Privacy policy

Privacy policy

1 General

In this privacy policy statement, we describe how personal data is handled at Oy Halva Ab and Oy Halva-Trading Ab (hereafter collectively "Halva") in accordance with the legislation, official guidelines and good data protection practice.

2. Data of the data controller and contact person

PO Box 244
01511 Vantaa
tel. (09) 774 62 00 (centre)

Tarja Nupponen (data protection officer)
Please put 'personal data processing' as the subject when contacting us.

3. Purposes and legal basis of personal data processing

We process the personal data of customers (consumers, business customers and marketing partners) for the treatment, management and maintenance of customer relations and cooperation. We process personal data in a contractual relationship, i.e. for delivery of orders and customer service, including customer profiles in the online store: . In addition, we process the data of customers who have joined the Halva's Candy Club separately.

We also process personal data on the basis of a legitimate interest in situations where it is possible - such as to offer products and our marketing to our existing customers or potential customers - and in some situations separately on the basis of consent, such as for targeting advertising and participating in contests and lotteries. Regarding cookies, we follow the technically implemented cookie practices on our website with the necessary consents. You can find more detailed information about the cookies we use in the cookie choices link.

We can also process personal data when we have a legal obligation to do so.

4. Personal data to be processed

Depending on the purposes defined above, we collect, among other things, the following information:

      • Name and contact information, such as first and last name, address and email address, company name and title for business customers
      • Demographic information, such as Year of birth and information about gender collected with the person's own consent
      • Registration information required for an online store account, such as username / nickname and password
      • Customer relationship data and data based on the person's activities, such as product and order data, invoicing and payment data, contracts, customer feedback and contacts, lottery and competition data (separate conditions apply in addition to this privacy statement), marketing studies and cancellation data
      • Interest and profiling information, such as information about interests and interests that we can infer or derive from other information we collect in such a way that we have been informed in more detail in connection with the collection and we have received permission for this from the person in question to the extent necessary
      • Marketing permits and prohibitions to the necessary extent
      • Other data collected on the basis of consent, when separately informed in connection with the consent
      • Photo recordings, such as videos made by consumers and our partners and photos taken when they have been separately delivered to us, for example in connection with competitions and raffles
      • Online service usage data and cookies, such as visitor and browsing data of our website and online store, displayed / clicked ads, communication-related data as detailed in the online store, cookies are followed technically implemented cookie practices on our website with consent

5. Data sources

Mainly, personal data is collected directly from the customer himself, when, for example, you buy products from our online store, join our Candy Club and subscribe to our newsletter, when you give us feedback or otherwise communicate with us or participate in various marketing competitions such as games, raffles or surveys. Information is collected in connection with the order, joining or feedback / contact, or later during the customership / membership. We can collect information about the use of our online services, for example by means of cookies, in accordance with separate cookie information. Personal data can also be collected and updated by our partners as well as from authorities and companies that provide services related to personal data.

6. Data transfer and sharing

We can disclose information when required by law, for example to the authorities. In addition, in connection with the possible sale of our business or a part of it or another business arrangement, we can hand over and transfer the information to the buyer of the business / other entity essentially related to the business arrangement.

We use subcontractors and service providers in data processing, such as in the technical maintenance and implementation of online and mobile services, as well as in the implementation of campaigns and direct marketing. We hand over information to such partners to be used only for the purposes specified by us, and we oblige our partners to take care of their obligations regarding personal data as required by law in contractual arrangements.

Personal data can be disclosed to partners in the following situations:

      • Technical implementation of data processing, invoicing and deliveries

Personal data can be transferred or collected directly to our contractual partners, such as providers of goods suppliers, payment and anti-fraud services, credit information companies and other providers of technical operating environments. In this case, the obligations regarding data processing are arranged in agreements between us and our contractual partners. More detailed information is available from us.

      • Implementation of marketing or other legal basis

Personal data can be transferred or collected directly to our contractual partners for, for example, marketing and sending newsletters. In this case, the obligations regarding data processing are arranged in agreements between us and our contractual partners. This also applies to situations where there is another legal basis, such as when it is necessary to defend against legal claims. More detailed information is available from us.

      • Cookies

Necessary cookies are used for the basic functions of the online store and are mandatory for the functionality of the online store. In addition, optional cookies are used on the online shopping website. Information can be disclosed outside of Halva, if it is permitted by legislation or if there is another legal basis for the disclosure. The partners used each time are indicated in connection with the cookie selections.

