Promeco Vendor Contact Data Protection Description

EU GDPR Compliant version
Effective Date: 3 May 2018

Data Controllers:

  1. Promeco Group Oy (FI21752500)
    Address: Mettälänkatu 91, (P.O.Box 116), 38700 Kankaanpää, Finland
    Telephone: +358 (0) 207 595 200
  2. Promeco Oy (FI18640129)
    Address: Mettälänkatu 91, (P.O.Box 116), 38700 Kankaanpää, Finland
    Telephone: +358 (0) 207 595 200
  3. VM-Group Oy (FI07851860)
    Address: Dynamotie 4 S (P.O.Box 227), 65320 Vaasa
    Telephone +358 (0) 207 681 500

Contact Person in Matters Related to Data File:

Veikko Lahtinen (ICT Manager)
firstname.lastname@promeco.fi
Mailing address and telephone number as above.

Data File Name:

Promeco Vendor Contact Data Protection Description (PRO1-1021027536-18)

Legal Basis for the Processing and Purposes of Use of the Personal Data:

Processing of personal data (“Contact Data”) is generally based on legitimate interest of the data controllers. Based on defined purposes of uses of Contact Data and relationship between data controllers and Contact Data subjects, the primary legitimate interest of the data controllers is the possibility to conduct justified and legitimate business according to applicable legislation.

Secondarily, for certain data subjects, the processing of Contact Data is based on direct or indirect contractual relationship between data subjects and data controllers.

Purposes of use:

1)     Business development and reporting;
2)     Quality management;
3)     Research and development of Promeco Group (Promeco Oy and its affiliated companies) IT infrastructure;
4)     Purchasing activities;
5)     Inventory management and activities;
6)     Manufacturing of products;
7)     Delivery of products;
8)     Vendor and subcontractor management (incl. access to Promeco Group digital channels and as appropriate to Promeco Group IT systems and products);
9)     Invoicing, taxation and related financial transactions; and
10)  Ensuring the integrity of Promeco Group business environment and processes (incl. eventual non-continuous system monitoring for the prevention or inspection of misuse as the case may require).

Data Subjects

Any natural persons representing vendor companies of Promeco Group.

Data Content

First name;
Last name;
Salutation;
Title;
Company (employer);
Job role;
Street Address;
Postal Code;
City;
State;
Country;
Contact Method;
Telephone number;
Mobile phone number;
Telephone extension;
Fax number;
Email address;
Miscellaneous business information (free text field);
Personal identification number (for some vendors only and only in certain countries: Spain, Portugal and U.S.)
Indicator of access to Promeco Group digital platforms;
Last data processing activity (time stamp);
Cookie consent;
Data request date (if any);

Regular Sources of Data:

Vendor contact persons themselves, other persons representing the vendor companies of the Promeco Group, employees and other persons working for or representing Promeco Group.

Regular Disclosures of Data and Transfer of Data to Countries Outside EU and/or EEA:

Contact Data are not disclosed (to another controller for independent use unless required by the law such as to authorities) regularly except within companies of Promeco Group and even then at all times in accordance with applicable laws.

Contact Data are transferred outside EU and/or EEA (incl. Switzerland) only as allowed by and in accordance with applicable laws. In case of absence of EU Commission adequacy decisions, EU Commission standard contractual clauses (of type controller to processor, EU Commission decision C(2010)593) are used as appropriate or suitable safeguards for these data transfers. Copies of the standard contractual clauses will be available through the contact details mentioned above. Furthermore, if EU Commission adequacy decisions are applicable we may rely on them.

If Contact Data is transferred to external data processors (subcontractors or vendors), appropriate contractual arrangements (including EU Commission standard contractual clauses, as applicable), as required by the applicable laws, are executed to secure lawful and appropriate processing of personal data.

Contact Data can be transferred to following countries for processing:
o Finland
o Poland

Security Principles of Data File:

Contact Data is protected by technical and organisational measures against accidental and/or unlawful access, alteration, destruction or other processing including unauthorized disclosure and transfer of Contact Data.

Such measures include but are not necessarily limited to proper firewall arrangements, appropriate encryption of telecommunication and messages as well as use of secure and monitored equipment and server rooms. Data security is of special concern when third parties (e.g. data processing subcontractors) providing and implementing IT systems and services are retained.

Data security requirements are duly observed in IT system access management and monitoring of access to IT systems. Access to personal data is available only in the internal networks of Promeco Group. Personnel processing personal data as part of their tasks is trained and properly instructed in data protection and data security matters.

Right to Object Data Processing:

In accordance with the law the data subject has at any time the right to:

Object the processing of Contact Data for the purposes of direct marketing, market research and opinion polls; and
On grounds relating to his or her particular situation, object the processing of his/her Contact Data when lawfulness of processing is based on legitimate interest of the data controllers.

In order to use these rights, the data subject shall contact the above mentioned contact persons in writing (incl. e-mail). However, the request may be declined where allowed or required under the law.

Other Rights of Data Subject:

In accordance with the law the data subject has at any time the right to:

  1. Access the Contact Data on him/her and at request, receive a copy of the Contact Data and related supplementary information concerning Contact Data processing as required by the law;
  2. Request, provided that the purposes of data processing allow
    a) Inaccurate Contact Data to be rectified;
    b) Incomplete Contact Data to be supplemented; and
    c) Outdated or obsolete Contact Data to be erased.
  3. Be forgotten by us, if:
    a) Contact Data are no longer necessary in relation to the purposes of data processing;
    b) The data subject has objected to the data processing pursuant to reason explained above in point 2 of the section “Right to Object Data Processing” and there are no overriding legitimate grounds for the data processing;
    c) The data subject has objected to the data processing pursuant to reason explained above in point 1 of the section “Right to Object Data Processing”; or
    d) The Contact Data have been unlawfully processed by us;
  4. Restrict the processing of the Contact Data on him/her if:
    a) Data subject contests the accuracy of the Contact Data;
    b)The processing is unlawful and the data subject opposes the erasure of the Contact Data and requests the restriction instead;
    c) The data controllers no longer need the Contact Data for the purposes of uses, but Contact Data are required by the data subject for the establishment, exercise or defense of legal claims; or
    d) Data subject has objected to processing pursuant to reason explained above in point 2 of the section “Right to Object Data Processing” and pending the verification whether the legitimate interests of the data controller override those of the data subject;
  5. Receive the Contact Data concerning him or her, which he or she has provided to data controllers, in a structured, commonly used and machine-readable format and have the right to transmit those data to other data controller when the processing is necessary for performance of a contract where the data subject is involved; or
  6. Lodge a complaint with a supervisory authority (Finnish Data Protection Ombudsman);

In order to use these rights, the data subject shall contact the above mentioned contact persons in writing (incl. e-mail). However, the request may be declined where allowed or required under the law.

Retention Period of the Contact Data:

Generally, to the extent permitted by applicable laws and regulations, data controllers retain Contact Data at most ten (10) years after the last business activity where the data subject has been involved. Additionally, as the case may require, data controllers may have to extend Contact Data retention on the grounds of establishment, exercise or defense of legal claims or execution of our internal investigations. This retention period is justified due to data controllers’ obligations or needs related to e.g. product and service warranties, product liability statutes as well as burdens of proofs in possible litigation situations.

Provision of Contact Data:

It is not statutory for the data subject to provide the Contact Data but certain Contact Data is required to execute or enter into a business activity (such as business contract) with Promeco Group. Lack of or failure to provide Contact Data prevents or may prevent the business activity (such as business contract) as the case may be.