Privacy Statement for customers, potential customers and stakeholders

This is a Privacy Statement for the personal data of Vallila's customers, potential customers and other stakeholders, where we inform about collecting and processing personal data. The privacy statement has been updated to comply with the EU Data Protection Regulation, which entered into force on 25 May 2018. To contact us about privacy issues, please contact us at: 


Oy Vallila Interior Ab (Finnish Company ID: 2425437-1) as well as the following companies belonging to the same corporation: Oy Vallila Collection Ab (Finnish Company ID: 2561625-8) and Oy Vallila Contract Ab (Finnish Company ID: 2561626-6) [hereinafter referred to as the “Controller”]

Address: Nilsiänkatu 15, 00510 Helsinki

Tel.:  +358 20 776 7700



2. What do the terms we use mean?

“Data subject” refers to the person whose personal data are being processed by Vallila in their personal data register in the role outlined in this Privacy Notice.

“Personal data” refers to all the information on an identified or identifiable natural person (hereinafter referred to as the “data subject”), including name, address, e-mail, telephone number and transaction history. A natural person is considered identifiable when they can be directly or indirectly identified on the basis of their name, social security number, location, network identification information, or one or more physical, physiological, genetic, psychological, economic, cultural or social factor distinctive to them.

“Customer” refers to data subjects who are consumers and contact persons from companies and other organisations (hereinafter referred to as the “company”) that have a customer relationship with the Controller.

“Potential customers” as a term refers to data subjects that are consumers or contact persons from companies that the Controller is attempting to create a customer relationship with.

 “Stakeholders” as a term refers to consumers and company contract persons who the Controller has a cooperative relationship with (for example, representatives of companies that provide services to the Controller) or another type of connection (for example, representatives of the media as parties in communications work as well as societal decision-makers related to social relations work).


3. What do we use your personal data for?

The Controller processes the personal data of the data subjects for the following purposes (one or more simultaneously):

  • Care, analysis and development of customer and stakeholder relationships

The Controller may use your personal data directly with you or with the company you represent to care for, analyse and develop the customer or stakeholder relationship you have formed.

  • Delivery of products and services

The Controller may use your personal data for the delivery of products and services if, for example, you or the company you represent have bought a product or service from us, used our digital services, ordered our newsletter or taken part in our events. The personal data are used for the agreement between the Controller and the customer or to effectuate the rights and obligations based on another commitment.

  • Customer communications

The Controller may use your personal data in its customer communications, for example to send you notifications about products and services, to notify about any changes to services and to ask for feedback about products and services.

  • Marketing

The Controller may contact you in order to tell you about new products, services or benefits. The Controller may use personal information to tailor its offering and to offer relevant content. For example, this means that we might give you recommendations or show you tailored content or tailored advertisements in our own services and those of third parties.

  • Development of products and services

The Controller may use your personal data for the development of its products and services, for example to improve its product selection to make it more interesting for customers.

The legal grounds for the processing of personal data can be found in following subsections of Article 6 of the EU’s General Data Protection Regulation (GDPR):

  1. the data subject has given consent to the processing of their personal data for one or more specific purposes;
  2. processing is necessary for the performance of a contract to which the data subject is party or to take steps at the request of the data subject prior to entering into a contract;
  3. processing is necessary for compliance with a legal obligation to which the controller is subject; and
  4. processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data.

The Controller processes your data to implement the agreement made with you or the company you represent (for example, undertaking an online shop or specialty purchases, digital service or office interior design project).

The Controller’s legal rights related to doing business, such as the right to advance the sales of their products and services by certain means, and based on a legal right, the Controller may practice direct marketing and sales making use of your contact information, including processing personal data for profiling. Other legal benefits of the Controller that entitle them to the processing of your personal data include but are not limited to the assistance and other customer services for non-customers, development of their business as well as the investigation of possible cases of misuse and protection of property with video camera surveillance.

If the processing of data is not based on a contractual need or a legal benefit, the Controller may ask for your consent for other types of personal data processing.

In addition, the Controller may process your personal data as required by the legislation, for example based on the requirement to retain data in accounting law.


