Luhta.com online shop register description and privacy policy

1. Controller

L-Fashion Group Oy
Business ID: 0149158-5
P.O. box 55, 15501 LAHTI, Finland
Tel. +358 (0)3 822 111 (switchboard)

2. Contact information for matters related to the register

If the matter pertains to the processing of personal information or the use of the rights based on GDPR in the Luhta.com online shop, you may contact the Data Protection Officer of L-Fashion Group Oy. The Data Protection Officer may be contacted via email at dataprotection@luhta.fi.

3. Register name

Luhta.com online shop customer register.

4. What data do we process?

We process data relating to the customer:

  • First name and last name

  • Date of birth

  • Home address, zip code, town or city (unlisted address or other contact information will not be entered into the register, the provider of the information is responsible for the conformance of the data)

  • E-mail address

  • Phone number

  • gender

  • Preferred language of communication

  • Permissions for direct marketing and other marketing communication, such as marketing surveys

Data that is possibly collected on the basis of customer relationship:

  • Purchases made based on location of purchase, total, product group and product

  • Data collected for the purpose of developing the customer relationship

  • Possible data on the controller’s retail chains, services and products that interest the customer

  • Data voluntarily provided by the customer

Information that is possibly collected at the request of the customer:

  • Direct marketing restriction

  • Restriction on sending marketing surveys

5. Purpose of processing personal data

The personal data of Luhta.com online shop customers are processed for the following purposes: 

- Using the online shop:
Personal data are processed for the processing of Luhta.com online shop orders, purchase transactions and returns as well as for invoicing and crediting.

Basis for processing: fulfilment of contract, legal obligation

- Customer service:
Personal data are processed for the purpose of managing customer relations, communication with customers as well as designing and improving the customer service experience of Luhta.com customers. Feedback for developing the online shop may also be gathered in the register.

Basis for processing: customer consent, legitimate interest, legal obligation

- Marketing:
Personal data are also processed for marketing purposes. The data in the Luhta.com online shop register may also be used for targeting special offers, benefits, events or other marketing measures. The purchasing behaviour data of the Luhta.com online shop are gathered into the register on location of purchase, total, product group and product level.

Basis for processing: customer consent, fulfilment of contract

- Developing business operations:
Personal data are also processed for the purpose of designing and developing business operations.

Basis for processing: customer consent, legitimate interest

Providing data for the controller is based on the consent of the customer. If the customer does not provide the controller with all the personal data mentioned in point 4, the customer may not necessarily receive all the benefits of the Luhta.com online shop and the customer cannot make purchases in the Luhta.com online shop.

6. Where is data collected from?

The basic data and marketing data of the customer are collected from the Luhta.com online shop customer account and possibly from the notifications the customer gives the controller during the customer relationship either while the customer is using the controller’s services or when the customer gives or refuses consent for marketing when asked by the controller. The customer’s publicly available name and contact information can also be obtained from officials and companies offering updating services as the controller updates the customer register.

Data can also be obtained from the notifications given by the customer or from the answers the customer has given in customer surveys.

7. Information on the recipients of the personal data

Personal data are processed by the employees of either L-Fashion Group Oy or L-Fashion Group Oy partners. The processor of the personal data is bound by duty of confidentiality and personal data are processed confidentially.

Information may be disclosed from the register to officials if legislation so requires. The data stored in the customer register are not disclosed to parties outside of L-Fashion Group Oy other than in the circumstances described below or because of a legal obligation.

Customer register data can be disclosed to partners in the following situations:

Technical implementation of data processing:

To ensure the technical implementation of data processing, data may be transferred to or they can be collected directly by contract partners of the controller (such as suppliers, companies offering payment or fraud protection services, credit information companies and companies offering analysis environments, marketing services and marketing surveys). In these cases, the obligations related to data processing have been organised with contracts between the partners.

Examples of these third parties are Lamia Oy, Custobar Oy, Frosmo Oy, Klarna Ab, Posti Group Oyj, Google and Meta.

Other legal basis:

Data may be disclosed outside of L-Fashion Group Oy, if it is necessary on the basis of legislation or there is another legal basis for the disclosure, such as if it is necessary in order to protect the company from legal action.

