Privacy Policy
Privacy Policy
- Data controller
- What personal data is collected and how
- Why and on what basis personal data is processed
- With whom we share your personal data
- How we process and protect your personal data
- How long we retain your personal data
- International transfers
- Your rights and choices
- Children's personal data
- Contact us
- Updates to this policy
This privacy policy describes how All Things Commerce Helsinki Ltd ("All Things Commerce", "we" or "us") and its group companies process your personal data. The policy applies when you buy our products, use our services or otherwise interact with us, and is applicable also to corporate customers and partners. The policy describes how your personal data is collected, used and shared for example when you visit this site, place orders through the site, or sign up to receive communications from us.
Data controller
The main data controller for the processing of your personal data as described in this policy is All Things Commerce Helsinki Ltd, Salmisaarenranta 7 M, 00180 Helsinki. You can find our contact details at the end of this policy.
In addition, if you order products through this site, the data controller responsible for the processing of your personal data in connection with the order and thereto related communications is the company with which you have entered into the agreement. The applicable data controller is visible to you in the terms and conditions you have accepted in connection to the purchase.
Additional information on purchases from local group companies In some countries, in order for us to be able to provide you with the products you have ordered as smoothly as possible, All Things Commerce works together with local group companies which handle local sales. In cases where we cooperate with a local company and you have made a purchase with that company through our site, we share certain order fulfillment data with such company, and the local group company acts as an independent data controller of such personal data for the purposes of providing you with the products you have ordered or the services you have signed up for, and for communicating with you about your orders, refunds, returns or cancellations, or other communications relating to your orders. Our local subsidiaries are Funkis Ltd in the United Kingdom and Nordic Brand Retail GmbH in Germany. You are welcome to contact All Things Commerce in all matters relating to the data processing described in this policy by contacting us at the contact details mentioned in section 10 below. |
We are committed to respecting and protecting your privacy, and we want you to know how we process your personal data. We will describe the processing of your personal data in more detail below. All Things Commerce is the sole owner of the information collected on this site and the information is used only by us except where shared with other group companies for the purpose of carrying out sales and in cases where we use third party service providers to perform certain functions for us (as described in more detail under section 4 below).
What personal data is collected and how
Our processing situations
We collect the following personal data relating to you, in the following situations as applicable and based on the legal bases specified in section 3 below:
- Contacts:When you contact us through the contact information available on our site, for example with questions regarding our products or in connection with cancellations or other order questions, we need to process your data. The information includes your name, number or email address you contact us from, as well as other information you provide to us in connection with your interaction. For our corporate customer representatives, we may also process the customer's organization name, position and other information related to the corporate customer relationship.
- Accounts:If you create an account in our webstore, we collect your personal data in connection with creating and maintaining the account. Such information includes your name and email address, and other information you provide us through your use of the account such as order information.
Use of third-party marketing and analytics services
We use third-party marketing services to market our products to you, and analytics to improve our site, offerings and services. In connection to such third-party marketing services, third parties may gather information from our website and use it to send you targeted ads. For example, we use Facebook Custom Audiences to deliver advertisements to people who have visited our websites. We also use Google Ads for delivering targeted advertisements and Google Analytics for carrying out analytics on our site.
For more on this and how you can opt out,please see our Cookie Policy. For legal bases of processing, please refer to section 3 below.
Joint controllership
In connection to our Facebook page, Facebook Ireland Ltd. ("Facebook") and All Things Commerce (or a local group company, as applicable) are joint controllers with regard to the personal data of visitors of the page in question, where applicable.
Facebook is also the joint controller for certain processing carried out while we use other business tools offered by Facebook, such as Custom Audiences tools. The joint controllership extends to the collection of personal data via the Facebook business tools and its subsequent transmission to Facebook in order to be used for the purposes of creating custom audiences to target ad campaigns, to deliver commercial and transactional messages and to improve ad targeting and delivery optimization of our ad campaigns. Facebook is an independent controller for any processing of such data that takes place after it has been transmitted to Facebook.
