We are very pleased about your interest in our company. Data protection is of a particularly high priority for the management of Fanesis Ltd.
Who is responsible for your data?
The person responsible for processing your data is:
Data Protection Officer
Fanesis Ltd.
Kappelikuja 6 B
02200 Espoo
Finland
Call us: +358 417553185
Email us: info@fanesis.com
What data do we process from you and for what purposes do we use it?
We process your data in accordance with the provisions of the General Data Protection Regulation (GDPR) and the Finland’s Data Protection Act (DPA). Which data is processed in detail and how it is used depends largely on the services you use.
Types of data processed
· Inventory data (e.g., names, addresses)
· Contact data (e.g., e-mail, telephone numbers if provided)
· Content data (e.g., text entries, messages)
· Usage data (e.g., website visited, interest in content, access times)
· Meta/communication data (e.g., device information, IP addresses)
Processing of special categories of data
No special categories of data are processed.
Categories of persons concerned by the processing
· Visitors/ interested parties / suppliers
· Visitors and users of the online offer
In the following, we also refer to the data subjects collectively as "users".
Purpose of processing
· Provision of the online offer, its contents, and functions.
· Provision of contractual services, service, and customer care
· Answering contact requests and communication with users
· Marketing, advertising, and market research
· Security measures
Relevant legal basis
In accordance with Article 13 of the GDPR, we inform you of the legal basis for our data processing. If the legal basis is not stated, the following applies:
· the legal basis for obtaining consent is Art. 6(1)(a) and Art. 7 GDPR,
· the legal basis for processing in order to fulfil our services and carry out contractual measures and respond to enquiries is Art. 6(1)(b) GDPR,
· the legal basis for processing in order to fulfil our legal obligations is Art. 6(1)(c) GDPR, and
· the legal basis for processing in order to protect our legitimate interests is Art. 6(1)(f) GDPR. In the event that vital interests of the data subject or another natural person require the processing of personal data, Art. 6 (1) (d) GDPR serves as the legal basis.
Below you will find an overview of the individual purposes and the legal basis on which the respective processing is based:
Contract initiation and fulfilment
In order to accept and process your order, we collect the following data from you during the ordering process:
· First name, surname and title
· E-mail address
· Billing address
· Telephone number, if applicable
· Payment details
· Purchased products and returns
· Date and time of order
If you do not order as a guest, but also create a customer account with us, we also process the following data:
· Password
· Customer number
The processing of data in the course of the ordering process is carried out in order to fulfil the contract with you in accordance with Art. 6 Para. 1 lit. b GDPR. If we collect further data from you when creating the customer account, this is based on our legitimate interest pursuant to Art. 6 para. 1 lit. f GDPR to maintain a customer relationship with you.
Service providers for order processing
In connection with the processing of an order, we use various service providers or partner companies to assist us in processing orders, providing customers with information and providing services. These companies are our order processors according to Art. 28 GDPR and may only use your data to fulfil their tasks on our behalf. Fanesis Ltd. is responsible for ensuring that these service providers comply with data protection regulations and has concluded corresponding order processing agreements with the service providers.
Payment processing
Klarna
If you select a Klarna payment service, the payment will be processed via Klarna Bank AB (publ), Sveavägen 46, 111 34 Stockholm, Sweden (hereinafter "Klarna"). In order to enable the processing of the payment, your personal data (first and last name, street, house number, postcode, town, gender, e-mail address, telephone number and IP address) as well as data related to the order (e.g. invoice amount, article, delivery type) will be passed on to Klarna for the purpose of checking your identity and creditworthiness, provided that you have expressly consented to this in accordance with your consent during the ordering process. You can find out which credit agencies your data may be forwarded to here:
https://cdn.klarna.com/1.0/shared/content/legal/terms/0/de_de/credit_rating_agencies
The credit report may contain probability values (so-called score values). If score values are included in the result of the credit report, they are based on a scientifically recognised mathematical-statistical procedure. The calculation of the score values includes, but is not limited to, address data. Klarna uses the information received about the statistical probability of a payment default for a weighed decision about the establishment, implementation or termination of the contractual relationship.
