Privacy policy

Toivola Old Courtyard (Kiinteistö Oy Jyväskylän Kaupunkilaispiha) privacy policy as controller

1 Controller and point of contact
2 On what basis do we process data?
3 What data do we collect, from where, and for what purpose?
3.1 Data collected from the data subject and use of the data
3.2 More information about data collected from and in connection with online services
3.2.1 Information about our public online services and cookies
3.2.2 Community plugins and other website content
3.3 Collection and use of data collected from job applicants and work experience applicants
3.4 Collection and use of data collected from partners in collaboration
4 Personal data processors, i.e. who may access personal data and how such people are authorised to act
5 Personal data storage, recipients and disclosure practices, i.e. how data is stored and to whom it is disclosed
6 Exercising the rights of the data subject, i.e. your rights concerning your personal data
7 Notification of data breaches
8 Changes to data security practices
9 Limitations of liability
10 Version history
10 Toivola Old Courtyard’s (Kiinteistö Oy Jyväskylän Kaupunkilaispiha) privacy policy as controller

Kiinteistö Oy Jyväskylän Kaupunkilaispiha undertakes to protect the privacy of people whose personal data it collects as part of its business operations. This privacy policy outlines how and why Kiinteistö Oy Jyväskylän Kaupunkilaispiha processes personal data relating to Toivola Old Courtyard’s

  • customer relationships
  • marketing
  • recruitment
  • maintenance of relationships with partners in collaboration.

In the policy, we also outline how our website and online store collect data from site visitors.

It is important to us that everyone from whom we collect personal data knows their rights concerning their personal data. In this privacy policy, we explain

  • the purposes for which we collect and use data
  • what data we collect
  • where the data is collected from
  • how any consent to personal data processing may be withdrawn
  • how to have personal data removed from our data file if desired

1 Controller and point of contact

Controller:
Kiinteistö Oy Jyväskylän Kaupunkilaispiha (hereinafter also “Toivola Old Courtyard”, ”Toivola”, ”Controller”)
Business ID: 2317713–2
Registered office: Jyväskylä
Point of contact with Controller for data security matters:

Kiinteistö Oy Jyväskylän Kaupunkilaispiha
Arto Hakanen
+358 41 466 7982
arto.hakanen@toivolanpiha.fi
Visiting address: Cygnaeuksenkatu 2, FI-40100 Jyväskylä
Postal address: Kärpänkuja 5 B 2, FI-40400 Jyväskylä

2 On what basis do we process data?

Our right to use personal data is based on one or more of the following:

  • Consent: We have obtained consent to personal data processing in advance, for example in writing, verbally, by email, in connection with purchases from our brick-and-mortar or online stores, via online contact, upon subscription to our newsletter, in connection with campaigns, or in an equivalent manner.
  • Fulfilment of an agreement: It may be necessary to process data in order to fulfil an agreement, such as delivery of a product purchased from the online store or to provide another product or service ordered in advance.
  • Purposes of legitimate interest: Data processing may be necessary in order to fulfil Kiinteistö Oy Jyväskylän Kaupunkilaispiha’s grounds of legitimate interest.

3 What data do we collect, from where, and for what purpose?

We only process personal data that is reasonably required in order to fulfil the purposes outlined in this privacy policy.

3.1 Data collected from the data subject and use of the data

Some or all of the following data will be collected from the data subject in connection with online activities, e-commerce, use of the online store and any bookings placed online, and in certain situations in brick-and-mortar stores where required:

  • First and last names
  • Postal address, email address and telephone number
  • Possible company or association and its contact person’s information
  • Position in the company or other association
  • Payment details required to complete payment transactions, refunds and any credit checks
  • Purchase history of ordered products and services, and any returns
  • Delivery information required to deliver the product and/or service
  • Any feedback, messages, form information, and other communications
  • Any notes or other documentation relating to the customer
  • Any calendar events and other activities relating to the customer
  • Bookings and group bookings, with associated data
  • Participation in any campaigns, customer satisfaction surveys or other equivalent surveys and/or procedures in which contact details are requested
  • Any communications and marketing bans
  • For example, any interests selected when subscribing to the newsletter
  • Any store information if the submission of information and/or newsletter subscription was carried out in one of the brick-and-mortar stores or equivalent operating in connection with Toivola Old Courtyard.
  • Any avatar, messaging addresses and social media accounts
    Content downloaded from Toivola Old Courtyard’s online services (guides, webinars, other content).

