Privacy policy

The Data controller collects and processes personal data about the decision-makers, contact persons and representatives (“Data Subjects”) of the Data Controller’s current and potential customers, suppliers or partner companies and entities (“Company”). 

The Data Controller collects and processes the following personal data about the Data Subjects: 

Data group	Description	Where is the information collected and updated?
Basic	Company information (including billing and delivery information), name, title or profession, position or task in the company, work-related contact information (mailing and visiting address, email address, telephone number), year of birth, gender, native language, service language, preferred method of contact	Data subject  Data controller  Public and private registers, such as the Trade Register, Posti, Fonecta, and the Finnish Customer Marketing Association
Identification information	Verification, identification and personal identification data of the registered person, e.g. name and personal identification number, right to represent the Company	Data subject  Data controller  Trade Register, Asiakastieto Oy
Credit information	Credit information of the company's responsible person	Credit reporting agencies in connection with a credit check
Marketing information	Information regarding the data subject's duties and position in business or public office, professional interests,  information about requests for quotations, inquiries made by the Data Subject, as well as offers sent to the Data Subject and other pre-contractual marketing activities and contacts  Consents, prohibitions, restrictions and authorizations given by the data subject regarding the use of data and direct marketing  other information provided by the Data Subject	Data subject (e.g. in connection with service events or participation in events)  Data controller  Company website  public and private registers, such as the commercial register and contact information services, e.g. Suomen Asiakastieto Oy, Fonecta Oy, Posti Oy
Usage data for electronic services	Access rights, usernames and passwords, other possible identification information	Data controller, Data subject
	Usage history and log data recorded when using electronic services	Data subject  Data controller's information systems
	Newsletter usage data: email address, data regarding sending, receiving and reading	Data subject  Information systems of the controller and its subcontractor
	Online service usage and browsing data: page from which the user has accessed the Data Controller's website, device model, unique device and/or cookie identifier, data collection channel (internet browser, mobile browser, application), browser version, IP address, session identifier, session time and duration, screen resolution and operating system, country/city level location	Data subject ( using cookies, advertising tags, etc.) information about the use of Internet and mobile services and newsletters.
Information regarding suspected crimes	Information about suspected crimes or misconduct	Data Controller, Company, Data subject
Information regarding a customer or other relationship	Communication and other activities in the relationship between the Controller and the Company, Newsletter subscription and cancellation information	Data controller, Data subject
Event organization information	Participation information, e.g. invitation, registration and participation information related to events, competitions, raffles and other events organized by the controller	Data subject
	Health information: essential dietary and accessibility information	Data subject
	Photos and videos taken from events	Data controller
Profile and classification information	Based on the analysis and profiling of the data described above, classifications, segments and profiles are formed for the purposes of processing in accordance with this statement.	The data is generated automatically based on the customer register data .

 

Company information is not personal data. 

Legal transactions and documents between the Data Controller and the Company (e.g. electronic transaction forms, requests for quotations, offers, orders, agreements, etc.) that the Data Subject has performed on behalf of the Company as its representative, as well as the Data Subject's information contained therein, are not personal data, but information describing the Company and are not subject to the Data Subject's rights and data protection legislation. 

 

4. Legal basis and purposes of processing personal data 

referred to in Section 3 are processed on the legal grounds and for the purposes set out in the following table:

Purpose of processing	Data groups to be processed	Legal basis
Advertising and targeting of the of the Data Controller's services and events related to the data subject's work tasks and its targeting in the Data Controller's own and other Internet and mobile services and applications; direct marketing and its targeting by telephone, letter, email, text message and otherwise electronically; conducting opinion and market research, organizing marketing competitions and other events	Basic  Marketing information  Customer or other relationship information  Usage data for electronic services  Profile and classification information  Event attendance information	The legitimate interest of the Data controller to conduct business and market its services (Article 6(1)(f) GDPR)  Regarding the use of online services and browsing data, the Data subject's consent to the use of cookies (Act on Electronic Communications Services, Section 205)
providing customer, support and other services  handling contacts, managing, developing and maintaining customer relationships,  customer communication and contact by letter, telephone, email, text message or other electronic means  customer satisfaction and other customer surveys and polls  business and service development	Basic  Marketing information  Information regarding a customer or other relationship  Usage data for electronic services  Event attendance information  Profile and classification information	The legitimate interest of the Data Controller, based on the right to conduct business and the customer, supplier or other relationship between the Data Controller and the Company (Article 6(1)(f) of the GDPR)
Providing a newsletter service	Newsletter subscription, usage and cancellation information	Implementation of a registered newsletter subscription (Article 1, point 6 b) of the GDPR
Organizing events	Basic Event organization information	The legitimate interest of the Data controller based on the right to conduct business (Article 6(1)(f) GDPR)
	Health information	Data subject consent  (Article 6(1)(a) GDPR)
Information provided by the Controller regarding events in the media, the Internet, and social media	Photos and videos taken from events	Data subject consent  (Article 6(1)(a) GDPR)
Ensuring data security	Basic  Data on the use of the controller's electronic services	Compliance with a legal obligation (Article 6(1)(c) GDPR and Article 32 of the Act on Electronic Communications Services)
Detecting, preventing and investigating fraud and other crimes and abuses	The information required for the purpose of use mentioned in paragraph 3 above and information regarding suspected crimes	The legitimate interest of Data  controller in preventing crimes against it and other parties (Article 6(1)(f) of the GDPR)
Carrying out the Company and Data Subjects' and other statutory duties of the Controller	All information required for each statutory task mentioned in section 3 above	Compliance with a legal obligation, e.g. regulatory reporting  (GDPR Article 6(1)(c))
Analysis, statistics and profiling for the development of services and customer relationships, as well as for marketing	All information mentioned in section 3 above and declared to be processed for each purpose of use in accordance with this statement	The Data controller's legitimate interest based on the customer relationship  (GDPR Article 6(1)(f))
	Online service usage and browsing data	Data subject's consent to the use of cookies (Act on Electronic Communications Services, Section 205)

