Description of handling operations
EU General Data Protection Regulation (2016/679), Articles 13, 14, 15, 16, 17, 18, 20, 21 and 30
We may update or change this Privacy Statement at any time. The description is valid from 02.02.2021.
Neidon Sydän Oy
Business ID: 3156754-4
050 550 8878
2. Contact persons responsible for registry matters
Contact person Riitta Kulju
Neidon Sydän Oy
050 550 8878
3. Register name
Neidon Sydän Oy customer and contact information register.
4. Purpose of the processing of personal data / recipients (or groups of recipients) / legal basis for the processing of personal data
The purpose of the register is to process the information required for Neidon Sydän Oy's customer order processing and customer communication. On a case-by-case basis, we may transfer contact information related to the delivery of orders to third parties who are responsible for the delivery of products to the end customer. The information stored in the online store is held in the server rooms of Suomen Hostingpalvelu Oy in Helsinki. The servers are protected by a smart firewall. IDS, anti-virus and ModSecurity technologies keep the server safe from attacks. Suomen Hostingpalvelu Oy stores and processes personal data in accordance with the EU GDPR and the current Personal Data Act (523/1999).
More information: www.hostingservice.fi/data-protection-description
5. Information content of the register
● Full name
● Possible company
● Street address
● Postal code and location
● Possible Business ID
● Consent to marketing communications (yes or no)
● Possible billing information incl. e-invoicing or e-mail billing address
As well as information stored only in the online store database:
● Registration time (date and time)
● Last login (date and time)
● Activity status (active / blocked)
● Possible notes from the administrator, such as special requests made by the customer
● Communication with the online store
● Order history and purchase statistics
● Shopping carts
● Landing pages and current IP address
● Customer group
6. Information sources
Information provided by the data subject.
7. Disclosure of information
Customer data will not be disclosed to third parties.
8. Data transfer outside the EU or the EEA and data protection principles
Data will not be transferred outside the EU or the EEA. Neidon Sydän Oy is responsible for maintaining the register. Data maintenance can only be accessed by company employees when required for work tasks. Neidon Sydän Oy is centrally responsible and manages the rights to access the register in accordance with the security guidelines.
9. Retention period of personal data
The data controller retains personal data for the time being and for as long as the customer relationship continues, and in any case at least for the time required for the shipments of the order to be delivered or invoiced and for payment of the invoice to be verified.
10. Registry security principles
A. Manual material
Manual material is stored carefully so that it cannot be accessed by third parties. Manual material is destroyed when it is no longer needed.
B. Electronically stored data
The data is technically and physically protected in such a way that, in addition to the registry administrators, third parties do not have access to the data. Each user of the system has his or her own ID and password.
11. Right of inspection and exercise of the right of inspection, the right to transfer data from one system to another
The data subject shall have the right, after stating the facts necessary to search for the information, to know what information concerning him has been stored in this register or whether there is no information concerning him in the register. At the same time, the registrar must inform the data subject of the data sources of the register and where the data in the register is used and disclosed.
The data subject who wishes to check the in a similarly certified document. Neidon Sydän Oy may charge a service fee for the compilation of data, as it requires significant work. Is based on consent or an agreement between the controller and the data subject and is processed automatically.
12. Correction, deletion and restriction of data processing
The data subject has the opportunity to change the information provided by logging in to the online store or requesting it in writing (by e-mail or letter to customer service).
The registrar must correct, delete or supplement or outdated personal information. The controller shall also prevent the dissemination of such information if the information may compromise the data subject's privacy or rights.
The data controller shall also, at the data subject's request, restrict processing if or if the controller no longer needs such personal data for processing purposes but the data subject indicates that he or she needs them to the grounds put forward by the data subject. If the controller has restricted the processing on the above grounds, the controller must notify the data subject before the processing restriction
If the controller does not accept the data subject's request for rectification, he must provide written confirmation. The certificate shall also state the reasons why the claim has not been accepted. The data subject may refer the matter to the Data Protection Officer.
The controller shall notify the rectification to the person to whom the controller has disclosed or from whom the controller has received incorrect personal data.