Toivola Old Courtyard uses data to manage customer relationships and to identify users. The data is used where necessary to handle, deliver, exchange, refund and archive orders and bookings. In addition, data enables the monitoring of a customer’s orders in any potential problematic situations, plus contact with the customer concerning orders and bookings. Using data in customer services enables the provision of the best possible service relating to our products, services and deliveries. Personal data may also be used in warranty-related matters.

Personal data may be used for targeted marketing to data subjects that have provided consent to marketing or other clear consent. Marketing procedures may include e.g. email marketing, direct marketing and digital marketing.

Personal data may be disclosed to third parties to the extent required by Toivola Old Courtyard’s activities. Examples of such situations include:

  • Data may be disclosed to an actor operating in connection with Toivola Old Courtyard where necessary when it is e.g. required in order to respond to a customer’s request for a quote or provision and delivery of a product and/or service.
  • Data may be disclosed where necessary to third parties in order to e.g. complete payments and deliver products.

Data disclosed for the purposes outlined in the previous paragraph does not entitle the third party to use the disclosed data for anything other than the purpose for which the data was disclosed.

The grounds for personal data processing are the fulfilment of an agreement (e.g. an online purchase) or the data subject’s consent.

3.2 More information about data collected from and in connection with online services

3.2.1 Information about our public online services and cookies

Toivola Old Courtyard also has the following public online services:

  • Toivola Old Courtyard’s website and online store at www.toivolanpiha.fi
  • Social media services: Facebook and Instagram at the time of writing.

The public online services we offer primarily use SSL encryption to protect the data connection between the user’s terminal device and the online service. SSL encryption also helps to ensure the authenticity of the website. You can identify an online service that uses SSL encryption from the HTTPS at the start of the URL and the lock icon in the address bar of your browser.

We use cookies on our website. A cookie is a small text file that is placed on the user’s computer and stored to allow the website’s basic function and helps to identify users visiting the website. Cookies are harmless and do not damage the user’s terminal device or files. The identification data produced by cookies helps us to target information of interest to the customer.

Visitors arriving on our website are able to choose which cookies to allow. In addition, most browsers allow cookies to be disabled and deleted. However, it is worth noting that some cookies may be necessary in order for the webpages we maintain and services we provide to function correctly.

3.2.2 Community plugins and other website content

Our website may contain links and connections to third-party websites, such as e.g.
LinkedIn, Facebook, Twitter, Instagram and other community services. Content provided via these sites is downloaded from third-party servers. In such situations, the content behaves primarily as if in a situation wherein you visit the page in question and third parties could potentially collect data from the user’s visit in accordance with their own valid terms.

We use third-party services for payment processing and product deliveries, and customers will be redirected to the website of the third party in question. In such situations, the third party’s terms and privacy policy will be applied to the website. Toivola Old Courtyard does not save bank or credit card information on its systems.

You can learn more about third-party privacy policy practices by clicking the following links:

3.3 Data collected from job applicants and work experience applicants, and use of this data

We collect personal data submitted to us by job applicants in order to complete recruitment processes relating to employees and interns. We process the personal data submitted to us in order to fill the vacant position and, for open applications, to fill any upcoming positions and to assess the requirements of the employment relationship. Processing is based on our legitimate interest to process data submitted by the data subject themselves in the recruitment processes.

Data submitted by applicants for a job and/or internship may include e.g. a name, address, telephone number, email address, date of birth, education and training information, work history, a self-assessment of language proficiency, the applicant’s own wishes concerning the content of the job or internship, contact details for references, and any attachments, such as information provided in a CV.

In situations relating to recruitment, the primary data source is the applicant themselves. The information provided by the applicant may be supplemented with the applicant’s consent using information provided by e.g. referees or previous employers. In addition, the supervisor at Toivola Old Courtyard responsible for recruitment and other persons participating in Toivola’s recruitment process may also supplement the data during the recruitment process.

Data may be disclosed, with the applicant’s consent, to a third party in order to carry out a recruitment-related personal assessment. In addition, data may be disclosed to an actor operating in connection with Toivola Old Courtyard, if it is beneficial for the applicant and/or necessary in order to process the application appropriately.