Facebook processes personal information in accordance with its own privacy policies. You can find more information on how Facebook processes your personal data, including the legal basis Facebook relies on and the ways to exercise data subject rights against Facebook, in Facebook's own data policy which you can find here:https://www.facebook.com/about/privacy. Facebook is primarily responsible for complying with the obligations of data protection law and enabling data subject rights on its service, while All Things Commerce is responsible for complying with data protection obligations for its own part, e.g. for handling the data of visitors on its Facebook page in accordance with the processes and purposes set out in this policy.
More information on the processing Facebook carries out as well as about the division of responsibilities between Facebook and All Things Commerce as joint controllers can be found here:https://www.facebook.com/legal/controller_addendum.
Source of the data
Most of the personal data we process comes directly from you and is data which you choose to provide to us, for example in connection to a purchase, inquiry, or while signing up to the Moomin Fan Club. Data can also be obtained through other service providers, if possible and in accordance with applicable regulations. If you have given your consent to such, we may also collect automatically generated data through the use of cookies and other tracking technologies on our website.
Why and on what basis personal data is processed
In the below table, we describe the purposes for which we process your personal data, as well as the legal basis for the processing as required by data protection law.
Where we need to process your personal data due to a statutory or contractual requirement, or in order to enter into a contract with you, and you fail to provide the requested personal data to us, we may not be able to perform or enter into the contract with you (for example, to provide you with the requested goods or services). In this case, we may have to cancel a product or service you have with us (if relevant, we will notify you thereof separately).
Purpose of the processing |
Legal basis for the processing |
To provide you with the products you have ordered or the services you have signed up for. |
Necessary for the performance of the contract between us and you (GDPR Article 6(1)(b)). Note: In cases where we cooperate with a local group company in another country and you have made a purchase with that company through our site, the local group company acts as an independent data controller of personal data processed for this purpose. |
To communicate with you about your orders, refunds, returns or cancellations, or other communications relating to your orders. |
Necessary for the performance of the contract between us and you (GDPR Article 6(1)(b)). Necessary for the compliance with a legal obligation to which we are subject (GDPR Article 6(1)(c)). Note: In cases where we cooperate with a local group company in another country and you have made a purchase with that company through our site, the local group company acts as an independent data controller of personal data processed for this purpose. |
To communicate to you about certain products or marketing campaigns, to recommend products or services that might interest you, and to send promotional messages via email, phone, and/or other similar means of communication. |
Necessary for our legitimate interests to market our products (GDPR Article 6(1)(f)). Note: We will ask for your prior consent for sending electronic direct marketing, if so required by applicable law. If you have made a purchase through the site, you will receive regular product recommendations from us by e-mail. These product recommendations are sent to you by us whether or not you have subscribed to a newsletter. In this way we want to inform you about products offered by us that, on the basis of your last purchases, might well interest you. If you decide that you no longer want to receive product recommendations or advertising from us, you can object to this at any time by sending an email to privacy@moomin.com. There is, of course, also a cancellation link available in every e-mail. |
To comply with your request to not send you direct marketing, where applicable. |
Necessary for the compliance with a legal obligation to which we are subject (GDPR Article 6(1)(c)). |
To administer and manage the account you have signed up for. |
Necessary for the performance of the contract between us and you (GDPR Article 6(1)(b)). Necessary for our legitimate interests to provide customer service and facilitate order processes (GDPR Article 6(1)(f)). |
To manage, maintain and develop our relationship with you, including responding to an inquiry or question made by you though our site or its contact information, and providing you with other customer support. |
Necessary for the performance of the contract between us and you (GDPR Article 6(1)(b)). Necessary for our legitimate interests to provide customer service and facilitate order processes (GDPR Article 6(1)(f)). |
To allow you to participate in events or competitions organized or promoted by us and/or our partners. |
Necessary for the performance of the contract between us and you (GDPR Article 6(1)(b)). Necessary for our legitimate interests to provide you with information about our events and campaigns, and for our legitimate interests to market our products (GDPR Article 6(1)(f)). |
