Nikolai Sourcing Oy’s customer register

Date of publication: 21.10.2022

1.     General

This privacy policy outlines what personal data Nikolai Sourcing Oy (“company”) collects, how the data is processed, for what purposes the data is used, and to whom the data can be disclosed. The privacy policy also provides information on obligations with which the company complies when processing personal data.

The company pays particular attention to data protection and, when processing data, it complies with the Data Protection Act (1050/2018), the EU’s General Data Protection regulation (2016/679) (“GDPR”) and other applicable data protection legislation and good data processing practices.

This privacy policy is applied to the processing of customers’ and their contact persons’ personal data.

Personal data refers to all data concerning a natural person (“data subject”) from which they can be directly or indirectly identified as specified in the GDPR. Data from which a data subject cannot be directly or indirectly identified is not personal data.

2.    Controller and contact person

Controller: Nikolai Sourcing Oy

Business ID:                         2154748-6

Address:                 Henry Fordin katu 5K, 00150 Helsinki

Contact person:       Rauli Ratasvuori


3.    Lawful basis for and purposes of personal data processing

Personal data is processed for e.g. the following purposes:

The lawful basis for personal data processing is the contractual relationship between the company and the customer which is based on the ordering and provision of services. Personal data processing is also based on legal obligations, such as bookkeeping obligations. Processing for marketing or the development of services and other business operations is based on the company’s grounds of legitimate interest.

Digital direct marketing and subscription to the company’s newsletter is based on consent given by the data subject or on the company’s grounds of legitimate interest. The data subject has the right to withdraw the consent they have given at any time (please see “Rights of the data subject” below).

4.    Groups of personal data to be processed, data content, and sources of data

The company only collects personal data from the data subject which is essential and necessary for the purposes outlined in this privacy policy. The following data is collected about the data subject:

Personal data groupExamples of data content
Identifying and contact detailsData subject’s name, title/position, address, telephone number, email address, name and business ID of customer’s company
Data concerning the customer relationshipAccount number, invoicing and payment information, and other information that identifies the customer relationship
Customer transaction data and contract dataInformation about the contract between the company and data subject or between the company and customer, trade agreements, customer feedback, plus contact between the data subject and company, complaints and other information relating to business, as well as the information required to implement customer contracts, such as copies of passports required for travel services
Consent given by the data subjectInformation concerning the data subject’s consent to digital direct marketing plus consent that has been withdrawn and any bans set by the data subject
Behaviour analytics and technical identification dataThe data subject’s user behaviour on the website is monitored using technical identification data. Collected data may include e.g. the user’s IP address, the pages used, type of browser, network address, and time and duration of session

The provision of the data specified in sections A – C above is necessary in order to manage the contractual and legal obligations in the contract between the company and the customer, and to provide the company’s services. The company uses external services for website visitor monitoring, and these services collect the data specified in section E. An individual site visitor is not primarily identifiable based on this data. The company utilises the information in order to develop its services and business operations.

Personal data is primarily collected from the data subject themselves, for example, in connection with marketing and sales activities, when making a customer contract, or during the customer relationship. The data subject may also have given the company information when subscribing to the digital newsletter, on social media services, or on the company’s website.

The company may use external service providers for marketing who process data subjects’ contact information for marketing (e.g. newsletter services).

Personal data may also be collected from the customer company on whose behalf the data subject acts. In addition, data may be collected in situations permissible by law and updated from data files maintained by third parties.

The company’s subcontractors and partners in collaboration will provide the company with data subjects’ personal data if they are required to do so in order to fulfil legal and contractual obligations.

(F)  Storing of personal data

The company will store the personal data for as long as is necessary in order to fulfil the purposes specified in the privacy policy unless legislation sets an obligation to store the personal data for a longer period (e.g. duties and responsibilities relating to special legislation, bookkeeping obligations or reporting obligations), or unless the company requires the data in order to prepare, make, or defend against a legal claim or to resolve a corresponding dispute.

The retention period and storage criteria for data vary by personal data group according to the processing purposes of a particular data group.

Personal data is processed during the validity period of the customer and contractual relationship, and for the necessary period after the customer and contractual relationship has ended.

