Data protection policy

Membership and customer register of the Vinhan ystävät ry association/Vinhan Kirjakauppa Oy.

In this data protection policy, you can find out for what purposes we use your data, what is the basis for our use and how we collect and store the data.

Controller and contact person:

Controller: Vinhan ystävät ry, Vinhan Kirjakauppa Oy
Address: Ruovedentie 15
Telephone: +358 (0)50 032 9591
Contact person: Pasi Vainio
Business ID: 326 35 90-8 Vinhan Kirjakauppa Oy / 328 96 73-7 Vinhan ystävät ry

Data Subjects

The register is used to process personal data of the current and former members of the Association, Vinha’s customers, invited guests at events and contact persons of organisations related to the operations of the Association (“Data Subject”).

Grounds for the processing of personal data and the purpose of use

The purpose of use of the register is the up-to-date management of personal data of the Data Subject during membership, its maintenance and development as well as marketing and direct marketing, in addition to the management of the documentation of terminated memberships in the personal data system (“System”).

The processing of personal data is based on the Association’s statutory duty to maintain a membership register and, in certain cases, the implementation of an agreement. The Association’s legitimate interest and obligation involves taking care of membership services, communication with members, charging membership fees and other fund-raising and care of contractual obligations. Legitimate interest means that there is a benefit from the data in taking care of matters related to the Association, while the risk of processing to the Data Subject is low. 

In our register, we store personal data collected from our members, customers and partners.

The purpose of processing personal data is to take care of the statutory obligations of associations and to provide membership services, communication with members, other communications related to stakeholders and the activities of the association as well as direct marketing (only with the consent of the data subjects), and to carry out membership fee invoicing and other fund-raising.

The legal basis for other processing of personal data is the management of the customer relationship in order to provide services in accordance with the contractual obligations, as well as the consent given to us by the customers when the customers have disclosed their information to us in connection with a product or service order in the online shop or a subscription to a newsletter.

The purpose of processing personal data is to provide customer service, customer communications, other communications related to stakeholders and the activities of the association as well as direct marketing (only with the consent of the data subjects), and carry out fund-raising.

Data subjects can prohibit the use of their data for sending bulletins and newsletters as well as direct marketing by notifying the controller about the matter.

We use the personal data of our customers to compile statistics on our operations. The data is also used to produce monitoring data sets, in which the data on an individual cannot be identified.

Regarding the online shop, the register and the data it contains are used to

• deliver the product or service ordered by the Data Subject
• process and archive the order and register the payment transaction
• provide a good customer experience
• confirm deliveries and inventory accounting
• monitor product sales and develop customer service and the online shop.

Personal data processed

The register is used to process the personal data and contact information of the members of the Association as well as other necessary information related to membership.

These data include:

basic information, such as the name
contact information, such as the email address, telephone number, street address
information on the corporation or the contact persons of the corporation, such as the business ID and the names and contact information of contact persons membership information (type and duration of membership)
membership fee payment information
refusal and/or consent to marketing and disclosure
identifying information for electronic communication
device and location information
lists of recipients of newsletters, bulletins, invitations and other communication on events. The lists include the name and email address of the customer.
order and customer information received via orders in the online shop, i.e. the identifying information of the customer as well as contact, payment and delivery information, such as the delivery method and address selected
information on enrolment to events and courses, including name, address and other contact information, the name and business ID of the corporation, if any, invoicing information, and other information needed for organising the event (e.g. special diet)

Regular sources of information

The data stored in the systems is primarily received from the customers themselves or via a group representing them either verbally, by telephone or email, via web pages or social media, in contests and through forms used in surveys, in connection with which the person has granted permission for marketing communications.

When our customers deal with us electronically, we automatically collect information on them that can be considered personal data. The data being collected includes, for example, the IP address, date and time of use, the devices used, the software and internet browser as well as the browser version. We may also collect data on clicks on the page and the pages they have visited as well as products added to the shopping cart in the online shop.

We use cookies on our website. A cookie is a small text file that is saved on your computer when you visit the site. We use Google Analytics, for instance, to compile statistics on how many visitors our site has and what pages they view the most. With a cookie, the browser can, for example, remember which language you have selected. The purpose of this information is to help us develop our operations and make using the site easier. 

If you share content from our pages with the social media buttons, the social media service installs its own cookie. In that case, the cookie comes from, for example, Instagram or Facebook, not our website. 

The cookies do not give us information that would allow us to identify who you are. The cookie records what has been done on our site using your browser and when. The use of cookies is based on consent, and if you wish, you can remove the cookies in the browser settings. 

