1. General
This privacy policy describes how Vesivek Oy (“Vesivek” or “data controller”) processes personal data. The privacy policy applies to the data controller’s website, the delivery of products and services, customer relationship management and marketing. In addition, this privacy policy applies to subcontracting and other stakeholder collaboration. The privacy policy also applies, as applicable, to the processing of personal data within companies belonging to the same group as Vesivek Oy, such as Vesivek Salaojat Oy, Vesivek Tuotteet Oy and HLRE Group Oy.
We comply with applicable data protection legislation in the processing of personal data. Data protection legislation refers to the existing data protection laws, such as the European Union’s General Data Protection Regulation (2016/679) and Finland’s Data Protection Act (5 December 2018/1050).
Terms related to data protection that are not defined in this privacy policy are interpreted in accordance with data protection legislation. Personal data refers to all information concerning natural persons (“data subjects”) that can directly or indirectly identify the individual, as more specifically defined in the General Data Protection Regulation.
Our website may also contain links to external websites and services operated by other organisations that we do not control. This privacy policy does not apply to their use, so we encourage you to review the privacy policies applicable to them. We are not responsible for the privacy practices
of other websites or external services.
2. Data controller and contact details
Data controller: Vesivek Oy
Business ID: 0951383-0
Osoite: Jasperintie 273, 33960 Pirkkala, Finland
Email: tietosuoja@vesivek.fi
3. Purposes and legal grounds for processing personal data
We only process personal data that is necessary for each specific purpose. The main purposes and legal grounds for processing are described below:
- The delivery of products and services, the establishment of customer agreements, order management and ensuring business transactions (contractual relationship or its preparation, legitimate interest).
- Customer service and communication, as well as customer satisfaction surveys and prize draws (legitimate interest).
- Invoicing, credit decisions and debt collection (contractual relationship or its preparation, legitimate interest).
- Marketing (including market research), other marketing promotion, event organisation, references in marketing, analyses, as well as the production of statistics and measuring the effectiveness of marketing (legitimate interest).
- Direct marketing, including electronic direct marketing and telemarketing, planning advertising and marketing, measuring effectiveness, as well as combining and updating personal data for direct marketing purposes (legitimate interest, consent).
- Managing stakeholder relationships, as well as subcontracting and cooperation with service providers (legitimate interest, contractual relationship or its preparation).
- Improving the user experience of our website and other services, monitoring user traffic and targeting marketing based on cookies and similar tracking technologies (consent).
- Fulfilling legal obligations (such as accounting and taxation).
- Internal and group reporting, as well as other administrative actions, business planning and stakeholder training (legitimate interest).
- Handling warranty and liability issues, as well as processing complaints and managing legal and regulatory procedures (legal obligation, legitimate interest).
- Prevention and investigation of fraud, and ensuring data security, the safety of individuals and property, as well as occupational safety (legitimate interest).
When we process personal data based on legitimate interest, we weigh the benefits and potential harms of the processing to the data subject and ensure that the rights and interests of the data subjects do not override the legitimate interest. We provide additional information upon request regarding the processing of personal data based on legitimate interest.
4. Personal data processed and data sources
*Marked personal data is mandatory. Without the personal data marked as mandatory, we will not be able to, for example, deliver products or services or manage customer communication.
We collect personal data directly from you when, for example, you interact with us, purchase or order our products or services either for yourself or on behalf of an organisation you represent, visit our website or other electronic services, subscribe to our newsletter or other materials available on our site, respond to a customer satisfaction survey or contact us in any other way.
We also obtain personal data from other external sources, such as registers maintained by authorities and, for direct marketing purposes, from private registry services, such as ProFinder (Leadventure Oy).
Personal data may also be received from other Vesivek Group companies.
5. Storage of personal data
We retain personal data for as long as necessary to fulfil the purposes defined in this privacy policy, such as for the duration of the warranty we provide and for six months after its expiration. However, we retain the data for at least the duration required by law (such as responsibilities and obligations related to accounting or reporting requirements) or for the purpose of resolving legal disputes or similar conflict situations. When personal data is no longer needed for the purposes for which it was collected or otherwise processed, the personal data will be deleted or anonymised within a reasonable time.
Personal data obtained from external registry services is retained in accordance with the agreement made with the entity that provided the personal data.
We provide additional information about data retention practices upon request.
6. Recipients of personal data
Personal data may be disclosed, combined or otherwise processed between companies belonging to the same group as the data controller, in accordance with data protection legislation, for the purposes described in this privacy policy.