You can withdraw your consent at any time by sending a message to the data controller or to Klarna. However, Klarna may still be entitled to process your personal data to the extent necessary to process payments in accordance with the contract.
Customer reviews
If you submit a customer review on one of our offered products, we process the following data from you in order to display your customer reviews to other visitors:
· Name
· Review text
· Personal preferences, if you have released this information for publication in your review profile.
This processing is based on our legitimate interest according to Art. 6 para. 1 lit. f GDPR to enable our customers to exchange information about the offered goods.
Customer communication
In order to be able to communicate with you in the best possible way, we offer the following communication options:
In order to communicate with you by e-mail, telephone or post in connection with contact enquiries, complaints, making appointments and appointment reminders, we process the following data from you:
· Contact information, such as telephone number, mobile phone number, e-mail address, fax number and postal address.
· First and last name
· Customer and/or order number
· Order history
· Other data that you provide to us in the course of communication.
The processing of this data is based on the legal basis of Art. 6 (1) lit. b GDPR, provided that the communication is in connection with the execution of your order. Processing for other communication is based on our legitimate interest pursuant to Art. 6 (1) lit. f GDPR.
Newsletter
If you register for our newsletter, we will use your email address to inform you about Fanesis Ltd.-related topics, e.g., products, (store) promotions and offers from our partners related to the product range. The processing is carried out on the legal basis of your consent in accordance with Art. 6 Para. 1 lit. a GDPR. You can unsubscribe from the newsletter at any time at info@fanesis.com.
Advertising mail
We also use your contact data to send advertising for products that may interest. This applies regardless of whether you subscribe to the newsletter. If we receive your e-mail address in connection with the sale of a product or service and you have not objected to this, we reserve the right, to regularly send you offers by e-mail for products similar to those you have already purchased from our range. The legal basis for this processing is our legitimate interest in addressing our customers in an advertising manner. You can object to this use of your e-mail address at any time by sending a message to info@fanesis.com or via a link provided for this purpose in the advertising e-mail.
Use of cookies
In order to make visiting our website attractive and to enable the use of certain functions, we use cookies, pixels, web beacons and similar technologies (hereinafter: "cookies"). These are small text files that are stored on your terminal device. The cookies can be transmitted to a page when it is called up and thus enable the user to be identified. Cookies help to simplify the use of Internet pages for users. Some of the cookies we use are deleted again after the end of the browser session, i.e., after you close your browser (so-called session cookies). Other cookies remain on your terminal device and enable us to recognise your browser on your next visit (so-called persistent cookies). You can set your browser so that you exclude the acceptance of cookies for certain cases or generally. You can delete cookies that have already been set. If you do not accept cookies, the functionality of our website may be limited. Cookies from third-party providers are also used on our website (e.g., when tracking tools are used to evaluate user behaviour). For details of this, please refer to our Cookie Policy.
Collection of access data and log files
We collect data on every access to our website on the basis of our legitimate interests as defined in Art. 6 para. 1 lit. f. GDPR, we collect data on every access to the server on which this service is located (so-called server log files). The access data includes the name of the web site accessed, file, date and time of access, volume of data transferred, notification of successful access, browser type and version, the user's operating system, referrer URL (the previously visited page), IP address and the requesting provider.
Log file information is stored for security reasons (e.g., for the clarification of abuse or fraud) for a maximum of seven days and then deleted. Data whose further storage is required for evidentiary purposes is exempt from deletion until the respective incident has been finally clarified.
Web analysis and web tracking
We use Google Analytics on our website, a web analytics service provided by Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043 USA (hereinafter: "Google"). Google is Fanesis Ltd.’ processor in this context. We have concluded a corresponding commissioning agreement with Google in accordance with Art. 28 of the GDPR.
