Privacy Statement

This Privacy Statement describes how Kotipizza Group Oyj (Business ID: 2416007-6) and its subsidiaries (hereinafter referred to as “Kotipizza Group Oyj” or the “Company”) process personal data, what personal data they collect, for what purposes personal data is used and to whom data may be disclosed.

Kotipizza Group Oyj is committed to protecting the privacy of all individuals whose personal data it processes in compliance with the General Data Protection Regulation of the EU (2016/679) (hereinafter referred to as the “GDPR”), data protection legislation and other applicable legislation as well as according to good information management practice. This Privacy Statement applies to all services, applications, systems and channels managed by the Company. In addition, the Privacy Statement applies to all personal data processing performed by any of Kotipizza Group Oyj’s subsidiaries.

As defined in the GDPR, “personal data” means any information relating to a data subject, who can be identified, whether directly or indirectly, from that information. Data from which the data subject cannot be directly or indirectly identified is not considered as personal data.

  1. Data controller and data protection officer
  2. Purposes and legal basis for processing personal data
  3. Categories of personal data to be processed, information content and sources of information
  4. Retention of personal data
  5. Processors and recipients of personal data
  6. Data transfers outside the EU/EEA
  7. Data protection principles and security of processing
  8. Rights of the data subject
  9. Complaint with a supervisory authority
  10. Changes to the Privacy Statement

1. Data controller and data protection officer

Data controller: Kotipizza Group Oyj (Business ID: 2416007-6)
Contact information: Hermannin rantatie 2 B, FI-00580 Helsinki, Finland
Data protection officer at Kotipizza Group Oyj: Mikko Mäkelä
Contact information: tietosuoja@kotipizzagroup.com

2. Purposes and legal basis for processing personal data

Personal data is processed, for instance, for the following purposes:

  • ordering products and services of Kotipizza Group Oyj;
  • managing stakeholder relationships;
  • delivering products and services;
  • carrying out stakeholder satisfaction, opinion and marketing surveys;
  • personalising customer service regarding products and services, targeting customer communications and tracking the use of services;
  • marketing communications and targeting it at stakeholder groups;
  • data statistics and processing;
  • performing rights and obligations arising under the legislation;
  • risk management and preventing misuse;
  • protecting the assets of Kotipizza Group Oyj and the safety of stakeholder groups.

The legal basis for processing personal data is the contractual relationship between Kotipizza Group Oyj and the data subject. Furthermore, regarding contractual relations, processing is based on legal obligations, too.

3. Categories of personal data to be processed, information content and sources of information

Kotipizza Group Oyj only collects and processes personal data concerning data subjects that is relevant and necessary for the purposes described in this Privacy Statement. This applies to both data obtained directly from the data subjects and from other sources of information.

Sources of information

As a general rule, personal data is collected from the data subjects themselves through surveys and other measures conducted in Kotipizza Group Oyj’s channels and services.

Data collected from other sources than from data subjects

Kotipizza Group Oyj processes also personal data obtained from third parties and uses external marketing service providers which process data subjects’ contact information for marketing and communications purposes.

Furthermore, personal data may be collected from communities on behalf of which the data subject acts. In addition, data may be, to the extent permitted by legislation, collected and updated from registers maintained by third parties.

4. Retention of personal data

Kotipizza Group Oyj only retains personal data for as long as necessary to fulfil the purposes specified in this Privacy Statement, unless we are required to keep it longer by the legislation (for instance due to responsibilities and obligations concerning specific legislation, accounting obligations or reporting obligations) or in case the Company needs the data to establish, exercise or defend legal claims.

The data retention time and retention criteria depend on categories of personal data and the purpose of use of a certain category of personal data. Kotipizza Group Oyj may, as required by the legislation, use personal data of data subjects for contacting purposes after the customer relation has ended or, if the data subject has given their contact details, for example, in connection to a competition, prize draw, feedback submission or newsletter subscription.

Personal data is processed throughout the duration of a customer or contractual relationship as well as after it, as long as necessary.

Data concerning customer identification will be retained for as long as required by legislation.

When personal data is no longer needed for the above-mentioned purposes, it is deleted within a reasonable time or rendered anonymous in such a way that individuals cannot be identified, directly or indirectly, from the data.

5. Processors and recipients of personal data

Kotipizza Group Oyj processes personal data in accordance with the data protection legislation.

The Company may use external third-party service providers for data processing purposes. The Company selects service providers with due care and will ensure, with sufficient contractual measures, that the personal data is processed appropriately and lawfully.

