Privacy Statement

1 Registrar

The registrar for the register is jewelry brand Icemafia.

 

2 Register name

The register name is “Customer Register of Jewelry Brand Icemafia Oy.

3 Purpose of Processing Personal Data

Personal data is processed for purposes related to the management, administration, and development of customer relationships, the provision and delivery of services, as well as for service improvement and billing purposes. Personal data is also processed for the purposes of investigating possible complaints and other claims.

Additionally, personal data is processed for customer-oriented communication, such as information dissemination, newsletters, and marketing, including direct marketing and electronic direct marketing purposes.

Customers have the right to refuse direct marketing addressed to them.

The data controller processes the information themselves and may also utilize subcontractors who process personal data on behalf and for the account of the data controller.

4 Legal Bases for Processing

The legal bases for processing personal data are as follows, in accordance with the EU General Data Protection Regulation (GDPR):

  • The data subject has given consent for the processing of their personal data for one or more specific purposes (GDPR Article 6(1)(a)).
  • Processing is necessary for the performance of a contract to which the data subject is a party or for pre-contractual measures taken at the data subject’s request (GDPR Article 6(1)(b)).
  • Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party (GDPR Article 6(1)(f)).

The aforementioned legitimate interest of the data controller is based on a relevant and appropriate relationship between the data subject and the data controller, resulting from the data subject being a customer of the data controller, and when the processing is carried out for purposes that the data subject could reasonably expect at the time of data collection and in connection with the appropriate relationship.

5 Register Data Content (Categories of Processed Personal Data)

The register contains the following personal data, by default, of all registered individuals:

  • Basic personal information and contact details: first name, last name, address, phone number, email address.
  • Information related to the individual’s business or other organization, and the individual’s position or job title within that company or organization.
  • Direct marketing permissions and restrictions.

6 Regular Data Sources

Personal data is collected directly from the data subject themselves.

Personal data is also collected and updated, within the limits of applicable legislation, from publicly available sources related to the implementation of the customer relationship between the data controller and the data subject. These sources enable the data controller to fulfill their obligations regarding the maintenance of customer relationships.

7 Retention Period of Personal Data

The collected data in the register is retained only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected.

The need for retaining personal data is assessed every five years, and in any case, the information concerning the data subject is removed from the register after the termination of the customer relationship between the data subject and the data controller, and when the obligations and actions related to the customer relationship have been completed. For example, accounting records are retained for six years from the end of the financial year.

The data controller regularly assesses the necessity of data retention in accordance with its internal policies. Additionally, the data controller takes all reasonable measures to ensure that inaccurate, erroneous, or outdated personal data is promptly deleted or corrected in relation to the purposes of the processing.

8 Recipients of Personal Data (Recipient Groups) and Regular Disclosures of Data

Personal data is not disclosed to external parties.

9 Transfer of Data Outside the EU or EEA

The personal data included in the register is not transferred outside the European Union (EU) or the European Economic Area (EEA).

10 Principles of Register Protection

Materials containing personal data are kept in locked premises accessible only to designated individuals authorized for access due to their tasks.

The database containing personal data is stored on a server kept in a locked room, accessible only to designated individuals authorized for access due to their tasks. The server is protected by appropriate firewall and technical safeguards.

Access to the databases and systems is granted only through individually assigned personal usernames and passwords. The data controller has restricted the access rights and permissions to information systems and other storage platforms, allowing only authorized individuals necessary for the lawful processing of data to view and handle the information. Additionally, usage events of databases and systems are recorded in the data controller’s IT system logs.

Employees and other individuals associated with the data controller are committed to confidentiality and are obliged to keep confidential any information obtained during the processing of personal data.

11 Rights of the data subject

The data subject has the following rights under the EU General Data Protection Regulation:

  1. The right to obtain confirmation from the data controller as to whether or not personal data concerning them are being processed, and if so, the right to access the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data involved; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or if not possible, the criteria used to determine that period; (v) the right to request the rectification or erasure of personal data or the restriction of processing of personal data concerning the data subject, and to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) if the personal data are not collected from the data subject, any available information regarding their source (Article 15 of the GDPR).

  2. The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (Article 7 of the GDPR).

  3. The right to obtain without undue delay the rectification of inaccurate personal data concerning the data subject and the right to have incomplete personal data completed, including by means of providing a supplementary statement, taking into account the purposes of the processing (Article 16 of the GDPR).

  4. The right to obtain the erasure of personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; (iii) the data subject objects to the processing for personal reasons, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation under Union or Member State law applicable to the data controller (Article 17 of the GDPR).

  5. The right to obtain the restriction of processing if (i) the accuracy of the personal data is contested by the data subject, for a period enabling the data controller to verify the accuracy of the personal data; (ii) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the data controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise, or defense of legal claims; or (iv) the data subject has objected to processing pending the verification whether the legitimate grounds of the data controller override those of the data subject (Article 18 of the GDPR).

  6. The right to receive the personal data concerning the data subject, which they have provided to the data controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller without hindrance from the data controller to which the personal data have been provided, where the processing is based on consent and carried out by automated means (Article 20 of the GDPR).

  7. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the GDPR (Article 77 of the GDPR).

Collapsible content

Business Registration Number

3341801-6

Registered Business Name

Rattware

Registered Business Address

Juholantie 97, 07190, Pornainen