We strive to ensure that personal data is primarily processed in the EU and within the European Economic Area. However, data can be processed within the limits allowed by the EU General Data Protection Regulation and other applicable legislation also outside the EU or the European Economic Area. If data is transferred, the security measures required by the applicable legislation are used. A contract for such data transfer is made with the contractual partner in compliance with the model contract clauses approved by the EU Commission, the recipient country has an adequate level of data protection according to the EU Commission's decision, the company processing the data has binding corporate rules (Binding Corporate Rules) or there is another legal basis for the transfer, such as preparing, presenting or defending a legal claim.

7. Personal data retention period

We store personal data in accordance with the principles listed below and as necessary to fulfill the defined purposes of use in accordance with the legislation in force at any given time.

      • We keep customer data for the duration of the customer relationship and after the end of the customer relationship as long as the parties can make demands towards each other in connection with the customer relationship. Mandatory legislation (such as accounting legislation) imposes obligations on us to process certain information even after the end of the customer relationship.
      • Regarding online store customer profiles, if the customer has not made any purchases and is inactive, the data will be deleted within four (4) years from the date of inactivity.
      • The information of Candy Club members is stored as long as the membership and subscription to the electronic newsletter continue. Information is updated and outdated information is deleted regularly. The data of persons who have canceled a direct marketing license will be deleted after a reasonable period of time, as a rule within one (1) month after the license has been canceled or expired, unless some other reason (such as customership) requires the retention of the data.
      • We delete the data of those who participated in marketing lotteries and contests such as games, raffles and other surveys within a reasonable time, but no later than eleven (11) months after the end of the contest, etc., unless the participant has separately given permission for direct marketing to use the data. In addition, we may process the winners' information for a longer period of time in order to take measures related to the prize and to take care of legal obligations, such as tax obligations. In this case, we comply with the retention periods regarding obligations.

8. Rights of the data subject

Registrants have rights based on data protection legislation, such as:

      • the right to receive confirmation from us that personal data concerning him is being processed, as well as the right to request from us access to his personal data at reasonable intervals (right of inspection)
      • the right to demand the correction of inaccurate or incorrect information and possibly the addition of information (right to rectification)
      • the right to request the deletion of their data (the right to be forgotten), if the processing of the data is no longer necessary for the purpose for which the data was collected or if the consent that was the basis for the processing has been withdrawn, and there are no other processing grounds. However, we cannot delete data in order to, for example, deliver an online store order or to comply with the ban on direct marketing. Failure to provide personal information may result in us not accepting orders from the online store or not accepting you as a member of the Candy Club or as a participant in contests, etc.
      • the right to request the restriction of the processing of their data (right to restriction) during the verification of the correctness of the data, if the data subject considers that the data is not correct.
      • under certain conditions, the right to have his/her data transferred from one system to another (transfer right)
      • in certain situations, the right to object to the processing of personal data concerning him, for example for direct marketing purposes (right to object)
      • in principle, the right not to be subject to processing based solely on automatic processing
      • to the extent that the processing of personal data is based on the data subject's consent, the right to withdraw the consent they have given
      • the right to file a complaint about the processing of personal data to the supervisory authority

We ask that you send questions and requests regarding the rights of the data subject using the contact information of our data protection officer presented above.

9. Protection of personal data

We use the necessary technical and organizational data security measures to protect personal data against unauthorized access, disclosure, disposal or other unauthorized processing. Such means are e.g. firewalls, encryption technologies, the use of secure equipment rooms, appropriate access control, managed granting of access rights only to those for whom it is necessary for their work tasks and monitoring of their use, instructing the personnel involved in the processing of personal data and careful selection of contractual partners and the necessary measures.

10. The right to file a complaint with the supervisory authority

In matters concerning data processing, we ask that you primarily contact our data protection officer. If the matter cannot be resolved and the data subject believes that his personal data is not processed in accordance with the applicable legislation, he can file a complaint with the supervisory authority:

Office of the Data Protection Commissioner
Visiting address: Lintulahdenkuja 4, 00530 Helsinki
Phone (switchboard): + 358 29 56 66700
More information on the website of the Data Protection Commissioner .

11. Changing the privacy statement

We are constantly developing our products and services and our privacy practices, so we may change this privacy statement if necessary. Changes in the law and its interpretation may also cause changes. Our currently valid data protection statement can always be found on our website.