 

The Data Controller does not use automated decision-making in its activities concerning Data Subjects and does not process personal data using artificial intelligence. 

 

5. Disclosure of information 

The Data Controller discloses the personal data of the Data Subjects to the following parties, who process them as independent controllers in accordance with their own data protection declarations: 

Transferees	Purpose of the transfer
The controller's respective subsidiaries, e.g. Mysoda Oy, Mysoda Scandinavia Aps, Mysoda Deutschland GmbH, Mysoda France SAS	Fulfilling the purposes of this statement
Transport and logistics service providers	Warehousing and order delivery
Banks and other providers of billing and payment services	Invoicing, paying, and tracking subscription fees
The Data controller's legal advisors and auditors	Performing legal assignments and auditing
Authorities, e.g. police, enforcement authority, tax administration	Implementing the authority's statutory right to information

 

Personal data will not be disclosed to other parties without the consent of the Data Subject, except if it is necessary to fulfill the Data Controller's legal obligations, in connection with legal proceedings, at the request of authorities, or as part of business arrangements. 

 

6. Transfer of data for processing by subcontractors 

The Data  has the right to use subcontractors in the processing of personal data in accordance with this statement. In this case, personal data may be transferred to subcontractors to the extent necessary for the implementation of the subcontractor's services. Each subcontractor processes personal data only to the extent necessary for the performance of the subcontractor's tasks. The subcontractors process personal data on behalf of and for the account of the Data Controller in accordance with the Data Controller's instructions. The subcontractors are bound by the agreements concluded with the Data Controller regarding the processing of personal data, including the terms and conditions regarding confidentiality and data security. 

The Data controller uses subcontractors for the following tasks: 

Subcontractor or group	Task
The controller's respective subsidiaries, e.g. Mysoda Sweden Ab, Mysoda Scandinavia Aps, Mysoda Deutschland GmbH, Mysoda France SAS	tasks related to sales, ICT services, marketing, logistics and customer service
Shopify International Limited, 2nd Floor, Victoria Buildings 1-2, Haddington Road, Dublin 4, D04 XN32, Ireland  https://www.shopify.com/en/legal	Shopify acts as the provider of the functionality (platform service) of Mysoda's online store. A list of Shopify's subprocessors and the services they perform and the data they process can be found here.
Klaviyo, Inc., 125 Summer Street, Floor 6, Boston, MA, 02110, United States  https://www.klaviyo.com/legal	Klavio produces the Mysoda newsletter service. A list of Klavio's subprocessors and the services they perform and the data they process can be found here.
Advertising and marketing agencies	marketing, analytics
Financial management service providers	accounting and other financial management services
ICT suppliers	design of online stores and other applications, cookie management, telecommunications services, other electronic communication services, information security services, information system services
Google Inc.	Statistical monitoring of Internet services is carried out by Google Inc. on behalf of the Data Controller in accordance with the cookie consent given by the Data Subject. Google may also use the information collected by cookies for its own marketing purposes in accordance with the cookie consent and its own terms of use and privacy policy. Google is responsible for its own cookies and the information it collects for its own use, see more information here.

 

7. Transfer of data to third countries 

The Data controller may also transfer or transfer personal data to a country outside the EU/EEA. The transfers mainly consist of the transfer of personal data to Shopify Inc., which is established in Canada and is subject to the EU Commission Decision 2002/2/EC of 20 December 2001 on the adequate protection of personal data provided by the Canadian Personal Data Protection and Electronic Documents Act. The transfer of data to the USA is based on the EU Commission Decision of 10 July 2023 on the adequacy of the data protection provided by the EU-US data protection framework. 

