Privacy notice

Processing of customer personal data

Oras Oy (business ID 1988049-0, “Oras” or “we”) obtains and processes personal data of its current, previous and potential customers and such customers’ employees and representatives (each natural person individually a “data subject”). With this privacy notice, we want to promote transparency and demonstrate how the personal data is processed as part of our business operations with our customers. Should you have any questions regarding the processing of customer personal data, please contact our local office or send an email to gdpr@oras.com (in English or Finnish).

  1. Processing of personal data

The personal data is mainly obtained from or agreed with the data subject. We may also process personal data obtained from the company that the data subject is representing, the authorities and our other cooperation partners, such as our subcontractors, and from publicly accessible sources, such as internet pages and trade registers. The personal data comprise:

  • identification information such as name, the company that the data subject is representing and his/her title;
  • contact details such as work place address, phone number and e-mail address; and
  • personal data generated along with the customer relationship, such as communications, information included in the purchase orders and billing information, required for deliveries, or other activities with the customer.
  1. The legal basis for and purposes of processing

We process personal data based on its necessity for the purposes of our legitimate interests, which arise when the data subject is our customer or at the service of our customer, or for compliance with a legal obligation to which we are subject.

Personal data is processed to investigate and negotiate with potential customers, to request offers, to order and acquire products and services from our customers, to invoice payments, for shipment and waybill creation purposes, to draw up, enforce and maintain supply agreements, and to produce and execute any activities related to such agreements.

  1. Transfers and location of data

As part of our business operations we transfer, where appropriate, personal data to our group companies and to our cooperation partners, such as the delivery companies and our resellers.

Personal data is located in the European Union or European Economic Area. Should we transfer your personal data outside EU/EEA, we shall inform you.

  1. Retention of personal data

We retain personal data as long as it is necessary for (i) the implementation and execution of the concerned customer agreement or to make offers and business proposals to the existing or potential customers, and (ii) other legitimate purposes related to the existing or potential customer relationship. Should the customer relationship end, we retain personal data if it is necessary for our business operations, such as maintaining contract archive and to respond and handle to possible  reclamations.

We also retain personal data when the retention is necessary to comply with legal obligations to which we are subject to, such as bookkeeping.

When the retention of personal data is no longer necessary, it shall be erased or anonymised securely.

  1. Rights of the data subjects

As a data subject you have a right to request from us:

  • access to your own personal data;
  • rectification or erasure of your personal data;
  • restriction of processing concerning you;
  • to object to processing; and
  • under certain preconditions, the right to data portability, which means that you may receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format and transmit such data to another controller.

Where the processing is based on consent, as a data subject you have the right to withdraw your consent at any time. Please notice that a withdrawal of your consent will not affect the lawfulness of the consent based processing taking place before your withdrawal of consent.

Any request shall be made to the point of contact provided above.

We will do our best to implement your request. However, sometimes we must refuse your request, in which case we shall inform you of the basis of such refusal.

In case you consider that our processing of personal data does not meet the requirements of the General Data Protection Regulation or other applicable legislation, you may contact the Finnish/country Data Protection Authority to confirm the appropriateness of the processing of your personal data.