Privacy policy
1. Data Controller
Kameratori Oy (Business ID 2375606-2) ["Data Controller"]
Address: Erkkilänkatu 11 B, PMK-talo, 7th floor, 33100 Tampere, Finland
Phone: +358 10 2311 777
Email: info(at)kamerastore.com
2. Purpose of Processing Personal Data
Personal data is processed and protected in accordance with applicable data protection laws, including the European Union General Data Protection Regulation (2016/679, as amended). The Data Controller processes personal data for the following purposes:
- Managing customer relationships
- Providing services
- Informing about services
- Developing online services and ensuring data security
- Managing customer relationships and customer service
- Fulfilling the rights and obligations of the Data Controller
3. Legal Basis for Processing Personal Data
The legal basis for processing personal data includes the Data Controller's statutory obligations, contracts, consents, and the legitimate interests of the Data Controller. The Data Controller's legitimate interest applies when there is a significant relationship between the data subject and the Data Controller. A significant relationship is established, for example, when the data subject voluntarily contacts the Data Controller or when the Data Controller processes the data subject's personal data to provide the Data Controller's services and products.
4. Processed Personal Data
The Data Controller's register contains information about the Data Controller's customers, representatives of customers, and contact persons, as well as other individuals associated with stakeholders, such as job applicants. The following data may be processed about the data subjects:
- Name
- Contact details (email address, phone number, postal address)
- Bank account number provided by the data subject
- Additional information provided by the data subject
- Personal identification number (only when the customer sells products to Kameratori Oy; the personal identification number is not stored in the digital register, only as part of physical accounting material)
- Company name
- Company Business ID
- Company contact person
- Contact details of the company contact person (email address, phone number, postal address)
- Position of the company contact person within the company
5. Regular Data Sources of the Register
The Data Controller primarily obtains personal data from the following sources:
- From the data subject themselves for the purpose of managing the customer relationship, either based on online store forms or information provided in-store
- From authorities, organizations, and companies that provide credit and personal data updating services
- From public data sources, such as newspapers, the internet, and the trade register
- From social media
- From the cookie data of the users of the online service
6. Recipients of Personal Data
The Data Controller does not generally disclose personal data to third parties unless required to do so by authorities or compelling legislation.
Despite the above, the Data Controller utilizes reliable external service providers in the processing of personal data and the technical delivery and implementation of their services, such as Shopify, Bubble, Gorgias, and Google. External service providers process personal data based on a data processing agreement required by data protection legislation concluded between the parties. The Data Controller ensures that personal data is protected in accordance with applicable legislation and requires compliance with appropriate technical and practical data protection measures from its partners.
The Data Controller may also disclose personal data to another data controller or third party if separately agreed upon with the data subject.
The Data Controller has the right to disclose personal data in connection with a business transaction or other corporate arrangement or when a service provided by the Data Controller is transferred to another service provider.
Personal data is generally not transferred outside the European Union (EU) or the European Economic Area (EEA). However, personal data may be transferred outside the EU or EEA if the information systems and software services used for processing require it. For example, the Data Controller uses Shopify for sales purposes, resulting in personal data being transferred outside the EU or EEA. The Data Controller ensures adequate data protection in accordance with applicable data protection legislation by adhering to adequacy decisions issued by the European Commission (Article 45 of the General Data Protection Regulation) and the data protection framework between the EU and the United States when transferring personal data to the United States.
7. Duration of Personal Data Processing
The Data Controller processes and retains personal data only as long as necessary to fulfill any basis or legal obligation described in this privacy statement.
The activities of the Data Controller are subject to the Act on Preventing Money Laundering and Terrorist Financing (444/2017). Section 3 of Chapter 3 of the Act requires that all customer identification and transaction-related documents and information be retained securely for five years after the end of the permanent customer relationship or the completion of a one-time transaction.
Additionally, personal data that is part of accounting records is retained in accordance with the Accounting Act (1336/1997) for six years from the end of the year in which the financial period has ended.
The Data Controller regularly deletes personal data for which there is no longer a basis for retention or processing. Deletion is carried out in accordance with the Data Controller's own data protection practices.
8. Protection of the Register and Appropriate Processing Measures
The personal data in the register is stored confidentially, and the information contained in the register is adequately protected by encryption, technical restrictions, and separate security software. The Data Controller protects personal data and ensures data security in accordance with commonly used and up-to-date practices, so that personal data is safeguarded against unauthorized access and processing, as well as against unlawful and accidental destruction, loss, and corruption.