It is L-Fashion Group Oy’s goal that personal data are primarily processed in the EU and the European Economic Area.

Within the limits of the European Union General Data Protection Regulation (GDPR) and other applicable law, data may be transferred outside the EU or the European Economic Area if this is required by the technical implementation of its processing (see section ´Technical implementation of data processing´). If data are transferred, the security measures required by legislation are followed. If such transfer of data is implemented, a contract following the EU Commission Standard Contractual Clauses is signed, or the contract partner is required to follow the EU Commission Standard Contractual Clauses, the receiving country has an adequate level of data protection as ruled by the EU Commission, the company processing the data has Binding Corporate Rules or there is another legal basis for the transfer such as establishment, exercise or defence of legal claims.

8. Register protection principles and data retention period

Only specific employees of the controller or its partners have the right to access the register based on the user right granted by the controller. The information system of the Luhta.com customer register has been protected with firewalls and other technical security measures. The information system can only be accessed by named users using their personal usernames and passwords. The processor of the personal data is bound by duty of confidentiality and personal data are processed confidentially.

If the customer has not made purchases or changed or asked customer service to update their data in four (4) years, the customer relationship ends. When the customer relationship ends, the customer’s data are removed from the customer register. The customer will be informed of the end of the relationship beforehand.

Personal information is generally not kept in manual registers. Applications and other manually handled documents containing customer data are kept in locked and fireproof storage facilities.

The controller assesses the risks pertaining to data protection regularly.

9. Right of access

The customer has the right to find out what data the register holds about them. The customer can access their data primarily through the online shop at . If the customer is not able to access their data online, they can make a written and signed request for accessing their personal data. The request must be delivered to a Luhta Brand Store or Luhta Outdoor Store store. The customer must additionally send a copy of the request to the Data Protection Officer of L-Fashion Group Oy by mail or via e-mail (dataprotection@luhta.fi). In the access request, the customer must state their identity and address.

The customer also has the right to know if L-Fashion Group Oy is processing their personal data. The customer must make a written and signed request for the information about data processing and deliver it to a Luhta Brand Store or Luhta Outdoor Store store. The customer must in addition send a copy of the request to the Data Protection Officer of L-Fashion Group Oy by mail or via e-mail (dataprotection@luhta.fi). In the request, the customer must state their identity and address.  The customer has the right to receive a copy of the processed data. If their data are not processed, the customer also has the right to receive confirmation of it. If the customer refuses consent for marketing communication, the customer may still be sent information regarding purchases or the customer relationship. In certain circumstances, the provision of information is a requirement for the implementation or use of a service.

10. Right to rectification of personal data

The customer has the right to have any incorrect or incomplete personal data rectified.

The customer can rectify their data primarily online at .

If the customer is not able to rectify their data online, they can make a written and signed request for rectification of their personal data. The request must be delivered to a Luhta Brand Store or Luhta Outdoor Store store. The customer must in addition send a copy of the request to the Data Protection Officer of L-Fashion Group Oy by mail or via e-mail (dataprotection@luhta.fi). In the rectification request, the customer must state their identity and address.

The controller may also rectify or complete incorrect or incomplete data in the register on their own initiative.

11. Right of erasure of personal data

The customer has the right to have their personal data erased where one of the following grounds applies:

  1. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;

  2. the customer withdraws consent on which the processing is based and where there is no other legal ground for the processing;

  3. The customer objects, on grounds relating to their particular situation, to processing of personal data concerning them which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling;(In this case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the customer or for the establishment, exercise or defence of legal claims.)

  4. The customer objects to the processing of their personal data for direct marketing purposes;

  5. The personal data have been unlawfully processed;

  6. the personal data have to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject; or

  7. the personal data have been collected from a child in relation to the offer of information society services.

The customer may make a written and signed request about the erasure of their personal data. The request must be delivered to a Luhta Brand Store or Luhta Outdoor Store store. The customer must in addition send a copy of the request to the Data Protection Officer of L-Fashion Group Oy by mail or via e-mail (dataprotection@luhta.fi). In the request, the customer must state their identity and address.

