This is the register and data protection statement of the Punavuoren Patina e-commerce store, in accordance with the Personal Data Act (Sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Prepared on May 18, 2018. Last modified on 18.5.2018.


Tmi Pirita Ranck
Business ID 2618409-8
Sepänkatu 11
00150 Helsinki
044 981 9144

Contact person responsible for the register

Pirita Ranck

Name of the register

Customer Register

Legal basis and purpose of the processing of personal data

The legal basis for the processing of personal data under the EU General Data Protection Regulation is
– contract or legitimate interest of the controller (customer register)

Personal data is processed for the management, administration, analysis and development of a customer relationship, such as:

– Maintenance of user data
– Execution of orders authorized by users, such as sending and collecting goods and invoices
– Surveys, e.g. customer satisfaction surveys
– Performance of legal and regulatory obligations, such as tax matters

Personal data may also be used for the marketing of Punavuoren Patina, unless the user has prohibited the use of the user's data for direct marketing. Users are profiled and personal data can be used to make decisions based on automatic processing, such as the targeted provision of additional services.

Information content of the register

The information to be stored in the register is:
– Name
– Contact information: address, post code, county, country, telephone number and e-mail
– Orders and related information
– Payments and related information
– Necessary identification and technical usage data related to the transaction, such as cookies and log data

Regular sources of information

The information stored in the register is obtained from the customer’s online order form, in which the customer provides his or her information. Personal data is also collected and updated from the authorities providing personal data services.

Regular transfers of data and transfers of data outside the EU or the EEA

The information is not regularly disclosed to other parties. Personal data may be disclosed to those service providers who process it on behalf of Punavuoren Patina in accordance with the obligation of confidentiality and the data protection obligations of the contract. Personal data may also be disclosed, within the limits permitted and required by the authorities, to, for example, public authorities entitled to access the data.

Personal data may also be disclosed, within the limits permitted and required by the law in force at the time, to, for example, public authorities entitled to access the data.

Retention period of personal data

Personal data shall be kept for as long as its processing is necessary for the purposes for which the personal data was collected. Data is used for a maximum of 10 years from the person’s last use, unless the data subject has withdrawn his or her consent. Personal data may be stored for a longer period of time if this is necessary to fulfill an obligation imposed by legislation or another source of authority, such as the Accounting Act.

Registry security principles

The register shall be stored on a secure server accessible only to the controller and to technical administrators authorized by the controller.

Right of inspection and right to request rectification of data

The data subject has the right to request from the controller access to personal data concerning him or her, the right to request the rectification of his or her personal data, the restriction of processing or the deletion of personal data, and the right to object to the processing of his or her personal data. The data subject shall also have the right to receive personal data concerning him or her in a commonly used, machine-readable form and the right to transfer this data to another controller. The data subject must contact Punavuoren Patina’s customer service by e-mail or letter in all questions related to the processing of personal data and in situations related to the exercise of the data subject’s rights. The controller will respond to the member within the time limit set by the EU Data Protection Regulation (generally within one month).