EU General Data Protection Regulation (EU) 2016/679
Articles 12-14
From 25 May 2018, updated 4 July 2022

1. Registrar
Pumpkin Design Oy, business ID number 2382682-5
Black Moda Oy, Haikanvuori 5 c 1, 33960 PIRKKALA

2. Contact person in matters concerning the register
Minna Uosukainen
Haikanvuori 5 c 1, 33960 PIRKKALA

3. Register name
Aarrelabel's online store customer register

4. Purpose of personal data processing
Personal data is processed in order to manage the customer relations of Aarrelabel's online store.

The processing of personal data is based on the Personal Data Act:

  • Section 8, subsection 1, points 5 and 7 (management of customer and stakeholder relations)
  • to § 19 (direct marketing and comparable broadcasts)

The processing of personal data has not been outsourced.

5. Data content of the register
The following information is stored about the registered person:

o User-provided or personally identifiable information

  • Identifying information, such as the person's name
  • Name of the company
  • Contact information, such as address, email address, country and phone number
  • Purchase history, e.g. ordered products and their price information
  • Delivery information, such as the selected delivery method and delivery address
  • Product reviews
  • For refunds of bank account fees, account number
  • Username of the registered user

o If the order is delivered to a different person than the subscriber, the information given by the user, the recipient, will be saved

  • Identifying information, such as the person's name
  • Name of the company
  • Contact information, such as address, email address, country and phone number

6. Regular sources of information
The information to be recorded in the register comes from the registrant himself.

7. Regular transfers of information
Personal data is not regularly disclosed to third parties, excluding authorities and those partners whose services Pumpkin Design Oy uses for e.g. order collection, transport and distribution or customer service communication.

8. Data transfer outside the EU or EEA
Information collected in the register is not transferred outside the EU or EEA. However, we use the technology of foreign service providers on our website, and the information collected by their possible cookies is transferred and stored on the service providers' servers, some of which may be located outside the EU. These include e.g. Google Analytics, Google Tag Manager and the Facebook conversion pixel.

9. Register protection principles
Manual material: A paper printout of the register is not kept.

The customer's hand-filled return form is scanned into the system. The paper form is kept for a possible inspection and for handling feedback for max. 2 months after arrival, after which it will be destroyed as required by the data protection regulation.

Information processed by ATK: The technical protection of the register for data and other breaches has been assigned to a professional service provider. Every machine and server has security software. The network is protected by a firewall.

There are only certain, separately named persons in the organization who have the right to access the register. Access to the register requires a username and password. Users are bound by a duty of confidentiality.

10. Right of Inspection
Everyone has the right to check their information stored in the personal register of the Aarrekid online store. The inspection request must be submitted in a hand-signed or similarly certified document. An inspection request cannot be made by phone.

The controller has the right to check that the person checking the data is checking their own personal data, and it is not data mining. The information is provided without undue delay, in an understandable form and, upon request, in writing. The right of inspection is free of charge once a year. Inspection requests must be submitted to the person in charge of registry matters mentioned in point 2.

11. The right to request data correction
In order to correct possible incorrect data, the data subject can submit a correction request to the controller, which must state, for example:

- information in which register or information related to the processing of which case the request applies to

- which information requires correction

- whether the information is required to be completely deleted as unnecessary, correction of the information if it is otherwise incorrect, or completion of the stored information with the data subject's own opinion

- if it is requested that the information be corrected as incorrect, a replacement text must be presented verbatim

- the claim must justify why the information is incorrect

- if any document can be used to show that the information presented in the repair request is correct, such a document must be attached to the request

The correction request must be submitted to the person in charge of registry matters mentioned in point 2 in a hand-signed or similarly certified document. You cannot make a repair request by phone.

12. Other rights related to the processing of personal data
According to § 30 of the Personal Data Act, the registered person has the right to prohibit the data controller from processing information about him/her for direct advertising, distance sales or direct marketing as well as market and market research (HetiL § 30).

Cookie statement