4.  What kinds of data can we process?

The data collected by the Controller may include the following types of information and changes made thereto, among others:

  • Basic information about all data subjects
  • First and last name
  • Contact information (postal address, e-mail, telephone numbers)
  • Gender
  • Communications targeted at the data subject and activities related thereto
  • Direct marketing choices
  • Information on the use of the Controller’s digital services
  • Information on the cookies sent to the data subject’s primary devices (e.g. computers and mobile devices) as well as other equivalent functions and data collected with them, if the person is identifiable from the data
  • Possible recordings of customer service telephone calls as well as customer service-related e-mail and online conversations on social media channels, for example
  • Further information on company representatives
  • Title and/or job descriptions in their current and previous positions that relate to the work of the Controller
  • Data on those data subjects who have purchased the Controller’s products or services, those who give feedback on them and/or those who have made a complaint
  • Start and end date and type of the customer relationship or equivalent relationship
  • Campaigns and offers aimed at the customer and use thereof
  • Areas of interest and other information given by the customer
  • Contents of the feedback and complaints, related correspondence and follow-up
  • Data on data subjects who have taken part in the Controller’s events
  • Information related to diet (especially information that the user has given voluntarily)
  • Date of birth related to the events in cases in which the shipping company requires it, for example
  • Names and dates of birth of travel companions in cases in which the shipping company requires it, for example
  • Log-in information of customers of the Controller’s online services
  • The data subject’s log-in information
  • Activity in the online service after logging in

5. What sources do we use to collect your personal data?

The majority of data is received from you at the beginning of and during the customer or stakeholder relationship as well as from the programs you use for using our products and services. Personal data on potential customers collected for marketing purposes may be collected with the consent of the person in connection with various activities like competitions, surveys or events (by Vallila or its partners).

The Controller also receives personal data and their updates from officials and organisations that offer credit and personal data acquisition and updating services as well as from public directories and other public sources of information, such as company websites and social media channels. The Controller collects personal data from data subjects for marketing purposes in connection with various activities, such as raffles, competitions, surveys or events (by the Controller or its partners). The Controller may analyse the data in its filing systems as well as combine it crosswise and with data obtained from third parties.

The Controller also receives personal information on company representatives from their colleagues, meaning that a company’s primary contact person may give the Controller personal information about other individuals related to the use of the Controller’s products and services.


6. Do we practice targeted marketing?

 Data processing may be used, for example, to create target groups interested in similar content and to target content to different groups for the purpose of creating the best possible customer experience.


7. Who can we share your personal data with?

The Controller does not give, sell or otherwise reveal your personal data to external, third parties unless otherwise noted in the text below.

The Controller may distribute your personal data to third parties operating services for the Controller. For example, these services may include customer service, software services, research, marketing and event production. The Controller may distribute your personal data in order to collect payment for products and services and, for example, it can transfer or sell unpaid invoices to third parties offering collections services.

The protection of your personal data is important to the Controller, which is why it does not allow these parties to use data for any other purpose apart from the offering of the services in question. It also requires that the parties protect users’ personal data in accordance with this Privacy Statement and the applicable legislation.

The Controller distributes your personal data to partners that the Controller manages and carries out projects with.

The Controller may share your personal data with carefully selected third parties for shared and independent direct marketing purposes. Data can be shared for these purposes only when the third party’s planned usage is not in conflict with the purposes of use defined in this Privacy Statement.

The Controller can, using their discretion, share the personal data of those participating in the Controller’s events with other event participants if it is suitable given the nature of the event (for example, an event organised for stakeholders).

The Controller may share your personal data during in connection with a company acquisition or other merger or acquisition or during the transfer of a service to another service provider. The Controller may share your personal data under the order of a court of law or an equivalent body.

8. Do we transfer your data outside of the EU?

In offering its services, the Controller may use resources and servers located in various regions of the world. Thus, the Controller may transfer your personal data outside of the country in which the service is being used and possibly to countries outside of the EU, in which the data protection legislation is different.

In these cases, the Controller ensures that there is a legal basis for the data transfer and that the user’s personal data are protected, for example by using (as needed) the appropriate model contracts and processor contracts from officials and by requiring compliance with the appropriate technical and other data protection activities.

9. How long will we process your data for?

The Controller processes your personal data in this register for as long as the Controller has a valid basis for the processing of the data in accordance with section 2 of this Privacy Statement, and for a reasonable amount of time afterwards.

The processing time of personal data of various groups of people are set with the following justifications:

  • Private consumer customers

The Controller can process your personal data during your customer relationship and for three years following the end of the customer relationship.