The Company may have to disclose personal data concerning data subjects in an emergency or other unexpected situation where it is necessary to protect an interest which is essential for the life or health of other persons or for the protection of assets. Furthermore, in case the Company is involved in legal proceedings or other dispute resolution procedures, the Company may have to disclose personal data concerning data subjects.

In case of a merger, acquisition or similar event in which Kotipizza Group Oyj is involved, it may have to disclose data subjects’ personal data to third parties.

As a general rule, disclosure of data to third parties is carried out via electronic communication links. Data may also be disclosed by other means, such as by phone or mail.

6. Data transfers outside the EU/EEA

As a general rule, no data is transferred outside the EU or the EEA.

If data is transferred outside the EU or the EEA, Kotipizza Group Oyj will ensure the adequate level of protection for personal data, for instance, by agreeing on matters related to the confidentiality of personal data and its processing as required by data protection legislation, for example, by using standard contractual clauses approved by the European Commission.

7. Data protection principles and security of processing

Kotipizza Group Oyj processes personal data in a way that ensures the appropriate level of protection of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage.

Kotipizza Group Oyj uses the appropriate technical and organisational measures in order to keep the data secured, including the use of firewalls, encryption techniques, secure IT equipment facilities and appropriate management of access control, guidance for the personnel participating in the processing of personal data and guidance for the third-party contractors.

Contracts and other documents to be stored in original form will be stored carefully with limited access granted only to those parties which are entitled to access the data. Documents will be destroyed in a confidential manner.

Based on the Finnish Employment Contracts Act and contractual terms of confidentiality, all parties processing personal data are bound by professional secrecy regarding personal data processing matters.

8. Rights of the data subject

Data subjects have rights under data protection legislation.

Right of access and inspect your personal data

Data subjects are entitled to obtain a confirmation as to whether their personal data is being processed. A reasonable fee may be charged for the administrative costs of complying with the request if the last request was made less than a year ago.

Data subjects have the right to inspect which data concerning themselves has been recorded in the register and, when requested, to obtain information on their data in written or electronic form.

Right to rectification and right to erasure

Data subjects have the right to request the rectification of inaccurate personal data concerning them. In addition, in accordance with data protection legislation, data subjects have the right to request the erasure of personal data concerning them.

Kotipizza Group Oyj shall also, on its own initiative, rectify, erase or supplement any erroneous, unnecessary, incomplete or obsolete personal data it has observed.

Right to data portability, right to restriction of processing and right to object

In accordance with data protection legislation, data subjects have the right to request the data controller to transmit data concerning them to another controller.

Under the conditions of data protection legislation, data subjects have the right to request restriction of processing of their personal data. Furthermore, in a situation where the possibly inaccurate personal data cannot be rectified or erased, Kotipizza Group Oyj will restrict access to such data.

Data subjects have the right to object to the processing of their personal data for certain purposes. Data subjects have the right to object to the disclosure and processing of their data for direct marketing purposes.

Executing your rights

Requests to exercise any of these above-mentioned rights must be made in writing and be signed by the person making the request. Requests may also be made in person at the data controller’s office located at the address Hermannin rantatie 2 B, 00580 Helsinki. The request must include the following information:

  • first and last name
  • date of birth or Business ID
  • email address
  • phone number
  • home address
  • postal code and place of residence or business
  • date and place
  • signature
  • name in block letters
  • information whether the request concerns inspecting, rectifying, deleting or transferring data and/or objecting to processing or restricting processing
  • information on which register the request is targeted at (for instance newsletter or customer feedback system).

Each request will be responded to without undue delay and, whenever possible, no later than one month after receiving the request and identifying the person. The response will be submitted to the person’s confirmed address.

If the request cannot be fulfilled, the requestor will be notified. Kotipizza Group Oyj may reject a request (such as data erasure) based on its statutory obligation or right, such as obligation, dispute or claim regarding its services.

9. Complaint with a supervisory authority

If the data subject considers that the processing of personal data concerning them infringes the applicable legislation, the data subject has the right to lodge a complaint with the supervisory authority. The contact information of the data protection ombudsman:

Office of the Data Protection Ombudsman

Visiting address: Ratapihantie 9, 6th floor, FI-00520 Helsinki, Finland
Postal address: P.O. Box 800, FI-00521 Helsinki, Finland
Email address: tietosuoja@om.fi
Switchboard: +358 29 56 66700
Fax: +358 29 56 66735

10. Changes to the Privacy Statement

Kotipizza Group Oyj continuously develops its services and may, due to this, update this Privacy Statement from time to time, if needed. Changes may also be made in response to changing data protection legislation. We encourage you to review this Privacy Statement periodically.