL DATA TRANSFERRED OUTSIDE THE EUROPEAN ECONOMIC AREA?

We keep your data on servers located within the European Economic Area (EEA), but some of our subcontractors can access your personal data from outside the EEA. Kuusakoski operates as a single global organisation, and the employees of companies belonging to the Kuusakoski group have non-EEA access to your personal data as required (from China, the UK and the USA, for example).

In such cases, we ensure that these parties are committed to a sufficient level of data protection in personal data processing by

  • verifying that the European Commission has issued a decision on sufficient data protection in the target country (the UK, for example); OR

  • verifying that the data transfer is based on the protections required by the European Union’s General Data Protection Regulation (GDPR), such as the standard contractual clauses approved by the European Commission.

For more information on cross-border customer information transfers and the applicable protection, please contact Kuusakoski’s customer service (see the contact information at the end of the page).

INFORMATION ABOUT DATA SUBJECT RIGHTS AND HOW TO EXERCISE THEM

The GDPR gives you a set of rights that you may exercise in different situations to dictate how your personal data is processed. You may exercise the following rights with Kuusakoski when Kuusakoski is the data controller of your data:

  • Right of access: You have the right to receive confirmation of whether Kuusakoski is processing your personal data and also the right to access and review your information.

  • Right to rectification: You have the right to have inaccurate or incorrect personal data rectified and have incomplete data completed.

  • Right to erasure: You have the right to have your personal data erased and Kuusakoski is obligated to delete such data once there is no legitimate basis for its processing, the statutory or contractual obligation for their keeping has expired, or you have revoked your consent for the processing of personal data.

  • Right to restriction of processing: You have the right to request the restriction of your personal data’s processing (when waiting for a response to a request to correct or erase your personal data, for example).

  • Right to data portability: If certain statutory requirements are met, you have the right to receive your personal data in a commonly used and machine-readable format and to transmit said data to another data controller without hindrance from Kuusakoski.

  • Right to object: You have the right to object to the processing of your personal data when Kuusakoski processes it based on a legitimate interest. In this case, Kuusakoski is obligated to comply with your request, unless compelling legitimate grounds can be demonstrated that override the interests, rights, and freedoms of the data subject, or the processing is required for the establishment, exercise, or defence of legal claims. You always have the right to object to direct marketing.

  • When personal data processing is based on your consent, you have the right to revoke the consent for processing at any time.

In certain situations, you may review and correct your information in electronic services provided by Kuusakoski. If you cannot access these electronic services, you may contact Kuusakoski’s customer service (see the contact information below). Requests for erasure and transmission, as well as objections, must be presented to Kuusakoski’s customer service.

Customer service contact information:

Norokatu 5, 15170 Lahti, Finland
+358 800 308 80
asiakaspalvelu@kuusakoski.com

Upon your request, Kuusakoski will take immediate action and will generally deliver a report of its actions within one month of receiving your request.

In addition, you have the right to lodge a complaint with the supervisory authority regarding Kuusakoski’s processing of personal data. The complaint must be addressed to the competent supervisory authority – in Finland, this is the Data Protection Ombudsman – in accordance with their instructions. The Office of the Data Protection Ombudsman has a website, www.tietosuoja.fi.

This page was last updated on: 25/10/2021