CUSTOMER PRIVACY POLICY
We are committed to respecting and protecting the privacy of our customers and to processing personal data in accordance with applicable data protection legislation and good data protection practices. We comply with current Finnish legislation and the General Data Protection Regulation of the European Union when processing personal data.
The purpose of this privacy policy is to describe how we collect, use and protect our customers’ personal data and what rights the data subject has regarding the processing of their personal data.
Contact information
Controller of the processed personal data:
Kärkkäinen Oy (0865108-6)
Ollilanojankatu 2, 84100 Ylivieska
tietosuoja@karkkainen.com
Data protection officer:
Privaon Oy (2647800-2)Hevosenkenkä 3, 02600 Espoo
Processing and retention period of personal data
Personal data sources
The personal data is provided by the customer upon using Kärkkäinen’s services. Services refer to services offered by the Kärkkäinen Group company, such as the www.karkkainen.com online store, the marketplace connected to the store, the www.suomitrading.fi online store, websites maintained by the Kärkkäinen, a newsletter or other services provided by Kärkkäinen.
We may also receive information from our partners, such as freight companies, finance companies, marketplace merchants, and, within the limits of law, from other service providers, such as a credit information register holder or from authority registers, such as the Population Information System.
Purposes of processing personal data and retention period
| Purpose of Processing | Legal Basis | Personal Data Categories |
|---|---|---|
| Provision of e-commerce services to consumers (registered and guest customers, from purchase to delivery) | Agreement Legitimate interest | Guest users of suomitrading.fi and karkkainen.com: name, contact information, purchase information, last four digits of payment card Registered users of suomitrading.fi and karkkainen.com: name, contact information, purchase information, last four digits of payment card, user name, staff information, interests, given consents, customer events, service usage information, behavioural information |
| Targeted marketing in online stores and digital channels | Legitimate interest | Name, contact information, purchasing and financial information, technical identifiers used to target marketing and product offerings and to monitor and measure the data subject’s activity on the website, permissions and prohibitions |
| Offering customer financing online and in-store | Agreement | Name, contact information, purchasing and financial information, financial decision information |
| Processing of returns and complaints in the online store and in-store | Agreement | Name, contact information, purchasing and financial information |
| Product return procedure | Legal obligation | Name, contact information, purchasing and financial information |
| Customer service and communication | Agreement Legitimate interest | Name, contact information, purchasing and financial information, content of communication, call recordings, chatbot technical identifiers |
| Electronic cash receipt | Consent | Potential cash register number, name of identified customer, customer/staff number |
| Provision of tool rental services | Agreement | Name, contact information, purchasing and financial information |
| Provision of maintenance services for machinery and equipment | Agreement | Name, contact information, purchasing and financial information |
| Provision of photography services | Agreement | Name, contact information, purchasing and financial information |
| Accounting, monitoring, and verification of arms and ammunition trade and storage | Legal obligation | Name, contact information, purchasing and financial information, firearms license, license issuer, and place of issuance |
| Ledger and accounting | Legal obligation Legitimate interest | Name, contact information, purchasing and financial information |
| Legal requirements and monitoring and collection of receivables | Legitimate interest | Name, contact information, purchasing and financial information, other information necessary to process the order |
| Prevention and investigation of fraud and risk management | Legitimate interest | Name, contact information, purchasing and financial information, other information required to handle the matter |
| Business and service development and training purposes | Legitimate interest | Name, contact information, purchasing and financial information |
| Electronic direct marketing based on the marketing registry | Consent | Name, contact information, purchasing and financial information, target group information, permissions and prohibitions |
| Competitions and raffles | Consent | Name, contact information |
| Product review | Consent | Email address, location, review location |
Personal data will be retained for as long as necessary to fulfil the processing purposes described in this Privacy Policy or as required by legislation, but no longer than the current year plus 10 years. Legislation may require that we retain some information after the customer relationship ends. We take reasonable measures to ensure that personal data that is unnecessary, outdated or incorrect in relation to the pur-pose of processing personal data is not retained.
Personal data recipients
Personal data processors
We use service providers to assist us in running our business and providing our services. To ensure the high quality and confidentiality of personal data processing, we have concluded personal data processing agreements with all service providers involved in the processing or personal data. Our service providers may not process personal data other than in accordance with the terms of the services and the agree-ments.
