• Home
  • Privacy Policy for New Customer Acquisition

Privacy Policy for New Customer Acquisition

Pihla’s Privacy Policy for New Customer Acquisition Pihla processes personal data in accordance with the applicable data protection legislation. 

Updated 3 October 2025 

1 Data controller 

Data controller: Pihla Group Oy (Business ID: 18826249) 

Address: Äyritie 16, FI-01510 Vantaa, Finland 

Other contact details: Customer service +358 800 550 880 

2 Contacts on matters concerning the register 

Email address: tietosuoja@pihla.fi 

3 Name of the register 

New Customer Acquisition Register 

4 Purpose of processing personal data 

The register contains information necessary for new customer acquisition. The data is used for campaigns aimed at the data subject and for marketing products and services. The legal basis for the processing of personal data is the data subject’s consent to the processing of personal data for electronic marketing purposes or the legitimate interest of the controller to process personal data in connection with the acquisition of new customers. 

5 Data content of the register 

The register contains entries on potential customers, their properties and contact persons. The data may include name, address, telephone number and email address. 

6 Regular sources of information 

The data content of the register is collected from the data subjects themselves, for example in connection with competitions, as well as through disclosures from the databases of other data controllers. The party disclosing personal data is responsible for the accuracy of the data and the legal basis for the disclosure.   

7 Regular disclosures of data 

Personal data necessary for business operations may be disclosed between entities within the Pihla Group. As a general rule, personal data of data subjects will not be disclosed to third parties. If personal data are disclosed, the recipient undertakes to use the transferred personal data on behalf of and for the account of the controller, for example when an authorised reseller, debt collection agency or transport company performs its contractual duties. Data may also be disclosed to an authority if there is a statutory basis for doing so.   

8 Transfer of Data Outside the EU or EEA

As a rule, personal data is not transferred outside the EU or EEA. If transfers are made, we use safeguards approved by the European Commission, such as Standard Contractual Clauses (SCCs), as well as the EU–US Data Privacy Framework, in order to ensure an adequate level of data protection.

The marketing automation service we use, ActiveCampaign, is registered under the EU–US Data Privacy Framework, on the basis of which it is deemed to provide an adequate level of protection for the processing of EU personal data in the United States. Our newsletters and other marketing automation messages include a link to the Privacy Notice as well as an option to unsubscribe from the mailing list.

9 Principles of register protection 

  1. Manual data 

If manual material is obtained or printed from the register it is kept in a locked space and safeguarded to ensure that personal data are not used for purposes other than those stated in this notice. Unnecessary manual material is securely destroyed in accordance with the decisions and regulations and instructions on data retention. 

  1. Data processed electronically 

Data is stored in databases protected by firewalls, passwords and other technical means. The databases and their backups are located in locked premises and only certain designated persons have access to the data.   

10 Rights of the data subject 
The data subject has the right to: 

  • receive information on the processing of personal data 
  • access their personal data 
  • request the rectification of inaccurate or incomplete personal data 
  • request the erasure of their personal data (right to be forgotten) 
  • withdraw consent on which the processing is based if no other lawful basis for processing exists 
  • request the restriction of processing of their personal data 
  • receive notification of the rectification, erasure or restriction of processing of their personal data 
  • exercise the right to data portability 
  • object to the processing of their personal data 
  • not be subject to automated decision-making without a lawful basis. 

Requests concerning these rights shall be made personally with contact details as indicated in section 2. 

The data subject also has the right to lodge a complaint with the supervisory authority if they consider that their personal data have been processed in violation of applicable data protection legislation. 

11 Profiling and automated decision-making 

Profiling: Filters such as geographical location and age distribution may be used to select consumer contact details for potential new customer acquisition. The filtering criteria are not stored in our register. 

Automatic decision-making: The data will not be used for automated decision-making. 

12 Data retention and deletion 

Personal data recorded in the register are deleted within 60 months of entry or when there is no lawful basis for their retention. 

Version 3 October 2025: Clarification regarding data transfers.