Privacy policy for the register concerning customers and stakeholder groups

This Privacy Policy applies to customers and stakeholders of the Kolmeks Group (Brandt Group Oy, Ltd, Kolmeks Oy and AS Kolmeks) (hereinafter Kolmeks or “we”). It describes how Kolmeks collects, processes and discloses personal information.

1       Data controller

Brandt Group Oy, Ltd
Itälahdenkatu 15-17, 00210 Helsinki

Kolmeks Oy
Taimistotie 2, 14200 Turenki

AS Kolmeks
Planeedi 4, Viljandi 71020 ESTONIA

2 Contact information

3       Name of the register


4       What are the legal basis and purpose for processing personal data?

The basis for processing personal data is the company’s legitimate interest on the basis of the customer relationship and/or other appropriate connection or the fulfilment of the agreement.

The purpose for processing personal data is:

  • the delivery of our products and services,
  • the fulfilment of our contractual and other promises and obligations,
  • the management of our customer relationships,
  • the arrangement of events

5       What information do we process?

In connection with the customer relationship, we process the following personal data of the customer or other data subject, such as trainees:

  • The data subject’s basic details such as name*
  • The data subject’s contact details such as email address*, phone number*, address details*;
  • Details concerning the company and the company’s contact person such as business ID* and contact persons’ names* and contact details;
  • any possible direct marketing refusals and consents
  • details of event participants and any details concerning the event, such as food allergies
  • Details concerning the customer account and agreement such as the contact person’s name, email address in agreements, details of past and existing agreements as well as orders, correspondence and other communications with the customer/data subject, as well as any details the customer has voluntarily entered in the company’s system. In addition to this, for example, payment service and account details.

The provision of personal details that have been marked with an asterisk are a requirement for a contractual relationship and/or customer relationship to be formed. Without the necessary personal details, we are unable to deliver the product and/or service.

6       Where do we obtain the information?

We obtain information from the data subjects themselves.

In addition to this, personal data can also be collected and updated for the purposes described in this privacy policy, from publicly available sources and authorities or based on information obtained from third parties in accordance with applicable legislation.  Such updating of information shall be carried out manually or automatically.

7       Who do we disclose or transfer information to, and do we share data outside the EU or EEA?

We do not disclose data of the register to any third parties.

We utilise subcontractors working on our behalf in the processing of personal data. We have outsourced IT administration to a third-party service provider to whose server, which they manage and protect, personal data is stored.

We do not disclose personal data outside the EU/EEA.

8       How do we protect information, and for how long do we store information?

Only employees, who have the right to process customer details on behalf of their work, have the right to use systems that contain personal details. Each user has a unique username and password for the system. The data is collected in databases, which are protected with firewalls, passwords and other technical methods. Databases and their backups are located in locked premises, and certain pre-determined persons can only access the data.

We store personal data for the term of validity of the customer relationship.

We regularly assess the necessity of storing details while considering the validity of the customer relationship and its duration. In addition to this, we ensure reasonable measures, which we use to ensure that no incompatible, outdated or incorrect personal data about the data subject are stored in the register for processing purposes. We shall correct or remove such information without delay.

9        What are your rights as a data subject?

As a data subject, you have the right to review the information about you that is stored in the person register and demand for any incorrect, outdated, unnecessary or illegal information to be corrected or removed.  If you personally have access to your data, you can edit the details yourself. If the processing is based on consent, you also have the right to withdraw or change your consent.

In accordance with the General Data Protection Regulation, as the data subject, you have the right to deny or request the processing of your details to be limited and appeal the processing of personal data to a supervisory authority.

For special personal reasons, you also have the right to refuses processing measures concerning yourself when the basis for processing data is our legitimate interest. In connection with your request, you must specify the specific situation on which basis you refuse the processing. We can only refuse to implement the request for legally regulated reasons.

10    Who can you contact?

All communications and requests concerning this policy must be presented in writing to the contact information specified in Section two (2).

11    Changes to the Privacy Policy

If we make any changes to this policy, we shall date the changes in the policy. If the changes are significant, we can inform you about them by other means, such as by email or placing a notice on our website. We recommend that you regularly visit our website and take into account any changes to the policy.