Employees of the company sign a data protection policy agreement committing to follow safe practices when handling materials related to personal data in their work and to protect their IT devices and credentials with strong passwords and methods. The company’s personnel have restricted access to different operational environments, such as customer service software, enterprise resource planning software, and sales software. Staff members have personal credentials to log in and use each service individually, and access within the service can be shared according to the necessary functions related to their job tasks.
The Data Controller regularly reviews and assesses its protection and processing measures.
9. Rights of the Data Subject
The data subject has various rights regarding the processing of personal data. However, the data subject may not be able to exercise all of their rights in every situation. The rights may depend on the basis for processing the personal data.
The rights applicable to the data subject on a case-by-case basis are as follows:
Right to Withdraw Consent
The data subject has the right to withdraw their consent for the processing of personal data at any time. The withdrawal of consent does not affect the lawfulness of the processing based on consent prior to its withdrawal.
Right of Access
The data subject has the right to obtain confirmation from the data controller as to whether their personal data is being processed or not, and if so, the right to access the personal data as well as information mentioned in Article 15 of the General Data Protection Regulation (GDPR).
Right to Rectification
The data subject has the right to request that the data controller rectify any inaccurate or incorrect personal data concerning them without undue delay. Considering the purposes for which the data is processed, the data subject has the right to have incomplete personal data completed, including by providing a supplementary statement.
Right to Erasure (Right to be Forgotten)
The data subject has the right to obtain the erasure of personal data concerning them without undue delay, and the data controller has the obligation to erase the personal data without undue delay, provided that one of the grounds for erasure specified in Article 17 of the GDPR applies.
Right to Restrict Processing
The data subject has the right to obtain from the data controller a restriction of processing of personal data if one of the grounds for restriction specified in Article 18 of the GDPR applies.
Right to Data Portability
The data subject has the right to receive their personal data, which they have provided to the data controller, in a structured, commonly used, and machine-readable format, and the right to transmit those data to another data controller without hindrance from the original data controller, if the processing is based on consent or a contract and is carried out automatically.
Right to Object to Processing
The data subject has the right to object at any time, on grounds relating to their particular situation, to the processing of personal data concerning them which is based on the legitimate interests of the data controller. The data controller shall no longer process the personal data unless the data controller demonstrates compelling legitimate grounds for the processing that override the interests, rights, and freedoms of the data subject, or if it is necessary for the establishment, exercise, or defense of legal claims.
If personal data is processed for direct marketing purposes, the data subject has the right to object at any time to the processing of personal data concerning them for such marketing purposes.
Right to Lodge a Complaint with a Supervisory Authority
The data subject has the right to lodge a complaint with a supervisory authority if they believe that the data controller is acting contrary to applicable legislation on personal data processing and data protection. In Finland, complaints can be submitted to the Office of the Data Protection Ombudsman.
Actions of the Data Controller and Exercising Rights
The data controller must provide the data subject with information on the actions taken in response to requests regarding the above-listed rights without undue delay and in any case within one month of receiving the request. The deadline may be extended by a further two months if necessary, taking into account the complexity and number of requests. The data controller must inform the data subject of such an extension within one month of receiving the request, as well as the reasons for the delay. If the data subject submits a request electronically, the information must be provided electronically where possible, unless the data subject requests otherwise.
To exercise their rights, the data subject must contact the data controller by sending an email to info(at)kameratori.fi. The data controller aims to respond to the inquiry as soon as possible and resolve the matter. If the request is unreasonable or unfounded, the data controller may refuse the request.
10. Processing of Personal Data and Profiling
The data controller does not use automated decision-making, such as automatic profiling, as part of the processing of personal data.
11. Use of Cookies
The data controller uses cookies on its website to enhance the user experience. Cookies are small text files that the browser stores on the device of the user visiting the website. Some cookies are essential for the proper functioning of the website. According to legislation, the data controller may store cookies on the data subject's device if they are necessary for the operation of the website. The use of all other cookies requires the consent of the data subject.
The data subject can make choices on the website regarding the purposes for which cookies are collected. Based on the data subject's choices, the data controller may use cookies to customize the website, analyze visitor numbers, and for marketing purposes. Some cookies on our website are set by third parties.
12. Which Country's Laws Apply to Data Processing?
The processing of personal data in this register is governed by Finnish law as well as directly applicable EU legislation in Finland, such as the EU General Data Protection Regulation (GDPR).
13. Updating the Privacy Notice
This privacy notice was last updated on September 30, 2024.
The data controller reserves the right to change this privacy notice.