Privacy notice

Processing of customer personal data

Oras Group obtains and processes in its business operations personal data of its current, previous and potential customers and suppliers, as well as of such customers and suppliers’ employees and representatives (each natural person individually a “data subject”). With this privacy notice, we want to promote transparency and demonstrate how the personal data of data subjects concerned is processed. The controller of personal data is the Oras Group Company that has the relevant business relationship with the respective customer or supplier and for whose business operations the personal data is hence processed. Should you have any questions regarding the processing of customer or supplier personal data, please contact our local office or send an email to Oras Business  gdpr@oras.com only in English or Finnish.

1.                    Processing of personal data

The personal data is mainly obtained from or agreed with the data subject. We may also process personal data obtained from the company that the data subject is representing, the authorities and our other cooperation partners, such as our subcontractors, and from publicly accessible sources, such as internet pages and trade registers. The personal data comprise:

  • identification information such as name, the company that the data subject is representing and his/her title;
  • contact details such as work place address, phone number and e-mail address; and
  • personal data generated along with the business relationship, such as communications, information included in the purchase orders, information related to campaigns, special offers, joint activities or any cooperation, as well as information required for invoicing and payments, handling of deliveries, maintenance of the customer and supplier relationships and for development of our business.

2.                    The legal basis for and purposes of processing

We process personal data based on its necessity for the purposes of our legitimate interests, which arise when the data subject is our customer or supplier or at the service of such, or for compliance with a legal obligation to which we are subject.

Personal data is processed to investigate and negotiate with potential customers and suppliers, to give and negotiate offers, to handle orders, to deliver products and services to our customers and to receive products and services from our suppliers, to invoice, for shipment purposes and to create waybills, to draw up, enforce and maintain business agreements, to produce and execute any activities related to such agreements as well as  to execute marketing communications related to our business.

3.                    Transfers and location of data

As part of our business operations we transfer, where appropriate, personal data to our group companies and to our cooperation partners, such as the delivery companies and our resellers.

Personal data is located in the European Union or European Economic Area. Should we transfer your personal data outside EU/EEA, we shall inform you.

4                    Retention of personal data

We retain personal data as long as it is necessary for (i) the implementation and execution of the concerned business agreements, or to make and request offers and business proposals from the existing and potential customers and suppliers, and (ii) other legitimate purposes related to the existing or potential business relationship, such as producing financial information, or (iii) compliance with law. Should the respective customer or supplier relationship end, we retain personal data if it is necessary for our business operations, such as maintaining our contract archive and to process possible reclamations.

We also retain personal data when the retention is necessary to comply with legal obligations to which we are subject to, such as bookkeeping.

When the retention of personal data is no longer necessary, it will be erased or anonymised securely.

5.                    Rights of the data subjects

As a data subject you have a right to request from us:

  • access to your own personal data;
  • rectification or erasure of your personal data;
  • restriction of processing concerning you;
  • to object to processing; and
  • under certain preconditions, the right to data portability, which means that you may receive your personal data that you have provided to us, in a structured, commonly used and machine-readable format and transmit such data to another controller.

Where the processing is based on consent, as a data subject you have the right to withdraw your consent at any time. Please notice that a withdrawal of your consent will not affect the lawfulness of the consent-based processing taking place before your withdrawal of consent.

Any request shall be made to the point of contact provided above.

We will do our best to implement your request. However, sometimes we must refuse your request, in which case we shall inform you of the basis of such refusal.

In case you consider that our processing of personal data does not meet the requirements of the General Data Protection Regulation or other applicable legislation, you may contact the applicable supervisory authority (e.g. in Finland the Finnish Data Protection Ombudsman) to confirm the appropriateness of the processing of your personal data.