1. Data controller
Senop Oy, Business ID: 1795926-9, Lentolantie 7, FI-36220 KANGASALA, FINLAND
Phone: +358 20 734 3500
2. Data controller’s representative
Safety Director Erkki Grönlund
Phone: 020 734 3500
3. Name of the register
Senop Oy’s stakeholder register
4. Purposes of the register and processing
Personal data of data subjects who represent stakeholders which conduct national and international co-operation with the data controller are processed in the register.
It is a prerequisite for the data controller’s business activities that its own and contracted personnel have contact information of data subjects representing stakeholders for the purpose of communication needed for co-operation. Furthermore, personal data of such data subjects can be processed in the register with whom the stakeholder activity has not yet commenced or it has ended.
The purposes of processing are:
– Managing stakeholder relationships
– Fulfilling the rights and obligations of the stakeholder and the data controller
– Processing for the purposes related to the data controller’s products and services such as developing, providing, performing, marketing, maintenance and technical support of products and services
– Directing the data controller’s advertising (including newsletter) and allocation of marketing on basis of customer data via the data controller’s mediums and services
– Address list for customer magazines and releases
– Respondents to customer satisfaction surveys
– Lists of invited guests for stakeholder events
– Photographing in events
– Security-cleared carriers for the transport of sensitive material
– Persons participating in training events organized by the data controller
5. Content of the register
The register contains personal data of the following persons:
– Customers of the data controller and their representatives and contact persons
– Co-operation partners, subcontractors and suppliers of the data controller and their representatives and contact persons
– Potential customers of the data controller and their representatives and contact persons
The following personal data of the data subjects, relevant on the basis of the above-mentioned purposes of processing, are processed, such as:
- name, possible title, job description, area of responsibility / designation / rank, phone number, email address, work location and other necessary contact details which enable and ensure contact and communication,
- name of the organization (such as employer or other organization) which the data subject represents, country and/or area, business ID, postal address and possible relationship with the data controller.
Also, personal data of data subjects other than Finnish citizens may be processed in the register.
6. Legal basis for processing of the personal data
Personal data are processed in relation to the data controller’s business activities based on its or third party’s legitimate interest and/or on the basis of upcoming/current/ended contractual or similar commercial and/or non-commercial relationship with the data controller and on the basis of other co-operation with stakeholders or for the purposes of complying with legal obligations.
The data controller does not use solely automated decision-making, such as automated profiling, as part of processing personal data.
Personal data contained in the register are processed for the purposes and on the basis described in this Privacy Notice. Pursuant to privacy notices of the data controller’s other registers, the data controller may combine data subject’s personal data processed in such other registers to data subject’s basic information processed in this stakeholder register, provided that the data subject has provided his/her personal data to the data controller in connection with other co-operation or activities related to such other registers.
The data controller’s electronic direct marketing may be sent to data subjects who have given their voluntary consent to electronic direct marketing. When the data subject is requested to give his or her consent, he or she will be simultaneously informed that withdrawal of consent is possible easily and at any time. In addition, in accordance with applicable data protection legislation, electronic direct marketing can also be sent to recipients for whom the data controller can reasonably consider that the products or services marketed have essential connection with the potential customer’s area of responsibility or work.
Withdrawal of consent may be done by giving a notice to the data controller or by clicking the cancelling option, which can be found in every marketing message (“Unsubscribe” link), whereupon personal data of the data subject will be removed from the data controller’s list concerning subscribers of electronic direct marketing.
7. Regular information sources
The personal data processed in the register are collected from the data subject or from an organization which the data subject represents in connection with stakeholder activity as well as from other registers and sources used by the data controller.
Such other sources of personal data processed in the register are:
- Meetings, contacting, exhibitions, campaigns related to marketing and sales, events and training courses, communications with the data subject or an organization represented by the data subject or materials published by the data subject or such an organization.
- Data subject’s personal data processed in other registers pursuant to privacy notices of such other registers, provided that the data subject has provided his/her personal data to the data controller in connection with other co-operation or activities related to such other registers.
- Services subject to a charge or free of charge which contain personal data related to data subjects who represent organizations conducting stakeholder activity with the data controller, as well as possible assignments for the purpose of obtaining personal data to enable stakeholder activity.
- Personal data received from the data controller’s parent and/or other group companies (Patria Oyj and Millog Oy and related group companies) through internal group company co-operation.
- Trade register, other company information registers, and similar public registers and sources.
Furthermore, the data controller may receive personal data from national or international authorities in connection with co-operation with such authorities.
8. Regular disclosures and transfers of personal data
Contact person of the data controller may disclose personal data processed in the register to finance, corporate and group safety departments of parent and group companies (Millog Oy, Patria Oyj) as well as for the purpose of other stakeholder co-operation between the data controller and its parent and group companies (Patria Oyj, Millog Oy and related group companies).
