Privacy notice for customer and stakeholder register

1. Data Controller
Westpak Oy Ab (Business ID 2191122-5)
Address: Maakunnantie 4, 27820 Säkylä, Finland
Phone: +358-20 755 1120

2. Name of the register
Westpak Oy Ab’s customer and stakeholder register

3. Contact person on register matters
Name: Jonas Skuthälla
Phone: +358-40 584 2243

4. Purposes of processing personal data and legal basis
The data controller processes personal data in accordance with applicable data protection legislation, including EU General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (1050/2018).

The purposes of processing are:

  • managing customer and co-operation relationships and customer services
  • fulfilling the rights and obligations of the customers and other stakeholders and the data controller
  • processing of personal data concerning stakeholders (suppliers, subcontractors, other co-operation partners)
  • processing of personal data of website visitors for the purpose of ensuring and developing the functionality of the website
  • processing of personal data for purposes related to the data controller’s products and services including developing, providing,
  • performing, and marketing of products and services

Legal basis for processing of personal data is, depending on the purposes of processing, legal obligations of the data controller, contract, consent, or legitimate interests of the data controller.

The legitimate interest of the data controller is the legal basis for processing of personal data when there is a material connection between a data subject and the data controller. Such material connection is formed, for example, when the data subject has on its own initiative contacted the data controller, or when the data controller, for example, processes the data subject’s personal data in connection with a business or co-operation activities between the data subject’s employer and the data controller. The data controller has conducted a balance test on assessing legitimacy of legitimate interests as legal basis for processing personal data.

On basis of its legitimate interest, the data controller may also save to its customer register personal data of potential clients and their contact persons and representatives who can be, on reasonable grounds, expected to be interested to acquire products and services provided by the data controller.

The data controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. When the data subject is requested to give his or her consent, he or she will be simultaneously informed that withdrawal of consent is possible easily and at any time. In addition, in accordance with applicable data protection legislation, electronic direct marketing can also be sent to recipients for whom the data controller can reasonably consider that the products or services marketed have essential connection with the potential customer’s area of responsibility or work duties.

Withdrawal of consent to direct marketing may be done by giving a notice to the data controller or by clicking the cancelling option, which can be found in every marketing message (“Unsubscribe” link), whereupon personal data of the data subject will be removed from the data controller’s list concerning subscribers of electronic direct marketing.

5. Categories of personal data processed
The register includes personal data of the following persons:

  • Customers of the data controller and their representatives and contact persons
  • Representatives and contact persons of the data controller’s subcontractors and suppliers
  • Potential customers, subcontractors and suppliers and their representatives and contact persons
  • Other stakeholders

The following personal data of the data subjects, relevant on the basis of the above-mentioned purposes of processing, are processed, such as:

  • Name
  • E-mail address
  • Phone number
  • Name and business ID of the company, contact person and title
  • Order information, contract and offer information, invoice and payment information
  • Customer feedback and contact information
  • Information based on customer and co-operation relationship, such as contact history, feedback and follow-up information
  • Additional information provided by the data subject

6. Regular information sources of the register
Personal data has been primarily obtained from the following information sources:

  • Directly from the data subject for the purpose of managing customer relationship
  • Directly from the data subject in connection with other co-operation relationship
  • Public/commonly available sources (such as internet, social media and Trade Register)
  • Data subject’s employer or other representative of the data controller’s customer, business or co-operation contact or contract party
  • Companies’ information is checked from Suomen Asiakastieto Oy’s registers in business contexts; hence reports may include data concerning companies’ representatives

7. Processors and recipients of personal data

In connection with implementing its technical services, the data controller uses reliable service providers which process personal data on behalf of the data controller on basis of data processing agreement required by applicable data protection legislation. The service providers will process the personal data, for which the data controller is responsible for, in accordance with the data processing agreements and data controller’s documented instructions.

The data controller may also disclose personal data to other data controller or a third party if agreed with the data subject on a case-by-case basis.

