This privacy policy and statement of Skand Oy in accordance with the Finnish Data Protection Act and the EU General Data Protection Regulation (GDPR) was prepared May 24, 2018. Latest revision May 24, 2018.

This privacy statement explains how Skand Oy (business ID: 2492105-8) processes personal data, the personal data it collects, the purposes for which personal data is used, and the parties to whom personal data may be disclosed.

Skand Oy has made a commitment to protecting the privacy of all persons, such as customers and users, in accordance with the EU General Data Protection Regulation (GDPR) and data protection legislation as well as any other relevant legislation, and to processing personal data in accordance with accepted data management and data processing practices. This privacy statement applies to all services, applications, systems, and channels offered by the company. Controller

1. Controller
   Skand Oy, Korkeakoulunkatu 7, 33720 Tampere
   Business ID: 2492105-8
2. Person in charge of register-related matters
   Miika Utoslahti, info@skand.fi, +358 2 480 9060
3. Name of register
   Customer and marketing register of the company
4. Legal basis and purpose of the personal data processing
   The legal grounds for the processing of personal data under the EU General Data Protection Regulation is based on the legitimate interest of the controller (customer relationship and employment relationship).
   
   The purpose of the processing of personal data is:
   – Purchase of Skand Oy’s products and services
   – Management of stakeholder relations
   – Delivery of products and services
   – Interest group satisfaction, opinion, and market research surveys
   – Personalized customer service pertaining to products and services and targeted customer communication and monitoring the use of services
   – Marketing communication and its targeting toward interest groups
   – Compilation of statistics and processing of information
   – Realization of rights and obligations arising from legislation
   – Risk management and prevention of misconduct and abuse
   – Securing the safety of the property of Skand Oy and interest groups
   
5. Register contents
   The data stored in the register includes: name of the person, possible company/organization, contact information (telephone number, email address, address), possible IP address of network connection, user accounts/profiles on social media platforms, information pertaining to purchased services and products and the related changes, invoicing information, other information pertaining to the customer relationship and purchased services. Skand Oy stores personal data for as long as it is necessary in order to ensure the realization of the purposes specified in the privacy statement, unless legislation requires the personal data to be stored for longer (such as the liabilities and obligations pertaining to specific legislation, accounting requirements, or reporting requirement), or unless the company needs the information for the preparation or presentation of or defense against a legal claim.
   
   The storage period and storage of data varies depending on the personal data category based on the intended purpose of each personal data category. Skand Oy may in accordance with legislative requirements use the personal data of a data subject for communication after the customer relationship has been concluded or if a data subject has provided their contact information in the context of a competition or prize draw, when providing feedback, or ordering an electronic newsletter. Personal data is processed for the duration of a customer and contractual relationship and for the time period necessary following the conclusion of the customer and contractual relationship.
   
   Information pertaining to the identification of a customer shall be stored for the period required by legislation. When personal data is no longer required in the manner specified above, the data is erased within a reasonable time or converted into a format which no longer enables the person to be identified directly or indirectly.
   
6. Regular sources of data
   The data stored in the register is sourced from the customer using, inter alia, messages sent through online forms, email or telephone, website visit information and social media platforms, agreements, customer meetings, and other such circumstances where the customer provides their information.
7. Processors and recipients of personal data
   Skand Oy processes personal data in compliance with the data protection legislation. The company may also use third-party service providers for the processing of data. The company selects the service providers carefully and ensures through sufficient contractual obligations that the personal data is processed appropriately and legally. In case of an emergency or some other unforeseeable circumstance, the company may also have to disclose the personal data of data subjects in order to protect the lives and health of people as well as property. In addition, the company may be forced to disclose the personal data of data subjects if it is involved in legal proceedings or other proceedings taking place in dispute resolution bodies. If Skand Oy is party to a merger, asset acquisition, or some other form of corporate transaction, it may have to disclose the personal data of data subjects to third parties. The disclosure of personal data to third parties primarily takes place through electronic data links. Data may also be disclosed in some other manner, such as by telephone or letter.
   
