Privacy Policy

1. Contact details of the controller for data protection matters

Data controller

Idlis Ltd.
Business ID: FI32805006

Contact for all data protection matters

The data subject may contact the controller on all data protection issues as follows:

Email: privacy@idlisbuy.com

2. Data subjects and content of the register

The Register contains the following information about the following personal data of the decision-makers, contact persons and representatives ("Data Subject") of the Controller's customer, supplier or partner companies and entities ("Company"):

  1. Basic information: name, title or profession, position or function in the company, company details, work-related contact details (postal and visiting address, email address, telephone number), year of birth, gender, mother tongue, language of service, preferred method of contact;
  2. Data for the verification, identification and personalisation of the identity of the data subject.
  3. Marketing Data: information on functions and status in business or public office, professional interests, other information provided by the Data Subject; marketing measures targeted at the Data Subject, event attendance data, direct marketing and other authorisations and consents, prohibitions and restrictions;
  4. Information on the use of the electronic services or information systems of the controller: e.g. Data on the use of the controller's services or information systems, e.g. access rights, user IDs and passwords, other possible identification data, access history and log data stored in connection with the use of information systems; data on the use and browsing of Internet services, reading data of newsletters, advertisements displayed and data on clicking on advertisements; the page from which the user has accessed the Controller's website, device model, unique device and/or cookie identifier, data collection channel (internet browser, mobile browser, application), browser version, IP address, session identifier, time and duration of the session and screen resolution and operating system, country/city location.
  5. Profiling and classification data: customer/user and marketing segments and profiles based on the analysis and profiling of the data described above, as well as classification and other data collected from regular data sources.
Information about the company is not personal data

The communications and documents between the Data Controller and the Company (e.g. and communications, emails, e-filing forms, feedback, chat conversations, telephone records, enquiries, requests for quotations, orders and contracts made by the Data Subject on behalf of the Company and the Data Subject's data contained therein are not personal data but data describing the Company and are not subject to data protection legislation.

3. Legal basis and purposes of the processing of personal data

The Controller processes the personal data of Data Subjects on the following legal grounds and for the following purposes:

  1. In accordance with a legitimate interest based on a customer, supplier or other relationship between the Data Controller and the Businesses Establishing a customer or other relationship between the Data Controller and the Business (e.g. responding to enquiries, requests for quotations), managing, maintaining, developing the customer relationship; designing and developing business, products and services; customer and other satisfaction surveys and other communications based on the relationship between the Business and the Data Controller;
  2. Performing the Controller's legal obligations, e.g. in the legitimate interest of the Controller, to detect, prevent and investigate fraud, money laundering and other crimes and misconduct;
  3. In the legitimate interests of the controller, direct marketing and targeting of its products and services (including sending newsletters) by telephone, e-mail, SMS and other electronic means; conducting opinion and market research, organising marketing competitions and other events;
  4. Processing data collected through the use of cookies, advertising tags or other similar technical means of tracking the use of the controller's online and mobile services for the purposes specified in the data subject's cookie consent.
  5. In accordance with the legitimate interests of the controller, advertising of its products and services on the controller's own and other internet and mobile media, services and applications and targeting of advertising;
  6. In the legitimate interest of the controller and its partners, analysis, profiling, segmentation and statistics of data subjects and their data for the above-mentioned purposes.

4. Where the data is collected

The data in the register is collected as a rule from the employer of the Data Subject or from the Data Subject himself/herself in connection with the use of the services and the website, the completion of a contact request or other form, the conclusion of a contract or other personal, electronic or telephone communication or in connection with participation in events. In addition, personal data may be collected and updated from open and public information about companies published by the Company or its representatives, for example on the Internet and from publicly available information sources such as the Company's website, trade registers, postal operators, contact information services.

5. To whom the data are disclosed or transferred

The controller may disclose information from the register to its partners when this is necessary to fulfil the purposes of the register, e.g. to deliver and invoice agreed products or services. Otherwise, the data will not be disclosed to third parties without the consent of the data subject, except where necessary to comply with the legal obligations of the controller, in connection with legal proceedings, at the request of public authorities or as part of business arrangements.

The Controller is entitled to use subcontractors for the processing of personal data under this Privacy Statement. In such cases, personal data may be transferred to subcontractors to the extent necessary for the performance of the subcontractor's services. The controller uses subcontractors for the following tasks:

  • ICT: IT infrastructure, security and user management, electronic messaging services
  • ERP: Enterprise Resource Planning
  • Analytics, marketing and sales
  • Financial management

The subcontractors process personal data on behalf and for the account of the Controller in accordance with the Controller's instructions and this Privacy Policy. The Controller shall ensure by contract that personal data is processed in accordance with the law in the provision and performance of its services.