In addition, and pursuant to requirements of applicable data protection legislation, the data controller may disclose contact information of a data subject to data controller’s co-operation partners for example when the data controller organizes a customer or education event together with such co-operation partner. Such co-operation partner is responsible for processing of personal data for its own part.

Personal data may be transferred outside European Union or European Economic Area in accordance with and subject to the applicable data protection legislation. The data controller ensures adequate level of data protection as required by applicable data protection legislation also in situations in which the personal data is transferred outside European Union or European Economic Area by complying with adequacy decisions issued by the European Commission and by using, when required, standard contractual clauses approved by the European Commission together with necessary additional safeguards for such transfers.

8. Analytics and cookies
We may collect information about the use of our online services by using third-party analytics tools such as Google Analytics. The collection of information is automatic and may include, but is not limited to, the IP address, the user’s activity in the online service, the type of device used, the type of browser and language settings. This automatically collected data can be used to develop our online services, plan and develop our business and services, and for marketing. Our online service may also contain cookies from either our own or third parties, such as measurement and tracking services. Third parties may place cookies on your terminal device in connection with the use of online services. Anonymized information obtained from cookies may be used by third parties for targeted advertising in other online services. Our online service may also contain social media plugins.

9. Storage period for personal data
The data controller will process and retain personal data only as long as required by legislation or as long it is necessary for the purposes of processing which have been determined in advance. Personal data which has become redundant, i.e. personal data which the data controller no longer has legal basis or requirement to retain or process, will be deleted on regular basis in accordance with the data controller’s own data protection policy.

10. Rights of the data subject
The data subject has the rights pursuant to EU General Data Protection Regulation.

Right Description
Right of access The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and a copy of the personal data processed.
Right to rectification, erasure and restriction of processing The data subject has the right to request from the data controller the rectification of inaccurate data concerning him or her, as well as the erasure of any personal data concerning him or her or to request the restriction of processing on the grounds laid down by law.
Right to object The data subject has the right to object, on grounds relating to his or her particular situation, processing of personal data concerning him or her when personal data is processed on basis of the legitimate interest of the data controller.

Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time to processing data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.

Right to data portability The data subject has the right to receive data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another data controller, in cases where processing is based on consent or contract and the processing is carried out by automated means. The data subject has the right to have personal data transmitted directly from one data controller to another, where technically feasible.
Right to withdraw consent In case where processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw his or her consent by notifying the data controller. The withdrawal of consent shall not affect the lawfulness of the processing of personal data based on consent before its withdrawal.
Right to lodge a complaint with a supervisory authority Supervisory authority in Finland is the Office of the Data Protection Ombudsman. Contact details and instructions are available on address

Exercise of data subject rights

You may exercise your above stated rights by contacting the data controller via sending an e-mail to the e-mail address indicated in the beginning of this Privacy Notice. We aspire to provide a reply as soon as possible and, where needed, provide you with additional instructions or ask additional questions based on your request.

Please note that prior to fulfilling a request we have a right as well as an obligation to verify your identity, due to which we must be able to recognize you in an adequate manner.

If your request is manifestly unfounded or excessive, we may charge a reasonable fee for administrative costs to carry out your request or refuse to act on the request.

11. Processing of personal data and profiling
The data controller does not use automated decision-making, such as automated profiling, as part of processing personal data.

12. General description of appropriate technical and organizational security measures of the data controller
Access to the register have been granted solely to such designated representatives of the data controller who have signed appropriate non-disclosure commitments and have a legitimate need to process personal data contained in the register in connection with performing their work duties.

The data controller has provided all its employees and service providers with binding written instructions and orders on processing of personal data and data protection, which instructions and orders they have committed to comply with.

Data security of information systems has been arranged adequately, including encryptions and technical restrictions.

The data controller will revise its processing operations and equipment on regular basis and, amongst other things, assess risks related to processing of personal data, for example when introducing new technology.

13. Changes to this Privacy Notice
The data controller may change this Privacy Notice if needed. The data controller will inform the data subjects of substantial changes to this Privacy Notice.

This Privacy Notice has been last updated on 15.6.2022.