Independent data controllers
In our operations, personal data may also be processed by other independent data controllers who have their own responsibilities under the data protection legislation and who are responsible for their processing of personal data. Independent data controllers are the financing providers of the www.karkkainen.com online store and the merchants operating on the online store marketplace. For more information about the processing of your personal data, please contact the data controller directly.
Disclosure of personal data
We provide our partners and marketplace merchants with the personal data necessary for order processing, delivery, sales, and marketing, or to a finance company to make and implement a financial decision. We use the services of partners for analysis and personalization purposes, in which case we may disclose service usage information to provide targeted offers.
We may disclose personal data to other companies of the Kärkkäinen Group to the extent permitted by law. The Kärkkäinen Group companies may use the personal data only for the purposes specified in this Privacy Policy.
We may disclose personal data to authorities, for example for criminal investigation or official enquiries, as required by law or a decision by an authority. The information may also be disclosed to third parties to whom the customer has given consent, for example during a specific campaign.
Personal data may be disclosed to third parties in connection with business arrangements if the personal data is part of that arrangement. Such arrangements may include, for example, business acquisitions, transfers of business operations, and mergers and divisions of companies.
Data transfers outside the EU/EEA
Personal data is generally processed only within the EU/EEA. In certain cases, personal data may also be technically processed outside the EU/EEA. If we transfer personal data outside the EU/EEA, we ensure that the transfer complies with applicable law and that we use appropriate safeguards, such as standard contractual clauses approved by the European Commission or other appropriate mechanisms, to ensure adequate protection of personal data.
Personal data protection and data security
All personal data we process is protected by technical and organizational measures against unauthorised processing, destruction, loss, damage, and access.
The security of our information systems is of a high standard and our systems are protected against data breaches and denial of service attacks. We ensure the security of our personnel, internal processes and premises to protect personal data.
Personal data is stored in monitored and guarded facilities in accordance with general industry practices. If necessary, information processed and stored outside of monitored and guarded facilities is encrypted to prevent unauthorised use.
Access to personal data is protected by user-specific IDs, passwords, and access rights. Users of systems containing personal data only have access to the data required by their job duties. Persons processing personal data have been trained to process personal data confidentially, securely and in accordance with applicable legislation and issued instructions and regulations. Persons processing personal data are bound by confidentiality.
Data subject rights
The person whose personal data is processed is called the data subject. The data subject has the follow-ing rights:
| Right to be informed | You have the right to receive information about the processing of your personal data. In addition, you have the right to receive information about the recipients to whom your personal data may be disclosed. |
| Right of access | You have the right to know that we are processing your data and the right to access the data. |
| Right to rectification | You have the right to ask us to rectify incorrect personal data about you. |
| Right to be forgotten | You have the right to request the deletion of your personal data. However, in certain cases this right may be limited due to mandatory legal obligations related to data retention. |
| Right to restriction of processing | You have the right to restrict the processing of your personal data. Restriction of processing means that we limit the processing of certain data to only retaining it. However, restricting the processing of your personal data may negatively affect your ability to receive expected products or services. |
| Right to data portability | You have the right to request that we provide you with your personal data in a systematic, commonly used and machine-readable format, which allows the transfer of the data to another data controller. |
| Right to object | You have the right to object to the processing of your personal data in certain cases. We will analyse whether the legal grounds for processing personal data are sufficient to continue processing or whether we will stop processing your personal data. |
| Rights related to automated decision-making | You have the right not to be subject to a decision based solely on automated processing that produces legal or other significant effects on you. You have the right to request that a human reviews decisions based on automated decision-making. We do not make decisions based solely on automated processing of personal data that would produce legal or other significant effects. |
| Right to withdraw consent | If the processing of personal data is based on your consent, you have the right to withdraw your consent unconditionally at any time. However, this does not affect the lawfulness of processing based on consent that took place before the withdrawal. |
| Right to lodge a complaint with a supervisory authority | If you believe that the processing of your personal data does not comply with the GDPR, you have the right to lodge a complaint with your local supervisory authority. |
If you need further information or assistance in exercising your rights, or if you have any other questions regarding the processing of your personal data or this Privacy Policy, please write an email to tietosuoja@karkkainen.com.
