ROBIT PLC PRIVACY NOTICE
PERSONAL DATA OF SUPPLIERS’ REPRESENTATIVES AND CONTACT PERSONS
Last updated 25 May 2018
This document describes how Robit Plc (hereinafter ”Robit”) and its staff process the personal data of Robit’s suppliers’ representatives and contact persons. Robit acts as a controller to such personal data.
As a controller, we are responsible for such personal data, and for the processing of such personal data. Protecting your privacy and your personal data is of utmost importance to Robit. We are committed to complying with the requirements of data protection regulation applicable to us in the processing of your personal data. The means and purposes of processing the personal data Robit’s suppliers’ representatives and contact persons are described in more detail in this Privacy Notice.
What is stated in this Privacy Notice, applies, where appropriate, to the processing of personal data conducted by Robit group companies.
2. Data controller and contact person
(Business ID: 0825627-0)
Tel.: +358 3 3140 3400
Tel.: +358 40 028 0717
3. Legal bases for processing and processing purposes
Processing of personal data must always be based on a legal basis set forth in the EU’s General Data Protection Regulation (the “GDPR”). Processing of personal data of Robit’s suppliers’ representatives and contact persons is based on the following legal bases:
- Data subject’s consent under applicable legislation;
- Compliance with a legal obligation to which Robit is subject;
- The performance of a contract between the data subject or an organization represented by the data subject and Robit, or other relevant connection between them, in which case the legal ground for processing is legitimate interest of Robit or a third party (such as current or future business partners, suppliers or customers). A legitimate interest may be, in particular:
- Ensuring and improving data security or the security of premises and data network; Protection of Robit’s property; To prevent and investigate suspected fraud and misuse;
- Managing and developing the supplier relationship;
- Other legitimate business purposes, such as service and product development.
Personal data is processed in particular for the following purposes:
- Managing the deliveries of services or products ordered by Robit from a data subject or an organization represented by the data subject, as well as the execution of and the obligations related to the delivery of the services or products;
- Invoicing and keeping track of the accuracy of the invoicing;
- Taking care of, managing and developing supplier relations and other relevant connections comparable to such relations, such as the execution of mutual communications;
- Developing the production of services and business development by using various surveys, for instance;
- Analysing and compiling statistics for business purposes;
- Advertising and marketing, including targeted marketing and electronic direct marketing, but only to the extent permitted by the applicable law or where the data subject has explicitly consented to such practices;
- The execution of administrative payments and costs;
- The prevention and investigation of malpractices, which can be conducted for example through camera and other technical monitoring.
After the termination of a delivery agreement or a relevant connection, Robit may transfer data subject’s personal data to direct marketing register of Robit to the extent permitted by the law.
The provision of personal data in the manner described in this Privacy Notice is partially based on a contract between the data subject and Robit or an entity represented by the data subject and Robit. In the context of entering into a delivery agreement as well as in the context of the delivery of services or products, the data subject is obliged to provide Robit with certain personal data for the processing purposes described in this Privacy Notice. The foregoing does not apply in situations where the provision of the data or certain processing of the data is based on the data subject’s consent. The non-delivery of personal data can prevent Robit from performing its contractual or other obligations or commitments, which can lead to the fact that a delivery contract cannot be entered into.
4. Categories of personal data processed by Robit
Robit may process the following personal data directly necessary for the maintenance of the relevant connection between the data subject and Robit and that relate to taking care of the rights and obligations of the parties. These personal data can be categorised as follows:
Basic information, such as
- Contact information (such as address, telephone number and email)
- When representing an entity, information concerning the data subject’s employer and position or assigned tasks within the entity
Information related to the contractual relation or other relevant connection between the data subject and Robit, such as
- Information related to the relevant contract and the data subject’s association to the contract, information on orders on products and/or services;
- Invoicing and payment details
- Information on communications between the data subject and Robit, and information on visits
- Possible permissions and prohibitions concerning direct marketing
Data collected through technical monitoring, such as
- log data of Robit’s data systems where appropriate
- data relating to access control and access control recordings where appropriate
- data relating to camera surveillance and other electronic surveillance recordings recorded when the data subject is visiting Robit’ premises
Furthermore, Robit may process change data of the above mentioned data categories.
5. Regular sources of personal data
Personal data are collected from the data subject himself/herself or from an organization represented by a data subject, for instance in the context of entering into a contract, filling in and signing order forms, or in connection to invoicing. When the contractual relation continues and in the context of delivering the ordered products and/or services, personal data is collected from the data subject himself/herself also by other means, for instance in various communications occasions via telephone or email or during the data subject’s visit on Robit’s sites.
Personal data may also be collected and updated from registers of companies belonging to the same group of companies and economic interest group with Robit as well as from authorities and companies providing services related to personal data, such as Suomen Asiakastieto.
