1) What is the purpose and scope of this Privacy Notice?
Suominen is committed to protecting the privacy and security of your personal data. This privacy notice explains how we collect and use personal data about you and what rights you have under the applicable laws, particularly under the EU's General Data Protection Regulation (GDPR).
This Privacy Notice applies to the processing of personal data by any Suominen Group company in the EU with respect to:
- contact persons and representatives of Suominen's prospective, current and former customers, suppliers and other business partners
- persons who visit our websites or submit their contact information e.g. to subscribe to our publications, leave an inquiry, request information, fill out a survey, participate in a competition or attend an event
- other stakeholders who interact with us such as prospective investors or analysts
This Notice does not apply to processing undertaken by a local Suominen entity entirely outside of the EU.
2) Who is the data controller?
Data controller, i.e. the legal entity responsible for collection and use of personal data under this Privacy Notice, is Suominen Corporation whose registered address is Karvaamokuja 2 B, 00380 Helsinki, Finland. Our Privacy Team can be contacted via email at data.protection(at)suominencorp.com.
In limited circumstances, other companies of the Suominen Group may also operate as data controllers, either independently or jointly with Suominen Corporation, for their own purposes and under the same principles as defined in this Notice.
3) Why do we process your personal data?
The main purposes for processing your data relate to your professional relationship with us and include the following:
- delivery or purchase of products and services
- managing customer, supplier and business partner relations
- marketing and development of our products and services
- providing you information you have requested from us
- facilitating communication between you and us, including customer and supplier feedback and satisfaction surveys
- improving customer experience and developing our customer insight
- operating and improving our websites
- analyzing, profiling, reporting, and statistics for the purposes explained above
4) What is the legal basis for processing your data?
We will only process your personal data when the law allows us to. Our legal basis for processing your data is:
- the performance of a contract between us and a customer, supplier or another business partner as well as taking steps prior to entering into a contract, e.g. to manage requests for information or quotation;
- legitimate interest of Suominen based on a business or other relationship, which includes e.g. relationship management and marketing of our products and services;
- your consent; or
- compliance with a legal obligation.
5) What kind of personal data do we process about you?
We may process the following information about you for the purposes described above:
- Basic information about you, e.g. name, title, your employer or the organization you represent, your industry, as well as contact details such as postal address, phone number and email address
- Information on the business relationship, e.g. your product and application interests and the use of Suominen's products and services
- Information relating to your use of our digital services, e.g. registration data for a digital account such as username and password; information about the service use; information collected using cookies and other online technologies, such as type of web browser you use, the device type you use, your web browsing history on our websites, your IP address, links you have clicked in an email or on a website, materials you have downloaded or the websites from which you have arrived at our websites
- Information related to contacts, meetings and communication, e.g. feedback and contact requests, digital forms, marketing efforts performed, or meetings and events you have participated
- Profile and analysis data, e.g. marketing segments and profiles derived from the data described above
6) What are the sources of your personal data?
The personal data that we process about you is:
- given to us by yourself e.g. when using our websites, registering as a user of our services, sending a request for information, filling a form, purchasing, ordering or offering products and services, participating events, or otherwise interacting with us personally, by phone or digitally;
- given to us by your employer or the organization you represent in connection with the business or other relationship between us and your employer/organization;
- collected automatically through electronic means, including cookies, e.g. when you engage in an online marketing campaign or use our websites or other digital services; or
- collected from other legitimate sources, e.g. public and private company and business registers, public authorities, postal operators, public telephone directories, direct marketing and other data brokers, and other similar public and private registers.
7) What are cookies?
Cookies are text files that are saved on the hard drive of your device by means of your browser when you visit a Suominen website, enabling us to recognize your browser for purposes such as saving your preferences and directing relevant content to you. These technologies are used to analyze trends, administer and improve the website, enable features on the website, track users' movements around the website and to gather demographic information about our users. We use technology created by third parties to enable such technological features. Most of the currently available browsers give you the option of managing cookies by, for example, disabling them entirely, accepting them individually, and deleting saved cookies from your hard drive. We would like to remind you that if you completely disable cookies on your browser, you might not be able to use some features of the website.
8) Who has access to your personal data?