Google Analytics enables us to analyse how users interact with the content provided on the website and thus to find out what is well received and what is not. Based on this, we can optimise our offers on the website. When Google Analytics is used, the following data is collected and transmitted to Google in the USA: Device and browser data (host name, browser type, referrer, language), IP address as well as the respective user interaction on the website (e.g., which page a user calls up, which products the user selects and purchases). In addition, a random, pseudonymous ID is assigned to a user by means of a cookie, to which the aforementioned information is assigned. As a rule, this is a cookie ID. This is linked to the identifier of the cookie set by Google Analytics for the specific device. In addition, we set a user ID for tracking across devices. We have also activated the anonymisation function for IP addresses. This means that as soon as the IP packet arrives on Google's servers, the data is completely anonymised at Google.
In addition, we use the "demographic characteristics" function of Google Analytics. This allows reports to be created that contain statements about the age, gender and interests of visitors. This data comes from interest-based advertising from Google as well as visitor data from third-party providers. This data cannot be assigned to a specific person.
Comments and contributions in our blog
When users leave comments or other contributions, their IP addresses are stored for 7 days on the basis of our legitimate interests as defined in Art. 6 para. 1 lit. f. GDPR for 7 days. This is done for our security in case someone leaves unlawful content in comments and posts (insults, prohibited political propaganda, etc.). In this case, we ourselves can be prosecuted for the comment or post and are therefore interested in the identity of the author.
Within the Blog you may be able to display certain profile information, share certain details, engage with others, exchange knowledge and insights, post and view relevant content. Content and data is publicly viewable. You have choices about the information on your comment. You don’t have to provide additional information on your comment; however, information helps you to get more from our Services. It’s your choice whether to include sensitive information on your comment and to make that sensitive information public. Please do not post or add personal data to your profile that you would not want to be available. The legal basis for the storage is Article 6 lit. f) GDPR.
Other processing purposes
In addition to the above-mentioned processing purposes, we also process your data for the following purposes:
· To comply with our legal obligations to retain data or obligations under data protection law. This processing is based on the legal basis of Art. 6 para. 1 lit. c GDPR.
· To exercise any legal rights or defend ourselves against claims. This processing is based on the legal basis of Art. 6 (1) lit. f GDPR.
· To respond to and comply with official requests. This processing is based on the legal basis of Art. 6 (1) lit. c GDPR.
To whom do we transfer your data?
We use external service providers in the provision of our services who process your data on our behalf. These include companies in the following categories. With regard to the specific recipients, we refer to the information on the purposes of data processing above.
· Technical service providers in the areas of IT and telecommunications (e.g., maintenance of IT systems and monitoring of system stability)
· Marketing service providers in the areas of marketing activities
· Affiliated companies of Fanesis Ltd. and other service providers in the context of customer management
· Service providers for fraud and abuse prevention in connection with the web shop
· Service providers for customer communication
Is your data transferred to recipients in a third country?
Insofar as this is necessary for the above-mentioned purposes, we also transfer your data to recipients outside the European Economic Area (EEA). We ensure that data is only transferred to third countries if there is a legal basis for doing so. This means that we only transfer your data if a decision of the EU Commission on an adequate level of data protection exists for the respective third country (Art. 45 GDPR), suitable guarantees are provided for the protection of your personal data (cf. Art. 46 DSGO) or a legal permission standard exists (cf. Art. 49 GDPR).
Appropriate safeguards within the meaning of Art. 46 GDPR include the standard data protection clauses published by the EU Commission. If you would like further information on the standard data protection clauses on the basis of which we transfer your personal data to third countries, please contact the offices mentioned above.
Details of the extent to which we transfer your data to certain third countries and the specific recipients can be found in the information above. In particular in connection with the use of our CRM system and the activation of analysis and marketing cookies on our website, your data will be transferred to the USA. For the USA, there is no so-called adequacy decision of the European Commission according to Art. 45 GDPR.
How long do we keep your data?