Various service providers and other third parties may also be used in the processing of personal data, such as providers of technical solutions or server hosting, or providers of accounting, debt collection and financial management services. Group companies may also process personal data on behalf of another group company.
We ensure that the entities we use in the processing of personal data have the necessary contracts in place as required by data protection legislation.
Personal data may be disclosed to third parties in situations required by law or authorities, or for the purpose of investigating fraud and ensuring security. In addition, personal data may need to be disclosed in connection with legal proceedings or similar legal procedures.
If the data controller or a company within the same group is involved in a merger, business transaction or other corporate restructuring, personal data may be disclosed to the other parties involved in the arrangement or to entities assisting with the arrangement.
We provide additional information about recipients of personal data upon request.
7. Joint data controllers
Companies belonging to the same group as Vesivek Oy may act as joint data controllers under data protection legislation when processing personal data for shared purposes, such as marketing and customer relationship management. As joint data controllers, they decide together how and for what purposes personal data is processed.
The group companies have agreed that Vesivek Oy is responsible for fulfilling all obligations set for joint data controllers under data protection legislation, and data subjects may contact Vesivek Oy regarding matters related to joint data control.
8. Transfer of personal data outside the European Economic Area
We primarily process personal data within the European Economic Area (EEA), but it may also be processed outside the EEA. If personal data is transferred outside the EEA, we ensure the legality of the transfer using an appropriate safeguard mechanism, such as the standard contractual clauses approved by the European Commission or based on a decision of the European Commission regarding data protection adequacy.
We provide additional information upon request regarding personal data transfers and the safeguards used.
9. Protection of personal data
Data security and the protection of personal data are of utmost importance to us. We use appropriate technical and organisational safeguards to protect personal data. We also ensure, to the best of our ability, the resilience of our systems and the ability to recover data. Access to personal data is restricted to authorised parties only. Persons processing personal data are subject to a confidentiality obligation regarding matters related to the processing of personal data.
10. Rights of the data subject
Data subjects have the following rights under data protection legislation. However, the application of these rights in each individual case depends on the purpose and context of the personal data processing.
- Right to access one’s data. Data subjects have the right to obtain confirmation as to whether their personal data is being processed, as well as other information regarding the processing of personal data in accordance with data protection legislation. Data subjects have the right to access their personal data and obtain a copy of the personal data.
- Right to rectification of personal data. Data subjects have the right, with certain limitations, to request the correction or deletion of incorrect or inaccurate data.
- Right to erasure of personal data. Data subjects have the right to request the erasure of personal data in accordance with the requirements of data protection legislation. Upon request, we will delete personal data unless legislation requires us to retain it or some other exception under data protection legislation applies.
- Right to restrict processing. Data subjects have the right, in accordance with the requirements of data protection legislation, to request the restriction of personal data processing in certain situations.
- Right to data transfer. Data subjects have the right to request the transfer of personal data to another data controller. The right to data transfer primarily applies to personal data that a data subject has provided to the controller in a structured and machine-readable format, where the processing is based on the data subject’s consent or a contract and the processing is carried out automatically.
- Right to object to processing. Data subjects have the right, in accordance with data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if the processing is necessary for the establishment of the data controller’s or a third party’s compelling and legitimate interests. However, data subjects always have the right to object to the processing of personal data for direct marketing purposes and related profiling.
- Right to withdraw consent. If the processing of personal data is based on the consent given by the data subject, the data subject has the right to withdraw their consent. Withdrawing consent does not affect the processing that occurred prior to the withdrawal.
11. Exercise of rights
You can send a request regarding the rights of data subjects by post or email using the contact details provided in this privacy policy.
Your identity may be verified before processing your request. The request will be answered within a reasonable time and, where possible, within one month from the submission of the request and potential identity verification. If your request cannot be fulfilled, the refusal will be communicated separately.
12. Right to lodge a complaint with a supervisory authority
We kindly ask that you contact us if you have any questions regarding the processing of your personal data.
A data subject has the right to lodge a complaint with the competent data protection authority if they believe that their personal data has been processed in violation of data protection legislation.
The contact details of the Finnish Data Protection Ombudsman can be found here.
13. Amendments to the privacy policy
This privacy policy may need to be amended from time to time. Amendments may also be based on changes in data protection legislation. We therefore encourage you to regularly review the privacy policy for any changes. The latest version is available on our website.
This privacy policy was updated on 4 June 2024.