3.4 Collection and use of data collected from partners in collaboration

We collect personal data from our suppliers and our other partners’ contact persons and other representatives in order to maintain our collaboration partnership and to fulfil our contractual obligations. The right to process suppliers’ and other partners’ personal data is based either on an agreement with the party in question or on grounds of legitimate interest in processing the party’s employees’ or other representatives’ personal data.

4 Personal data processors, i.e. who may access personal data and how such people are authorised to act

As controller, Toivola Old Courtyard processes personal data in its own operations. In such cases, Toivola Old Courtyard staff process personal data for the purposes and to the extent required by their tasks.

This section outlines in more detail the situations wherein Toivola uses subcontractors in its activities as Controller. In this context, subcontractor refers to a personal data processor that processes personal data in accordance with this agreement either wholly or partially on behalf of the Controller and commissioned by the Controller.

Subcontractors are primarily ICT partners and other partners who have technical access to the digital services, information systems or premises used by Toivola in order to maintain them, and in order to provide its own services to Toivola and partners, to whom personal data is collected for processing in situations such as those mentioned above. Such actors may be e.g. various system service providers, actors working with payment processing, logistics industry operators working with deliveries, and marketing agencies.

The personal data processor or anyone processing personal data on behalf of the Controller or personal data processor who has access to personal data, may not process this data in any other way besides in accordance with instructions issued by the Controller unless otherwise compelled by legislation or official regulation.

Where personal data is processed on the Controller’s behalf by a subcontractor, the agreements between the Controller and subcontractor must ensure the organisation of appropriate protective measures and make sure that personal data processing fulfils the requirements set by data protection legislation.

5 Personal data storage, recipients and disclosure practices, i.e. how data is stored and to whom it is disclosed

Data that is collected, the sources of the data, and key processing principles are outlined above. This section will outline our general practices and rights concerning the reception and disclosure of personal data in more detail.

The rule of thumb is that personal data is processed only by Toivola, in activities that immediately relate to Toivola’s business operations and/or by actors who are closely linked to Toivola’s business operations (personal data processors). Personal data is not sold, leased or disclosed to third parties for any other purposes.

The Controller may disclose personal data within the limits permitted and in accordance with obligations set in legislation, in order to fulfil an agreement between the parties, or if there is a factual connection. Personal data may therefore be disclosed e.g. on the basis of official legal requirements at various stages of the customer process, for example to actors operating in connection with Toivola Old Courtyard and to system providers and other providers who provide a service or part thereof.

Any joint events and campaigns between Toivola Old Courtyard and third parties may collect personal data that is disclosed to the third party in order to carry out practical arrangements for the event or campaign and to fulfil commercial objectives. In such cases, the data subject will be informed of any disclosure of personal data to third parties when data is collected.

Toivola does not primarily transfer data subjects’ data outside of the European Union, European Economic Area, or outside of other countries that the European Commission has deemed to have a sufficient level of data protection or which have guaranteed a sufficient level of data protection through agreement arrangements. Data from the systems, storage spaces (cloud solutions), email service, other communication solutions and software used for customer information and marketing communications utilised by Toivola can be stored in the European Union, European Economic Area or other countries that the European Commission has deemed to have a sufficient level of data protection or which have guaranteed a sufficient level of data protection through agreement arrangements. In practice, the personal data on Toivola Old Courtyard’s information systems and data files is stored in accordance with the associated service providers’ server solutions and locations.

Notwithstanding what is outlined elsewhere in this document, personal data can be disclosed to third parties in the following situations:

  • To the extent permitted or required by legislation;
  • When disclosing data to personal data processors;
  • If Toivola Old Courtyard is involved in a merger, company reorganisation or sale of all or some of its business operations;
  • If we believe the disclosure of personal data to be necessary in order to exercise our rights, to guarantee the safety of the Data Subject or others, to investigate data misuse or suspected misuse, or to respond to an official request;
  • To the extent where the Data Subject’s data is clearly linked to other persons or organisations.