Unless the European Commission has decided that the level of data protection in the destination country is acceptable, the Data Controller shall ensure adequate data protection by concluding written agreements with the recipient using standard contractual clauses approved by the European Commission or other legal procedure. The standard contractual clauses can be found at: https://eur-lex.europa.eu/legal-content/FI/TXT/PDF/?uri=CELEX:32021D0914    

 

8. The controller's processing of personal data concerning social media users 

The Data Controller's website uses social media functions (i.e. community plugins), such as Facebook, Instagram and TikTok buttons, which take you to community pages maintained by the Data Controller. 

Social media services share user information with the Data Controller in accordance with their privacy policies and the consents given by users, e.g. comments and links shared by the user in the media regarding the Data Controller's sites and information contained in the user's public profile. The Data Controller processes personal data obtained through its community sites on the basis of legitimate interest only for the Data Controller's own purposes, such as informing about new products, services or offers, implementing competitions and raffles, receiving feedback, purchasing advertising on the social media service, measuring the reach of pages or advertisements or providing customer service on community sites. The Data Controller does not process information outside of social media, and the information shared by them is not combined with other data or registers of the Data Controller without the user's consent. 

Social plugins are the responsibility of the company providing them. They are primarily responsible for complying with data protection legislation and implementing data security and the rights of the Data Subject on the service. You can familiarize yourself with the privacy policies of social media and manage their privacy settings on a service-specific basis: 

Facebook and Instagram: https://www.facebook.com/privacy/policy/

TikTok: https://www.tiktok.com/legal/page/eea/privacy-policy/en

 

9. Principles of register protection 

Only those persons who need the information to perform their work duties are entitled to use the information. Personnel processing personal data have been given training and instructions on data protection. Personnel and subcontractors processing the information are committed to confidentiality obligations. Information regarding suspected crimes is kept separate from other information about the Data Subject. 

Personal data is stored in locked facilities that meet the data protection level and are monitored by automatic access control. The protection of electronically stored data is based on access control, user identification, technical protection of databases and servers, e.g. firewalls and other security software, data encryption, data traffic protection, data backup, and the collection of log data and monitoring of security events. 

A description of the security measures used on the Shopify e-commerce platform can be found here: https://www.shopify.com/security  

10. Personal data retention periods 

Data group	Storage time
Information collected based on consent	As long as the consent given by the data subject is valid.
Recordings of phone calls and remote meetings	12 months from recording
Usage data of electronic services collected using cookies	In accordance with the deadlines stated in connection with cookie consents
Other Electronic Services Usage Data	A maximum of 5 years after the end of the customer, supplier or other relationship between the Data Controller and the Company or after the Data Controller has been informed that the Data Subject is no longer employed by the Company
Basic information and Marketing information	Permanently, within the limits permitted by law, unless the Data Subject has prohibited the processing of the data.
Anonymized data	Information that does not identify a person may be stored permanently.
Backups	In accordance with the controller's normal retention and deletion schedules
Other personal information	A maximum of 2 years after the end of the customer, supplier or other relationship between the Data Controller and the Company or after the Data Controller has been informed that the Data Subject is no longer employed by the Company

 

Data may be retained after the aforementioned retention periods for the establishment, exercise or defense of legal claims, until the claims have been finally resolved and in accordance with the requirements of applicable law. 

The controller shall regularly assess the necessity of retaining personal data, e.g. identification and authentication data and documents no later than three years after the previous review of the necessity of retention. In addition, the Data controller shall take reasonable measures to ensure that no personal data of the data subjects that are incompatible with the purposes of the processing, outdated or incorrect are retained in the register. 

11. Data subject rights 

The data subject has the right to inspect the information about him or her stored in the personal data register and to demand the correction or deletion of incorrect, outdated, unnecessary or unlawful information. 

The data subject does not have the right to inspect information concerning suspected crimes. The Data Protection Ombudsman may, at the request of the data subject, inspect the lawfulness of the processing of this information. 

The data subject has the right to cancel the newsletter subscription and the right to withdraw previously given consent to the processing of their personal data at any time. Withdrawal of consent does not affect the lawfulness of the processing that took place before the withdrawal of consent. 

The data subject has the right to prohibit the use of their data for direct marketing, opinion and market research, including related profiling. 

When the processing of personal data is based on legitimate interest, the Data Subject has the right to object to the processing of their data on grounds relating to their particular personal situation. The Data Subject must specify the particular situation on which the objection is based in the request. 

The data subject may demand the restriction of the processing of their personal data, for example, its suspension in whole or in part, if the data subject believes that there is uncertainty about the accuracy of the data or its processing, until the uncertainties regarding the data are clarified and resolved. 

If the Data Subject has provided their personal data to the Data Controller and the processing is based on consent or agreement, they have the right to receive this data in a structured, commonly used and machine-readable format and the right to transfer the data to another Data Controller in accordance with applicable law. 

The Data Subject may exercise the above rights by sending requests in writing or by email to the Data Controller (contact information is provided at the beginning of the statement). If necessary, the Data Controller may ask the Data Subject to specify their request in writing and to prove their identity. 

The data subject has the right to file a complaint about the processing of personal data with the Data Protection Ombudsman.