We may ask you to clarify your request in writing or verify your identity before fulfilling the request. We may refuse to comply with the request on the grounds set out in applicable law. If the request is rejected, we will inform you of the reasons.
Changes to the privacy policy
We reserve the right to change this privacy policy if there are changes in our operations.
This Privacy Policy was last updated on 23 April, 2025.
PRIVACY POLICY FOR BUSINESS CUSTOMERS
We are committed to respecting and protecting the privacy of our business customers and to processing personal data in accordance with applicable data protection legislation and good data protection practices. We comply with current Finnish legislation and the General Data Protection Regulation of the European Union when processing personal data.
The purpose of this privacy policy is to describe how we collect, use and protect our business customers’ personal data and what rights the data subject has regarding the processing of their personal data. Business customer refers to the contact persons and representatives of business customers of companies belonging to the Kärkkäinen Group.
Contact information
Controller of the processed personal data:
Kärkkäinen Oy (0865108-6)
Ollilanojankatu 2, 84100 Ylivieska
tietosuoja@karkkainen.com
Data protection officer:
Privaon Oy (2647800-2)Hevosenkenkä 3, 02600 Espoo
Processing and retention period of personal data
Personal data sources
The personal data is provided by the customer when they use the services of companies belonging to the Kärkkäinen Group (hereinafter referred to as the “Company”) or when they enter into an agreement or other form of cooperation with the companies. The term “Services” refers to the various offerings made available by the companies. These include the www.karkkainen.com online store, the marketplace connected to the store, the www.suomitrading.fi online store, websites maintained by the company, the KauppaSuomi magazine, a newsletter or other services provided by the companies.
We may also receive information from our partners, such as freight companies, finance companies, and, within the limits of the law, from other service providers such as a credit information register holder or from authority registers, such as the Population Information System.
Purposes of processing personal data and retention period
| Purpose of Processing | Legal Basis | Personal Data Categories |
|---|---|---|
| Providing e-commerce services for business customers | Agreement Legitimate interest | Name, contact information, purchasing and financial information, username, business ID of private entrepreneur |
| Processing of returns and complaints | Agreement | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
| Sourcing activities | Agreement | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
| Provision of marketplace services to merchants on karkkainen.com | Agreement | Name, contact information, purchasing and financial information, business ID of private entrepreneur, and creditworthiness |
| Provision of credit account sales services and credit consideration | Agreement | Name, contact information, purchasing and financial information, business ID of private entrepreneur and creditworthiness |
| Business customer profiling to target and develop the business relationship | Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
| Management and development of business relationships and customer communication | Agreement Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
| Product return procedure | Legal obligation | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
| Ledger and accounting | Legal obligation Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
| Obligations under tax legislation | Legal obligation | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
| Legal requirements and monitoring and collection of receivables | Legitimate interest | Name, contact information, purchasing and financial information, other information required to process the order, business ID of private entrepreneur, and creditworthiness |
| Prevention and investigation of abuse and risk management | Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur and creditworthiness |
| Business and service development and training purposes | Legitimate interest | Name, contact information, purchasing and financial information, business ID of private entrepreneur |
| Processing purposes related to the publication of the Kauppa-Suomi magazine (advertising space sales, personal interviews) | Agreement | Name, contact information, business ID of private entrepreneur, billing information, personal interviews may also include e.g. family relationships, hobbies, work |
| Electronic direct marketing | Legitimate interest | Name, contact information, business ID of private entrepreneur, target group information, prohibition information |
Personal data is retained for as long as necessary to fulfil the processing purposes described in this privacy policy or as required by legislation, however, no longer than the current year plus 10 years. Legislation may require that we retain some information after the customer relationship ends. We take reasonable measures to ensure that personal data that is unnecessary, outdated or incorrect in relation to the purpose of processing personal data is not retained.
Personal data recipients
Personal data processors
We use service providers to assist us in running our business and providing our services. To ensure the high quality and confidentiality of personal data processing, we have concluded personal data processing agreements with all service providers involved in the processing or personal data. Our service providers may not process personal data other than in accordance with the terms of the services and the agreements.
Independent data controllers>
In our operations, personal data may also be processed by other independent data controllers who have their own responsibilities under data protection legislation and who are responsible for their processing of personal data. Independent data controllers are the financing providers of the www.karkkainen.com online store and the merchants operating on the online store marketplace. For more information about the processing of your personal data, please contact the data controller directly.
