Nikolai Sourcing Oy’s customer register
Date of publication: 21.10.2022
The company pays particular attention to data protection and, when processing data, it complies with the Data Protection Act (1050/2018), the EU’s General Data Protection Regulation (2016/679) (“GDPR”) and other applicable data protection legislation and good data processing practices.
Personal data refers to all data concerning a natural person (“data subject”) from which they can be directly or indirectly identified as specified in the GDPR. Data from which a data subject cannot be directly or indirectly identified is not personal data.
2. Controller and contact person
Controller: Nikolai Sourcing Oy
Address: Henry Fordin katu 5K, 00150 Helsinki
Contact person: Rauli Ratasvuori
3. Lawful basis for and purposes of personal data processing
Personal data is processed for e.g. the following purposes:
The lawful basis for personal data processing is the contractual relationship between the company and the customer which is based on the ordering and provision of services. Personal data processing is also based on legal obligations, such as bookkeeping obligations. Processing for marketing or the development of services and other business operations is based on the company’s grounds of legitimate interest.
Digital direct marketing and subscription to the company’s newsletter are based on consent given by the data subject or on the company’s grounds of legitimate interest. The data subject has the right to withdraw the consent they have given at any time (please see “Rights of the data subject” below).
4. Groups of personal data to be processed, data content, and sources of data
| Personal data group | Examples of data content |
|---|---|
| Identifying and contact details | Data subject’s name, title/position, address, telephone number, email address, name and business ID of customer’s company |
| Data concerning the customer relationship | Account number, invoicing and payment information, and other information that identifies the customer relationship |
| Customer transaction data and contract data | Information about the contract between the company and data subject or between the company and customer, trade agreements, customer feedback, plus contact between the data subject and company, complaints and other information relating to business, as well as the information required to implement customer contracts, such as copies of passports required for travel services |
| Consent given by the data subject | Information concerning the data subject’s consent to digital direct marketing plus consent that has been withdrawn and any bans set by the data subject |
| Behaviour analytics and technical identification data | The data subject’s user behaviour on the website is monitored using technical identification data. Collected data may include e.g. the user’s IP address, the pages used, type of browser, network address, and time and duration of session |
The provision of the data specified in sections A – C above is necessary in order to manage the contractual and legal obligations in the contract between the company and the customer, and to provide the company’s services. The company uses external services for website visitor monitoring, and these services collect the data specified in section E. An individual site visitor is not primarily identifiable based on this data. The company utilises the information in order to develop its services and business operations.
Personal data is primarily collected from the data subject themselves, for example, in connection with marketing and sales activities, when making a customer contract, or during the customer relationship. The data subject may also have given the company information when subscribing to the digital newsletter, on social media services, or on the company’s website.
The company may use external service providers for marketing who process data subjects’ contact information for marketing (e.g. newsletter services).
Personal data may also be collected from the customer company on whose behalf the data subject acts. In addition, data may be collected in situations permissible by law and updated from data files maintained by third parties.
The company’s subcontractors and partners in collaboration will provide the company with data subjects’ personal data if they are required to do so in order to fulfil legal and contractual obligations.
(F) Storing of personal data
The retention period and storage criteria for data vary by personal data group according to the processing purposes of a particular data group.
Personal data is processed during the validity period of the customer and contractual relationship, and for the necessary period after the customer and contractual relationship has ended.
For a customer company, the retention of the company representative’s personal data is tied to how long the data subject in question has acted as the representative for that customer company towards the company.
Once the personal data is no longer required in the manner specified above, the data will be erased within a reasonable time.
(G) Parties that process and receive personal data
Personal data may be disclosed to authorities whenever obligated and justified to do so by law.
The company will not disclose the data subject’s personal data for direct marketing.
If the company participates in a merger, asset acquisition or other merger and acquisition transaction, it may be required to disclose data subjects’ personal data to third parties.
The disclosure of data to a third party primarily takes place via digital data transfer connections, but data may also be disclosed in other ways, such as by telephone or letter.
(H) Disclosure of data outside of the European Union or the European Economic Area
Primarily, your data will not be transferred outside of the European Union or the European Economic Area.
If data is transferred outside of the European Union or the European Economic Area, the company will ensure a sufficient level of data protection by e.g. agreeing on matters pertaining to personal data processing in a manner required by the GDPR, such as by using the standard contractual clauses adopted by the European Commission.
(I) Principles of personal data protection and security of processing
The company processes personal data in a manner which, in all situations, strives to ensure the appropriate security and data protection of personal data, including protection from unauthorised processing and from accidental loss, destruction, or damage.
In order to ensure this, appropriate technical and organisational protective measures have been undertaken in personal data processing, including the use of firewalls, encryption technologies, secure hardware facilities, appropriate access control and management, and personnel instructions.
Contracts and other documents to be stored as original copies are kept in locked facilities to which access is limited to those who are entitled to use the facilities. Paper copies are destroyed in a data-secure manner.
Pursuant to the Employment Contracts Act and contracts’ terms of non-disclosure, all parties processing personal data are obligated to non-disclosure concerning matters which pertain to the processing of data subjects’ personal data.
(J) Rights of the data subject
The data subject has rights guaranteed in data protection legislation.
The data subject has the right to receive confirmation of whether or not their personal data is processed. The data subject has the right to access and check the data about themselves and to receive the information in writing or digital format upon request.
The data subject has the right to request the correction of inaccurate or erroneous data. In addition, pursuant to data protection legislation, the data subject has the right to request the erasure of their information. The company will, at its own initiative, erase, correct, or supplement any personal data that it observes to be erroneous, unnecessary, inadequate or obsolete with regard to the processing purpose.
The data subject has the right to request that their data be transferred to another controller in accordance with valid data protection legislation.
Furthermore, the data subject has the right to request the restriction of processing of their personal data in accordance with requirements specified in data protection legislation. In addition, in situations wherein personal data that is suspected to be erroneous cannot be corrected or erased, or if the request for erasure is ambiguous, the company will restrict access to the data.
The data subject has the right to object to the processing of data for certain purposes. The data subject has the right to ban the disclosure and processing of their data for direct marketing.
If it is not possible to grant the data subject’s request, the data subject will be informed of the refusal in writing. The company may refuse a request, such as the erasure of personal data, due to a legal obligation or the company’s legal right, such as an obligation or claim relating to a service.
Consent that relates to digital direct marketing can be withdrawn or given by contacting the company’s contact persons. In addition, the data subject can unsubscribe from the company’s mailing list at any time by clicking the link in the email.
The data subject has the right to submit a complaint to the data protection ombudsman (www.tietosuoja.fi) if the data subject feels that their personal data has been processed in breach of valid legislation.