Data Privacy Notice and Registration Statement
1. Data Controller
Havi Oy (business ID: 0648171-4)
02200 Espoo
Tel. 010 843 4246
Email: havi@havi.fi
Havi Oy (= Supplier) processes personal and customer data on www.havi.fi. “Personal and customer data” means all information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified directly or indirectly in particular by reference to identification data, such as a name, personal identification number, location data, online identifiers or one or more factors specific to that person’s physical, physiological, genetic, mental, economic, cultural or social characteristics.
“Processor” is the Supplier that processes personal data on behalf of the Customer. For payment transactions, the data controller is the payment service provider selected at any given time. The data protection statements of the payment service providers can be read on each service provider's own website:
2. Name of the Register
Havi Oy's customer register
3. Group of Data Subjects
Customers of the Havi.fi online store and persons in other material connection with the data controller.
4. Purpose of Personal Data Use
The purpose of use of the personal data entered in the register is to manage customer relationships and target marketing to provide the best customer experience.
The supplier uses customer and personal data for the following purposes:
• To process orders and returns through our online services
• To send information about deliveries
• To contact you if there are problems with the delivery of products
• To be able to provide the best possible assistance when you contact us and to inform you about new or changed services
• To analyze how you use havi.fi and to continuously improve the website
• To provide you with relevant content through automated profiling and evaluation. Profiling means analyzing personal data and purchase history to identify your behavior, preferences, capabilities or needs.
5. Data Content of the Register
The register may process data in the following categories: Basic data, such as: first and last names, contact information (email addresses, postal addresses, telephone numbers), date of birth and age, gender, language, and user names and passwords for the controller's online services. Interest, profile and participation information, such as: interest information reported by the data subject and other information provided to the service and answers to questions asked of the data subject in various campaigns.
Information related to customer service or other relevant connection, such as: identification information related to the use of Havi services and content, the start date of customer service and direct marketing permissions and prohibitions, as well as information regarding the utilization of electronic services and content, technical information sent by the data subject's browser to the data controller's server (IP address, browser, browser version) and information related to cookies sent to the data subject's browser.
Information related to offers and purchases and other communication, such as: benefits, services and campaigns targeted and offered to the data subject and their use; other communication related to customer service or other relevant connection (including feedback and complaints), communications and actions, as well as purchases made in the havi.fi online store, purchase dates, purchased products (quantities and prices of purchased products and the total purchase amount). Information about changes to the information specified above.
6. Data Sources, Analytics and Cookies
By using the website www.havi.fi, you agree that Havi Oy processes your customer and personal data in accordance with this privacy notice and the applicable legislation on the protection of personal data.
Data is collected from the data subject at the beginning and during the duration of the customer relationship or other relevant connection.
We use Google Analytics for customer analytics. More information about this can be found on the Google Analytics privacy page at (https://policies.google.com/privacy?hl=fi). Technical information is automatically saved during your visit.
A cookie is a text file that is sent to the user's own computer and stored there. Cookies do not harm the user's computer or files. Cookies are used to collect, among other things, the following information: pages loaded, browser type, operating system and time.
You can disable cookies in your browser settings if you wish. If this function is disabled, this may result in some services being slower or access to some websites being blocked altogether. For example, when shopping in an online store, the use of cookies must be enabled.
7. Disclosure of Data
The personal data we collect is stored in the European Economic Area (“EEA”), but your personal data may also be transferred to and processed in a country outside the EEA. All transfers of personal data are made in accordance with applicable laws.
The Supplier may need to use subcontractors to provide services and support to the Customer. By using this site, the Customer consents to the Supplier using the Supplier’s Affiliated Companies as subcontractors.
Subcontractors
• The Supplier may need to use subcontractors to provide services and support to the Customer.
• The Customer hereby expressly consents to the Supplier using the Supplier’s Affiliated Companies as subcontractors. In addition, the customer gives its general consent to the use of other subcontractors on the following conditions:
• The supplier shall provide the customer with a list of the subcontractors used in connection with the contract or otherwise in writing.
• The supplier shall notify the customer in advance of any new subcontractors.
• The customer shall notify the supplier of the rejection of the new subcontractor without delay, but no later than 14 days after receiving the supplier's notification.
• The supplier may then terminate the part of the contract to which the subcontractor's activities would relate with 30 days' prior written notice.
• The supplier requires that the subcontractors enter into a written agreement and comply with the data protection, security and confidentiality obligations applicable to the supplier in accordance with this statement, or such obligations that require an equivalent level of data protection and security. The subcontracting shall be carried out in accordance with the terms and conditions specified in the statement.
• The Supplier is liable to the Customer for the services performed by its subcontractors in the same way as if it had performed the services itself.
8. Duration of Data Storage
Customers' personal data will only be stored for as long as required by law or as long as it is necessary to fulfill the purposes specified in this statement.