If the customer has not made purchases or changed or asked customer service to update their data in four (4) years, the customer relationship ends. When the customer relationship ends, the customer’s data are removed from the customer register. The customer will be informed of the end of the relationship beforehand.

12. Restriction of processing personal data

The customer has the right to obtain from the controller restriction of processing where one of the following applies:

  1. the accuracy of the personal data is contested by the customer, for a period enabling the controller to verify the accuracy of the personal data;

  2. the processing is unlawful and the customer opposes the erasure of the personal data and requests the restriction of their use instead;

  3. the controller no longer needs the personal data for the purposes of the processing, but they are required by the customer for the establishment, exercise or defence of legal claims;

  4. The customer objects, on grounds relating to their particular situation, to processing of personal data concerning them which is necessary for the performance of a task carried out for reasons of public interest or for the exercise of official authority vested in the controller or processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party and the controller is waiting for the verification whether the legitimate grounds of the controller override those of the customer.

Where processing has been restricted, such personal data shall, with the exception of storage, only be processed with the customer’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the Union or of a Member State.

The customer may make a written and signed request about the restriction of processing of their personal data. The request must be delivered to a Luhta Brand Store or Luhta Outdoor Store store. The customer must in addition send a copy of the request to the Data Protection Officer of L-Fashion Group Oy by mail or via e-mail (dataprotection@luhta.fi). In the request, the customer must state their identity and address.

13. Right to object

The customer has the right to object to the processing of their personal data where one of the following applies:

  1. The customer has the right to object, on grounds relating to their particular situation, at any time to processing of personal data concerning them, which is necessary for the performance of a task carried out for reasons of public interest or for the exercise of official authority vested in the controller or which is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, including profiling (In this case, the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the customer or for the establishment, exercise or defence of legal claims.); or

2. The customer has the right to object, at any time, to processing of personal data concerning them for direct marketing, which includes profiling to the extent that it is related to such direct marketing.

The customer may give a written and signed notice of objection about the processing of their personal data. The notice must be delivered to a Luhta Brand Store or Luhta Outdoor Store store. The customer must in addition send a copy of the notice to the Data Protection Officer of L-Fashion Group Oy by mail or via e-mail (dataprotection@luhta.fi). In the notification, the customer must state their identity and address.

14. Transfer of data

The customer has, under certain circumstances, the right to transfer the personal data stored by the controller to themselves or to another controller. The right applies to personal data, which the customer has given to the controller and which the controller processes based on the consent of the customer or in order to fulfil a contract in which the customer is a party. The right applies to data which are processed using data processing techniques.

15. The right to withdraw consent

The customer can, at any time, withdraw consent, when the processing of their personal information is based on this consent. The processing of personal data is based on consent, for example, when the customer has given consent to electronic direct marketing.

The customer can withdraw their consent by contacting the customer service of the Luhta.com online shop.

16. Information about automated decision-making and profiling

Decision-making is automated when

  • decision-making is based solely on automatic processing of personal data; and

  • The decisions made have legal effects or similarly significantly affects the registered.

Profiling means the automated processing of personal information, in which personal aspects are evaluated.

Profiling specifically relates to the analysis or prediction of aspects concerning, for example, personal preferences, interests or behaviour.

Profiling

Is automated or semi-automated;

Targets personal data; and

Evaluates personal aspects.

The controller may profile their customers in order to target marketing based on the purchasing behaviour and preferences of the customer. According to the estimate of the controller, this kind of profiling does not have significant effects on the targeted customer. In addition, the profiling done by the controller is always based on the consent of the customer and the customer has the right to object to the profiling.

17. The right to lodge a complaint

If the customer considers the processing of their personal data by L-Fashion Group Oy to violate the provisions of the EU’s General Data Protection Regulation, the customer may lodge a complaint with a supervisory authority in their permanent place of residence or place of work or where the customer considers the violation of the provisions to have happened. In Finland the authority in question is the Data Protection Ombudsman.

Office of the Data Protection Ombudsman
Street address: Lintulahdenkuja 4
FI-00530 Helsinki, Finland

Postal address: P.O. Box 800
FI-00531 Helsinki, Finland

Phone (switchboard): + 358 29 56 66700
Fax: + 358 9 56 66735
E-mail: tietosuoja@om.fi