Disclosure of personal data
We provide our partners and market place merchants with the necessary personal data for order processing, delivery, sales, and marketing, or to a finance company for making and implementing a financial decision. We use the services of partners for analysis and personalisation purposes, in which case we may disclose service usage information to provide targeted offers.
We may disclose personal data to other companies of the Kärkkäinen Group to the extent permitted by law. Kärkkäinen Group companies may only use the personal data for the purposes specified in this privacy policy.
We may disclose personal data to authorities, for example for criminal investigation or official enquiries, as required by law or a decision by an authority. Information may also be disclosed to a third party to whom the customer has given consent, for example during a specific campaign.
Personal data may be disclosed to third parties in connection with business arrangements if the personal data is part of that arrangement. Such arrangements may include, for example, business acquisitions, transfers of business operations, and mergers and divisions of companies.
Data transfers outside the EU/EEA
Personal data is generally processed only within the EU/EEA. In certain cases, personal data may also be technically processed outside the EU/EEA. If we transfer personal data outside the EU/EEA, we ensure that the transfer complies with applicable law and that we use appropriate safeguards, such as standard contractual clauses approved by the European Commission or other appropriate mechanisms, to ensure adequate protection of personal data.
Personal data protection and data security
All personal data we process is protected by technical and organizational measures against unauthorised processing, destruction, loss, damage, and access.
The security of our information systems is of a high standard and our systems are protected against data breaches and denial of service attacks. We ensure the security of our personnel, internal processes and premises to protect personal data.
Personal data is stored in monitored and guarded facilities in accordance with general industry practices. If necessary, information processed and stored outside of monitored and guarded facilities is encrypted to prevent unauthorised use.
Access to personal data is protected by user-specific IDs, passwords, and access rights. Users of systems containing personal data only have access to the data required by their job duties. Persons processing personal data have been trained to process personal data confidentially, securely and in accordance with applicable legislation and issued instructions and regulations. Persons processing personal data are bound by confidentiality.
Data subject rights
The person whose personal data is processed is called the data subject. The data subject has the follow-ing rights:
| Right to be informed | You have the right to receive information about the processing of your personal data. In addition, you have the right to receive information about the recipients to whom your personal data may be disclosed. |
| Right of access | You have the right to know that we are processing your data and the right to access the data. |
| Right to rectification | You have the right to ask us to rectify incorrect personal data about you. |
| Right to be forgotten | You have the right to request the deletion of your personal data. However, in certain cases this right may be limited due to mandatory legal obligations related to data retention. |
| Right to restriction of processing | You have the right to restrict the processing of your personal data. Restriction of processing means that we limit the processing of certain data to only retaining it. However, restricting the processing of your personal data may negatively affect your ability to receive expected products or services. |
| Right to data portability | You have the right to request that we provide you with your personal data in a systematic, commonly used and machine-readable format, which allows the transfer of the data to another data controller. |
| Right to object | You have the right to object to the processing of your personal data in certain cases. We will analyse whether the legal grounds for processing personal data are sufficient to continue processing or whether we will stop processing your personal data. |
| Rights related to automated decision-making | You have the right not to be subject to a decision based solely on automated processing that produces legal or other significant effects on you. You have the right to request that a human reviews decisions based on automated decision-making. We do not make decisions based solely on automated processing of personal data that would produce legal or other significant effects. |
| Right to withdraw consent | If the processing of personal data is based on your consent, you have the right to withdraw your consent unconditionally at any time. However, this does not affect the lawfulness of processing based on consent that took place before the withdrawal. |
| Right to lodge a complaint with a supervisory authority | If you believe that the processing of your personal data does not comply with the GDPR, you have the right to lodge a complaint with your local supervisory authority. |
If you need further information or assistance in exercising your rights, or if you have any other questions regarding the processing of your personal data or this privacy policy, please write an email to tietosuoja@karkkainen.com.
We may ask you to clarify your request in writing or verify your identity before fulfilling the request. We may refuse to comply with the request on the grounds set out in applicable law. If the request is rejected, we will inform you of the reasons.
Changes to the privacy policy
We reserve the right to change this privacy policy if there are changes in our operations.
This privacy policy was last updated on April 23, 2025.