This is the privacy statement of Stala Oy, in accordance with the General Data Protection Regulation of the EU. Prepared on 25 May 2018. Last amended on 28 September 2022.
1. Data controller
Stala Oy (Business ID: 1568546-0)
Tel: +358 3 882 110
2. Contact person for matters related to the register
Tel. +358 3 882 1145
3. Register name
Register based on a customer relationship with StalaShop.
4. Legal basis and the purpose of processing personal data
The legal basis pursuant to the General Data Protection Regulation of the EU for processing personal data is the consent of the person which the person gives by purchasing a product from StalaShop (the data subject is a party of the purchasing agreement).
The data given in the order form is saved in the customer register of StalaShop. The register data is used for maintaining the customer relationship; processing and paying of orders, information related to deliveries and returns, and other communications related to the customer relationship.
The data will not be used for automated decision-making or profiling.
5. Data content of register
The data saved in the register includes: the person’s name, delivery and invoicing address, email address, phone number, (company/organisation and Business ID, in case of a company) and payment method in the manners referred to in section 4.
The IP addresses of the website visitors and the cookies necessary for the operation of the website are processed on the basis of legitimate interest for purposes such as ensuring adequate data security and collecting statistics on the website visitors in cases where they can be deemed to be personal data. If necessary, consent will be asked separately for third party cookies.
6. Regular sources of information
The data to be saved in the register is obtained from customers from messages sent via www forms in which the customers disclose their data.
7. Regular disclosing of data and transfer of data outside the European Union or the European Economic Area
As a tule, data is not disclosed and it is not transferred outside the European Union or the European Economic Area. An exception to this are the nameplate orders managed by the data controller, in which case only the necessary personal data is disclosed to a cooperation partner operating in Finland in order to enable the processing and delivery of the nameplate orders.
8. Register protection principles
The processing of the register observes the principle of carefulness and the data processed with the data systems is protected appropriately. The register is only kept in a digital form and it is kept on servers that are protected with passwords, provided by outside service providers, and used by the data controller. The use of the data is restricted with user accounts and passwords. The register is protected with necessary technological and organisational measures. The data is collected in databases that are protected with user accounts, passwords, firewalls and other technical measures.
The servers in which the databases are kept are located in locked spaces. The databases can only be processed by persons separately authorised to do so.
9. Right of inspection and right to demand correction
Every person included in the register has the right to inspect their data saved in the register and demand that any possible errors be corrected or incomplete data be completed. If a person wants to inspect their saved data or demand that it be corrected, the request must be sent in writing to the data controller. If necessary, the data controller can ask the person to verify their identity. The data controller shall reply to the customer within the timeframe set in the General Data Protection Regulation of the EU (in general, within a month).
A data subject who wants to inspect the data concerning them must present the associated request to the data controller as a document that is signed by the data subject or as a similarly verified document. The data subject can also present the request at a facility of the data controller.
Inspecting the data is possible once the data subject sends a signed inspection request in writing by email to the address email@example.com or by post to the address:
10. Other rights related to the processing of personal data
A data subject is entitled to request that the personal data concerning them be removed from the register (‘right to be forgotten’). Similarly, a data subject has, in addition to the rights pursuant to the General Data Protection Regulation of the EU, other rights to limit the processing of their personal data in certain situations. The requests must be sent to the data controller in writing to the address given in section 9 or by email to the address firstname.lastname@example.org. If necessary, the data controller can ask the person to verify their identity. The data controller shall reply to the customer within the timeframe set in the General Data Protection Regulation of the EU (in general, within a month).