We will only retain your data for as long as is necessary to fulfil the purposes set out above. In addition, we are subject to various storage and documentation obligations, which result, among other things, from the Finnish Commercial Fiscal Code. The retention and documentation periods specified there are up to ten years. Finally, the storage period is also assessed according to the statutory limitation periods.
What are your data protection rights?
As a data subject, you can assert the following rights against us at any time. To do so, please contact us using the contact details provided.
a) Revocation of your consent to data processing
Insofar as we process your data on the basis of your consent, you can revoke this at any time for the future. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
b) Right to data portability
You can have your data, which we process automatically on the basis of your consent or in fulfilment of a contract with you, handed over to you or to a third party in a common, machine-readable format. If you request that the data be transferred directly to another controller, this will only be done insofar as it is technically feasible.
c) Right to information
You have the right to obtain information about your data stored by us at any time and, if applicable, a copy of this data.
d) Right to rectification
You have the right to demand the immediate correction of your data stored by us if this data is incorrect or incomplete.
e) Right to deletion
Within the framework of the applicable legal provisions, you have the right to demand that we delete your data stored by us.
f) Right to restriction of processing
Subject to legal requirements, you have the right to request us to restrict the processing of your data.
g) Right to object
You have the right to object at any time, on grounds relating to your particular situation, to the processing of data relating to you which is carried out on the basis of Article 6(1)(f) of the GDPR (data processing on the basis of a balance of interests); this also applies to profiling based on this provision within the meaning of Article 4(4) of the GDPR. If you object, we will no longer process your data unless we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms, or the processing serves the purpose of asserting, exercising or defending legal claims.
In addition, you have the right to lodge a complaint with the competent data protection supervisory authority pursuant to Article 77 of the GDPR if you believe that the processing of your data is not lawful. The right of appeal is without prejudice to any other administrative or judicial remedy. The Office of the Data Protection Ombudsman (ODPO) in Finland is the for us relevant authority in matters of data protection. You have the right to make a complaint at any time to the ODPO (www.tietosuoja.fi). We would, however, appreciate the chance to deal with your concerns before you approach the ODPO so please contact us in the first instance.
Is there an obligation for you to provide the data?
When you use our website, your browser automatically transmits your usage data. Without this technical data, it is not possible to display our website for you. With regard to the respective services offered (web shop, contacting us, newsletter, account creation, customer reviews, etc.), you must provide the data that is required for the respective service or that we are legally obliged to collect. Without this data we will not be able to offer the respective service.
To what extent is there automated decision-making including profiling in individual cases?
Both when using our website and in connection with the services offered there, no automated decision-making pursuant to Art. 22 GDPR takes.
Security measures
We take appropriate technical and organisational measures in accordance with Article 32 of the GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in order to ensure a level of protection appropriate to the risk; the measures include, in particular, safeguarding the confidentiality, integrity and availability of data by controlling physical access to the data, as well as access to, input of, disclosure of, assurance of availability of, and separation of, the data relating to them. We also have procedures in place to ensure the exercise of data subjects' rights, deletion of data and response to data compromise.
Furthermore, we already take the protection of personal data into account during the development and selection of hardware, software, and procedures, in accordance with the principle of data protection through technology design and through data protection-friendly default settings (Art. 25 GDPR). The security measures include in particular the encrypted transmission of data between your browser and our server.
Data Subject Access Request
For clarification, you have the right to request confirmation from us at any time as to what information we hold about you and to request that we amend, update, or delete that information. We may comply with your request in response. In addition, we have the following options: Ask you to confirm your identity, or ask you for more information about your request, and were permitted by law, refuse your request. (However, in this case we will explain the reasons for the refusal).
Children Data
If you become aware that your Child has provided us with Personal Data, without parental consent, please contact us and we take the necessary steps to remove that information from our server.
Changes
This policy and our commitment to protecting the privacy of your personal data can result in changes to this policy. Please regularly review this policy to keep up to date with any changes.
Queries and Complaints
If you have any questions, please do not hesitate to contact us.
Last updated on 07.03.2022.