6. Transfers and disclosures of personal data
Robit may transfer personal data to third parties in the following manner in order to fulfil the processing purposes described in this Privacy Notice. When personal data are transferred to an entity which processes personal data on behalf of Robit (i.e. data processor), Robit has through contractual arrangements ensured that personal data is processed only in accordance with Robit’s written instructions and only for the purposes described in this document and that access to personal data is restricted to persons who need access to data based on their tasks.
- Data processors: Robit may transfer personal data to processors in order for the processors to perform services and tasks assigned to them. Data processors’ tasks relate, for instance, to provision and maintaining of devices, data systems and software, as well as provision of other data processing services.
Some of the data processors used by Robit are located outside the EU or EEA area. Robit has contractually ensured that these entities undertake to apply an appropriate level of data protection in their processing practices, and thus the data transfers are subject to appropriate safeguards. More information on cross border transfers of the personal data and on the appropriate safeguards applied thereto from time to time is available from the contact person mentioned under Section 2 of this Privacy Notice.
Robit shares the personal data of suppliers’ representatives and contact persons to the companies belonging to the same group of companies with Robit to the extent necessary in order to e.g. facilitate the ordering and provision of products and/or services by Robit and to facilitate communications and cooperation between the Robit group companies in relation to such products and/or services.
Robit may disclose personal data to competent authorities when required to do so under applicable laws, to prepare for legal proceedings or to defend a claim within the limits permit-ted or required by applicable legislation from time to time. In case of the sale of Robit’s business, or a part of it, or in case Robit conducts other organizational changes to its business, Robit may disclose personal data to the buyers and their advisors in accordance with the then current legislation.
7. Data retention period
The retention period of personal data depends on the data concerned and its purpose of use. Robit retains personal data at least as long as they are needed for the execution of the informed purposes of processing, such as in the performance of Robit’s contractual obligations or in managing the contractual relation with the supplier.
The retention periods are determined in accordance with the following criteria:
- Related personal data will be retained for as long as the legitimate interest of Robit can reasonably be considered valid. The validity of the legitimate interest is determined by, for example, the communications between Robit and the data subject. Ultimately, the retention period of personal data is tied to the term of a contract with the data subject or an organization represented by the data subject.
- Statutory retention periods may also apply. For instance, the accounting regulation requires that the information included in the accounting materials are retained for six years.
- Related personal data will be deleted when the data subject withdraws his/her consent or objects to the processing of your personal data for direct marketing purposes. In this case, however, Robit may keep the information regarding the data subject’s objection to receiving direct marketing
When personal data are no longer needed, the data is destroyed in a secure way or irrevocably anonymized.
8. Rights of the data subject
The GDPR provides the data subject with several rights based on which the data subject can in many situation himself/herself decide on the processing of his/her personal data. The data subject may use the following rights with regard to Robit to the extent Robit acts as the controller to the personal data of the data subject in question. The extent of your rights is subject to the legal basis for processing and exercising your rights requires identification.
- Right of access: The data subject has the right to obtain a confirmation from the controller on whether the controller processes personal data concerning the data subject and the right to access such data. The data controller may ask the data subject to specify his/her access request, amongst others, with regard to the details of the data to be delivered.
- Right to rectification: The data subject has the right to obtain from the controller the rectification of inaccurate personal data concerning him/her processed by the controller, or to have incomplete personal data processed by the controller to be completed.
- Right to be forgotten: The data subject has the right to obtain from controller the erasure of personal data related to him/her and the controller has the obligation to erase such data in case there is no longer a legal ground for the processing of such data or, where the legal or contractual obligation binding the controller related to the storing of the personal data has ended or, where the data subject has withdrawn his/her consent to the processing of his/her personal data.
- Restriction of processing: In certain cases, where so prescribed by law, the data subject may have the right to obtain from the controller restriction of processing of his/her personal data.
- Right to data portability: The data subject may, subject to certain conditions prescribed by law, have the right to receive the personal data concerning him/her processed by the controller in a commonly used and machine-readable format, and the right to transmit those data to another controller without hindrance from the original controller.
- Right to object to processing of his/her personal data: In certain cases, the data subject may have the right to object to processing of personal data concerning him or her. The right to object is applicable in such situations in particular where the processing of personal data is based on the controller’s legitimate interest. In such situations the controller has to follow the data subject’s request, unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
- To the extent the processing of personal data has been based on the data subject’s unambiguous consent, the data subject has, at any time, the right to withdraw his/her consent regarding the processing.
The requests shall be directed to the contact person mentioned in section 2 of this Privacy Notice.
In addition, the data subject has the right to lodge a complaint with the supervisory authority on the processing of the personal data by the controller. The complaint shall be made to the competent supervisory authority, in Finland to the Data Protection Ombudsman, in accordance with its instructions. The web-site of the Data Protection Ombudsman can be found here.
9. Changes to this Privacy Notice