Privacy Statement
1. General information
This privacy statement describes how Nesco Oy (“Nesco Oy” or “the controller”) processes personal data. The privacy statement applies to the controller’s website, deliveries of products and services, customer relationship management and marketing activities. In addition, this privacy statement applies to subcontracting and other stakeholder engagement. Where applicable, this privacy statement also applies to the processing of personal data by Tuusulan Peltikeskus Oy and other Group companies of Nesco Oy.
In processing personal data, we comply with the applicable data protection regulations. Data protection regulations refer to data protection legislation valid at the time, including the EU General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (5 December 2018/1050). In the case that a term related to privacy is not defined in this privacy statement, the meaning given in data protection regulations shall apply. Personal data means any information relating to a natural person (data subject) who can be identified, directly or indirectly, as defined in detail in the EU GDPR.
Our websites may also contain links to external websites and services maintained by unaffiliated third-party organisations. As these are not controlled by us, this privacy statement is not applicable to their use. Therefore, we encourage data subjects to consult the third-party organisations’ respective privacy policies. We are not liable for the privacy policies of other websites or third-party services.
2. Controller’s name and contact information
Nesco Oy
Business ID: 0432656-9
Address: Teollisuustie 8, 16300 Orimattila
Email: tietosuoja@vesivek.fi
Tuusulan Peltikeskus Oy
Business ID 0950583-0
Address: Puusepäntie 27, 04360 Tuusula
Email: tietosuoja@vesivek.fi
3. Purposes and legal basis of processing
We only process personal data to the extent necessary for each purpose. The main purposes are described below:
- Delivery and provision of products and services, performance of customer contracts and management of orders.
- Customer service and communication as well as customer satisfaction surveys and prize drawings.
- Invoicing, credit decisions and debt collection.
- Marketing (including market research), other marketing promotion and event organisation, customer references for marketing purposes, analysis, generation of statistics and measuring the effectiveness of marketing.
- Direct marketing, including electronic direct marketing and telephone marketing, planning and measuring the effectiveness of advertising and marketing, and aggregating and updating personal data for direct marketing purposes.
- Management of stakeholder relations, subcontracting and cooperation with service providers.
- Improving the user experience of our website and other services, tracking user traffic and targeted marketing using cookies and comparable tracking technologies.
- Performance of statutory obligations (such as accounting and tax legislation).
- Internal and Group reporting and other administrative measures, business planning and personnel and stakeholder training.
- Handling of warranty and liability issues, complaints and legal and regulatory matters.
- Prevention and investigation of misconduct and ensuring data protection and the safety of persons and property as well as workplace safety.
When we process personal data for the purposes of delivering products and services, performing customer contracts and managing orders and related obligations, the legal basis for processing is the performance of the contract or its preparation.
The legal basis for processing personal data may also be the legitimate interest of the controller or of a third party. Legitimate interests include managing customer relationships, customer communications, the processing of personal data related to marketing (including direct marketing), the processing of personal data related to, for example, reporting and business development, and the handling of complaints and legal proceedings. When we process personal data on the basis of a legitimate interest, we weigh the benefits and potential disadvantages of the processing for the data subject and ensure that the data subject’s rights and interests do not override the legitimate interest. Upon request, we will provide additional information regarding the processing of personal data on the basis of a legitimate interest.
When we process personal data in order to comply with legal requirements, the primary legal basis for processing is compliance with a legal obligation.
Processing personal data for the purposes of sending out newsletters and other direct electronic marketing is based on the consent of the data subject, in accordance with the requirements of data protection regulations.
4. Categories of personal data and their sources
*Personal data marked with an asterisk are mandatory. Without mandatory personal data, we are unable to, for example, deliver products or services or handle customer communications.
We collect personal data directly from you when, for example, you do business with us, purchase or order our products or services either on your own behalf or on behalf of an organisation you represent, visit our website or other electronic services, subscribe to our newsletter or other materials, respond to a customer satisfaction survey or contact us for some other reason.
We also collect personal data from other third-party sources, such as registries maintained by the authorities and, for direct marketing purposes, also from private registry services such as ProFinder (Leadventure Oy).
We may also receive personal data from other companies belonging to the same Group.
5. Retention of personal data
We retain personal data for as long as is necessary to fulfil the purposes described in the privacy statement, but at least for the period required by our legal obligations (such as accounting and reporting responsibilities and obligations) or for the purpose of resolving legal disputes or other similar disputes. When personal data is no longer needed for the purpose for which it was collected or otherwise processed, the personal data is deleted or rendered anonymous within a reasonable time.
Personal data obtained from third-party registry services is retained in accordance with the agreement with the party that provided the data.
Upon request, we will provide more information about our personal data retention policy.
