Privacy policy

This privacy statement describes how we process personal data at EcoUp Oyj and its group companies (“Group companies”), which, in addition to the parent company, include Ekovilla Oy, Ekovilla Sverige AB, Uudenmaan Imupalvelu Oy, Eko Asennuspalvelu Oy and Suomen Puukuitueriste Oy. This Privacy Statement applies to the processing of personal data in customer and marketing communications, as well as in relation to our customers, suppliers, partners, potential customers and the Group companies’ websites and any users of other electronic services of ours. In addition to consumer customers, this privacy statement also applies to the processing of our corporate customers’ personal data.

We comply with applicable data protection legislation in all processing of personal data, including the provisions and principles of the European Union’s General Data Protection Regulation (2016/679) (“GDPR”) and the Finnish Data Protection Act (1050/2018). We only process personal data according to lawful processing criteria and in a transparent manner.

“Personal data” and “data” refer to any information relating to a natural person (“data subject”) from which they can be identified, directly or indirectly, as defined in the General Data Protection Regulation. Data by which a data subject cannot be identified, directly or indirectly, is not personal data.

For more information about the way we use cookies, please see our cookie policy, which you can access here.

1. Data controller

For the purposes of this privacy statement, the data controller is EcoUp Oyj.

Depending on the context of the processing, other Group companies may also act as data controllers. Please find a list of the companies in the EcoUp Group below.

EcoUp Oyj
Business ID: 0297617-0
Kansankatu 49, 90100 Oulu

Ekovilla Oy
Business ID: 3098689-4
Katajaharjuntie 10, 45720 Kouvola

Ekovilla Sverige AB
Business ID: 559113-8002
c/o True Value Redovisning AB 591 35 Motala

Uudenmaan Imupalvelu Oy
Business ID: 0424663-0
Ilveskuja 1, 01900 Nurmijärvi

Eko Asennuspalvelu Oy
Business ID: 2838744-6
Kansankatu 49, 90100 Oulu

Suomen Puukuitueriste Oy
Business ID: 0600544-3
c/o Ekovilla Oy Katajaharjuntie 10, 45720 Kouvola

EcoUp Group Data Protection Officer:
Henrik Hirvensalo
Address: Kansankatu 49, 90100 Oulu

Data protection enquiries:
Kansankatu 49, 90100 Oulu

2. Data subjects

Data subjects:

• Representatives of our corporate customers and consumer customers
• Persons who have requested to be contacted
• Potential customers (consumer customers and representatives of corporate customers)
• Suppliers, service providers, other partners and their representatives
• Visitors to our websites and users of other electronic services of ours

3. Purpose and legal grounds for the processing of personal data

We only ever process personal data for a specified purpose and to the extent it is necessary.

Contracts and pre-contractual measures
The processing of personal data for the purpose of supplying goods and services to data subjects and the processing of personal data for the purpose of the performance and negotiation of contracts to which a data subject is party and fulfilling contractual obligations and rights (e.g. invoicing, debt collection as well as contract or supply negotiations and communications) are based, where applicable, on the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures.

Legitimate interest
The data controller’s or a third party’s legitimate interest is the basis for processing personal data for the purpose of management and maintenance of customer and supplier relationships, communications, customer satisfaction surveys and brand surveys, sales and marketing activities (including telephone marketing and other types of direct marketing, marketing plans and follow-ups) as well as the development of business operations, analytics and reporting. Processing related to the manufacture, supply and sale of products and services as well as other contractual matters and marketing related to the recipient’s area of responsibility in the company they work for is also based, where applicable, on the legitimate interest of the controller or that of a third party.

When we process personal data on the basis of legitimate interest, we weigh up the advantages and potential disadvantages of the processing for data subjects and ensure that the data subjects’ rights and interests do not override the legitimate interest. The data subjects have, however, the right to object to the processing of their personal data based on a legitimate interest by presenting the grounds relating to their particular situation. In a case such as this, we will assess whether there is a substantial and valid reason, despite the objection, to override the data subject’s interests, rights and freedoms, or whether the processing is permitted on other grounds under the General Data Protection Regulation. However, data subjects always have the right to object to the processing of their personal data for the purposes of direct marketing. We provide additional information regarding processing and the right to object upon request. Please contact our data protection officer.

