Privacy Statement: Concerning Partners
DESCRIPTION OF THE PROCESSING OF PARTNERS PERSONAL DATA
1 BACKGROUND
This document describes how Oy Matkahuolto Ab (hereinafter “Matkahuolto”) processes the personal data of its partners’ representatives and provides a framework for the conditions and extent to which Matkahuolto’s staff and the parties involved in data processing may process the personal data of the representatives of Matkahuolto’s partners, ensuring that the legal requirements for the protection of the personal data and privacy of the data subjects, i.e. the representatives, are met and that the data subjects’ rights are not violated.
This document applies, where applicable, to processing the personal data of the representatives of potential partners, unless otherwise stated below.
We strive to process personal data with the utmost care. The carefulness of processing is reflected in the technical and organisational arrangements in place: access to personal data is limited on a need-to-know basis to those persons whose duties require them to have access to the processed data. In connection with the transfer of data, adequate conditions for the protection of personal data and the exercise of the data subjects’ rights will be ensured through agreements on the processing of personal data
2 CONTROLLER AND CONTACT DETAILS FOR REGISTRATION MATTERS
Controller
Oy Matkahuolto Ab
Business identity code: 0111393-9
Kaivokatu 10 A, P.O. Box 100, 00101 Helsinki, Finland
Telephone: +358 (0)20 710 5000
tietosuoja@matkahuolto.fi
3 STARTING POINTS FOR THE PROCESSING OF PARTNERS’ PERSONAL DATA
All processing of the personal data of our partners’ representatives is subject to the provisions of the EU General Data Protection Regulation (2016/679, hereinafter “GDPR”), which is applicable as a general law. Applicable legal provisions are also contained in the Act on the Protection of Privacy in Electronic Communications (917/2014).
In accordance with the data minimisation principle of the GDPR, Matkahuolto processes the personal data of its partners’ representatives only to the extent deemed necessary for the purpose of the processing. The applicable legislation sets out the conditions under which information about our partners’ representatives can or should be processed. This document describes the processing of the personal data of the representatives of the following Matkahuolto partners:
Carriers: Matkahuolto provides various services to carriers, such as selling carrier bus tickets, maintaining ticketing and payment systems and managing freight transportation rights.
Agents: Agents are independent companies or outlets of chain partners that provide parcel and/or travel services on behalf of Matkahuolto.
Service points: Service points are independent companies or outlets of chain partners that provide parcel services on behalf of Matkahuolto.
Chain partners: Chain partners or their individual outlets can act as agents, service points or travel card top-up points.
Other partners: Matkahuolto’s other partners include a wide range of service and goods suppliers, such as transport subcontractors, system service providers, cleaning, maintenance and security service providers, occupational health service providers, legal service providers, and financial and marketing partners. Other contractual partners, such as lessors and lessees, are also considered other partners.
Under the GDPR, there must always be a legal basis for the processing of personal data. The processing of the personal data of our partners’ representatives is mainly based on the following criteria for the processing of personal data:
Legitimate interest of Matkahuolto or a third party (such as current or future business partners, suppliers and customers). Examples of legitimate interests include, in particular:
Exercising the rights and obligations under the agreement between Matkahuolto and its partner, i.e. the company represented by the partner’s representative, or performing measures preceding the conclusion of an agreement
Developing the business of Matkahuolto and ensuring its continuity
Ensuring the security of facilities, information and data networks, preventing and investigating various types of misuse, and ensuring the legal safeguards of Matkahuolto; and
Ensuring the safety of Matkahuolto and the persons on the premises of Matkahuolto, as well as the protection of property.
Legislation binding on Matkahuolto.
The processing of personal data must be based on at least one of the above-mentioned legal grounds for processing for the entire period of processing, from the collection of the data to its deletion or anonymisation.
4 CATEGORIES OF PARTNERS’ PERSONAL DATA PROCESSED BY MATKAHUOLTO AND PURPOSES OF PROCESSING
Matkahuolto processes the following personal data that is of direct relevance to the cooperative relationship between the partner and Matkahuolto, in connection with the maintenance of the cooperative relationship and the performance of the rights and obligations of the parties. In addition, Matkahuolto processes the personal data of the representatives of potential partners in order to provide Matkahuolto services to the companies they represent. The personal data processed can be grouped as follows:
Basic data, such as
first and last name
title
employer’s details
btelephone number
usiness ID
email address
Information related to the cooperation relationship and performance of tasks, such as
the the access rights, user IDs and passwords to Matkahuolto’s electronic systems and registers granted to the representative
completion data for online courses provided by Matkahuolto
Information related to training, communication and contacts, such as
registration and participation information for Matkahuolto trainings and other events
responses to Matkahuolto surveys
other information related to communication
Data collected through technical monitoring, such as
log data collected on the use of Matkahuolto systems
information on camera surveillance and camera surveillance recordings
In addition, Matkahuolto may process information on changes to the above listed data types.