A person processing the personal data on behalf of the data controller may disclose personal data processed in the register to the data subject himself/herself, as well as to other persons or entities employed or contracted by the data controller and/or its parent and group companies (Patria Oyj, Millog Oy and related group companies) who process personal data on a need-to-know basis for carrying out their duties.
The data controller may disclose further personal data processed in the register to national or international authority in connection with co-operation with such authorities who have a need to process the personal data, or if legal obligation requires such disclosure.
The personal data of the data subjects can be disclosed to the service providers of the data controller on a case-by-case basis, i.e. when it is necessary considering the use of personal data. The data controller will use reliable service providers which process personal data on behalf of the data controller based on data processing agreement between the data controller and service providers required by data protection legislation. The service providers will process the personal data, for which the data controller is responsible for, in accordance with the data controller’s documented instructions. Service providers used by the data controller are event planners, marketing partners, printing houses, advertising agencies, photographer, and a provider of a customer satisfaction survey.
By default, personal data is not transferred outside of European Union or European Economic Area. Should personal data be transferred outside of EU or EEA, the data controller and its service providers will make contractual arrangements in order to carry out transfers of personal data in a manner required by applicable data protection legislation.
9. Data storage period
The data controller will process and retain personal data only as long it is necessary for compliance with a legal obligation or for the purposes of processing which have been determined in advance. Personal data which has become redundant, i.e. personal data which the data controller no longer has legal basis to retain or process, will be deleted on regular basis in accordance with the data controller’s internal data protection policy.
10. Rights of the data subject
10.1 Right of access by the data subject to his or her data
The data subject has the right to obtain confirmation from the data controller as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and a copy of the personal data processed.
10.2 Right to rectification and erasure
Within the limits of the legislation, the data subject has the right to obtain the rectification or erasure of inaccurate, unnecessary, defective or outdated personal data concerning him or her.
10.3 Right to withdraw consent
In case where processing of personal data is based on the consent of the data subject, the data subject has the right to withdraw his or her consent by notifying the data controller.
10.4 Right to object
The data subject has the right to object, on grounds relating to his or her particular situation, at any time processing of personal data concerning him or her and having its legal ground on the legitimate interest of the data controller, including profiling. Right to object shall not be applied if the related personal data is processed and necessary for complying with the data controller’s legal obligations and/or there exist compelling legitimate grounds for the processing which override the interests, rights, and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
Where personal data are processed for direct marketing purposes, the data subject has the right to object at any time of processing data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing. Where the data subject objects to processing for direct marketing purposes, the personal data will no longer be processed for such purposes.
10.5 Right to data portability
The data subject has the right to receive data concerning him or her, which he or she has provided to the data controller, in a structured, commonly used and machine-readable format and has the right to transmit those data to another data controller, in cases where processing is based on consent or contract and the processing is carried out by automated means.
When exercising the above described right to data portability, the data subject has the right to have personal data transmitted directly from one data controller to another, where technically feasible.
10.6 Responsibilities of the data controller
The data controller will inform the data subject about all measures that have been taken on basis of a request, without undue delay and in any case within one month having received such a request. The time limit may be prolonged for at most two months where needed, taking into consideration quantity and complexity of the requests made. The data controller will inform the data subject about such possible prolongment within one month having received the request, as well as about the reasons for delay. If the data subject has presented his or her request electronically, the information must be provided electronically when possible, unless the data subject requests otherwise.
If the data controller does not carry out the measures based on the data subject’s request, the data controller must immediately and at the latest within one month since having received the request, notify the data subject about the reasons for this, as well as about the possibility to lodge a complaint with a supervisory authority and to use other legal remedies.
10.7 Exercising rights
A free-form, detailed and justified request to exercise data subject’s rights shall be submitted to the data controller’s email address: firstname.lastname@example.org or email@example.com. The data controller will then instruct the data subject on personal verification and identification of the data subject. A request for exercising data subject’s right shall be deemed to have been received by the data controller when the data subject has personally identified himself/herself to the data controller.
10.8 Right to lodge a complaint with a supervisory authority
The data subject has a right to lodge a complaint with a supervisory authority, if the data subject considers that the data controller is infringing the applicable data protection legislation when processing the data subject’s personal data.
11. General description of technical and organisational safety measures
A facility security clearance certificate has been granted to the data controller by the national Designated Security Authority (DSA). The facility security clearance certificate covers security measures related to the data controller’s administrative operations and facilities.
Personal data stored in information systems are processed with access restrictions by personal access rights in company confidential information system environments.
Material containing personal data in paper format are stored in locked storage and/or security monitored and/or locked facilities. Personal data in paper format may also be processed and stored, when required, by personnel employed or contracted by the data controller.
The data controller ensures functioning of locking, crime reporting, access control and alarm systems as well as arranging guarding pursuant to facility security requirements.
12. Changes to this Privacy Notice
The data controller may change this Privacy Notice. The data controller will inform the data subjects of significant changes to this Privacy Notice and the processing operations reasonably before their entry into force on its website and/or by other appropriate means to allow the data subjects to reasonably assess the consequences of such changes.