Privacy Statement

This privacy policy describes how Vepsäläinen Oy ("Vepsäläinen") processes the personal data of its customers (hereinafter also referred to as the "data subject"). Vepsäläinen reserves the right to update this privacy policy at any time as deemed necessary and to inform the data subjects of any material changes made.


Data Controller

Vepsäläinen Oy

Business ID: 2111755-8

Juvankartanontie 11, 02920 ESPOO


Contact Details for Data Matters

Vepsäläinen Oy, Juvankartanontie 11, 02920 Espoo

Phone: 020 7801 471

Email: [email protected]


Purpose and Legal Basis of Processing Personal Data

The processing of personal data in the customer register is based on a contractual agreement between the data subject and Vepsäläinen, or on Vepsäläinen's legitimate interest and customer relationship with its subsidiaries. The processing of data is necessary for managing customer relationships, developing business operations, ensuring better customer experience across all channels, and handling marketing communications. With the consent of the data subject, where required, the register is also used for sending marketing materials, newsletters, event invitations, and announcements. Additionally, the setting of non-essential cookies and the processing of personal data collected through them are based on consent. The processing of personal data contained in accounting records is based on compliance with legal obligations.

To provide engaging content, marketing messages, and advertisements, Vepsäläinen profiles its customers. However, Vepsäläinen does not make automated decisions that would have legal effects on the data subject or significantly affect the data subject in other ways.


Content of the Register

The customer register contains at least the customer information provided by the customer when subscribing to newsletters or making a purchase. The register also includes information added or updated by the user or Vepsäläinen.

The register may contain the following information:

  • First and last name/names, gender, date of birth, preferred language
  • Contact information: billing address, delivery address, phone numbers, email addresses
  • Company name and business ID (if applicable)
  • Information related to marketing consent: consent or refusal
  • Information related to purchases: customer number, dates, ordered products and services, delivery method, information on payment method*, complaints, and other customer communications
  • Applications for consumer credit are recorded and archived following the Accounting Act
  • Customer's bank account number (only in situations where a refund needs to be made to the customer's account)
  • Marketing-related information: such as targeted actions and participation in competitions and events
  • Information provided by the data subject and inferred interests and preferences from the use of services
  • Username and password for Vepsäläinen's electronic services

* Vepsäläinen never stores personal identification numbers, payment card numbers, or other personal details of bank accounts.

In addition, Vepsäläinen collects information through cookies and similar identifiers. Customer data and behaviour data collected through cookies may be combined as described in cookie policies.


Regular Sources of Information

Information concerning the data subject is primarily collected from the data subject themselves, Vepsäläinen's systems and services that the data subject uses, and in connection with various marketing activities. Information may also be collected and updated from the registers of partners and from authorities and companies providing services related to personal data.


Regular Disclosures of Information

The customer register information is not disclosed to third parties, except for the following exceptions: to authorities as required by law or in connection with corporate arrangements if Vepsäläinen sells or arranges its business. Additionally, Vepsäläinen may share encrypted customer register information with a partner who reconciles the information with their identifiers and creates target groups for targeted advertising.

In its business operations, Vepsäläinen also utilises partners and, if necessary, securely transfers customer register information for processing, and in such cases, the transferred data is properly destroyed. Partners always process data on behalf of Vepsäläinen, and they do not create their register from the data provided.


Transfer of Data Outside the EU or EEA

Data is not generally transferred outside the territory of the European Union member states or the European Economic Area unless it is necessary for processing personal data or for the technical implementation of data processing, in which case data transfers comply with the requirements of data protection legislation, such as the requirement to conclude standard contractual clauses of the Commission.


Retention Period of Personal Data

Vepsäläinen processes the personal data of data subjects for the duration of the customer relationship or the validity period of the newsletter subscription or other service. Data may also be retained for a longer period as explicitly required by legislation or as a result of contractual or legal obligations, such as warranty obligations.


Principles of Register Protection

The customer register is stored in systems protected by personal passwords and firewalls in accordance with the general principles of information security in the field. Manually processed materials are located in premises accessible only to authorized personnel. Access to the customer register is restricted to Vepsäläinen employees whose job requires it.


Rights of the Data Subject

The data subject has the right to object to the processing of their personal data at any time on grounds relating to their particular situation. If the data subject objects to the processing of their personal data, this may result in Vepsäläinen being unable to provide its services to the data subject.


Additionally, in accordance with applicable data protection legislation, the data subject has the right at any time to:

- access their personal data;

- request the correction or completion of inaccurate or incomplete personal data;

- request the erasure of their personal data;

- receive their personal data in electronic format and have the right to transfer it to another data controller, subject to legal requirements;

- object to the processing of personal data based on legitimate interests;

- withdraw consent; and

- request the restriction of the processing of their personal data.

The data subject must make a request regarding the exercise of their rights to the designated contact person. Vepsäläinen may refuse to comply with the data subject's request on legal grounds as provided by data protection legislation.


Right to Lodge a Complaint with a Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority if they believe that Vepsäläinen has processed their personal data in breach of data protection legislation.