Privacy Policy

Privacy Policy for the Customer and Supplier Registry of DIETA GROUP OY and its Subsidiaries.

Introduction
The careful and cautious handling of your personal data is of paramount importance at Dieta Group Oy and its subsidiaries (hereinafter “Dieta”). We process personal data to operate effectively as an organization and to fulfill our obligations as a supplier. Personal data is processed for administrative, legal, support, health and safety purposes. We handle your personal data in accordance with data protection legislation and the principles defined in the data protection regulation, ensuring that your privacy is not compromised.

This privacy policy is not part of the customer contract. We update it as necessary.

Data Controller
Dieta Oy (0927839-1)  
Holkkitie 8A  
00880 Helsinki  

Contact Person for Registry Matters
Kenneth Carlson  
kenneth.carlson@dieta.fi  

Legal Basis for Processing
Contractual Basis

Purpose of Personal Data Processing

The purpose of the registry is to maintain the company's customer database, manage, archive, and process customer orders, and manage customer relationships. Data may also be used to develop the company’s operations, for statistical purposes, and to produce more personalized content on our web services. Personal data is processed within the limits permitted and required by data protection regulations. Data from the registry may be used within the company’s own records, for example, to target advertising without disclosing personal data to external parties. The company may employ partners to maintain customer and service relationships, and some registry data may be transferred to the partner’s servers for technical reasons. Data is processed solely for maintaining the company's customer relationships through technical interfaces. The company has the right to publish information contained in the customer database electronically or in written form, unless specifically prohibited by the customer. Such lists may include mailing labels for direct marketing or similar. Customers have the right to refuse the publication of their data by notifying the company's customer service via email (dieta@dieta.fi) or contacting the registry contact person. Processing is based on a contract.

Legitimate Interest Basis
Customer Relationship

Categories of Personal Data
Customers: customer companies, contractual partners, public administration, and other non-profit organizations

Recipients and Recipient Groups
Personnel of the data controller, subcontractors, and outsourcing partners (e.g., financial administration) as applicable

Content of the Registry
The personal data registry includes the following information:

- First and last name
- Represented company or organization
- Email address
- Postal address
- Phone number
- Information about previous orders

Regular Sources of Information

Data is obtained from customer purchases in the company’s stores, on the web service, or from resellers, as well as from notifications related to customer systems during the use of services. Data is obtained from customer registrations and notifications made during the customer relationship. Updates to the name and contact information are also obtained from update services provided by authorities and companies. Data may also be obtained from subcontractors related to the use or provision of services. Information on customers’ other actions in the digital environment may be obtained from partner websites, information systems, or other digital sources accessed through electronic invitations (links), cookies, or customer-provided credentials. Customer registry data is used exclusively by the company, except when using external service providers for value-added services or credit decisions. Data is not disclosed outside the company or its partners, except in cases related to credit applications, debt collection, invoicing, or as required by law. Personal data is not transferred outside the European Union unless necessary for the technical implementation by the company or its partners. Personal data of registered individuals is deleted upon request unless prohibited by legislation, open invoices, or debt collection actions.

Retention Period for Personal Data
10 years from the end of the customer relationship.

Regular Disclosures of Data

Customer registry data is used solely by the company, except when contracting external service providers for value-added services or credit decisions. Data is not disclosed outside the company or its partners, except in cases related to credit applications, debt collection, invoicing, or as required by law. Personal data of registered individuals is deleted upon request unless prohibited by legislation, open invoices, or debt collection actions.

Transfer of Data Outside the EU/EEA

Personal data is primarily processed within the European Economic Area. If data is transferred outside the EU/EEA, we ensure that personal data protection meets the required legal standards, for example, by using standard contractual clauses approved by the European Commission.

Principles of Data Protection A: Manual Data

Contact information and other manually processed customer data collected from customer transactions are stored in locked and fireproof storage facilities after initial processing. Only designated employees who have signed confidentiality agreements have the right to process manually stored customer data.

Principles of Data Protection B: Electronic Data

Only designated employees of the company and its authorized entities have the right to access and maintain the customer registry. Each defined user has a personal username and password. Each user is trained in proper use of the registry before gaining access. The system is protected by a firewall that safeguards against external access.

