Privacy Policy

This Privacy Policy applies to the following member companies of KPY Group: KPY Cooperative (0171476-9) and KPY Novapolis Oy (2682876-2). The head offices of the companies are located at Viestikatu 7, 70600 Kuopio, Finland.

Processing and protection of personal data

KPY attaches great importance to data protection and the preservation of the privacy of individuals in the course of its activities and in processing personal data. KPY processes personal data in accordance with the EU Data Protection Regulation and other applicable data protection legislation while ensuring privacy and the confidentiality of personal data. In data processing, every effort is made to ensure materiality, data security and the protection of the rights of the data subjects.

The safeguards to protect personal data include appropriate technical and organisational measures, such as limitation of access, firewalls, data protection software and encryption. Personal data is only processed by persons who need to do so to carry out their duties and only to the extent required for this purpose. KPY’s existing IT systems support individual management of user access. Access rights are limited to employees who need the information stored in the IT systems in order to perform their work. Access is specifically limited to individual employees. Manually stored data is held in locked rooms only accessed by authorised personnel. Additionally, KPY provides training and instructs the staff in the procedures related to the processing of personal data and data protection.

Similarly, KPY expects its service providers to comply with the non-disclosure requirements and existing legislation on the protection of privacy and personal data. KPY does not allow third parties to use the personal data of members or customers for their own purposes without authorisation.

Contact details

KPY’s contact person in matters related to the privacy policy:

Teemu Pieviläinen
Viestikatu 7, 70600 Kuopio
Tel. + 358 (0)17 369 7800

A person other than the individual identified above may also serve as the contract person responsible for the personal data file.

Purpose of the processing of personal data and legal basis

Personal data is used for the purpose of managing customer relationships, disseminating information to cooperative members, maintaining the member register, executing orders issued by customers, offering products and services, marketing as well as for business development purposes.

Personal data is processed on the legal basis set out in law. More details of the legal basis are provided in the privacy statement prepared for each personal data file. Processing may be contract-based, which means that personal data is processed in order to fulfil a contract. Additionally, a data subject may give his or her consent to the processing of their data for one or several purposes. Such consent should be a voluntary, specific, informed and explicit expression of intent by which the person involved agrees to the processing of his or her personal data. The controller of the data file must be able to demonstrate that such consent required by law exists. Any consent should be just as easy to cancel as it was to give. Aside from the foregoing criteria, the processing of personal data may be based on statutory requirements.

KPY has in place several data files for managing personal data, each complete with a specific privacy statement. Cooperative societies and limited liability companies have different legal or contract-based rights and obligations in collecting and processing personal data. Hence, the personal data, the criteria for collecting and disclosing personal data and the purposes for which it is processed vary according to the operator involved. As a result, we have prepared specific privacy statements for each data file based on the KPY entity or company or the function or service involved.

Regular sources of data

As a rule, personal data is acquired directly from the persons concerned. Additionally, data may be retrieved from public registers maintained by the authorities. Other potential sources include employers.

To track the volume of service users and monitor other anonymous data, KPY uses cookies and web analytics (Google Analytics 4 and/or Leadoo Marketing Technologies) or other similar technologies. Linked third-party services (such as YouTube video clips and social media sites) may store information for identifying users. More information on the use of cookies is provided on KPY’s website.

Transfer of data outside the EU or EEA

Where possible, KPY provides the services and processes personal data by making use of providers and services available within the EU or EEA. However, with some functions and services, it may be necessary, in isolated cases, to rely on providers, services and servers located elsewhere.

KPY does not transfer or disclose personal data to outside the European Union or the EEA except on valid legal grounds. Some of KPY’s service providers may be based outside the European Economic Area. If so, KPY will make contract-based arrangements to protect data transfers to such service providers.

Disclosure of data

Personal data is only disclosed subject to the limitations set out in law or contracts. KPY does not sell personal data to third parties. Personal data may be disclosed to the authorities subject to the limits imposed by the existing legislation.

KPY’s entities and affiliated companies may rely on other KPY Group member entities or companies for the provision and maintenance of services intended for members and customers, the analysis of customer and user data as well as for communication, marketing and business development purposes. Additionally, KPY may rely on subcontractors and other service providers for the delivery of said services or performing said functions. Users’ personal data may only be disclosed to said operators to the extent they participate in the delivery of the services or the performance of the functions for the purposes specified in more detail in the privacy statements.

Storage of data

In storing the data, KPY complies with the obligations set out in the existing legislation. More information on storage periods is provided in the privacy statements of the data files.

Breaches of data protection

Personal data breach means a breach of security leading to the destruction, loss, alteration or unauthorised disclosure of, or access to, personal data.

KPY is making active efforts to develop procedures to identify and manage potential yet unlikely data protection infractions and breaches. The purpose of the procedures is to detect any personal data breaches and limit any consequential loss or damage as effectively as possible.

KPY documents all personal data breaches and reports them to the supervisory authority, if the breach may pose risk to the rights and freedoms of natural persons.

Rights of the data subject

Under the rights of data subjects defined in the EU General Data Protection Regulation, everyone has the right to know whether his or her data is being processed by KPY. If so, the data subject has the right to:

  • access the personal data and learn what information is stored, for what purpose, to whom the data is possibly disclosed, and for how long it is stored;
  • request that his or her personal data be corrected, complemented or deleted;
  • limit the processing or his/her personal data;
  • object to the processing or his/her personal data;
  • request that the personal data provided for the data files be returned for transfer to another controller; and
  • prohibit the use of his/her personal data for direct marketing purposes and certain other situations specified in the EU Data Protection Regulation.

Data subjects may send their requests related to the exercise of their rights in writing to the controller of the data file to the address indicated above. Please note that KPY is required, in certain cases, to ask for additional information necessary to verify the identity of the data subject submitting the request.

If a data subject requests access to his/her personal data, the controller will provide copy of the data stored in the data file in a hardcopy or electronic format or indicate a site on which the stored data is available without undue delay and no later than within one month of the submission of the request. If necessary because of the complexity or number of requests, the controller may extend the time limit up to two months provided that the data subject is duly informed of such extension.


KPY’s data protection procedures may change in response to legal amendments. KPY will update the procedures as appropriate. KPY will have the right to update its data protection procedures at any time by posting an updated version on this site. The information displayed on this website is always up-to-date. When information is updated, the date of the data protection procedures indicated at the top of page will also change. Any modified or corrected data protection procedures will apply as of the date of the update. All users or data subjects are urged to read the data protection procedures regularly to find out how personal data is protected by KPY.

Supervisory authority

Processing of personal data is overseen and supervised and related advice provided by the Data Protection Ombudsman. Contact details: Office of the Data Protection Ombudsman, PL 800, 00521 Helsinki, Finland.

If a data subject considers that his/her legal rights have been infringed, they have the right to lodge a complaint with a national data protection authority or other data protection authority in the European Union or the European Economic Area.

Our privacy statements