To communicate important notices to you, such as information about changes to the site or the terms of use. |
Necessary for our legitimate interests to provide customers with important changes to the site or our offerings (GDPR Article 6(1)(f)). |
To improve your purchase experience and for making it more customer-friendly and tailored for you. |
Necessary for our legitimate interests to market our products (GDPR Article 6(1)(f)). Your prior consent where so required by applicable law (GDPR Article 6(1)(a)). |
To carry out webpage analytics through the use of cookies and similar tracking technologies. |
Necessary for our legitimate interests to plan, develop and improve the site, the products and services we offer, and our marketing activities (GDPR Article 6(1)(f)). Your prior consent where so required by applicable law (GDPR Article 6(1)(a)). |
To make the advertising offers more useful and more interesting for you and to help us personalize our marketing communications to you, including to ensure that you receive relevant marketing communications based on your actions, purchases and general demographic data. |
Necessary for our legitimate interests to market our products (GDPR Article 6(1)(f)). Your prior consent where so required by applicable law (GDPR Article 6(1)(a)). |
To prevent and detect unlawful behavior, ensure compliance with applicable laws and policies, and protect or enforce our legal rights. |
Necessary for our legitimate interests to prevent and detect unlawful behavior, ensure compliance with applicable laws and policies, and protect or enforce our legal rights (GDPR Article 6(1)(f)). |
With whom we share your personal data
We will not sell, share or rent your personal data to any other entity for any reason. However, we may need to disclose your personal data to third parties in the following situations:
- Other group companies: We may share data with group companies and other associated companies or organizations where we consider that this is reasonably necessary for any of the legitimate purposes set out in this policy. If you make a purchase through the site from a local group company (as described in more detail under section 1), we will share your data with such group company for the handling of your order.
- Third parties for legal reasons:We reserve the right to transfer the information provided by you to the authorities if deemed necessary in order (i) to comply with applicable laws, regulations or a court decision; (ii) to detect, prevent, or otherwise address fraud, money laundering, terrorism financing, or technical or data security problems; or (iii) to ensure the safety and protect the assets of All Things Commerce or its customers, or for the purposes of public interest in accordance with the law.
- Third parties in connection with a business sale: If we are involved in a merger or business/asset transfer, we may transfer your personal data to one or more third parties as part of that transaction to the extent required by the nature and each phase of the transaction.
- Third parties with your express consent: We may disclose personal data to third parties for reasons other than those previously mentioned when we have your express consent to do so.
How we process and protect your personal data
Wewill only process personal data for the purposes for which it was collected and as set out above, and personal data will only be available to authorized employees holding a position that requires them to process the data to perform their work.
We are committed to process your personal data in a manner that ensures an appropriate level of security. Therefore, we use technical, administrative and organizational security measures to prevent unlawful or unauthorized processing of your personal data and accidental loss of or damage to the data. For example, the use of personal data is protected by appropriate user-specific credentials, passwords and access rights.
How long we retain your personal data
Your personal data will be retained only for so long as necessary for the particular purposes set forth in this policy and in accordance with applicable laws, including for the purposes of satisfying any legal requirements.
We will use your personal data for sending out our marketing communications until you inform us that you no longer want to receive such communications from us. If you want to stop receiving such communications, you can do so by either clicking "unsubscribe" in any email message received from us or by contacting us through the contact information mentioned under section 10 below.
International transfers
We primarily process your personal data on servers within the EU/EEA and the UK. However, we may need to transfer your information to a location outside the EU/EEA and the UK. The level of data protection in countries outside the EU/EEA or outside the UK may be lower than that offered within the EEA or the UK, and where this is the case, we will implement appropriate measures under applicable data protection legislation to ensure an adequate level of data protection for your personal data through our contractual practices (for example by entering into the European Commission's standard contractual clauses on transferring personal data to third countries, which may be foundhere) or other measures.
