This Privacy Notice applies to the customers and potential customers, including those visiting the web pages and included in the marketing activities (later “you” or “data subjects”), of Nevel, which consists of the companies Nevel Oy (Finland), Nevel AB (Sweden) and Nevel Eesti OÜ (Estonia) (later “Nevel”, “we”). The Privacy Notice covers the business related to the products and services that we offer to you.
The purpose of this Privacy Notice is to inform you of what personal data we collect or obtain regarding you, and how this data is used including disclosure, retention and protection of the data. It also explains your rights to control the processing.
We are committed to respecting your privacy and process your personal data according to the European Union’s General Data Protection Regulation (2016/679) (later “GDPR”) and other applicable privacy laws and regulations.
Personal data is information that directly or indirectly reveals your identity, such as a name, identification number, address, and Internet Protocol (IP) address (later “personal data”). The definitions of the data privacy terms set out in Article 4 of the GDPR shall apply for this Privacy Notice.
2. Contact information, controller
Nevel is the controller of the personal data described in this notice. Nevel consists of the following three companies: Nevel Oy, Nevel Ab (Sweden) and Nevel Eesti OÜ (Estonia).
The Data Protection Officer is responsible for matters concerning data protection at Nevel. If you have any questions related to this Privacy Notice or data privacy in general concerning the companies in Nevel, you can contact:
Data Protection Officer
3. Purposes of processing of personal data
We process your personal data only for legitimate business purposes and to fulfil our legal obligations. The processing purposes include:
Customer sales and services
Sales processing such as order/purchase, delivery, invoicing, debt collection, credit limit check
Warranties, quality assurance, reclamation, feedback, inquiries and other communications with you
Providing and maintaining the web shop services
Collecting service usage information for resolving service fee (district heating service)
Customer relationships management
Communications & PR (e.g. delivering annual report or company news)
Marketing including tracking technologies and personalized offers
Various customer and potential customer marketing activities (including direct marketing) in different media (mail, phone calls, email, web pages, social media, and online chat)
Opinion and market research
Promotional events and competitions
Tracking of service usage and web page behaviour for market analysis, research, personalised services and targeted marketing
Internal development of the business
Product and service analysis, statistics and development
Tracking of service usage and user behaviour on web pages for the purpose of service development and optimisation
Ensuring the security of our IT environments
Protection of our legal rights e.g. to be able to defend a claim or solve a dispute
In addition, personal data is processed to fulfil legal obligations set out in laws and regulations such as fraud prevention.
4. Legal basis for processing of the personal data
When you order/purchase a product or service a contractual relationship is formed between us. This contractual relationship is the legal basis for processing your personal data for sales and related services.
We need your consent for certain types of processing such as processing of sensitive personal data, electronic direct marketing and automated decision making having a significant impact on you.
You can withdraw any consent you have given and end the further processing of the personal data processed with your consent at any time by contacting us (see Contact information, Controller and Rights of the data subject).
4.3 Legitimate interest
The legal basis for customer relationships management, marketing, internal development, ensuring the security/safety of our data and property and protecting our legal rights is mainly our legitimate (business) interests. We want to offer better and safer services to you by developing our operations.
The other legal bases listed here apply in specific cases, e.g. we ask for your consent for direct marketing and we perform security operations on your personal data due to legal obligations.
4.4 Legal obligations
Personal data is processed to fulfill legal obligations such as fraud prevention and implementing an appropriate level of data security to ensure modern and efficient protection of your personal data.
5. The personal data processed and the sources
We collect personal data from various sources:
You are the most important source of personal data. You provide personal data when ordering/purchasing our products or services, participating in our promotional events, games or opinion/marketing research, visiting us, contacting us or communicating with us
We collect and update contact information (e.g. address, phone number) from third party public sources such as Fonecta Enterprise Solutions Oy and Yritystietojärjestelmä (YTJ, Finland) (business customers’ contact information)
We also receive personal data from third parties such as credit rating companies (credit limit), partners (sales orders for our products and services) and marketing information providers (contact and identity information of potential customers interested in us)
We collect the following categories of personal data:
Categories of personal data
Examples of personal data
Contact and identity information
name, address, phone numbers, email address, personal identity code, date of birth, language, title, position, name of a private trade, business id, country/nationality
Feedback, reclamation, inquiries, customer service recordings (chat messages and customer service phone calls)
Payments, credit ratings
Electronic identification, tracking and behaviour data
Consent and objection to processing of personal data
Additional information collected for specific events
Additional voluntary information provided to a specific event such as dietary information or need for services for people with disabilities
Additional information provided
Customer wishes and preferences
We do not intend to process your sensitive personal data (such as health data), but you may submit such data voluntarily when you communicate with us, and thus the data is processed with your consent.
When you order/purchase our products and services or otherwise enter into a contract with us, we need your personal data to fulfill the contract and our legal obligations. When we collect the data, we will inform you which personal data you are required to provide.
6. Retention periods
We retain your personal data as long as necessary for the purposes presented in this Privacy Notice, unless a longer retention time is required in the legislation.
