1. This Privacy Policy (hereinafter – the Privacy Policy) sets out how BUYEU FI (hereinafter – the Company, we, us or the Data Controller) processes personal data on the website buyeu.fi, in the customer account, as well as when providing services related to the purchase, delivery, return of goods, customer service and other related services.
2. If you have any questions related to the processing of personal data, the exercise of data subject rights, requests, complaints or other privacy-related matters, you may contact us by email at info@buyeu.fi.
3. Personal data are processed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter – the GDPR), the Finnish Act on Electronic Communications Services, other applicable legal acts of the European Union and the Republic of Finland, as well as the recommendations of the competent supervisory authorities.
4. The Company processes personal data in accordance with the following principles:
4.1. personal data are collected for specified, explicit and lawful purposes;
4.2. personal data are processed lawfully, fairly and transparently;
4.3. only such personal data are processed as are adequate, relevant and necessary for achieving the specified purposes;
4.4. personal data are processed only where there is at least one lawful basis for processing:
4.4.1. the data subject’s consent;
4.4.2. entering into or performing a contract;
4.4.3. compliance with a legal obligation;
4.4.4. the legitimate interest of the Company or a third party, provided that such interest is not overridden by the interests, rights and freedoms of the data subject;
4.5. reasonable measures are taken to ensure that inaccurate or incomplete data are corrected, supplemented or updated;
4.6. personal data are retained no longer than necessary for the purposes for which they are processed, unless a longer retention period is required by law or such retention is necessary for the establishment, exercise or defence of legal claims;
4.7. access to personal data is granted only to those persons for whom such access is necessary for the performance of their duties;
4.8. appropriate technical and organisational security measures are applied to protect personal data.
5. The Company’s services may be used by:
5.1. adult natural persons with legal capacity, as well as legal entities and their duly authorised representatives. Minors may use the services only where permitted by law. If, under applicable law or due to the nature of a specific service, the consent of parents or other legal representatives is required, such consent must be obtained before the use of the service begins.
6. Where the Company’s services are considered information society services and the processing of personal data is based on a minor’s consent, a minor who has reached the age of 14 may give such consent independently. In the case of a minor under the age of 14, such consent shall be given or confirmed by their legal representative.
7. The Company has the right to request information or documents confirming the lawfulness of the consent or the right of representation.
8. If a specific service, by its nature, is not intended for minors, the Company has the right to refuse registration, acceptance of an order or provision of the service until the required confirmation from the legal representative or another lawful basis for using the service has been obtained.
II. Collection, Processing and Storage of Personal Data
9. Depending on how you use our services, the Company may process the following personal data:
9.1. first name and surname;
9.2. telephone number;
9.3. email address;
9.4. delivery, receipt, return and other addresses related to the provision of services;
9.5. account and registration data, such as login information, account identifiers, password change records and security records;
9.6. information related to orders, purchases, delivery, returns and customer service;
9.7. payment and billing information to the extent necessary for providing services, refunding money, accounting and payment administration;
9.8. correspondence and communication with customer service, including the content of enquiries, complaints and claims;
9.9. IP address, login date and time, device, browser, operating system and other technical information;
9.10. data relating to cookies and similar technologies;
9.11. information on marketing preferences and consents;
9.12. other data that you provide when using our services or that are generated in the course of providing services.
10. Personal data are processed for the following purposes and on the following legal bases:
10.1. for registration, creation and administration of an account – on the basis of contract performance or steps taken prior to entering into a contract;
10.2. for ordering, purchasing, delivering and returning goods, and for providing other services – on the basis of contract performance;
10.3. for issuing invoices and financial documents, accounting and payment administration – on the basis of contract performance and compliance with a legal obligation;
10.4. for resolving issues related to the purchase, shipment, delivery or return of goods, or the fulfilment of other contractual obligations – on the basis of contract performance, compliance with a legal obligation or legitimate interest; the Company’s legitimate interest is to ensure proper service provision, avoid losses, manage disputes and defend its rights;
10.5. for handling customer enquiries, requests, complaints, claims and disputes – on the basis of contract performance, compliance with a legal obligation or legitimate interest; the Company’s legitimate interest is to ensure high-quality customer service, resolve disputes, collect and preserve evidence related to communication and defend its rights;
10.6. for ensuring website functionality, security, fraud prevention, system protection and improving service quality – on the basis of legitimate interest; the Company’s legitimate interest is to ensure the security of the website, systems, services, customers and business, identify technical malfunctions, prevent unlawful use and reduce the risk of fraud;
10.7. for statistics, analysis and service improvement – on the basis of legitimate interest and, where required by law, on the basis of consent; the Company’s legitimate interest is to analyse the use of services, improve website performance, user experience and service quality;
10.8. for sending newsletters, offers and other direct marketing communications:
10.8.1. by email or other electronic means of communication – usually on the basis of consent and, where permitted by law, also on another lawful basis, for example where offers concerning similar goods or services are sent to existing customers, while ensuring a clear and free opportunity to opt out of such communications at any time;
10.8.2. by telephone – on the basis of prior consent where required by applicable law;
10.8.3. for providing offers and information about the Company’s services within the customer account or on the website – on the basis of legitimate interest, where such information relates to the Company’s services and is provided to existing customers, ensuring a clear possibility to object to such processing at any time; in cases where applicable law requires consent for such processing, the data are processed on the basis of consent;
10.9. for the establishment, exercise or defence of legal claims – on the basis of legitimate interest; the Company’s legitimate interest is to defend its rights, interests and property in judicial, pre-trial or administrative proceedings.