Legal obligation
The processing of personal data can be based on compliance with legal obligations, such as those relating to accounting and tax legislation and statutory reporting obligations.

Personal data may also be processed in connection with the settlement of complaints and disputes, in connection with legal actions and claims, in connection with consumer dispute resolution processes and litigation as well as in connection with similar legal proceedings. Personal data may also be processed to detect misconduct and to protect property and the safety of individuals. In these cases, the processing of personal data may be based on a contractual relationship, compliance with a legal obligation or a legitimate interest.

Personal data may be processed for any purpose for which the data subjects have given their consent. For example, electronic direct marketing to data subjects requires their consent. The data controller may also, with users’ consent, collect personal data using non-essential cookies for purposes such as to monitor the number of visitors to the website, to compile statistics on the use of the website and to target marketing efforts.

4. Personal data that we process

Personal data stored in the customer register:
• Contact details and order/quote request details, such as name, email address, telephone number
• Job-related details* such as organisation, job title, responsibilities
• Employer’s contact details and background information
• Categorisation data (e.g. marketing bans, participation in events and related feedback)*

Personal data related to events attended, contacts and marketing:
• Contact details and order/quote request details, such as name, email address, telephone number
• Job-related details such as organisation, job title, responsibilities
• Information about purchased products or services
• Details of events the data subject has attended and contact with or by sales and customer service teams*
• Possible permissions and consents*
• Any other information collected with the customer’s consent
• Information related to sending, opening and clicking on marketing messages*
• Details of the use of the company website, such as time, pages and duration
• Details of orders and downloads of manuals and other materials

Personal data related to the supplier register:
• Contact details of suppliers, clients and other partners (e.g. name, email address, mobile and landline number, address, language, job title, organisation, contacts made)
• Billing details*

Personal data collected from the use of the website and electronic services:
• Personal data collected by cookies and similar technologies
• Data collected from the use of information systems

* voluntary detail. Other personal details are required for operations such as delivering orders and offering services, managing customer relationships, communications and sales, organising events and fulfilling legal obligations. Providing data collected using cookies is voluntary insofar as it concerns data collected using non-essential cookies.

5. Regular sources of data

Personal data are mainly collected from the following sources:
• Information provided by the data subjects themselves through the website, social media, phone, subscription or through another type of contact/channel (privately held source)
• The Group’s customer register (privately held source)
• Contact persons’ details obtained from Suomen Asiakastieto’s decision-maker register, companies’ public websites, social media or similar registers
• Feedback and offer request forms (privately held source)
• Notes from meetings (privately held source)
• Public websites such as

6. Disclosure of personal data and recipients

We may use third parties when processing personal data (e.g. accounting firm, installation services, IT support and communications services). We have contracts required by data protection legislation in place with such parties.

Personal data may be transferred within EcoUp Group and between the Group companies for the purposes described in this privacy statement and in compliance with data protection legislation.

Personal data may be disclosed to the authorities as required by law. In the event of an emergency or other unforeseen circumstances, we may have to disclose personal data in order to protect life, health and property. We may also be required to disclose data subjects’ personal data if a Group company is involved in litigation or other dispute settlement proceedings. Moreover, if EcoUp Group or the Group companies become involved in a merger, acquisition or other arrangements, it may be required to disclose personal data to third parties.

7. Transferring personal data outside the EU or the EEA

As a rule, we process personal data in the EU and the EEA, but data may also be processed outside these areas. If personal data are transferred outside the EU or the EEA, we will provide an adequate level of data protection using the standard contractual clauses approved by the EU Commission.

We can provide further information about transferring personal data and the transfer mechanisms.

8. Data retention periods and criteria

• As a general rule, personal data are processed for the duration of the consumer/corporate customer relationship. Data related to customers are, however, processed for a maximum of ten (10) years after the last contact or transaction, taking into account any potential complaints and liabilities for defects.
• For marketing purposes, customers’ and potential customers’ contact details are processed for as long as we target marketing efforts at them or for as long as we contact them about certain services or products and they have not objected to the processing of their personal data for the purposes of direct marketing or, if the direct marketing efforts are based on consent, they have not withdrawn their consent. We retain contact details that we use in telemarketing for a maximum of 12 months.
• We process personal data related to sales and consumers for as long as the contract or project is valid.
• Personal data processed on the grounds of legal obligations are processed and retained for the period of time determined by law.