When the personal data are no longer needed for the purpose they were collected for, the data are first passivated and their processing is limited (e.g. for legal purposes only). Later, the data are removed or rendered anonymous within a reasonable time. The length of the retention period depends on the purposes of the processing.
Sales and contract related data are stored at least 10 years after the sale due to legal obligations. Other customer data is stored at least 3 years after the last registered customer activity (product/service order, delivery) to ensure that reclamations and warranties can be processed properly.
Marketing and communications purposes:
Newsletter subscription data is removed from the newsletter service when the newsletter is cancelled.
Personal data of potential customers are removed within a year after they have been collected for a specific marketing activity.
Processing of personal data for other marketing purposes ends at the latest 3 years after the last activity (the customer record is passivated).
Electronic identification and web page tracking purposes:
7. Data transfers and recipients
We transfer personal data within the companies of the Nevel Group if necessary for the purposes presented in this Privacy Notice.
We also transfer personal data to our partners and service providers in the following categories:
Categories of recipients
Financial service providers
Accounting service providers
IT service providers
Service or product delivery (logistics)
Service delivery and contractors
Marketing, customer relationships & PR service providers
We may also disclose personal data due to a legal obligation related to e.g. security, safety and protection of legal rights.
If we are involved in a merger, sale, joint venture, acquisition or similar arrangement, we may transfer personal data to the parties involved. We will inform you of any significant changes in the level of privacy.
7.1 Personal data transfer(s) outside EU/EEA
If your personal data are transferred outside the European Union (EU) / European Economic Area (EEA), we ensure that the transfer is performed using the necessary safeguards (such as contract model clauses), which ensure that your data continues to be protected according to the GDPR.
8. Rights of the data subject
Data subjects, i.e. those whose personal data we process, have the rights stated in the GDPR to make the requests presented here. We may request additional information if necessary to confirm the identity of the requestor. We will answer the request at the latest one month after the requestor has been identified and we have received enough information to fulfill the request.
8.1 Right to access and rectification
You have the right to request us to inform you what personal data we process concerning you (or that no data is processed), and request us to correct your personal data that are incorrect or incomplete (or outdated).
8.2 Right to erasure (‘right to be forgotten’) and right to restriction of processing
You have the right to request us to erase (or render anonymous) or restrict the processing of personal data concerning you that we process. We will comply with your request unless we have a legitimate ground not to delete the data, in which case you will be informed.
8.3 Right to object to processing
You have the right to object to the use of all or some of your personal data for selected purposes. We will comply with your request unless we have a legitimate ground to continue the processing (e.g. legal obligation), in which case you will be informed.
8.4 Right to data portability
You have the right to receive the personal data concerning you that you have provided in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller if the processing is based on consent or on a contract, and the processing is carried out by automated means.
8.5 Right to withdraw consent
If you have given your consent to certain processing, you have the right to withdraw your consent at any time regarding further processing of your personal data.
8.6 How to use these rights
You can use these rights by contacting us using the contact information found at the beginning of this Privacy Notice. The requests must be submitted in writing and include enough information to confirm your identity. We may request additional information if necessary.
We will inform the recipients of your personal data if you have requested the data to be rectified, erased or restricted, unless this proves impossible or involves disproportionate effort.
We have the right to refuse to act on requests that are manifestly unfounded (obviously unjustified) or excessive, in particular because of their repetitive character, or charge a reasonable fee based on the costs to fulfill the request.
8.7 Right to lodge a complaint with a supervisory authority
You have the right to complain to the competent supervisory authority if you believe your personal data has been processed incorrectly. Contact information:
Data Protection Ombudsman
Address: Ratapihantie 9, 6th floor, 00520 Helsinki
Phone: +358 29 56 66700
E-mail: tietosuoja (at) om.fi
9. Security measures
We process personal data in accordance with applicable data protection laws and regulations, and ensure the compliance of the service providers (processors) with contractual measures (data processing agreements).
We have implemented modern technical and organizational security measures to protect personal data from unauthorised access or transfer and accidental or illegal destruction, loss or alteration. The information security and data protection of our systems and environments that contain personal data are managed appropriately as a whole. We ensure the security of the stored data, access rights and processing of the confidential and sensitive personal data.
Access to personal data is limited to those that need it for performing their job. Access is based on roles and the tasks and functions connected to that role. All persons processing personal data are required to treat the data as confidential. The users of the IT environment are identified and access to the systems is secured and limited by user rights. Access to the physical location is also based on individual access rights and access keys.
10. Changes to this Privacy Notice
We modify and update this Privacy Notice whenever necessary due to e.g. changes in the sales or marketing processes, service providers or laws and regulations. Change history is found in connection to the Privacy Notice. Significant changes can also be provided with a separate notice (e.g. email).
11. Version history
Published 23.5.2018 version 1.0
Version | Changes | Date
1.1 | Nevel | 6.11.2019
1.2 | Nevel Eesti OÜ | 11.12.2019