Data Protection Policy For At Beauty Oy’s Customer Register

1. Controller

The controller is At Beauty oy (business ID24410290)

E-mail: info@atbeautybox.fi

2. Name of file

The name of the file is atbeautybox wellness and beauty online store register.

3. The purpose of personal processing data

Personal data are processed for several purposes:

Maintaining, managing, and developing customer relationships.
Offering, supplying, and designing services.
Invoicing and resolving any possible complaints and other claims.
Communicating with customers and conducting direct and electronic marketing.

Customers have the right to refuse direct marketing targeted at them. The controller processes personal data directly and utilizes subcontractors working on its behalf in processing activities.

4. Legal grounds for the processing

The legal grounds for processing personal data are the following grounds specified in the European Union’s General Data Protection Regulation (in the future referred to as “GDPR”):

The data subject has given consent to the processing of their data for one or more specific purposes (GDPR Art. 6(1)(a));
Processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject before entering into a contract (GDPR Art. 6(1)(b));
Processing is necessary for the legitimate interests pursued by the controller or by a third party (GDPR Art 6(1)(f)).

The relationship between the data subject and the controller forms the basis for the processing. The data subject is the customer of the data controller, and the processing is carried out for purposes that the data subject can reasonably expect in connection with collecting personal data.

5. Data content of the file (categories of personal data processed)

As a general rule, the file contains the following personal data on all data subjects:

Basic information and contact information for the person: [first name, last name, address, telephone number, e-mail address];
Information related to the person’s company or other organization and the person’s position or title in the company or organization in question;
Direct marketing permissions and bans for the person.

6. Regular sources of information

Personal data are collected from the data subjects themselves.

In addition, personal data are collected within the framework of the applicable legislation from generally available sources that pertain to fulfilling the relationship between the controller and data subject and that the controller can use to perform its duties related to maintaining customer relationships.

7. Storage period of personal data

Personal data collected in the file are stored only for as long and to the extent necessary to the original or a compatible purpose.

The need to store personal data is assessed every five years. The information about the data subject is deleted from the file five years after the end of the customer relationship between the data subject and the data controller. The obligations and measures related to the customer relationship have been fulfilled.

The controller shall regularly assess the necessity of storing the data by its internal code of conduct. Furthermore, by all reasonable measures, the controller shall ensure that any personal data that are inaccurate, erroneous, or contain obsolete information in terms of processing the data are deleted or corrected without delay.

8. Recipients of personal data (recipient groups) and regular data disclosures

The company does not hand over personal data to third parties.

9. Transferring data outside the EU or EEA

The personal data contained in the file held by the company will not be transferred outside the EU or EEA.

10. Register protection principles

Materials containing personal data are stored in locked spaces accessible only to authorized personnel with task-specific permissions.

The database containing personal data is stored on a server in a locked facility accessible only to authorized personnel. The server is protected by an appropriate firewall and technical safeguards.

Access to databases and systems is restricted to authorized individuals with uniquely assigned user IDs and passwords. The controller has implemented strict access controls and permissions within information systems and storage platforms to ensure that personal data can only be accessed and processed by those required to do so for lawful data processing. Additionally, all interactions with databases and systems are logged in the controller’s IT system logs.

The controller’s employees and other authorized persons are bound by confidentiality agreements and are obligated to maintain the secrecy of any information obtained during the processing of personal data.

The website also uses the Google reCAPTCHA service to prevent automated and harmful activities, such as spam submissions. This service enhances the secure use of the website and protects personal data.

Access to databases and systems is granted only with individually assigned user credentials and passwords.

11. Rights of the data subject

The Data Subject has the following rights under the EU General Data Protection Regulation:

The right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller the rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source (GDPR, Art. 15); This basic information (i)–(vii) is provided to the data subject on this form;
The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR, Art. 7);
The right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning them and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including using providing a supplementary statement (GDPR, Art. 16);
The right to obtain from the controller the erasure of personal data concerning them without undue delay where one of the following grounds applies: (i) the personal data are no longer necessary concerning the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing; (iii) the data subject objects to the processing based on a unique personal situation, and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject (GDPR, Art. 17);
The right to obtain from the controller restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the processing, but the data subject for the establishment requires them, exercise or defense of legal claims; or (iv) the data subject has objected to processing on grounds relating to their particular situation pending the verification of whether the legitimate grounds of the controller override those of the data subject (GDPR Art. 18);
The right to receive the personal data concerning them, which they have provided to a controller, in a structured, commonly used, and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent referred to in the regulation and the processing is carried out by automated means (GDPR, Art. 20);
The right to complain to a supervisory authority if the data subject considers that the processing of personal data relating to them infringes the EU General Data Protection Regulation (GDPR, Art. 77).

Any requests regarding the enforcement of the data subject’s rights are to be addressed to the controller’s contact person listed in Section 1.