We may share your data with service providers and business partners that operate and process personal data as data processors on our behalf. These data processors may include IT and technology providers hosting and maintaining our data as well as possible market research partners or other professional service providers.
Such service providers are only allowed to process your personal data to the extent necessary for them to provide the service we have requested from them. We require that all our service providers keep the personal data we provide them confidential and adequately secure. They are also required to comply with the applicable data protection laws, our privacy and information security policies, and the relevant service and other agreements.
In limited circumstances, Suominen may also make your personal data available to other third parties when required by law or if we have a legitimate interest to do so.
Additionally, we may disclose and transfer your personal data within the Suominen group of companies to Suominen employees who need access to such information to perform their duties.
9) Where is your personal data processed?
As Suominen is a global group of companies with affiliates and service providers both within and outside the EU, your personal data may be processed, transferred, or made accessible across country borders. If your data is transferred outside of the EU, we rely on adequacy decisions, data transfer agreements, or other EU-approved mechanisms for such transfers.
We contractually require recipients to only use personal data for the intended purpose of the disclosure, and to destroy or return it when it is no longer needed.
Transfers of personal data from within the EU to Suominen affiliates outside of the EU are primarily done on the basis of intra-group agreements, which are based on the EU's standard contractual clauses for export of personal data to third countries.
10) How long do we keep your personal data for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for or as required by applicable legislation. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the data, the potential risk of harm from unauthorized use or disclosure of the data, the purposes for which we process the data, the time limits on legal claims, and the applicable legal requirements.
11) What are your rights, and how can you exercise your rights?
You have certain rights over your personal data, including the following:
- Information and access: You may request to access your personal data, be provided with supplementary information, and be provided with a copy of your personal data.
- Rectification: You may request that inaccurate or out-of-date personal data about you be rectified and/or updated.
- Erasure: You may have the right to have your personal data erased.
- Restriction: You may have the right to restrict the processing of your personal data. This restriction means that your personal data is only stored by us, and not processed further. This restriction on processing is typically only temporary and may be lifted once we have dealt with your complaint.
- Objecting to processing: You may have the right to object to specific types of processing. These types are direct marketing, processing for research or statistical purposes, and processing based on legitimate interests. The right to object to processing based on legitimate interests may be subject to demonstration by us of grounds that override your right to object.
- Data portability: You may have the right to data portability. Data portability means the right to receive personal data about you in a structured, commonly used and machine-readable form so that it may be transferred by you or by us to another company easily.
- Right not to be subject to decisions based solely automated decision making: You may have the right not to be subject to decisions based solely on automated processing (i.e. without human intervention), if those decisions produce legal effects or significantly affect you. Automated processing is processing of your personal data by automated means.
These rights are not absolute: they do not always apply, and there may be restrictions or exemptions. For example, your right to access data about you may be denied in the case of repeated access requests within a short time interval, or where providing such access could compromise the privacy of another person or unreasonably expose sensitive company information.
If you want to review or verify personal data about you, or to have it corrected or request its erasure, or to restrict or object to the processing of your personal data, or to request that we transfer a copy of such data to another party please submit your request via the contact details provided above in the section "Who is the data controller?".
You will not have to pay a fee to access your personal data or to exercise any of your other rights. However, we may charge a reasonable fee if your request is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
We may need to request specific information from you to help us confirm your identity and ensure your right to access the data or to exercise any of your other rights. This is another appropriate security measure to ensure that personal data is not disclosed to any person who has no right to receive it.
12) Withdrawal of consent
In cases where your consent is the legal basis for processing your personal data, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact us via the contact details provided above in the section "Who is the data controller?". Once we have received notice that you have withdrawn your consent, we will no longer process your personal data for the purpose or purposes you originally agreed to, unless we have another legal basis for doing so.
If you are not satisfied with the response you have received or if you feel that we have not dealt correctly with your personal data, you have the right to make a complaint at any time to the relevant data protection regulator, also known as a "supervisory authority." The relevant supervisory authority is likely to be the supervisory authority of the country where you are located or where the alleged infringement took place.
14) Changes to this Privacy Notice
We reserve the right to update this Privacy Notice at any time. The current version can always be found from our website. We recommend that you revisit this Privacy Notice from time to time to review any possible changes.