8. Regular disclosure of data and transfer of data outside the EU or EEA
   Data is not regularly disclosed to third parties. Data is not regularly transferred outside the EU or EEA. If data is transferred outside the EU or EEA, Skand Oy will ensure that the personal data is sufficiently protected by, inter alia, agreeing on matters concerning the processing of personal data in the manner require by data protection legislation by, for example, using the standard contractual clauses for data transfers approved by European Commission. Personal data may be disclosed for lending purposes to Avarda Oy (business ID 2619111-6), which is owned by Intrum Justitia, in a situation where a customer places an order where they are applying for credit for the payment of the product later against an invoice or in instalments. Avarda Oy acts as the provider of the invoice and instalment purchase service.
   
9. Register protection principles
   protected. When register information is stored on a server connected to the Internet, the physical and digital data security of the equipment is handled appropriately by Google Finland Oy (business ID 0907346- 8). The controller ensures that the stored data and access rights to the servers as well as any other information that is critical for the security of personal data is handled confidentially and only by employees whose job descriptions comprise such activities.Right of inspection and other rights pertaining to the processing of personal data.
   
10. Right of inspection and other rights pertaining to the processing of personal data
    The privacy statement and policy of Skand Oy Data subjects have the rights provided by the data protection legislation. The right to access information and the right of inspection Data subjects have the right to receive confirmation on whether personal data pertaining to them is processed. The request to inspect information is subject to a reasonable fee if less than one year has passed since the previous inspection. The data subject has the right to review and access any data pertaining to them and to receive the data in a written or electronic format on request.
    
11. The right to rectification and erasure of data
    The data subject has the right to demand the rectification of any incorrect or incomplete information. In addition, the data subject has, under the existing data protection legislation, the right to demand the erasure of their data. Skand Oy will also erase, rectify, or complete on its own initiative any personal data that it observes to be incorrect, unnecessary, incomplete, or expired in terms of the processing of personal data.
    
    The data subject has, in accordance with the requirements specified by data protection legislation, the right to restrict the processing of personal data pertaining to them. In addition, in a situation where personal data suspected to be incorrect cannot be rectified or erased, or where there exists uncertainty concerning the request of erasure, Skand Oy will restrict access to the data. The data subject has the right to object to the use of their data for certain processing purposes. The data subject has the right to prohibit the disclosure and processing of their data for direct marketing purposes. A data subject has the right to request the erasure of personal data pertaining to them from the register (“the right to be forgotten”). The data subjects also have the other rights under the EU General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations. If a data subject wishes to inspect the data pertaining to them stored in the register or demand rectification to or the erasure of said data, they must send their request in writing to the postal address of the controller. The request must include the following:
    – First and last name
    – Date of birth or business ID
    – Email address
    – Telephone address
    – Home address
    – Postal code and town
    – Date and place
    – Signature and name in block letters
    – Whether the request concerns the inspection, rectification, erasure, or transfer of data and/or objecting to or restricting the processing of data
    
    To allow the recipient of the request to fully verify the identity of the person submitting the request, the request must be accompanied by a photograph of the person that shows their face and in which they are holding an ID. Request may only be submitted in relation to one’s personal information. Incomplete requests will not be considered. The controller will respond to the customer within the time specified in the EU General Data Protection Regulation (within one month in general). If the request of a data subject is refused, the data subject will be notified of the refusal in writing. Skand Oy may refuse a request (such as a request to erase data) on account of a statutory obligation or a statutory right of the company, such as an obligation, dispute, or claim concerning the services.
12. Lodging a complaint with the supervising authority
    The data subject has the right to lodge a complaint with Data Security Ombudsman if the data subject believes that their personal data has been processed in breach of the existing legislation. Contact information of the Data Security Ombudsman:
    
    Office of the Data Security Ombudsman
    Street address: Ratapihantie 9, 6th floor, FI-00520 Helsinki
    Postal address: P.O. Box 800, FI-00521 Helsinki
    Email: tietosuoja@om.fi
    Exchange: +358 29 56 66700
    Fax: +358 29 56 66735
    
13. Changes to the privacy statement
    Skand Oy is constantly developing its services further and may have to change and update this privacy statement as a result. The changes may also be based on amendments to the legislation concerning data protection. We recommend reviewing the contents of the privacy statement regularly.