PRIVACY AND PERSONALISATION INFORMATION

THIS IS MYLLYN PARAS FINLAND OY'S PRIVACY STATEMENT DRAWN UP IN ACCORDANCE WITH THE EU'S GENERAL DATA PROTECTION REGULATION (2016/679) AND THE DATA PROTECTION ACT (5 DECEMBER 2018/1050).

Drawn up on:
13.2.2019

Revised on:
7.4.2021

1. Controller:

Myllyn Paras Finland Oy
PO Box 5
FI-05801 Hyvinkää

Contact person for matters concerning the data file
Myllyn Paras Finland Oy
Johanna Kemppinen
PO Box 5
FI-05801 Hyvinkää, Finland
johanna.kemppinen(at)myllynparas.fi

2. Register name:
Privacy statement for the Myllynparas.com online service

3. Purpose of personal data processing:
Myllyn Paras Finland Oy uses personal data for customer management, provision and delivery of services, product development and marketing and communications, and to fulfil its statutory obligations.

4. Data content and data sources of the register:
Our registry contains information provided by the user: name, email address, phone number, position and organisation, marketing consents and bans, order, delivery and invoicing details, memos, any classification information (such as interests), social media activity, customer feedback and chat conversations. Via cookies, it also contains the user's IP address information or other similar identifier as well as the user's actions in the company's online service.
We collect information through the website using various forms, such as newsletter subscriptions, surveys or contests.

5. Basis for the processing of personal data:
We always ensure that we have a statutory basis for processing personal data. We process personal data on several grounds, but always with at least one processing condition determined by law.

We process customer and marketing register data to comply with agreements and on the basis of our legitimate interest to produce and deliver our services, manage our customers, develop our services, market and communicate about our services and process customer feedback. We may also process personal data on the basis of consent, in which case such consent may be withdrawn at any time by the person in question if it is our only condition for processing such data.

6. Regular disclosure of data:
If necessary, the contact details of the persons in the register will be disclosed confidentially and based on a contract to third parties that need the information for the provision of the service. Such details may be disclosed confidentially to Myllyn Paras Finland Oy's subcontractors in order to provide services to further the objectives set out in this privacy policy, committing to complying with activities as stated in this privacy policy. Depending on the service provider, the information is located in Finland or outside Finland in the data warehouses of the owners of the services used by Myllyn Paras Finland Oy.

Data may also be disclosed outside the EU or the EEA. If data is transferred outside the EU, we will ensure that the country complies with the provisions required by the EU Commission, or the transferee is Privacy Shield certified, referring to US-based parties using model clauses issued by the EU Commission. Any data transfer is always carried out under legal grounds and with sufficient protection mechanisms.

7. Use of cookies:
Our website uses cookies. A cookie is a small text file that is sent to a user's computer and stored there, which allows the webmaster to identify visitors who visit the site frequently, to make it easier for visitors to log in to the site, and to compile aggregate data about visitors. With this feedback, we are able to continuously improve the content of our website. Cookies do not harm users' computers or files. We use them so that we can provide our customers with information and services tailored to their individual needs. If a user visiting our website does not want us to receive the above information through cookies, most browsers allow the user to disable the use of cookies. However, cookies may be necessary for the proper functioning of some of our pages and the services we provide.

We use Google Analytics for visitor analytics. Google Analytics uses cookies to help the online service analyse how it is used. Cookies store information on how you use the online service (including your IP address). The cookie information is sent to and stored on Google's servers, which means that the information may be located outside the EU. Google will use this information for the purpose of evaluating your use of the website, compiling reports on website activity for website operators and providing other services relating to website activity and Internet usage. Google may also transfer such information to third parties if required to do so by law, or to any third party processing the information on Google's behalf. Google will not associate your IP address with any other data managed by Google. By using the website, you consent to the processing of data about you by Google in the manner and for the purposes set out above.

This website uses the HubSpot marketing automation system. HubSpot uses cookies to collect information about how users use our site. We use the information collected by these cookies to compile reports, to help improve the site and to support our marketing. The HubSpot Privacy Policy can be viewed here.

8. Protection principles of the register:
The data will be stored in electronic form, protected and encrypted according to best practices in the industry. Our registry is located in the systems managed by Myllyn Paras Finland Oy and is protected by strong personal passwords, two-factor identification and role-based access restrictions. Data is stored in locked spaces, and all our devices are locked automatically. The register data is collected in systems to which employees of Myllyn Paras Finland Oy have personal IDs and the company's subcontractors have contractual and personal access, as necessary, limited to the scope of the assignment agreement.

9. Rights of the data subject:
The EU General Data Protection Regulation (2016/679) gives the data subject the following rights:
• The right to withdraw consent, i.e. the data subject may withdraw their consent at any time.
• The right to know what data has been stored about the data subject in the register or to find out whether the data subject is in the register.
• The right to correct information, i.e. the data subject has the right to demand the correction of any incorrect information about them in the register. A request for data correction must be made in writing.
• The right to the deletion of data, i.e. the data subject has the right to request the deletion of their personal data if one of the following is true:
  - Personal data is no longer needed for the purposes for which they were collected or for which they were otherwise processed
  - The data subject withdraws their consent and there is no other legal basis for processing
  - The data subject objects to the processing of their data and there is no valid reason for the processing
  - Personal data has been processed illegally
  - Personal data must be deleted in order to comply with a legal obligation applicable to the controller under EU law or the law of a Member State.
• The right to restrict processing, i.e. the data subject has the right to restrict processing if one of the following is true:
  - The data subject contests the accuracy of the personal data, in which case processing is limited until the controller can verify its accuracy
  - The processing is unlawful and the data subject opposes the deletion of personal data and demands the restriction of its use instead
  - The controller no longer needs the personal data in question for the purposes of processing, but the data subject needs it in order to prepare, present or defend a legal claim
  - The data subject has objected to the processing of personal data under Article 21 pending verification whether the controller's legitimate grounds override the data subject's grounds.
• The right to transfer data from one system to another, i.e. the data subject has the right to receive, in machine-readable form, any personal data concerning them which they have submitted to the controller, provided that the processing is based on consent and the processing takes place automatically.

10. Automatic decision-making:
Data shall not be processed automatically to serve as a basis for decisions.