Personal data may also be transferred for processing in a country outside the EU/EEA. Unless the European Commission has decided that the level of data protection in the country of processing is acceptable, the Controller will ensure adequate data protection by entering into written contracts with subcontractors under standard contractual clauses approved by the European Commission or other legal procedure. The standard contractual clauses can be found at: https://ec.europa.eu/info/system/files/1_en_annexe_acte_autonome_cp_part1_v5_0.pdf

6. Processing of personal data relating to the controller's social media users

The Registrar's website contains social media functions (i.e. community plugins) such as LinkedIn, Twitter and Instagram buttons that lead to community pages maintained by the Registrar.

Social media services share user information with the Registrar in accordance with their privacy policies and user consents, such as comments and links to the Registrar's websites shared by the user in the media and information contained in the user's public profile. The Controller will process personal data obtained through its social networking sites on the basis of legitimate interest only for the Controller's own purposes, such as announcing new products, services or offers, running competitions and sweepstakes, receiving feedback, purchasing advertising on social media, measuring the reach of pages or advertisements or providing customer service on social networking sites. The Controller will not process the data outside of social media and the data they share will not be combined with other data or registers of the Controller without the consent of the Data Subject.

Social plug-ins are the responsibility of the company providing them. They are primarily responsible for compliance with data protection legislation and for ensuring data security and the rights of the Data Subject in the service. Social media privacy policies and data protection information on social media can be consulted and their privacy settings can be managed on a service-by-service basis:

LinkedIn: https://www.linkedin.com/legal/privacy-policy

Instagram: https://fi-fi.facebook.com/privacy/explanation

Twitter: https://privacy.twitter.com/en

7. Principles of register protection and data retention period

Only those persons who need the data for the performance of their duties are entitled to access the data. Manual data are kept in locked premises with a level of protection equivalent to that of the data. The staff and subcontractors handling the data are bound by confidentiality obligations. The protection of electronically stored data is based on access control, technical protection of databases and servers, physical protection of premises, access control, protection of data traffic and data back-up. Access to the electronic content of the register by persons processing the data is protected by personal user IDs and passwords. Access and processing rights are granted on the basis of job function.

Personal data are kept for as long as necessary for the purposes for which they are used. Personal data relating to a customer, supplier or other relationship between the Data Controller and the Company will be deleted after the relationship has ended or after the Data Controller has been informed that the Data Subject is no longer the contact person for the Company, with the following exceptions:

  • Anonymised data may be kept permanently.
  • Data on the use of electronic services and contact data relating to the customer, supplier or other relationship will be kept for five years from the date of the anonymisation.
  • Electronic service usage data collected by cookies will be deleted in accordance with the time limits indicated in the cookie consent.
  • Basic data, marketing data, profile and classification data of the data subject may be permanently stored for marketing purposes.
  • Data may be retained beyond the above-mentioned retention periods in the circumstances permitted by the applicable legislation.

8. Inspection, rectification and other rights of the data subject

The data subject has the right to inspect the data stored in the personal data file concerning him or her and to request the rectification or erasure of inaccurate, outdated, unnecessary or unlawful data. The data subject also has the right to withdraw at any time his or her prior consent to the processing of his or her personal data. Withdrawal of consent does not affect the lawfulness of the processing that took place before the withdrawal of consent.

Data subjects have the right to object to the processing of their personal data for the purposes of direct marketing and related profiling.

Where the data subject has provided his or her personal data to the controller and the processing is based on consent or on a contract, the data subject has the right to receive these data in a structured, commonly used and machine-readable format and the right to transfer the data to another controller in accordance with the applicable legislation.

Where the processing of personal data is based on legitimate interests, the data subject has the right to object to the processing of his or her data on grounds relating to his or her particular situation. The data subject must identify the specific situation on which the objection is based at the time of the request.

The data subject may, in situations specified by law, request the restriction of the processing of his or her personal data, for example the total or partial suspension of processing, where the data subject considers that there is doubt as to the accuracy of the data or as to the processing of the data.

Requests should be made in person, by letter or by e-mail using the contact details in paragraph 1. Where necessary, the controller may ask the Data Subject to specify his or her request in writing and to prove his or her identity.

The data subject has the right to lodge a complaint about the processing of personal data with the Data Protection Ombudsman.