Purpose of the processing | Categories of data processing |
---|---|
Maintaining and managing the partnership Carriers: Provision and production of services, contract management, invoicing, management of access rights to systems, other contacts required by the cooperation relationship Agents: Procurement of services, contract management, payment of fees, management of access rights to systems, other contacts required by the cooperation relationship Service points: Procurement of services, management of contracts, settlement of fees, invoicing, management of system access rights, other contacts required by the cooperation relationship Chain partners: Procurement of services, management of contracts, settlement of fees, invoicing, management of system access rights, other contacts required by the cooperation relationship Other partners: Procurement of products and services, contract management, other contacts required by the cooperation relationship | Basic data, information related to the cooperation relationship and performance of tasks, information related to communication and contacts |
Communication and events Carriers: Communication, including newsletters, conducting surveys, organising events Agents: Communication, including agent bulletins and shows of appreciation Other partners: Communication, including shows of appreciation | Basic data, information related to communication |
Management and implementation of online courses All partners: Organising online courses, recording and verifying performance data as needed | Basic data, information related to the cooperation relationship and performance of tasks |
Canvassing new customers All partners: Selling and marketing services to potential partners, establishing new cooperation relationships | Basic data, information related to communication |
Implementing legal obligations All partners: Meeting the legal obligations of Matkahuolto, based on, for example, accounting legislation requirements, requests for information by authorities, or other requirements | Basic data, information related to the cooperation relationship and performance of tasks, communication and contacts, information related to communication and contacts, data collected through technical monitoring |
Protection of Matkahuolto’s property and legal rights All partners: ensuring compliance with the guidelines, investigating and resolving suspected misconduct, responding to legal claims, ensuring public order and safety, and investigating crimes, damage and accidents | Basic data, information related to the cooperation relationship and performance of tasks, communication and contacts, information related to communication and contacts, data collected through technical monitoring |
5 REGULAR SOURCES OF DATA
The personal data of the representatives of Matkahuolto’s partners is primarily collected from the representatives themselves and/or the partner they represent. In addition, personal data is collected, for example, from the systems that store data processed in the register and from other approved sources, such as public authorities or public sources, to the extent permitted by applicable legislation.
6 TRANSFER AND DISCLOSURE OF PERSONAL DATA
Matkahuolto may transfer the personal data of the representatives of its partners to third parties for the purposes described in this document as explained below. When transferring personal data to an entity that processes them on behalf of Matkahuolto (i.e. the processor), Matkahuolto has ensured, for example through contractual arrangements, that the personal data is processed only in accordance with the written instructions issued by Matkahuolto and only for the purposes specified in this document, and that access to personal data is limited to those persons who have a legitimate need to access the personal data in relation to their tasks.
Processors of personal data: Matkahuolto may transfer personal data to processors for the purpose of providing services or performing tasks that Matkahuolto has assigned to them. The tasks of personal data processors relate, for example, to the provision of property security services, the provision and maintenance of information systems and software, and the provision of other data processing services.
Matkahuolto discloses personal data to the extent permitted and required by applicable law, for example, to public authorities. The personal data of a partner’s representative will also be disclosed to the partner in question.
No personal data will be transferred outside the European Union or the European Economic Area.
7 STORAGE PERIOD OF PERSONAL DATA
Matkahuolto, or the processor to whom Matkahuolto has delegated the processing of personal data, shall retain the personal data of the partners’ representatives in accordance with applicable legislation for only as long as the retention of data is deemed necessary to achieve the purpose of the processing of personal data. When Matkahuolto no longer needs the personal data for the purposes defined in this document, the data will be deleted from the information systems and other files of Matkahuolto and the processor, or irrevocably anonymised.
We determine the storage periods of personal data according to the following criteria:
The retention of the personal data of a partner’s representative is often deemed necessary at least for the duration of the contractual relationship between Matkahuolto and the partner. However, the partner may at any time notify Matkahuolto of a change or departure of the representative, in which case unnecessary data will be deleted.
Matkahuolto complies with the statutory storage obligations for personal data. For example, the Accounting Act (1336/1997) requires Matkahuolto to retain the personal data contained in the accounting material for ten years after the end of the financial year during which the partner was paid for tickets or parcels sold or Matkahuolto paid for services provided by the partner.
With regard to the personal data of the representatives of the partners who are not subject to the above-mentioned retention periods, Matkahuolto assesses the need for retention annually as part of its internal audit practices.
