Security and Privacy Policy

Porvoon Kirjakeskus Oy


1    Introduction

1.1    This privacy policy statement describes the operating practices and principles of Porvoon Kirjakeskus Oy regarding the personal data collected for and used in the company's business. Furthermore, this statement explains the measures you can take to influence the processing of your personal data. Porvoon Kirjakeskus Oy abides by the European Union (EU) General Data Protection Regulation (GDPR, (EU) 2016/679) and the requirements of other applicable data protection legislation.

1.2    This privacy policy statement may be updated at any time without prior notice. Any changes will become effective immediately once the updated privacy policy statement is uploaded to our website. The current privacy policy statement in effect can be found on the website of Porvoon Kirjakeskus at If you continue to use our website, you accept our privacy policy statement.

2    Data controller and their contact information

2.1    The data controller, as defined by data protection legislation, is Porvoon Kirjakeskus Oy (business ID 2405922-6, Teollisuustie 4, 06150 Porvoo, Finland; hereinafter Controller). This indicates that we are responsible for the personal data that you entrust to us.

2.2    For data protection matters or those listed in section 5.1, please contact our IT department by phone (+358 400 839 121, 8 a.m. to 4 p.m. on working days) or email (


3    The purpose of and justification for personal data processing

3.1    Personal data is collected and processed solely for the following purposes:

a)    To make agreements and create customer relationships.

b)    To fulfil agreements.

c)    To fulfil orders.

d)    For marketing purposes.

e)    For invoicing purposes.

f)    For order and invoicing information reporting.

3.2    The legal bases for data processing:

a)    The data subject's consent.

b)    Processing that is required to fulfil an agreement that the data subject is party to.

c)    Processing that is necessary for Porvoon Kirjakeskus to meet a statutory obligation.

Where data processing is based on consent, data subjects have the right to withdraw their consent at any time.

3.3    We will keep personal data for the length of time stipulated by the Finnish Accounting Act, after which the data will be removed.

3.4    If you refuse to hand over the personal data requested, we are unfortunately unable to offer our services to you.


4    The data we use

We will keep and use the following data: person's name, address, telephone number, email address and personal identity code, as well as any equivalent information required to manage the customer relationship.


5    The data subject's rights

5.1    Data subjects may request that the Controller remove, amend or correct any data processed or used by the Controller that is erroneous or misleading. Data subjects may also request to have the use of the data restricted, have it transferred from one system to another, or forbid the Controller from processing the data for other purposes than those required by law.

5.2    Data subjects also have the right to request access to the data concerning them from the Controller. If a data subject submits such a request, the data concerning the data subject will be sent to them electronically. The requests of data subjects will be responded to as soon as possible.

5.3    Data subjects have the right to file a complaint regarding the Controller's processing of personal data to the Data Protection Ombudsman.

5.4    You may use the contact information listed in section 2.2 to make contact regarding the matters described in this section.


6    Transfer of personal data

6.1    Personal data may be transferred, within the confines of data protection legislation, from the Controller to service providers, partners and other similar parties closely related to the Controller's business, as well as to meet statutory obligations.

6.2    In the aforementioned situations, personal data may be transferred according to the current legislation and using a transfer agreement that ensures the personal data is only used for a specific purpose and that sufficient precautions are taken.

6.3    Personal data may be transferred and kept outside the European Economic Area (EEA). If personal data is transferred outside the EEA, the Controller will ensure sufficient security by transferring data to countries that the European Commission has deemed to offer adequate protection. If data is transferred to a country with inadequate data protection, according to the European Commission, the Controller will prepare a separate personal data processing agreement with the non-EEA organisation receiving the data.


7    Protection of personal data

The Controller hereby warrants that it will undertake the necessary measures to secure personal data against accidental or unlawful destruction, loss, changes/alteration, unauthorised disclosure, abuse, etc. All data will be stored under physical and technical protection. In addition, the Controller employs internal security measures (such as passwords and access rights) to ensure that only a limited number of personnel who need the data will process it.

8     The register protection principles
All personal data included in the register will be kept confidential. The use of the person register has been instructed and restricted within the Controller's organisation so that the data kept in the register and stored in the system may only be accessed and used by those employees that have the right to do so based on their duties and need the data in said duties. All personnel handling personal data are obligated to secrecy.
Access to the system requires each user of the register to enter a username and password. The Controller's network and the hardware the register resides on are protected by a firewall and other technical measures. All material containing personal data is destroyed in a secure manner.