After this, the Controller can transfer your necessary personal data to a marketing register and process you as a potential customer again.

  • Business customer representatives

The Controller can process your personal data as long as you are representing the Controller’s business customer and for three years following its end.

After this, the Controller can transfer your necessary personal data to a marketing register and process you as a potential business customer representative again.

  • potential private consumer customers and potential business customer representatives 

The Controller can process your personal data indefinitely, until you become a customer or until you demand that your data are deleted from the Controller’s marketing register.

  • Stakeholder members

The Controller can process your personal data for as long as you are a member of a stakeholder group, including representing a partner of the Controller or the media, and during the calendar year following the end of this membership.


10.  Is it necessary to give your personal data to us?

In order for the Controller to be able to fulfil the contractual obligations related to our relationship, the Controller must receive and process personal data about you. Without the necessary personal data, we cannot offer you the products and services which the processing of personal data is required for, such as online shop purchases, for example.


11.  How can you use your rights regarding your personal data?

As a data subject, you have various opportunities to affect the processing of your personal data. Normally, your request will be completed within a month. We ask that you contact us using the contact information provided in section 1 of this Privacy Statement for issues related to the use of your rights. Your rights include (the scope of the rights depends on the basis for processing of your personal data, meaning that not all of the rights below are necessarily at your disposal in all situations):

  • The right to gain access to the personal data collected about you. In practice, this happens in such a way that having received an appropriate and identified request from you, we provide you with a report of the personal data collected about you onto our personal data register.
  • The right to request the rectification or erasure of personal data collected about you. If you notice that there are mistakes or something is missing from your data, you can make a rectification request with us.
  • The right to request the erasure of personal data collected about you. We are obligated to erase your personal data from our personal data register upon your request if any one of the following justifications is fulfilled and if the erasure is not hindered by an obligation to retain data resulting from legislation or an official order:
  • The personal data are no longer needed for the purposes for which they were collected;
  • You revoke your consent, and there is no other legal basis for processing;
  • You object to the processing based on a particular personal situation and there is no justifiable reason for the processing, or you object to the processing of your personal data for direct marketing;
  • Your personal data have been processed illegally;
  • Your personal data must be erased in order to comply with a legal obligation applied to the Controller based on European Union law or Finnish legislation; or
  • Your personal data have been collected while offering information society services, for example when ordering of the Controller’s digital data services.
  • The right to request the restriction of processing of your personal data. You can request the Controller to restrict the processing of your personal data if:
  • You contest the validity of the personal data about you held by the Controller;
  • The processing is illegal and you demand the restriction of use as opposed to erasure;
  • The Controller no longer needs the personal data in question for purposes of processing, but you need them in order to draft, present or defend a legal claim;
  • You have objected to the processing of personal data while awaiting verification of whether or not the legal bases of the Controller override yours.
  • The right to object to the processing of personal data concerning you. If the Controller processes your data based on a legal benefit, you have the right to object to the processing of the personal data concerning you based on a particular, personal situation. Everyone included in the registers referred to in this Privacy Statement has the right to object to the processing of their personal data for direct marketing.
  • The right to transfer the data you have given from one system to another. If the automatic processing of your personal data is based on consent or agreement, you have the right to receive the personal data you have provided to the Controller in a structured, commonly used and digitally readable format as well as the right to transfer the data in question to another controller.
  • The right to withdraw consent. If all or some of your personal data are processed in this register based on your given consent, you have the right to withdraw your consent.
  • The right to make a complaint to supervisory authorities. If any disagreement between you and the Controller related to the processing of your personal data cannot be resolved amicably, you have the right to request that the issue be resolved by the Data Protection Authority.


12.  Which country’s legislation is applied to the processing of your data?

We are a Finnish corporation. Finnish legislation and EU legislation directly applicable in Finland, such as the GDPR, are applied to this personal data register and the processing of the personal data therein.


13.  How can we update this privacy statement?

We are constantly developing our business and it may also mean that changes to the processing of personal data are made. We update our Privacy Statement as needed to correspond to the changes in procedure. The changes may also be based on changes in the legislation. We recommend that you regularly familiarise yourself with the contents of the Privacy Statement.

If we start to process your personal data for purposes other than those which your personal data were originally collected for, we will notify you of this and the updated Privacy Statement before further processing. We will notify you of any other changes to the Privacy Statement on our website.