8 PERSONAL DATA PROTECTION
Matkahuolto ensures the security of the personal data of the partners’ representatives and their protection against external data breaches with passwords and other technical security measures. The databases and their backups are located in locked rooms. Access rights are limited to those persons to whom access to the information contained in the register is deemed necessary for the purposes of processing the register or otherwise for the performance of their duties.
9 RIGHTS OF DATA SUBJECTS
9.1 Right of inspection
Data subjects, i.e. the representatives of Matkahuolto’s partners, have the right under Article 15 of the GDPR to inspect what data relating to them are processed by Matkahuolto as the data controller. The inspection right ensures the transparency of the processing of personal data, and by exercising this right, the partner’s representative can be sure that the information in the register is correct and up-to-date. Under the right of inspection, the partner’s representative is entitled to see the data processed by Matkahuolto about them, and to receive copies of the data upon request.
A request for the verification of data must be addressed to the person in charge of registration matters referred to in section 2 of this document.
Upon receipt of a request for the right of inspection, Matkahuolto shall, pursuant to Article 12 of the GDPR, provide the partner’s representative, without undue delay or no later than one month after receiving the request, with information on the measures taken in response to the request for inspection. If necessary, Matkahuolto may extend the time limit by up to two months, taking into account the complexity and number of requests. Matkahuolto will inform the partner’s representative of any such extension within one month of receipt of the request, together with the reasons for the delay.
Matkahuolto will provide the information requested by the partner’s representative in writing or, where appropriate, in electronic form. If the partner’s representative so requests, the information may also be provided orally, provided that the identity of the partner’s representative has been confirmed. If the partner’s representative submits the request electronically, Matkahuolto will provide the information electronically where possible, unless the partner’s representative requests otherwise.
9.2 Right to rectify incorrect information
Pursuant to Article 16 of the GDPR, the partner’s representative has the right to request rectification of the data if they have checked the data or otherwise found them to be inaccurate.
A request for the rectification of data must be addressed to the person in charge of registration matters referred to in section 2 of this document. Upon receipt of a request for rectification, Matkahuolto shall, pursuant to Article 12 of the GDPR, provide the partner’s representative, without undue delay or no later than one month after receiving the request, with information on the measures taken in response to the request. If necessary, Matkahuolto may extend the time limit by up to two months, taking into account the complexity and number of requests. Matkahuolto will inform the partner’s representative of any such extension within one month of receipt of the request, together with the reasons for the delay.
9.3 Right to erasure
Pursuant to Article 17 of the GDPR, the representative of a partner has the right to request, at any time, that Matkahuolto erase the personal data processed by Matkahuolto, and Matkahuolto has the obligation to erase this data if there is no longer a legal basis for processing it. The right of a partner’s representative to erasure does not apply to data whose processing is deemed necessary for compliance with a legal requirement or for the establishment, exercise or defence of legal claims. Some personal data processed by Matkahuolto is subject to a legally binding data retention obligation, and therefore Matkahuolto cannot erase such data before the expiry of the legal retention period.
A request for the erasure of data must be addressed to the person in charge of registration matters referred to in section 2 of this document. Upon receipt of a request for erasure, Matkahuolto shall, pursuant to Article 12 of the GDPR, provide the partner’s representative, without undue delay or no later than one month after receiving the request, with information on the measures taken in response to the request. If necessary, Matkahuolto may extend the time limit by up to two months, taking into account the complexity and number of requests. Matkahuolto will inform the partner’s representative of any such extension within one month of receipt of the request, together with the reasons for the delay.
If Matkahuolto cannot comply with the request of a partner’s representative for a justified reason, Matkahuolto will provide the partner’s representative with a written justification as to why the representative’s request cannot be complied with.
9.4 Other rights of the data subject
In certain statutory cases defined in Article 18 of the GDPR, the partner’s representative may have the right to demand that Matkahuolto limit the processing of their personal data.
The partner’s representative may also have the right to object to the processing of their personal data in certain situations where the processing is based on a legitimate interest of Matkahuolto or a third party, and Matkahuolto is obliged to comply with the request of the partner’s representative, unless there are substantial and legitimate grounds which override the interests, rights and freedoms of the partner’s representative or if the processing is deemed necessary for the establishment, exercise or defence of legal claims.
To exercise the above rights, the partner’s representative must contact the contact person referred to in section 2 of this document.
Additionally, the partner’s representative has the right to lodge a complaint concerning the processing of personal data by Matkahuolto with the data protection authority. In Finland, complaints are submitted to the Data Protection Ombudsman in accordance with the instructions provided by the Data Protection Ombudsman. You can access the Data Protection Ombudsman’s website here.