8. Recipients of personal data
Subject to the requirements of data protection regulations, personal data may be disclosed, combined or otherwise processed between companies belonging to the same Group as the controller for the purposes described in this privacy statement.
We may also use various service providers and other third parties to process personal data, such as providers of technical solutions or server space and accounting, debt collection and financial administration service providers. Group companies may also process personal data on behalf of another Group company. When we use third parties to process personal data, we ensure that the agreements required by data protection regulations are in place.
We may disclose personal data to third parties in situations required by the law or the authorities or in order to investigate abuse and ensure data protection. In addition, we may be required to disclose personal data in connection with litigation or similar legal proceedings.
If the controller or a company belonging to the same Group is involved in a merger, asset purchase or other corporate transaction, personal data may be disclosed to other parties to the transaction or to parties assisting in the transaction.
Upon request, we will provide more information about the recipients of personal data.
7. Joint controllers
Nesco Oy and Tuusulan Peltikeskus Oy belong to the same Group of companies as Vesivek Oy. Companies belonging to the same Group as Vesivek Oy may act as joint controllers within the meaning of data protection regulations when processing personal data for common purposes. As joint controllers, they jointly decide how and for what purposes personal data is processed.
The Group’s companies have agreed that Vesivek Oy is responsible for fulfilling all obligations imposed on the joint controllers by data protection regulations, and that data subjects can contact Vesivek Oy in matters related to the joint controllers. For more information, see Vesivek Oy’s privacy statement here.
8. Transfer of personal data outside the European Economic Area
We process personal data mostly within the European Economic Area (“EEA”), processing may also take place outside the EEA in certain situations. If personal data is transferred outside the EEA, we will ensure the lawfulness of the transfer by means of an appropriate safeguard mechanism, such as the European Commission’s standard contract clauses.
Upon request, we will provide additional information about the transfer of personal data and the safeguards used.
9. Protection of personal data
Data security and the protection of personal data are of paramount importance to us. We use appropriate technical and organisational safeguards to protect personal data. We also do our best to ensure the resilience of our systems and the ability to restore data. Access to personal data is restricted to separately authorised parties. Parties who process personal data are bound by an obligation of professional secrecy on matters that relate to the processing.
10. Rights of data subjects
Data subjects have the following rights under data protection regulations. However, the exercise of the rights in each individual situation depends on the purpose and context of the use of personal data.
- Right of access to data. Data subjects have the right to receive confirmation as to whether their personal data is processed, as well as other information about the processing in accordance with data protection regulations. Data subjects have the right to access and receive a copy of their personal data.
- Right to rectification of data. Data subjects have the right, with certain restrictions, to request the correction or erasure of incorrect or inaccurate information.
- Right to erasure of data. Data subjects have the right to request the erasure of personal data in accordance with the provisions of data protection regulations. Upon request, we will erase personal data unless we are required by law to retain it or unless some other exemption under the data protection regulations applies.
- Right to restrict processing. Data subjects have the right to request the restriction of processing of personal data in certain situations and subject to the provisions of data protection regulations.
- Right to transfer data. Data subjects have the right to request the transfer of their personal data to another data controller. As a general rule, the right to transfer data applies to personal data which the data subject has provided to the controller in a structured and machine-readable form, which are processed on the basis of the data subject’s consent or the performance of a contract, and which are processed automatically.
- Right to object to processing. Data subjects have the right to object to the processing of personal data based on legitimate interests, including profiling, subject to the provisions of data protection regulations. We may refuse the objection if processing is necessary for the purposes of compelling legitimate interests of the controller or a third party. However, data subjects always have the right to object to the processing of personal data for direct marketing purposes and for profiling related to direct marketing.
- Right to withdraw consent. Where personal data processing is based on consent given by the data subject, the data subject shall have the right to withdraw his or her consent. Withdrawing consent has no effect on any previous processing.
11. Exercise of rights
You can send a request regarding any of your rights as a data subject by mail or email using the contact information provided in this privacy statement.
We will verify your identity before processing the request. We respond to requests within a reasonable time and, where possible, within one month of the request and the verification of identity. If we cannot comply with the request, we will notify you separately.
12. Right to lodge a complaint with a supervisory authority
We hope that you will contact us if you have any questions regarding the processing of your personal data.
Data subjects have the right to lodge a complaint with the competent data protection authority if they feel that the processing of their personal data is in violation of data protection regulations.
Contact details of the Finnish data protection authority can be found here.
13. Changes to the privacy statement
This privacy statement may be updated from time to time. The updates may also be due to changes in data protection regulations. We therefore encourage that you revisit this privacy statement regularly. The latest version is available on our website.
This privacy statement was published on 23.9.2021.