Customers’ data protection statement

 Valid since 28th June 2024 (Older versions of the privacy policy can be found here).

Introduction 

At Barona, it is important to us that you can trust us to handle your personal data in a careful and transparent manner and with respect for your privacy. When processing your personal data, we strictly comply with the General Data Protection Regulation (GDPR) and other data protection legislation, and we always strive to act in accordance with good data protection practices. This data protection statement describes how we collect, process and protect the personal data of our B2B customers. 

The data protection statement may be updated, for example, in the event of changes to our privacy policy or applicable legislation. The current version is always available at https://policies.barona.fi/customers-data-protection-statement/.

Data controller’s contact information:  

Barona Oy 
Business ID 2808477-9 

Data protection officer 
Lauri Huhtanen 
privacy@barona.fi 

Processing of personal data 

Barona Oy
Business ID 2808477-9
privacy@barona.fi

| Purpose of processing | Legal basis | Types of personal data | Retention times |
| --- | --- | --- | --- |
| Processing of contacts | Legitimate interest in processing the received contact | Name, e-mail address, personal data in the message | 2 years from the contact |
| Direct marketing | Legitimate interest in establishing and promoting customer relationships | Name, company, title, e-mail address, telephone number, customer relationship data | 2 years from last contact, update or other event |
| Personalised marketing | Consent, legitimate interest in establishing and promoting customer relationships | Name, company, title, e-mail address, telephone number, customer relationship data | 2 years from last contact, update or other event |
| Statistical analysis | Consent, contract | Name, e-mail address, title | 2 years from last contact, update or other event |
| Conducting research and surveys | Consent | Name, e-mail address, title | 2 years from data collection |
| Customer relationship management | Legitimate interest in maintaining and promoting customer relationships | Name, company, title, e-mail address, telephone number, communication | 2 years from last contact, update or other event |
| Assignment management and invoicing | Legitimate interest in processing the data of the organisation’s contact persons for the contractual relationship | Name, e-mail address, title, company | For the duration of the customer relationship, for the period required by the legislation on accounting with regard to invoicing-related information |

Sources of personal data

We collect personal data directly from data subjects, for example through contacts. We may also collect personal data from public registers or receive it as disclosures from other data controllers, for example.

Recipients of personal data 

We use external service providers, such as system providers, to process the data. The service providers process personal data as processors on behalf of Barona. We use contractual and technical measures to ensure that the service providers we use process your data in accordance with legislation and good data protection practices.  

We use third-party processors to process personal data for the following purposes: 

  • Processing of contacts 
  • Sending the newsletter 
  • Customer relationship management 
  • Assignment management and invoicing 

Personal data may be disclosed to companies within the Bravedo Group.  

Data transfers outside the EU/EEA

In some cases, the service providers we use may process personal data outside the EU/EEA, e.g. in the United States. Personal data will only be transferred outside the EU/EEA when the requirements of the data protection legislation are fulfilled. The service providers we use are contractually committed to ensuring an adequate level of data protection in all processing of personal data.

Safeguarding your personal data

We use appropriate technical and organisational safeguards to protect personal data against loss, unauthorised access and other misuse. Examples of such measures include the use of firewalls, encryption technologies, backups and secure computer rooms. Access to your personal data is internally restricted through electronic and physical access control, as well as through policies for granting and controlling access to different systems. Access to personal data is restricted to those employees who have the right to access it within the scope of their duties. 

Rights of data subjects 

The data subjects have many rights that they can exercise to influence the processing of their personal data. The rights below can be exercised by sending a request on the matter by e-mail to privacy@barona.fi.

Right to be informed: The data subjects have a right to be informed about what personal data regarding them we process and receive a copy of the data in question. As requested, the data controller delivers a copy of the personal data being processed or information on not processing the registered person’s data.

Right to access: Data subjects have the right to request rectification or correction of their data, in which case we will complete inaccurate or incorrect data.

Right to rectification: The data subjects have the right to have all their personal data erased, that is, to be forgotten. This right may be limited, for example, by a legal obligation to retain the personal data in question.

Right to erasure (“right to be forgotten”): The data subjects have the right to have all their personal data erased, that is, to be forgotten. This right may be limited, for example, by a legal obligation to retain the personal data in question.

Right to restrict processing: The data subjects have the right to request the restriction of processing personal data. The restriction of processing means that the data will be retained, but they will be processed in other ways only based on permission, for legal request, for protecting the rights of another person, or for an important reason related to the common interests of the EU or a Member State. The restriction of processing is applicable in case, for example, the legality of processing has been disputed. Then, the processing of data is limited until its legality has been ensured.

Right to data portability: Data subjects have the right to request the transfer of personal data from one system to another. This right is applicable when the personal data has been collected directly from the data subject and the processing is based on a contract or consent.

Right to object: The data subjects have the right to object to the processing of personal data with reference to a personal reason if the ground for processing is legitimate interest, public interest or exercise of official authority. The processing of the data is stopped unless the processing is necessary for some other justified reason.

Rights relating to automated decision-making: The data subject has the right not to be subject to decision-making based solely on automated processing and which results in legal effects or other significant effects. The data subject has the right to request that a person reviews decisions based on automated decision-making. We do not make decisions based solely on automated processing of personal data that would have legal or other significant effects.

Right to withdraw consent: If the processing of personal data is based on your consent, the data subject has the right to withdraw the consent at any time without conditions. However, this does not affect the lawfulness of any processing based on consent that took place before the withdrawal of consent.

Right to lodge a complaint with the supervisory authority: The data subject has the right to lodge a complaint on processing personal data with the competent supervisory authority. In Finland, the data protection authority is the Office of the Data Protection Ombudsman.