Notwithstanding the foregoing, personal data may be retained for as long as necessary if they are required for the settlement of a complaint or similar or in relation to litigation. We can provide more information about data retention periods and criteria upon request.

9. Automated decision-making and profiling

We do not use data for automated decision-making or profiling that would have a legal or similarly significant effect on data subjects.

10. Joint controllership related to Facebook services

When we maintain company pages on Facebook, Facebook and the controller referred to in this privacy statement are, where applicable, and in accordance with data protection legislation, joint controllers of the personal data of the visitors to said Facebook page.

Facebook processes personal data according to its own data policy, which you can read here. Facebook is responsible for complying with its obligations under data protection legislation and the implementation of data subjects’ rights in its service. The data controller specified in this privacy statement processes personal data collected through the company pages on Facebook as described in this privacy statement.

You can find information about the processing of personal data carried out by Facebook and the website administrator as well as the division of responsibilities between the joint controllers in Facebook’s Page Insights Addendum as well as here.

You can manage your Facebook privacy settings through your Facebook account, and you can also contact Facebook if you want to exercise your rights as a data subject. You can find the contact details in Facebook’s data policy mentioned above. You can also contact the controller specified in this privacy statement at any time to obtain further information and to exercise your rights as a data subject.

11. Principles of protecting personal data

We protect personal data using appropriate technical and organisational measures. We aim to guarantee that our systems work and that personal data can be restored even in the event of a fault.

The data are stored appropriately on secure servers with technical data security that is controlled by several different means. Access to the data is managed by job role-based management of access rights. Any manual material is stored in a locked room to which only separately authorised persons have access.

12. Rights of data subjects

Exercising data subjects’ rights in a given situation depends on the purpose and context of the processing of personal data.

Right of access
Data subjects have the right to know whether their personal data are processed, and, if they are, they have the right to obtain the details described in data protection legislation about the processing. Data subjects have the right to obtain a copy of their personal data.

Right to rectification
Data subjects have the right to request that incorrect or incomplete data concerning them be rectified.

Right to object
Data subjects have the right to object to the processing of their personal data based on a legitimate interest. When filing an objection, data subjects must specify the particular situation based on which they are objecting to processing. The data controller can refuse to comply with the objection on the grounds provided for by law. However, data subjects always have the right to object to the processing of their personal data for the purposes of direct marketing and related profiling.

Right to restrict processing
Data subjects also have the right to demand that the data controller restrict the processing of their personal data, for example, in a situation where they are waiting for the data controller’s response to the request concerning the rectification or erasure of their data.

Right to erasure (“the right to be forgotten”)
Under data protection legislation, data subjects have the right to ask for their personal data to be deleted.

Right to data portability
To the extent that data subjects have provided data to the data controller to be processed upon their consent or in order to perform an agreement, they have, under certain circumstances, the right to receive such data in a machine-readable format and also the right to transmit these data to another data controller.

Right to withdraw consent
If the processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw this consent by notifying the data controller of this. Withdrawal of consent does not affect the processing carried out prior to the withdrawal.

Right to object to the processing of personal data for direct marketing
Data subjects have the right to withdraw their consent and to prohibit the use of their personal data for electronic direct marketing purposes.

Exercising one’s rights
Requests concerning data subjects’ rights are to be made in writing or electronically to the addresses specified in Section 1 of this privacy statement.

The data subject’s identity will be verified before the information is provided, so we may have to ask for more specific details. If a data subject’s request is refused, the data subject will be notified of the refusal in writing.

Right to lodge a complaint with a supervisory authority
Data subjects have the right to file a complaint with the Data Protection Ombudsman if they think that we are in breach of the applicable data protection legislation when processing their personal data.

The Data Protection Ombudsman’s contact details can be found here.

13. Changes to the privacy policy

We develop our services and operations constantly, and it may be necessary to update this privacy statement from time to time should the procedures or purposes of personal data processing change. Please check this privacy statement regularly to be informed of any changes. The latest version is available on the Group’s website.

This privacy policy was published on 31 August 2021.