For a customer company, the retention of the company representative’s personal data is tied to how long the data subject in question has acted as the representative for that customer company towards the company.

Once the personal data is no longer required in the manner specified above, the data will be erased within a reasonable time.

(G)  Parties that process and receive personal data

In accordance with this privacy policy, the company may outsource personal data processing to service providers or subcontractors. The company will ensure that the personal data is processed appropriately by means of sufficient contractual obligations.

Personal data may be disclosed to authorities whenever obligated and justified to do so by law.

The company will not disclose the data subject’s personal data for direct marketing.

If the company participates in a fusion, asset acquisition or other merger and acquisition transaction, it may be required to disclose data subjects’ personal data to third parties.

The disclosure of data to a third party primarily takes place via digital data transfer connections, but data may also be disclosed in other ways, such as by telephone or letter.

(H)  Disclosure of data outside of the European Union or the European Economic Area

Primarily, your data will not be transferred outside of the European Union or the European Economic Area.

If data is transferred outside of the European Union or the European Economic Area, the company will ensure a sufficient level of data protection by e.g. agreeing on matters pertaining to personal data processing in a manner required by the GDPR, such as by using the standard contractual clauses adopted by the European Commission.

(I)   Principles of personal data protection and security of processing

The company processes personal data in a manner which, in all situations, strives to ensure the appropriate security and data protection of personal data, including protection from unauthorised processing and from accidental loss, destruction, or damage.

In order to ensure this, appropriate technical and organisational protective measures have been undertaken in personal data processing, including the use of firewalls, encryption technologies, secure hardware facilities, appropriate access control and management, and personnel instructions.

Contracts and other documents to be stored as original copies are kept in locked facilities to which access is limited to those who are entitled to use the facilities. Paper copies are destroyed in a data-secure manner.

Pursuant to the Employment Contracts Act and contracts’ terms of non-disclosure, all parties processing personal data are obligated to non-disclosure concerning matters which pertain to the processing of data subjects’ personal data.

Based on this privacy policy, the company may outsource personal data processing to service providers, whereupon the company will use sufficient contractual obligations to ensure that personal data is processed appropriately and legally.

(J)   Rights of the data subject

The data subject has rights guaranteed in data protection legislation.

The data subject has the right to receive confirmation of whether or not their personal data is processed. The data subject has the right to access and check the data about themselves and to receive the information in writing or digital format upon request.

The data subject has the right to request the correction of inaccurate or erroneous data. In addition, pursuant to data protection legislation, the data subject has the right to request the erasure of their information. The company will, at its own initiative, erase, correct, or supplement any personal data that it observes to be erroneous, unnecessary, inadequate or obsolete with regard to the processing purpose.

The data subject has the right to request its data be transferred to another controller in accordance with valid data protection legislation.

Furthermore, the data subject has the right to request the restriction of processing of their personal data in accordance with requirements specified in data protection legislation. In addition, in situations wherein personal data that is suspected to be erroneous cannot be corrected or erased, or if the request for erasure is ambiguous, the company will restrict access to the data.

The data subject has the right to object to the processing of data for certain purposes. The data subject has the right to ban the disclosure and processing of their data for direct marketing.

Requests concerning the rights of the data subject are submitted in connection with an in-person visit or in writing or electronically, and should be addressed to the contact person specified in this privacy policy. Personal identification will be checked before providing the information. Requests for access will be responded to within a reasonable time and, where possible, within a month from submission of the request and checking of personal ID.

If it is not possible to permit the data subject’s request, the data subject will be informed of the refusal in writing. The company may refuse a request, such as the erasure of personal data, due to a legal obligation or the company’s legal right, such as an obligation or claim relating to a service.

Consent that relates to digital direct marketing can be withdrawn or given by contacting the company’s contact persons. In addition, the data subject can unsubscribe from the company’s mailing list at any time by clicking the link in the email.

The data subject has the right to submit a complaint to the data protection ombudsman ( if the data subject feels that their personal data has been processed in breach of valid legislation.

(K)  Changes to the privacy policy

The company continuously develops its services, and for that reason it may need to change or update this privacy policy. Changes may also be based on changes to legislation. We recommend that you check the content of this privacy policy regularly. Changes will be announced on the company’s website, and data subjects will be informed of substantial changes by email.