Privacy Policy

Version 1.0 · Updated 22 May 2026

This Privacy Policy describes how Piikkio Works Oy (hereinafter referred to as the “Controller”) processes personal data on its website. This policy fulfills the information obligations under the EU General Data Protection Regulation (GDPR 2016/679) and the Finnish Data Protection Act (1050/2018).

1. Controller

Piikkio Works Oy | Business ID: 1736847-7 | Address: Kolamäentie 2, 21500 Piikkiö, Finland | Email: hr@piikkioworks.fi | Phone: +358 10 67010 (switch)

Contact Person for Data Protection Matters

Tarja Laiho, tarja.laiho@piikkioworks.fi, tel. +358 40 534 7980

2. Personal Data Processed

The Controller collects personal data on its website as follows:

2.1 Contact Form (Supplier Inquiries)

The following information is collected through the form:

  • name
  • company
  • email address
  • phone number
  • information provided in the form and message content

2.2 Open Job Applications

In connection with unsolicited job applications received by email, the Controller processes information provided by the applicant, which may include:

  • name and contact details
  • education and work experience information
  • application letter, CV, and possible attachments
  • other information voluntarily provided by the applicant

2.3 Technical Data and Cookies

The website also automatically collects technical data, such as:

  • IP address
  • browser type and version, operating system, device type
  • information about visited pages, referrer URL, and time of visit
  • data collected through cookies (see section 10)

Source of data: All personal data is collected directly from the data subject or automatically when the user visits the website. Data is not collected from other sources.

3. Purposes and Legal Bases for Processing

Personal data is processed for the following purposes and based on the following legal grounds under Article 6 of the GDPR:

Responding to Inquiries and Supplier Cooperation

Legal basis: Legitimate interest of the Controller (GDPR 6 art. 1 f) and preparation and performance of a contract (GDPR 6 art. 1 b) when the inquiry leads to cooperation.

Recruitment

Legal basis: Taking steps at the request of the data subject prior to entering into a contract (GDPR 6 art. 1 b) and the legitimate interest of the Controller in carrying out recruitment processes (GDPR 6 art. 1 f).

Website Functionality and Technical Maintenance

Legal basis: Legitimate interest of the Controller (GDPR 6 art. 1 f) in ensuring website functionality, security, and usability. For strictly necessary cookies, processing is based on Section 205 of the Finnish Act on Electronic Communications Services (917/2014).

Website Analytics

Legal basis: User consent (GDPR 6 art. 1 a), which is requested through the cookie consent tool before analytics cookies are placed.

4. Retention Periods

Personal data is retained only for as long as necessary to fulfill the purpose of processing or as required by law. After the retention period, the data will be deleted or anonymized.

  • Contact form data: 12 months from the end of the communication, unless the inquiry leads to ongoing cooperation.
  • Supplier cooperation data: for the duration of the cooperation and for 2 years thereafter, unless accounting legislation or other laws require longer retention.
  • Accounting materials (invoices, receipts): 6 years from the end of the financial year in accordance with the Finnish Accounting Act (1336/1997).
  • Open job applications: 12 months from receipt of the application, unless the applicant consents to longer retention or the application results in employment.
  • Technical log data: maximum of 12 months, unless longer retention is required for information security reasons.
  • Cookie data: according to cookie-specific retention periods; see the separate Cookie Policy (section 10).

5. Recipients of Data

Personal data is processed on behalf of the Controller by the following parties acting as data processors under the GDPR based on appropriate data processing agreements:

Website Technical Implementation and Maintenance

Perjantai Markkinointiviestintä Oy (Finland) is responsible for website hosting and technical maintenance.

Analytics

Google Ireland Limited / Google LLC (Google Analytics 4) collects information about website usage. Processing is based on user consent (see section 10).

Personal data is not disclosed to third parties for marketing purposes and is not sold. Data may be disclosed to authorities where required by law.

6. Transfers of Personal Data Outside the EU/EEA

In connection with the use of the website analytics service (Google Analytics 4), personal data may be transferred to the United States.

Transfer mechanism: The transfer is based on the adequacy decision adopted by the European Commission on 10 July 2023 regarding the EU–U.S. Data Privacy Framework. Google LLC is certified under the framework, ensuring an adequate level of data protection as required by the GDPR.

The data subject has the right to receive additional information about the safeguards used by contacting the Controller (see section 1).

7. Protection of Personal Data

The Controller protects personal data through appropriate technical and organizational measures, including:

  • access control and restriction of access rights only to persons who need the data for their work duties
  • password protection and, where necessary, two-factor authentication for systems
  • encrypted data transmission (SSL/TLS) on the website
  • data processing agreements concluded with processors
  • regular evaluation of information security and processes

8. Rights of the Data Subject

Under the GDPR, the data subject has the following rights regarding the processing of personal data:

Right of Access (Art. 15) The right to obtain confirmation as to whether personal data concerning the data subject is being processed and to receive a copy of the processed data.

Right to Rectification (Art. 16) The right to request correction of inaccurate or incomplete data.

Right to Erasure (Art. 17) The right to request deletion of personal data when there is no longer a legal basis for processing.

Right to Restriction of Processing (Art. 18) The right to request restriction of processing in certain situations.

Right to Object (Art. 21) The right to object to processing based on legitimate interest.

Right to Data Portability (Art. 20) The right to receive personal data provided by the data subject in a structured, commonly used, and machine-readable format.

Right to Withdraw Consent (Art. 7) Where processing is based on consent, the data subject may withdraw consent at any time. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Right Not to Be Subject to Automated Decision-Making (Art. 22) The Controller does not make automated decisions or carry out profiling based on personal data that would produce legal or similarly significant effects on the data subject.

Requests concerning the exercise of these rights shall be addressed to the Controller using the contact details provided in section 1. Requests will be answered within one month.

Right to Lodge a Complaint with a Supervisory Authority The data subject has the right to lodge a complaint with the Office of the Data Protection Ombudsman if they believe that the processing of personal data violates their rights.

Office of the Data Protection Commissioner
Postal address: P.O. Box 800, FI-00531 Helsinki, Finland
Visiting address: Lintulahdenkuja 4, FI-00530 Helsinki, Finland
Telephone (switch): +358 29 566 6700
Email: tietosuoja@om.fi
Website: https://tietosuoja.fi

9. Voluntary Provision of Data

Submitting the contact form and open job applications and providing personal data is voluntary. Mandatory fields are marked on the form. If mandatory information is not provided, the Controller may not be able to process the inquiry or job application.

10. Cookies

The website uses cookies to ensure website functionality, improve user experience, and analyze visitor numbers and website usage.
Cookies are categorized according to their purpose as follows:

  • Strictly necessary cookies: enable the basic functionality of the website and do not require consent.
  • Statistics and analytics cookies: help understand how visitors use the website. Use is based on consent.
  • Marketing cookies: used if marketing tools are utilized on the website. Use is based on consent.

The website uses the Cookiebot cookie management tool, which allows users to provide, manage, and withdraw their cookie consent. Consent can be changed at any time through the website’s cookie settings.

Users may also block the use of cookies through their browser settings. However, this may impair website functionality.

11. Changes to the Privacy Policy

The Controller may update this Privacy Policy, for example due to changes in legislation or services. The latest version is available on the website. Material changes will be communicated separately where necessary.