Vesivek Privacy Policy

1) General Information

This Privacy Policy describes how Vesivek Oy (“Vesivek” or “the Data Controller”) processes personal data. This Privacy Policy applies to the Data Controller’s website, the provision of products and services, customer relationship management, and marketing. In addition, this Privacy Policy applies to subcontracting and other stakeholder collaboration. This Privacy Policy also applies, to the extent applicable, to the processing of personal data by companies belonging to the same group as Vesivek Oy, such as Vesivek Salaojat Oy, Vesivek Tuotteet Oy, and HLRE Group Oy.
We comply with applicable data protection legislation when processing personal data. “Data protection legislation” refers to current data protection laws, such as the European Union’s General Data Protection Regulation (2016/679) and the Finnish Data Protection Act (5.12.2018/1050).
Any data protection-related terms not defined in this Privacy Policy shall be interpreted in accordance with data protection legislation. Personal data refers to any information relating to an identified or identifiable natural person (“data subject”) that can be used to identify the person directly or indirectly, as further defined in the General Data Protection Regulation.
Our websites may also contain links to external websites and services operated by other organizations that we do not control. This Privacy Policy does not apply to their use, so we encourage you to review their respective privacy policies. We are not responsible for the privacy practices of other websites or external services.

2) Data Controller and Contact Information

Data Controller: Vesivek Oy
Business ID: 0951383-0
Address: Jasperintie 273, 33960 Pirkkala
Email: tietosuoja@vesivek.fi

3) Purposes and Legal Bases for the Processing of Personal Data

We process only the personal data that is necessary for each specific purpose. The main purposes and legal bases for processing are described below:

  • Delivering products and services, entering into customer agreements, processing orders, and ensuring business transactions (contractual relationship or preparation thereof, legitimate interest).
  • Customer service and communication, customer satisfaction surveys, and prize drawings (legitimate interest).
  • Billing, credit decisions, and debt collection (contractual relationship or preparation thereof, legitimate interest).
  • Marketing (including market research), other marketing promotion and event organization, marketing references, analyses, the production of statistics, and the measurement of marketing effectiveness (legitimate interest).
  • Direct marketing, including electronic direct marketing and telemarketing, planning and measuring the effectiveness of advertising and marketing, as well as combining and updating personal data for direct marketing purposes (legitimate interest, consent).
  • Managing stakeholder relations, as well as subcontracting and cooperation with service providers (legitimate interest, contractual relationship, or preparation for such a relationship).
  • To improve the user experience on our website and other services, track user traffic, and target marketing based on cookies and similar tracking technologies (consent).
  • Fulfilling statutory obligations (such as accounting and taxation).
  • Internal and Group reporting, other administrative measures, business planning, and stakeholder training (legitimate interest).
  • Handling warranty and liability matters, processing complaints, and managing legal and regulatory proceedings (statutory obligation, legitimate interest).
  • Preventing and investigating misconduct; ensuring information security, the safety of persons and property, and occupational safety (legitimate interest).

When we process personal data based on a legitimate interest, we weigh the benefits of the processing against any potential harm to the data subject and determine that the data subject’s rights and interests do not override the legitimate interest. Upon request, we will provide additional information regarding the processing of personal data based on legitimate interest.

4) Personal Data Processed and Sources of Data

Data GroupExamples of data content
Identification and Contact Information*Name of the customer or the customer’s representative
Information regarding products and services, as well as related orders and customer communications*Information regarding processed orders, order delivery times, and information related to contracts, financing, customer communications, and complaints
Information related to marketing (including direct marketing) and events, as well as the data subject’s consents and opt-outsContact information for customers and potential customers for marketing purposes, as well as information collected in connection with events and functions, materials on our website, and newsletter subscriptions. Consents and opt-outs regarding direct marketing
Information regarding the use of websites and other electronic services.IP address, device information, browser and operating system information, and registration information
Call Details*Call recordings for the purposes of verifying business transactions and for training purposes

*The marked personal data fields are required. Without the personal data marked as required, we will not be able to, for example, deliver products or services or handle customer communications.

We collect personal information directly from you when, for example, you interact with us, purchase or order our products or services, either on your own behalf or on behalf of the organization you represent, or when you visit our website or other online services, subscribe to our newsletter or other materials available on our website, respond to a customer satisfaction survey, or otherwise contact us.

We also obtain personal data from other external sources, such as registers maintained by public authorities and, for direct marketing purposes, from private registry services such as ProFinder (Leadventure Oy).

Personal data may also be received from other companies within the Vesivek Group.

5) Retention of Personal Data

We retain personal data for as long as necessary to fulfill the purposes specified in the Privacy Policy, such as for the duration of the warranty we provide and for six months following its expiration. However, we will retain data for at least the period required by law (for example, to fulfill responsibilities and obligations related to accounting or reporting requirements), or for the purpose of legal proceedings or the resolution of a similar dispute. When personal data is no longer needed for the purposes for which it was collected or otherwise processed, it will be deleted or anonymized within a reasonable time.