However, there is no obligation to notify if notification is impossible or involves unreasonable effort. Requests for rectification must be submitted to the representative appointed by the controller in point 2, cf. contact information above.
It should be noted that the controller may have a statutory or other right not to delete the requested information. The registrar is obliged to keep the accounting material in accordance with the period (10 years) specified in the Accounting Act (Chapter 2, 10). Therefore, the accounting material cannot be deleted before the deadline.
Customer information will not be used or disclosed for marketing purposes.
14. Descriptions of e-commerce payment intermediaries
The online store uses payment intermediaries that secure the payment transaction for the customer (consumer / business) and the seller (the online store). After the payment method is selected, the personal data is transmitted securely to the service provider to secure the payment transaction. The payment intermediary stores basic information in its system to secure the order and the money transaction. Read the detailed description in section 14.1.
14.1 Visma Pay
Information on the processing of personal data for Visma Pay users
Visma Pay (Paybyway Oy), part of the Visma Group (hereinafter "Visma Pay"), Business ID 2486559-4, processes your personal data (hereinafter "Information") for the execution of the requested payment transaction (hereinafter "Purpose"). The processing of data is governed by the EU's General Data Protection Regulation (the "General Data Protection Regulation"). Visma Pay is a payment institution supervised by the Finnish Financial Supervisory Authority (Fiva). Visma Pay acts as the data controller.
The data consists of the information needed to complete your payment transaction, such as credit card information if you have chosen a credit card as your payment method. You must provide the information to Visma Pay in order for Visma Pay to be able to process the payment transaction as requested. The legal basis for the processing of data for that purpose is that the processing is necessary for Visma Pay's legitimate interest in processing the payment to materialize and to enable you to pay for the goods and / or services you purchase. In addition, Visma Pay is subject to a number of other laws and regulations concerning, among other things, the fight against money laundering. These laws also oblige Visma Pay to process the Information, in which case the legal basis for processing the data is the necessity to fulfill a statutory obligation to Visma Pay. If you do not disclose the Information, Visma Pay may not be able to process your payment transaction.
Visma Pay may disclose the Information to other companies in the Visma Group to process the Information for the same Purpose. The information may be disclosed to other companies that are needed to achieve the Purpose, for example to your own bank, depending on the payment method you choose. These other companies may be located outside the EU / EEA. If, according to the European Commission, the country in question does not provide an adequate level of data protection, the transfer of personal data will be based on the standard data protection clauses adopted by the European Commission for the transfer of personal data outside the EU / EEA, cf. Articles 45-46 of the General Data Protection Regulation. A copy of these model contract clauses is available at
Visma Pay processes the Information for the period of time required by Paybyway's laws and regulations to continue processing. In some cases, where data is no longer needed for this purpose, processing may cease earlier. In that case, the Data will be deleted from all Visma Group databases.
You can read a more comprehensive privacy statement on the Visma website: www.visma.fi/yksityisyydensuoja/etusivu
- Right of access - Under Article 15 of the General Data Protection Regulation, you have the right to access the Data as well as certain information about the processing. This information is included in this document.
- Right of rectification - Under Article 16 of the General Data Protection Regulation, you have the right to have inaccurate information about yourself rectified and incomplete information supplemented.
- Right to delete - In certain situations, you have the right to have the Data deleted in accordance with Article 17 of the General Data Protection Regulation. This is called the "right to be forgotten."
- Right to restrict processing - In certain situations, you have the right to restrict the processing of Data by Visma Pay under Article 18 of the General Data Protection Regulation.
- Right to transfer data - Under Article 20 of the General Data Protection Regulation, you have the right to receive Data from Visma Pay in a structured, commonly used and machine-readable form (or the right to transfer it to another controller).
- Right to object - Under Article 21 of the General Data Protection Regulation, you have the right to object to certain processing operations carried out by Visma Pay, such as processing operations based on a legitimate interest of Visma Pay.
In addition, you have the right to lodge a complaint with the supervisory authority, the Office of the Data Protection Commissioner in Finland.