9. Right of Inspection, Restriction and Correction
The customer has the right, in accordance with the Data Protection Act, to check what information about them has been stored in the register. The supplier will assist and support the customer with appropriate technical and organizational measures, and to the extent possible, so that the customer can fulfill its obligation to respond to requests received from data subjects.
The supplier must notify the customer in writing without delay of all:
• messages received from a data subject regarding the customer's right to access, modify, correct, delete or block access to their customer and personal data, as well as complaints regarding the processing of customer and personal data;
• other administrative orders or lawsuits requesting access to or disclosure of customer and personal data; or
• complaints, notifications or other communications related to the customer’s compliance with data protection legislation in the processing of customer and personal data.
The supplier must comply with the provisions of the contract applicable to its own operations and the provision of services, privacy and security laws. However, the supplier is not responsible for compliance with the legislation applicable to the customer or the customer’s industry.
Where required by law, the supplier must appoint a data protection officer who must fulfill their duties according to applicable law. The details of the data protection officer will be provided to the customer upon request. Information on data protection and the data protection officer can be requested from the supplier by sending an email to: havi@havi.fi. Before acting on the request, the supplier asks the customer to verify their identity and additional information and, if the person is acting on behalf of someone else, that they are authorized to make such a request. The supplier must maintain all necessary records and, upon request by the customer, make all such information available as is necessary to demonstrate compliance with the obligations.
10. Information Security
The supplier must implement and maintain appropriate technical and organizational measures to protect customer and personal data. The protection must take into account the level of information technology and security, the costs of implementation, and the nature, scope, context and purposes of the processing; as well as the likelihood and severity of the varying risk to the freedoms and rights of natural persons.
The processing must also take into account the risk of destruction, loss and alteration of personal data stored, transmitted or otherwise processed due to damage or illegal activity, as well as the risk of unauthorized access to or disclosure of the data. The customer is obliged to inform Havi Oy of all circumstances (including special risks or personal data groups) that require the definition of additional technical or organizational protection measures.
If the Supplier needs access to Customer and Personal Data to fulfill its legal obligations, it must restrict access rights and allow processing operations only to qualified personnel.
“Qualified Personnel” means employees and/or agents, consultants, subcontractors or other third parties who work under the Supplier in order for the Supplier to fulfill its obligations to the Customer and who are subject to such confidentiality and security obligations.
Audits and Controls
The Supplier undertakes to commission audits of its services and personal data processing by qualified third parties according to industry standards. In accordance with the Supplier's practices and agreements, and only to the extent not covered by the above-mentioned independent audit reports, the Customer or its representatives may, at the Customer's expense, conduct audits of the services and personal data processing or assess and monitor compliance with the security requirements listed by the Supplier.
Upon termination of an agreement or service subscription, the Supplier shall, in accordance with the Customer's instructions, either return or delete all customer data. If the Customer has not provided instructions within 30 business days of the termination, the Supplier shall delete all Personal Data, unless the Supplier is required by law to retain such Personal Data. In connection with card transactions, we cooperate with an authorized payment intermediary who helps us to monitor that payments can be made with the card directly from your bank. Our payment processor processes card data in a proper manner according to the international PCI DSS security standard.
Assisting the Customer in Meeting Security Requirements
During the term of the agreement, the customer may request that the supplier assist the customer in meeting the obligations required by applicable data protection legislation, provided that such obligations are related to the services/products and are commercially reasonable. If the supplier agrees to assist the customer, the customer is responsible for the costs.
Technical and Organizational Measures
The customer is solely responsible for implementing and maintaining security measures and other technical and organizational protective measures (e.g. when using an online store, to prevent credentials from falling into the wrong hands). The measures must be proportionate to the nature and amount of personal data stored and/or otherwise processed by the customer.
The customer is also responsible for its employees using the service and persons to whom the customer has granted access or use rights to the services. The customer is also liable if a third party gains access to its personal data or the service, even if the customer has not given permission to process the data, if the customer has not taken the necessary security measures. The customer may purchase additional services from the supplier to ensure compliance with its obligations under this section.
Data Security Incident Management
Each party undertakes to notify the other party without delay if it becomes aware of any unauthorized use of the service or customer credentials or any other incident affecting the personal data of the service. The notification shall include the following information, if available:
• the circumstances leading to the data breach
• a description of the nature of the data breach, including, when possible, the categories and estimated number of personal data affected and the categories and estimated number of data subjects affected
• a description of the likely consequences of the data breach
• a description of the measures taken or proposed to be taken to respond to the data breach, including, where appropriate, measures to mitigate its potential adverse effects.
Each party shall investigate all causes of the data breach within its area of responsibility and take appropriate action to stop the data breach, mitigate its effects and prevent similar breaches. The parties shall document and notify the other party of the results of their investigation and the actions taken. The parties shall cooperate reasonably in investigating the breach. The customer and the supplier agree to cooperate reasonably to secure the security of the service, the service environment, the systems located in the service, and customer and personal data in situations where service outages, security issues, or potential data breaches are being investigated.
Updated October 1st 2024