Personal data obtained from external registry services is retained in accordance with the agreement with the party that disclosed the personal data.

We will provide additional information about our personal data retention practices upon request.

6) Recipients of Personal Data

Personal data may be disclosed, combined, or otherwise processed between companies belonging to the same group as the data controller in accordance with the requirements of data protection legislation for the purposes described in this privacy policy.
Various service providers and other third parties may also be used in the processing of personal data, such as providers of technical solutions or server space, or providers of accounting, debt collection, and financial management services. Group companies may also process personal data on behalf of another group company.

We ensure that we have the agreements required by data protection legislation in place with the parties we use for the processing of personal data.

Personal data may be disclosed to third parties in situations required by law or by a government authority, or to investigate misconduct and ensure security. In addition, personal data may need to be disclosed in connection with legal proceedings or similar legal processes.

If the data controller or a company belonging to the same group is involved in a merger, a business transaction, or other corporate restructuring, personal data may be disclosed to the other parties to the arrangement or to parties assisting in the arrangement.

We will provide additional information about the recipients of personal data upon request.

7) Joint Data Controller Arrangement

Companies belonging to the same group as Vesivek Oy may act as joint controllers, as defined by data protection legislation, when processing personal data for common purposes, such as marketing and customer relationship management. As joint controllers, they jointly decide how and for what purposes personal data is processed.

The companies within the Group have agreed that Vesivek Oy is responsible for fulfilling all obligations imposed on a joint controller under data protection legislation, and data subjects may contact Vesivek Oy regarding any questions related to joint controllership.

8) Transfer of Personal Data Outside the European Economic Area

As a general rule, we process personal data within the European Economic Area (“EEA”), but it may also be processed outside the EEA. If personal data is transferred outside the EEA, we ensure the lawfulness of the transfer through an appropriate safeguard mechanism, such as the Standard Contractual Clauses approved by the European Commission or based on the European Commission’s adequacy decision.

Upon request, we will provide additional information regarding the transfer of personal data and the safeguards used.

9) Protection of Personal Information

Information security and the protection of personal data are of the utmost importance to us. We use appropriate technical and organizational safeguards to protect personal data. We also do our best to ensure the fault tolerance of our systems and the ability to recover data. Access to personal data is restricted solely to specifically authorized parties. Parties that process personal data are bound by a duty of confidentiality regarding matters related to the processing of personal data.

10) Rights of the Data Subject

Data subjects have the following rights under data protection laws. However, the application of these rights in each individual case depends on the purpose and context of the use of personal data.

  • The right to access one’s personal data. The data subject has the right to obtain confirmation as to whether the data subject’s personal data is being processed, as well as other information regarding the processing of personal data in accordance with data protection legislation. The data subject has the right to access their personal data and to receive a copy of it.
  • Right to rectification of personal data. Subject to certain restrictions, the data subject has the right to request the correction or deletion of incorrect or inaccurate information.
  • Right to erasure of personal data. In accordance with data protection laws, the data subject has the right to request the erasure of their personal data. Upon request, we will erase personal data unless we are required by law to retain it, or unless another exception under data protection legislation applies.
  • Right to restriction of processing. In accordance with data protection laws, the data subject has the right to request the restriction of the processing of personal data in certain situations.
  • Right to data portability. The data subject has the right to request that their personal data be transferred to another controller. The right to data portability generally applies to personal data that the data subject has provided to the data controller in a structured and machine-readable format, and the processing of which is based on the data subject’s consent or a contract, and which is carried out by automated means.
  • Right to Object to Processing. The data subject has the right, in accordance with the requirements of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse such a request if the processing is necessary for the purposes of the controller or a third party’s compelling and legitimate interests. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and to profiling related to direct marketing.
  • The right to withdraw consent. If the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw that consent. Withdrawal of consent does not affect the lawfulness of processing carried out prior to the withdrawal.

11) Exercising Rights

You can submit a request regarding your rights as a data subject by mail or email using the contact information provided in this Privacy Policy.

Your identity may be verified before your request is processed. We will respond to your request within a reasonable time and, where possible, within one month of receiving the request and completing any necessary identity verification. If the request cannot be granted, you will be notified separately of the refusal.

12) The right to file a complaint with the supervisory authority

We hope you will contact us if you have any questions regarding the processing of your personal data.
Data subjects have the right to file a complaint with the competent data protection authority if they believe that their personal data has been processed in violation of data protection laws.
You can find the contact information for the Finnish Data Protection Authority here.

13) Changes to the Privacy Policy

This Privacy Policy may need to be amended from time to time. Changes may also be based on changes in data protection legislation. We therefore encourage you to review this Privacy Policy regularly to stay informed of any changes. The latest version is available on our website.

This Privacy Policy was updated on June 4, 2024.