Newsroom & privacy

Privacy statement – B2C and B2B customer information

1) Controller and contact information
L-Fashion Group Oy / Luhta Sportswear Company
Business ID: 0149158-5
PO Box 55, 15501 Lahti, Finland
tel. +358 (0)3 822 111 (switchboard)

2) Purpose and grounds for processing of personal data
The purpose of processing and using personal data is to process the orders of consumer cus-tomers (B2C), who do not belong to the aClass customer loyalty scheme, as well as the orders of typically agreement -based business customers (B2B). In addition, the purpose of processing of personal data is to manage, prepare for, communicate, maintain, administrate and analyse such customer and potential customer relationships. The information can also be used for development purposes of the Controller’s business operations and services. The Controller may also have a statutory obligation to process the information.
Additionally, the Controller, the possible joint controller or contractual partner and a company with-in the same group of undertakings may have the right to use the personal data for direct advertis-ing, distance selling or other direct marketing, opinion or market surveys, or other addressed shipments comparable to them, including electronic direct marketing and the targeting of direct marketing, as well as the improving of business based on, e.g., the individual’s consent or its le-gitimate interest.
The data subject has the right to prohibit direct marketing targeting them. Despite the prohibition, information related to the customer relationship can be sent to the data subject if deemed neces-sary.
The data protection description regarding the aClass customer loyalty scheme is available at: https://www.aclassraha.fi/aclass/rekisteriseloste  (FI only).

3) Data content of the register
The following data content can be processed in the register, depending on whether it is a cus-tomer relationship with a private individual or a business customer:
•    First and last name
•    Title and company information (information about the business customer’s employee)
•    Email address, mailing address and cell phone number
•    Information about the potential customer, collaboration or transaction history, such as contacts, information about offers, orders, purchase and other agreement information that can be associated with a natural person
•    Additional personalised information voluntarily provided by the customer, e.g. infor-mation such as professional targets of interest related to the customer relationship
•    Purchase history (transaction history)
•    Direct marketing permissions and prohibitions
•    Customer relationship-related communications
Modifications to the above mentioned data.

4) Sources of information
Information is collected to the registry from the data subject, e.g., in connection with the creation of the customer relationship.
Personal data can be collected also, e.g., when registering for services offered by the Controller or a partner working on the behalf of it, or otherwise with the data subject’s consent (for example, by using cookies), from the controller’s registers or the registers of companies within the same group undertaking at the time, from the population register, and from other comparable public or private registers and data sources offering data services. Personal data can be collected and up-dated from public sources. The use of cookies -policy and related consents are disclosed sepa-rately at the time of the collection of the data.

5) Data transfers and disclosure
The Controller can disclose information within the limits allowed and obligated by the existing leg-islation. Information can be disclosed to the Controller’s contractual partner and the Controller’s IT system contractual partners for undertaking of e.g. online trade, customer service, customer communications, billing and marketing. Accordingly, the data processing has been handled with agreements between the parties. Personal data can be transferred or disclosed in connection with possible M&As.
Personal data is not transferred outside the European Union or the European Economic Area un-less it is necessary for the realisation of the register’s purposes. This kind of situation could be, e.g., when the data is physically located outside the European Union or European Economic Area in the servers or equipment of collaboration partners working on the behalf of the Controller, with the data being processed over a technological user connection. If data is transferred outside EU or EEA, we will use the data transfer mechanisms approved by the European Commission, for example the standard contractual clauses approved by the European Commission.

6) Principles of protection
The use of the system containing customer information and the modification of customer data are limited to separately specified employees of the Controller, receivers and to employees of com-panies commissioned by and working on the behalf of the Controller. The access right is limited exclusively to the information needed for the person to perform their work duties. The employees processing customer register information are bound by professional secrecy. The system has been protected through technological solutions.

7) Right to access the data
An individual is entitled to verify what information related to them has been saved in the register. Written and signed verification requests must be mailed to:
PO Box 55, 15501 Lahti, Finland
Mark on the envelope: Data protection
The customer must include the information needed to search for the data and must be prepared to prove their identity, if necessary, in accordance with the Controller’s instructions.

8)Rectification of data and principles of erasure
For the purpose of processing, the Controller shall rectify, erase or complete inaccurate, unnec-essary, incomplete or outdated personal data in the register at their own initiative or at the data subject’s request. The data subject must contact the Controller to amend the data.
The data subject has the right to prohibit the Controller from processing the data related to them in e.g. direct marketing, distance selling, and market and opinion surveys by contacting the Con-troller.
The data subject has the right to demand the erasure of the data to the extent that the Controller is not legally obligated to retain the data. The data shall be erased within a reasonable timeframe (generally, within a month) from receiving the request.
Customer information is stored for the duration of the customer relationship and upon termination of the customer relationship for as long as the parties can submit legal claims towards each oth-er. Legislation (such as legislation related to the expiration of accounting and legal claims) may impose obligations on processing times and data storage.

9) Operating guidelines, complaints, and changes to the description
The Controller has appointed a Data Protection Officer who can be contacted by using the abovementioned contact information. If you have any questions about the data protection de-scription or the processing of your personal data, or if you want to exercise your rights related to the Data Protection Act, you can contact the Controller by sending a letter to the above men-tioned Controller’s address, or by email to: dataprotection@luhta.fi.
If you are unsatisfied with the answers you receive, you can also contact the Office of the Data Protection Ombudsman at: www.tietosuoja.fi.
We reserve the right to change or update this privacy statement as may be necessary. We regular-ly review and update our data processing practices.