Privacy statement concerning Valio’s customer feedback register

In this privacy statement, we describe how Valio Ltd (hereinafter “Valio” or “we”) processes personal data concerning people who have contacted Valio’s Customer Service. This includes persons who have purchased Valio’s products or persons who have contacted Valio’s Customer Service by phone, mail or email or personally, or by submitting an elec-tronic customer feedback form, to provide feedback on a Valio product or online service or to receive more infor-mation about Valio’s products.

We can update this privacy statement from time to time, when legislation changes, for example.

1. Data controller

Valio Ltd (Business ID: 0116297-6)

Meijeritie 6

FI-00370 Helsinki

2. Contact information

If you wish to exercise your rights under this privacy statement or if you have questions about the processing of your personal data, please contact us by email at or by calling +358 10 381 2185.

3. Purpose of and grounds for personal data processing

We process your personal data to manage and respond to feedback on our products and services, to pay any compen-sation and to settle any disputes.

We also process your feedback for statistical purposes and for the purposes of the Valio Group’s product development and other business development in order to better understand our customers and develop our operations in response to their needs. In these contexts, we anonymise your personal data so that you can no longer be identified based on the data.

The processing of personal data is based on the exercise of Valio’s legitimate interests. Valio’s legitimate interests are based on a relationship between you and Valio that is established when you provide us with electronic customer feedback or otherwise contact our Customer Service. Processing your personal data is necessary for managing and responding to customer feedback. With regard to processing a medical certificate you have provided or health infor-mation you have voluntarily disclosed in your customer feedback, the processing of personal data is based on your express consent.

4. What personal data do we process?

In connection with managing customer feedback, we process the following personal data: Your first name and last name, email address, phone number (if you have voluntarily provided this infor-mation) and address

  • Your free-form customer feedback (e.g. complaint or product enquiry)
  • Customer call recordings
  • Log data from the use of Valio’s electronic customer feedback system.

If your feedback gives us reason to pay compensation, we will also process the following personal data:

  • Your bank account information (bank account number in IBAN format)
  • If necessary, a medical certificate proving illness caused by a Valio product or damage entitling you to receive compensation

5. Where do we collect your personal data?

We collect personal data directly from you by phone, mail or email or through Valio’s electronic submission form or personally on-site.

6. Who processes your personal data and to whom do we disclose your data?

Your personal data is only processed by employees who need such data to perform their duties. In addition, your personal data is processed by subcontractors working for us and on our behalf, such as our electronic customer feed-back system service provider, the provider of the system used for paying compensation and other IT service providers. Subcontractors process personal data for Valio and on Valio’s behalf.

We do not regularly transfer your personal data to other data controllers. We disclose your personal data, if neces-sary, to auditors to process personal data on their own account or on our behalf, depending on the case. On a case-by-case basis, we also disclose your personal data to the authorities if there are legal grounds for doing so.

7. Do we transfer your personal data outside the EU or the EEA?

Some of our subcontractors have access to your personal data from outside the EU and the EEA. In such situations, we will ensure that your personal data is transferred lawfully in one of the following ways:

  • By verifying whether the European Commission has issued a decision on the adequacy of data protection in the country in question (e.g. Canada)
  • By ensuring appropriate safeguards as required by law, such as by signing the standard contractual clauses approved by the European Commission
  • By ensuring the lawfulness of the transfer in other ways, such as requesting your express consent for transfer-ring your personal data.

8. How long do we store your personal data?

We store your personal data for two years after receiving the data, excluding bank account information and telephone recordings, which we store for six months after receiving the data. If we pay you compensation, we will store your bank account information and any medical certificate for six years after the compensation has been paid.

We will store your personal data for longer to the extent that this is required by mandatory legislation (e.g. accounting obligations), a legal requirement concerning us or a statute of limitations or complaint period based on the law. In such a case, we will only store the data required by the legislation, statute of limitations or complaint period or the data required to process a legal claim and will erase any other data.

9. How do we ensure the security of your personal data?

We ensure the information security of your personal data through appropriate administrative and technological safe-guards. We have restricted the processing of personal data to those persons whose duties include the processing of such data. The systems containing your personal data can only be accessed using personal user identifiers and pass-words issued separately.

If you submit a medical certificate by mail, we will store it separately from your other personal data. Medical certifi-cates are stored in a locked cabinet that can only be accessed by employees who process customer feedback that leads to compensation.

10. What rights do you have?

In accordance with the applicable data protection legislation, you have, at any time, the right to:

  • Object to the processing of your personal data
  • Access your personal data (right of inspection)
  • Require any inaccurate or incorrect personal data to be rectified or completed
  • Require your personal data to be erased
  • Require the processing of your personal data to be limited (e.g. while you are waiting for a response to a re-quest concerning the rectification of your personal data).

You must submit a request to exercise your rights in accordance with section 2.

If you object to the processing of your personal data, you must specify in your request the grounds on which you ob-ject to the processing of your personal data (e.g. you no longer require compensation for a defective product). If you object to the processing of your personal data, we will no longer be able to process or respond to your customer feed-back.

We may ask you to verify your identity or further specify your request before implementing your request. We may also refuse to implement your request on grounds set out in data protection legislation, in which case we will inform you of such grounds.

11. Your right to file a complaint with the supervisory authorities

You have the right to file a complaint with the appropriate supervisory authorities if you believe that we have not processed your personal data in accordance with the applicable data protection legislation. You can file a complaint with the supervisory authorities in the EU member state where your permanent place of residence or employment is located or where the alleged personal data breach has occurred.

Version 1.2, updated on 14 February 2022

Changes to the privacy statement:

February 2022: The following amendments have been made to the privacy statement: we have updated the contact in-formation and removed the reference to the Privacy Shield arrangement.

January 2020: The following changes have been made to the privacy statement: we have added a mention of personal data disclosure based on auditing of the accounts and the law, updated the privacy statement with regard to personal data transfer, added a mention of longer personal data storage periods due to the law, a legal claim, a complaint period or a statute of limitations, combined the description of data subjects’ rights under one paragraph, simplified the language used and made the content more concise to make the privacy statement easier to read.