Privacy policy


This is a statement on the processing of your personal data pursuant to the European Union's General Data Protection Regulation (679/2016).


1. Controller

Schoffa Oy Ab
Business ID: 1983116-2
Address: c/o Schoffa PL 175, 00121 Helsinki


2. Communication regarding privacy matters

We request that data subjects use the contact information provided above for all communication regarding the processing of personal data and situations related to the exercise of your rights.


3. Basis and purpose of processing personal data

The legal bases for the processing of personal data are:

  • The consent to the processing of personal data provided by the data subject;
  • The contractual relationship between the data subject and the controller;
  • Fulfillment of the controller's statutory obligations; or
  • The controller's legitimate interest.

The purposes of processing the personal data include:

  • Webshop activities, as well as orders and purchases; 
  • Providing sales and services as well as their development in-store and on the controller's online channels;
  • Customer communications and marketing; and
  • Statutory obligations and administrative procedures (such as accounting and consumer rights proceedings).

4. Personal data being processed

The controller only collects personal data concerning the data subjects that are essential and necessary for the purposes listed in this privacy policy.

The following personal data are processed:

  • Basic customer information (name, address, telephone number, email address);
  • Information regarding orders, shipping, and returns; and
  • Use of services and order information in different sales channels (in-store and online).


5. Disclosure of personal data

Personal data are generally not disclosed to third parties.

Personal data are disclosed to payment service providers, such as banks, credit institutions, and other payment service providers, to the extent required for enabling the payment services.

In addition to the controller, personal data are processed by the controller's service providers and partners on behalf of the controller and by assignment. Such service providers and partners include IT service providers, who inter alia take care of systems maintenance, and partners who assist in delivering the controller's products and services. The main recipients  and/or processors of personal data on behalf of the controller are Shopify Inc., provider of online shopping services, Viva Payments Services Single Member S.A. and Paytrail Oyj, providers of payment services, as well as PostNord Oy, provider of shipping and delivery services.

Personal data may also due to statutory obligations be shared with for example public authorities.

6. Retention period for personal data

As the basis for processing personal data is consent provided by the data subject, the controller ceases the processing after the consent is withdrawn by the data subject. Data regarding orders, returns and invoicing are processed as part of the controller's accounting material for the duration stipulated by the applicable bookkeeping legistlation.

The controller may have an obligation to process some personal data longer than stated above in order to comply with legislation or requirements from public authorities.


7. Rights of the data subject

A. Right to request access to personal data

The data subject has the right to receive confirmation regarding whether personal data are being processed and, if it is, the right to receive a copy of their personal data.


B. Right to rectification

The data subject has the right to request that inaccurate and erroneous personal data are rectified. The data subject also has the right to supplement incomplete personal data by providing the required additional information.


C. Right to erasure

The data subject has the right to request erasure of their personal data if:

  • the personal data is no longer required for the purposes for which they have been collected;
  • the data subject withdraws their consent which the processing of personal data is based on, unless some other legal basis exists for the processing; or
  • the personal data has been unlawfully processed.


D. Right to restriction of processing

The data subject has the right to restrict the processing of their personal data if:

  • the data subject contests the accuracy of their personal data;
  • the processing is unlawful and the data subject opposes the erasure of their personal data and requests the restriction of its use instead; or
  • the controller no longer needs the personal data for the purposes of the processing, but the data subject needs them for the establishment, exercise or defence of legal claims. 


E. Right to object

The data subject has at any time the right to object, on grounds relating to their particular personal circumstances, to the processing of personal data concerning them.

The controller shall no longer process the data subject's personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims.

Where personal data is processed for direct marketing purposes, the data subject has the right at any time to object to the processing of personal data concerning them for such marketing, including profiling to the extent that it is related to such direct marketing.

F. Right to withdraw consent

The data subject has the right to withdraw the consent they have provided for the processing, without affecting the lawfulness of processing based on consent before its withdrawal.


G. Right to data portability

The data subject has the right to receive the personal data concerning themselves, which they have provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit this data to another controller.


H. Right to lodge a complaint with a supervisory authority

The office of the Data Protection Ombudsman, operating under the Ministry of Justice, is the national supervisory authority for personal data matters. You have the right to bring your case to the supervisory authority if you consider that the processing of personal data concerning you is in violation of applicable law.