11. When registering, placing an order or otherwise providing data, the customer must provide accurate, correct and complete data. If data necessary for registration, order fulfilment, delivery, return, payment or responding to an enquiry are not provided, the Company may be unable to conclude or perform a contract, provide services or properly process the request.
12. Personal data are usually obtained directly from the customer when the customer registers, places an order, uses the website, contacts us or otherwise uses our services.
13. In certain cases, where necessary for the provision of services, compliance with legal obligations or ensuring legitimate interests, personal data may be obtained not directly from the customer but from third parties, for example:
13.1. from payment service providers, banks or financial intermediaries – information on payment status, payment confirmation, refund, failed payment or other information necessary for payment administration;
13.2. from shipment, logistics, warehousing and delivery service providers – information on parcel acceptance, transportation, delivery progress, delivery status, non-delivery, return or other data related to shipment fulfilment;
13.3. from persons acting on behalf of the customer, such as representatives, authorised persons or employees of a legal entity – customer identification, contact, order or delivery data;
13.4. from public registers or authorities, where permitted by law and necessary for fulfilling legal requirements, fraud prevention, dispute resolution or defence of rights;
13.5. from IT, communication, customer service or other service providers when they act on our behalf and transmit information generated through the use of their solutions;
13.6. from other third parties where the customer requests that their data be included in the performance of the service or where such receipt of data is permitted by law.
14. When processing and storing personal data, the Company implements appropriate technical and organisational measures intended to protect personal data against accidental or unlawful destruction, loss, alteration, disclosure or other unlawful processing.
15. Personal data are retained no longer than necessary for the purposes for which they were collected and processed, unless a longer retention period is required by law or is necessary for the establishment, exercise or defence of legal claims. The following main retention periods apply:
15.1. account and registration data are retained for as long as the account remains active and for 3 years after the last active login or account closure, unless longer retention is necessary due to pending orders, disputes, debt administration or defence of legal claims;
15.2. data related to orders, purchases, delivery, returns and related transactions are retained for 10 years from the date of completion, cancellation or return of the order to the extent necessary for accounting, fulfilment of tax obligations, dispute management and defence of rights;
15.3. invoices, payment, accounting and other financial documents are retained for 10 years, unless applicable law provides for a longer or shorter period;
15.4. data related to customer service enquiries, correspondence, complaints, claims and dispute handling are retained for 3 years from the resolution of the matter or the last contact, and if a dispute or legal proceedings are initiated, until their final conclusion and for 1 additional year thereafter where necessary for the defence of rights;
15.5. direct marketing data are retained for 3 years from the last active confirmation of consent or the last meaningful interaction with a marketing message, unless the person withdraws consent or objects to such processing earlier;
15.6. the fact of opting out of direct marketing and related minimum data may be retained for 5 years from the date the opt-out is received in order to ensure that no unwanted messages are sent to the person and to prove compliance with the opt-out request;
15.7. data concerning consents and evidence of obtaining them are retained for 5 years from the withdrawal of consent or the expiry of its validity in order to prove the fact and scope of consent;
15.8. technical logs, security records, IP addresses, login records and system records are generally retained for 90 days, unless longer retention is necessary for incident investigation, fraud prevention, security assurance or defence of legal claims; in such cases they may be retained for up to 1 year;
15.9. where a mandatory retention period is prescribed by law for a specific category of data, the retention period prescribed by law shall apply.
16. The website may use necessary, functional, analytical, statistical, marketing and other cookies and similar technologies.