Your rights and choices
We have a legal obligation to ensure that your information is kept accurate and up to date. We invite you to help us to comply with this obligation by ensuring that any information you provide to us is true, accurate and complete, and by informing us of any changes to your information and/or updates to your preferences by updating your account or contacting us at privacy@moomin.com.
You have the following rights with respect to the processing of your personal data that we perform, subject to conditions and restrictions set out in applicable data protection legislation:
- Right to access personal data: You have the right to request access to the personal data relating to you. This includes for example the right to be informed whether or not personal data about you is being processed, what personal data is being processed, and the purpose of the processing.
- Right to rectification: You may request that we correct any inaccurate or incomplete personal data.
- Right to object: You are entitled to object to certain processing of personal data, including for example processing of your personal data for marketing purposes or when we otherwise base our processing of you on a legitimate interest. We will also give you the opportunity to opt out of future marketing whenever we send you marketing, and you can also opt out at any time by contacting us through the contact details set forth below. Please note that if you object to or opt out from receiving marketing from us, we may retain certain limited personal data about you (for example name and contact details) to ensure that we comply with your request also in the future.
- Right to erasure: You may also request that your personal data be erased if, for example, the personal data is no longer necessary for the purposes for which it was collected, the processing is unlawful, or the personal data has to be erased for compliance with a legal requirement.
- Right to restrict processing: In specific situations set forth in applicable data protection law, you have the right to demand that the processing of your personal data is restricted. This concerns for example when you have contested the accuracy of the data and we are verifying it, or when we no longer need the data for the purposes set forth in this policy but the data are required by you for the establishment, exercise or defense of legal claims. Where the processing of your personal data has been restricted as described above, we will process the personal data subject to the restriction only (in addition to storage) with your consent or for the establishment, exercise or defense of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.
- Right to data portability: If personal data about you that you yourself have provided is being processed automatically with your consent or in accordance with a contract between you and us, you may request that the data is provided in a structured, commonly used and machine-readable format and you may also request that the personal data is transmitted to another controller, if this is technically feasible.
- Right to withdraw your consent: In cases where the processing is based on your consent, you have the right to withdraw your consent to such processing at any time. Please note that withdrawing your consent will not affect the lawfulness of any processing carried out prior to such withdrawal, and that even after the withdrawal we might be entitled to continue processing your personal data if other legal grounds apply.
- Right to lodge a complaint with the data protection supervisory authority: If you wish to file a complaint with a national supervisory authority regarding our processing of your personal data, you may do so by contacting your local data protection authority. The relevant authority in Finland is the Data Protection Ombudsman (www.tietosuoja.fi) and the relevant authority in the UK is the Information Commissioner's Office (https://ico.org.uk/). You can find the contact details to other European data protection supervisory authorities here:https://edpb.europa.eu/about-edpb/board/members_en.
If want to exercise any of your above-mentioned rights, please contact us through the contact information set forth under section 10 below and send over the following information to us by post or email: name, address, telephone number and a copy of a valid form of identification. Please note that we may request that you provide more information for identity verification.
We will respond as soon as reasonably possible and at the latest within the time frame specified under applicable data protection legislation. We may reject requests that are repeated unreasonably often, are excessive or which are clearly unjustified.
Children's personal data
The site is not intentionally targeted to, or intended for, children under the age of 18, and we do not knowingly collect personal data relating to children.
Contact us
The appointed data protection supervisor of All Things Commerce is Jonas Forth.
If you have any questions regarding our processing of your personal data, please feel free to contact us atprivacy@moomin.com. You can also contact us at:
All Things Commerce Helsinki Oy
c/o Jonas Forth
Salmisaarenranta 7M, 00180 Helsinki, FINLAND
Updates to this policy
We may change and update this privacy policy. Any changes to this policy will be posted on this page. This policy was last updated on March 1st 2021.