Privacy Statement

This is the privacy statement of the Company in accordance with the Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR).

Prepared on 14.5.2018. Last modified on 12.6.2018.

Exit-Painike Ky processes personal data carefully and securely. This privacy statement describes the procedures applied to the personal data processed by Exit-Painike Ky.

The privacy statement includes the description of Exit-Painike Ky's customer register and other information related to the customer register.

• The description of the customer register explains the processing of data of Exit-Painike Ky's customers and stakeholders.
• Other information related to the customer register includes information about the rights of the data subject, cookies, and data security.

Description of the Customer Register

1. Data Controller
Exit-Painike Ky, PL 78, 61800 KAUHAJOKI

2. Contact Person for Register Matters
Jukka Hakala, exitpainike(at)exitpainike.fi

3. Name of the Register
Company's customer and marketing register.

4. Legal Basis and Purpose of Personal Data Processing
The basis for processing personal data is the customer, transaction, or stakeholder relationship or other relevant connection with Exit-Painike Ky, as well as consent or assignment. The purpose of data processing is to carry out business activities related to the purpose of Exit-Painike Ky, such as billing and delivering products ordered by the customer, as well as possible communication and marketing through various channels. Exit-Painike Ky uses subcontractors operating in accordance with Section 5 of the Personal Data Act for the technical, commercial, or operational implementation of processing tasks on behalf of Exit-Painike Ky.

5. Content of the Register
The register contains the necessary identification information of the data subject and other information necessary for the purpose of the register. The following data is processed in the register:
◦ First name
◦ Last name
◦ Address, phone number, email address, and other necessary contact information (billing, delivery address)
◦ Company name
◦ Company business ID
◦ Customer group information
◦ Order history (identifier, date, product lines, amount, tax)
◦ Additional order information (payment method, delivery method, bank, order weight, product lines (product ID, title, quantity, unit price, and order events (created, delivery and payment status, possible order message))

6. Regular Data Sources
Personal data is obtained from the customer at the order stage. Data can also be collected, stored, and updated from messages sent via web forms, email, phone, social media services, contracts, customer meetings, and other situations where the customer provides their information.

7. Regular Data Disclosures and Data Transfers Outside the EU or EEA
Personal data is not regularly disclosed to other parties, but it can be disclosed within the limits and obligations of the applicable legislation. Data can be published to the extent agreed with the customer. Data is not disclosed or transferred by the data controller outside the EU or EEA without separate permission.

8. Principles of Register
Protection Care is taken in the processing of the register, and data processed through information systems is appropriately protected. When register data is stored on Internet servers, the physical and digital security of the equipment is appropriately ensured. The data controller ensures that stored data, server access rights, and other critical information for the security of personal data are treated confidentially and only by employees whose job description includes it.

9. Right of Inspection and Right to Request Correction of Data
Every person in the register has the right to check their data stored in the register and request the correction of any incorrect data or the completion of incomplete data. If a person wants to check their stored data or request a correction, the request must be sent in writing to the data controller. The data controller may, if necessary, ask the requester to prove their identity. The data controller responds to the customer within the time frame set by the EU General Data Protection Regulation (usually within one month).

10. Other Rights Related to the Processing of Personal Data
A person in the register has the right to request the deletion of their personal data from the register ("right to be forgotten"). Similarly, registered persons have other rights under the EU General Data Protection Regulation, such as restricting the processing of personal data in certain situations. Requests must be sent in writing to the data controller. The data controller may, if necessary, ask the requester to prove their identity. The data controller responds to the customer within the time frame set by the EU General Data Protection Regulation (usually within one month).