6 Exercising the rights of the data subject, i.e. your rights concerning your personal data

You have, among others, the following rights concerning your personal data:

  • The right to withdraw your consent to personal data processing in situations where processing is based on your consent.
  • The right to refuse to provide your personal data in situations where we collect it from you directly. Please note, however, that in such cases it will not be possible to implement all functions, such as online store purchases. It is not possible to complete recruitment processes without personal data processing.
  • The right to request access to your personal information and ascertain the personal data that has been stored about you, receive a copy of your personal data, and request information on whether your personal data is processed and how.
  • The right to object to direct marketing. All digital marketing messages we send contain a cancellation link via which you can withdraw your consent to direct marketing at any time. We will not send direct marketing messages after registering your cancellation. Please note, however, that we may still contact you e.g. in order to deliver any products and services you have ordered, or in other corresponding situations.
  • The right to request the erasure of your personal data entirely or the restriction of their use to only apply to e.g. some of our services. You may also object to the processing of your personal data for justified reasons.
  • The right to request the rectification of inaccurate or inadequate data. It is in everyone’s best interests if the personal data we use is accurate. For this reason, please check your personal data when you make purchases on our online store.
  • The right to transfer personal data to another controller, if technically possible.
  • The right to complain to the supervisory authority for personal data processing if you suspect that your personal data has been processed illegally.

Toivola Old Courtyard may gain the right and obligation to refuse to allow the Data Subject to exercise their rights as such, if other legislation sets restrictions. In such cases, other legislation may, on a case-specific basis, prevent the Data Subject from exercising their rights in full. Such situations may occur when e.g. accounting legislation restricts Data Subjects’ right to the full erasure of their personal data. In such situations, Toivola will inform the Data Subject clearly of the grounds for which their request was refused, and instruct the Data Subject on how to comprehensively exercise their rights.

Any requests from the Data Subject concerning information or procedures should be addressed to the point of contact specified by Toivola in this policy. Requests for information and procedures should include sufficiently detailed and individualising information to allow the procedure to be carried out. A precondition for the fulfilment of requests for information and procedures is for the Data Subject to be able to provide picture identification or to otherwise verify their identity in a manner that satisfies Toivola.

Primarily, the aforementioned information and procedures relating to the rights of the Data Subject are free of charge. If the Data Subject’s requests are clearly unfounded or unreasonable, especially if they are submitted repeatedly, Toivola may either charge a reasonable fee with consideration for the delivery of the information or messages, or costs relating to the implementation of the requested procedure; or decline to complete the requested procedure.

In such cases, Toivola will indicate the clear unfounded or unreasonable nature of the request to the Data Subject.

In any situation wherein Toivola acts as the personal data processor rather than Controller, responsibility for exercising the rights of the Data Subject always lies with the controller. In these cases, Toivola Old Courtyard does not have the right to disclose the data from the controller’s data file to the data subject without the consent of the controller in question, except on the basis of an official and statutory request for data.

7 Notification of data breaches

“Personal data breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

If a personal data breach occurs and it poses a high risk to the rights and freedoms of a natural person, then:

  • Toivola Old Courtyard will provide notification to the competent supervisory authority without undue delay and, where circumstances permit, within 72 hours of becoming aware of the breach
  • Toivola Old Courtyard will also notify the Data Subject of the personal data breach without undue delay
  • Toivola Old Courtyard will undertake the necessary measures to prevent risks caused by the personal data breach and to mitigate any detrimental effects.

8 Changes to data security practices

Toivola Old Courtyard continually monitors and develops its data security and data protection practices. For this reason, there may be updates to our documentation concerning data security and data protection. Toivola Old Courtyard reserves the full right to make changes to the aforementioned documentation, including to this privacy policy. An up-to-date version of this privacy policy will always be available on Toivola Old Courtyard’s website.

9 Limitations of liability

Please note that this section applies to personal data processing. The matters in this section do not concern any product warranty, etc.

Toivola Old Courtyard is only responsible for immediate damages arising from deliberate acts or gross negligence that relate to data protection legislation. Toivola Old Courtyard is not responsible for indirect damages, such as a reduction in income or other detriment caused to the Data Subject.

In all situations, Toivola Old Courtyard’s liability is limited in all situations to informing the Data Subject, and in the case of a personal data breach, the competent supervisory authority, and where circumstances permit, Toivola Old Courtyard will undertake procedures to prevent subsequent risk and mitigate detriment. Toivola Old Courtyard is under no circumstances obligated to provide compensation for damages. A breach of contract, error, or negligence shall not incur any penalty for Toivola Old Courtyard outside of that which is mentioned above.

10 Version history

Date Version Status Classification Edited by
Key changes
1.4.2021 V1.0 Approved Public Multiple editors Publication of policy required by the GDPR