Protection of personal data and data security

The personal data that is processed electronically has been protected and stored in the System of the Association; access to it is limited to only the persons who need the data in question in order to carry out their duties. These persons have personal user IDs and passwords.

The personal data is protected from external use, and the use of member data is monitored. Members have a personal user ID and password protection. Personal data sent outside the Association are encrypted. The workstations and storage media used are encrypted.

Regular disclosure and transfer of personal data

Personal data can be disclosed to the partners of the Association in order to implement measures and services related to membership of the Association.

Personal data can also be transferred to other service providers in order to implement the System. The partner of the controller that carries out the technical maintenance of the personal data register can transfer personal data in accordance with the applicable legislation on the protection of privacy and this data protection policy.

Transfers of personal data outside the European Union or the European Economic Area

The Association may also use other service providers located outside the European Union or the European Economic Area to process personal data. The transfer of personal data outside the European Union or the European Economic Area is always carried out on one of the legal grounds mentioned below:

The European Commission has determined that an adequate level of data protection has been ensured in the recipient country in question

The Association has implemented the appropriate protective measures for transferring personal data by using the standard data protection clauses approved by the European Commission. In that case, the Data Subject has the right to receive a copy of said standard data protection clauses by contacting the Association as described in the Contacts section

The Data Subject has specifically consented to the transfer of the Data Subject’s personal data, or there are other legal grounds for the transfer of personal data.

The access to personal data is limited to what is necessary to implement the services. The transfer of personal data outside the European Union or the European Economic Area is always based on the valid legislation on the processing of personal data and it is implemented in compliance with said legislation.

Storage period of personal data

The personal data is stored in the register as long as the Data Subject is a member of the Association. After the end of the membership, the personal data is stored for a maximum of ten years as of the end of the membership based on a legitimate interest of the Association, that is, in order to defend itself against potential legal claims (KKO 2017:15). The personal data may also be stored for a longer period, if the applicable legislation or the contractual obligations of the Association towards third parties require a longer storage period. The backup period of the controller’s service provider is 6 months.

The controller assesses the necessity of storage regularly taking the applicable legislation into account. In addition to this, the controller takes care of reasonable measures that ensure that no personal data on the data subjects that is obsolete, incorrect or incompatible for the purpose of processing is stored in the register. The controller corrects or erases such data without delay.

Rights of the Data Subject

Data Subjects have the right to object to the processing of their personal data for direct marketing purposes at any time. The Data Subject may give the Association their consent or prohibition concerning channel-specific direct marketing (such as by refusing marketing messages sent by email).

At any time, Data Subjects have, in principle, the right in accordance with the applicable data protection legislation to:

receive information on the processing of their personal data
access their own data and review the personal data on themselves processed by the Association
demand that inaccurate and incorrect personal data be rectified and supplemented;
demand the erasure of their personal data
withdraw their consent and object to the processing of their personal data insofar as the processing of personal data is based on the consent of the Data Subject
object to the processing of their personal data on grounds related to their particular situation, insofar as the grounds for the processing of personal data involve a legitimate interest of the Association
receive their personal data in a machine-readable format and transfer said data to another controller, provided that the Data Subjects themselves have sent said personal data to the Association, the Association processes said personal data based on the consent of the Data Subjects, and the processing is carried out automatically
demand the restriction of the processing of their personal data.

Data Subjects must present the request to exercise the rights mentioned above in accordance with the Contact section of this data protection policy. The Association may ask Data Subjects to specify their request in writing and confirm the identity of the Data Subject before processing the request. The Association may refuse to implement the request on grounds provided for in the applicable law.

Right to lodge a complaint with a supervisory authority

Every Data Subject has the right to lodge a complaint with the appropriate supervisory authority or the supervisory authority of the Member State of the European Union, in which the place of residence or work of the Data Subject is located, if the Data Subject finds that their personal data has not been processed in accordance with the applicable data protection legislation.


Any requests on exercising the rights of the Data Subject, questions about this data protection policy and other communications should be sent by email to Pasi Vainio at the address Data Subjects can also contact us in person or in writing at the address below:

Vinhan ystävät ry
Pasi Vainio
Ruovedentie 15, 34600 Ruovesi, Finland

The controller may ask to confirm the identity of the Data Subject before processing the request.

Changes to this data protection policy

This data protection policy can be updated from time to time, such as when the instructions by the authorities or the legislation changes or our operations change or develop so that what has been stated in this policy is no longer accurate. 

This data protection policy was last updated on 11 April 2023.

Shopping Basket