16.1. necessary cookies are used to ensure the operation of the website and the provision of services;
16.2. analytical, functional, marketing or other non-essential cookies are used only with the user’s consent where required by law;
16.3. detailed information about cookies, their purposes and management options is provided in a separate Cookie Policy.
17. Direct marketing communications are sent only where there is a valid legal basis.
17.1. the customer has the right to opt out of direct marketing communications at any time by clicking the unsubscribe link in the newsletter or by contacting us using the contact details provided in this Privacy Policy;
17.2. opting out of direct marketing communications does not affect the sending of messages that are not considered direct marketing, such as messages related to order fulfilment, account administration, security, service changes or legal obligations.
18. The Company may use statistical, aggregated, anonymised or otherwise non-directly identifiable data for business analysis, planning, service improvement and other lawful business purposes.
III. Use and Disclosure of Personal Data to Third Parties
19. The Company may transfer personal data to third parties only to the extent necessary for the purposes set out in this Privacy Policy, for contract performance, compliance with legal requirements or ensuring the Company’s legitimate interests.
20. Personal data may be transferred to the following categories of recipients:
20.1. payment service providers, banks and financial transaction intermediaries (for example, Paysera) or other payment administration partners;
20.2. shipment, logistics, warehousing and delivery service providers (for example, Omniva, SmartPosti), courier companies, parcel locker operators and warehousing partners;
20.3. IT, hosting, cloud, system maintenance and data storage service providers;
20.4. customer service, communication, marketing and analytics service providers;
20.5. accounting, audit, legal, debt administration, fraud prevention and other related service providers;
20.6. other partners or service providers where necessary for providing the Company’s services or ensuring legitimate interests.
21. Personal data may also be disclosed to state and municipal authorities, courts, law enforcement authorities, supervisory authorities and other competent authorities where required by law or where such disclosure is necessary to protect the Company’s rights and legitimate interests in establishing, exercising or defending legal claims.
22. Where third parties process personal data on behalf of the Company, they act as data processors and process personal data only in accordance with the Company’s instructions and subject to appropriate technical and organisational security measures.
23. Where personal data are transferred outside the European Economic Area, the Company ensures that such transfer takes place in compliance with the GDPR and subject to appropriate safeguards, such as the standard contractual clauses approved by the European Commission, an adequacy decision or other lawful data transfer mechanisms.
24. Information on the safeguards applied and, where applicable, a copy thereof or information on where they may be accessed can be obtained by contacting info@buyeu.fi.
IV. Modification, Updating of Personal Data and Data Subject Rights
25. The customer has the right to modify, update, correct or supplement the data provided in their account or by other means. Where necessary, the Company may request additional information required to verify identity in order to protect personal data and the rights and freedoms of other persons.
26. The customer has the right to:
26.1. receive information about the processing of their personal data;
26.2. access their personal data;
26.3. request the correction of inaccurate data or completion of incomplete data;
26.4. request the erasure of data where there is a legal basis for this under applicable law;
26.5. request restriction of data processing;
26.6. exercise the right to data portability where applicable;
26.7. object to data processing where it is based on legitimate interest;
26.8. withdraw consent at any time where the data are processed on the basis of consent; withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal;
26.9. object at any time to the processing of their personal data for direct marketing purposes;
26.10. lodge a complaint with the national data protection supervisory authority.
27. Where personal data are processed on the basis of legitimate interest, the customer has the right to object to such processing on grounds relating to their particular situation.
28. Where the right to data portability applies, the customer has the right to receive the personal data concerning them in a structured, commonly used and machine-readable format or, where technically feasible, to request that such data be transmitted to another data controller.
V. Submission of Information or Claims
29. In order to exercise their rights, obtain information on the processing of personal data, or submit a request, complaint or claim, the customer may contact us by email at info@buyeu.fi.
30. Where necessary, the Company may request additional information required to verify identity in order to protect personal data and the rights and freedoms of other persons.
31. The Company provides information on the personal data being processed and responds to requests in the manner and within the time limits prescribed by law, usually no later than one month from the date of receipt of the request, unless this period is extended in accordance with applicable law due to the complexity or number of requests.
32. The customer has the right to lodge a complaint with the national data protection supervisory authority.
VI. Changes to the Privacy Policy
33. The Company has the right to amend this Privacy Policy in part or in full by publishing the changes on the website buyeu.fi.
34. Changes to the Privacy Policy take effect from the date of their publication on the website, unless another effective date is specified in the Privacy Policy itself or in the amendment.
35. In the event of material changes to the Privacy Policy, the Company may additionally inform customers by email, via the customer account or by other usual means of communication.