Cookies

We use cookies on our website. A cookie is a small text file sent to and stored on the user's computer. Cookies do not harm users' computers or files. The primary purpose of using cookies is to improve and tailor the visitor’s experience on the website and to analyze and enhance the website’s functionality and content. Information collected through cookies can also be used for targeting communication and marketing, as well as optimizing marketing efforts. A visitor cannot be identified by cookies alone. However, information obtained through cookies may be combined with other information collected from the user, such as when the user fills out a form on our website. Cookies collect the following information:

- Visitor’s IP address
- Time of visit
- Pages visited and page viewing times
- Visitor’s browser

Your Rights

Visitors to our website have an option to limit cookies to those strictly necessary for the website's functionality. Most browser programs also allow cookies to be disabled and existing cookies to be deleted. Blocking cookies may affect the website’s functionality.

Purposes of Data Use:

- Necessary Functional Cookies: We use cookies to provide basic functionalities of our services, such as login, video playback, and storing user settings. Some necessary cookies are used for analytics understanding the use of Dieta’s services.

- Targeting and Recommendation Cookies: We use cookies and similar technologies to help users find content we believe interests them. Cookies and similar technologies also allow us to personalize the user experience on our site.

- Cookies for Service Development: We continuously improve our services. Cookies help us understand how our website’s services are used and what is expected from them. We use cookies and similar technologies to make Dieta’s services better. For example, we may test which option in the user interface or image best serves the customer.

Dieta customers have the option to subscribe to newsletters. Newsletters are developed by measuring, for example, the content's attractiveness through cookies and device identifiers.

Social Media Embedding Cookies

Dieta’s websites and services contain links and connections to third-party websites. Third-party plugins on Dieta’s sites are loaded from these services’ own servers.

Through social media plugins, information about the user's visit to the page is stored with the social media service provider. In some cases, individual user data is shared only when the user is active, such as sharing an article through a social media plugin.

Third-party services or applications on Dieta’s sites are subject to the respective third party’s terms of use and other conditions. These social media service providers process data as data controllers and, where applicable, joint controllers with Dieta. Dieta does not collect cookie data through social media plugins.

Customer’s Rights

The storage and collection of cookie data is based on the user's consent. Consent is given through a pop-up window on Dieta’s web services. Users can change their consent at any time by going to the settings icon that appears at the bottom left of any page on Dieta’s website and selecting "Change Consent."

Right of Access

Registered individuals have the right to check what data is held about them in the registry. Access requests must be made in writing to the company’s customer service or registry contact person in Finnish or English. The access request must be signed. Registered individuals have the right to object to the processing and disclosure of their data for direct marketing, distance selling, and direct marketing, as well as market and opinion research, by contacting the company’s customer service.

Right to Data Portability
Registered individuals have the right to transfer their data from one system to another. Transfer requests can be addressed to the registry contact person.

Right to Rectification
Incorrect, unnecessary, incomplete, or outdated personal data in the registry must be corrected, removed, or completed. Correction requests must be made in writing and signed, and sent to the company’s customer service or personal data registry administrator. The request should specify what data needs to be corrected and on what grounds. Corrections will be made without delay. The error correction will be communicated to the source of the erroneous data or to whom the data was disclosed. If a correction request is denied, the responsible person for the registry will provide a written explanation stating the reasons for the denial. The individual may refer the denial to the data protection authority.

Right to Restriction

Registered individuals have the right to request the restriction of data processing, for example, if the data in the registry is incorrect. Contact the person responsible for the registry.

Right to Object

Registered individuals have the right to request their personal data and to request the correction or deletion of their personal data. Requests can be addressed to the registry contact person. If you act as a representative of a company or organization, your data cannot be deleted during this period.

Right to Lodge a Complaint with a Supervisory Authority

If you believe that your personal data has been processed in violation of data protection regulations, you have the right to file a complaint with the supervisory authority. Complaints can also be made in the member state where you have your permanent residence or place of work. Contact details of the national supervisory authority are:

Office of the Data Protection Ombudsman  
PL 800, Ratapihantie 9, 00521 Helsinki  
Tel. +358 29 56 66700  
tietosuoja@om.fi  
www.tietosuoja.fi

Other Rights Related to Personal Data Processing
Registered individuals have the right to refuse the transfer and processing of their data for direct marketing and other marketing purposes, to request anonymization of data where applicable, and to be completely forgotten.