General Data Protection Regulation (2016/679), Articles 13 and 14
Date of drafting: 7.12.2015, Last update: 26.10.2018, 11.03.2019, 7.4.2021
We may update or revise this Information Notice at any time, with any notice to you as may be required under applicable law.
1. Controller / Company
Orion Corporation (Company Identification Number: 1999212-6)
Tel. 010 4261
2. The person in charge / contact person
Polaris strategic procurement system (SaaS –solution from Corcentric, Inc.)
Head of Purchasing, Indirect, Carolina Sved
Orion Corporation, Orionintie 1A, 02200 Espoo, Finland
Tel. 010 426 4953
Supplier contact information files
Category manager, Indirect, Susanna Virtanen-Kari
Orion Corporation, Tengströminkatu 8, 20360 Turku, Finland
Tel. 010 426 7237
Contact details of the Data Protection Officer: e-mail: firstname.lastname@example.org
3. Name of the data file
Polaris strategic procurement system (SaaS –solution from Corcentric, Inc.) and other Supplier contact information files
4. The purpose for processing the personal data / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data
The purpose for processing the personal data in these data files is to enable Orion Corporation to maintain and administer the relationship with its suppliers, prospective suppliers and external consultants with whom Orion Corporation is collaborating.
The controller will not disclose the collected data for commercial purposes.
We may share your information with third parties who assist us by performing technical operations such as data storage and hosting. The controller uses Polaris strategic procurement system for the management of its supplier relationships. The system is technically maintained by a service provider called Corcentric, Inc. for which purposes personal data is disclosed to Corcentric, Inc.
If ownership or control of Orion Corporation or all or any part of our products, services or assets changes, we may disclose your personal data to any new owner, successor or assignee.
The legal basis for processing of the personal data is the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract or the legitimate interests of the controller or a third party / maintenance and management of supplier, prospective supplier and external consultant relationships. We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest.
5. Content of the data file
The data files contain the following groups of data of suppliers’ and potential suppliers’ representatives, external consultants, as well as Orion’s personnel: name, work telephone numbers and addresses, e-mail addresses, possibly role at the supplier company, notes of communication with such persons.
6. Source of information
Data subjects themselves and/or suppliers’ other personnel provide the information or enter the information in the database and data is also collected by Orion´s contact persons.
7. Transfers of personal data to countries outside the European Union or the European Economic Area
Personal data from the register is transferred to countries of the European Union or the European Economic Area, as well as to the following other countries: India and the United Kingdom, where the level of data protection may not be deemed adequate by the European Commission.
8. Protection of the transferred personal data
The personal data being transferred outside of the European Union or the European Economic Area is protected by the signing of the Standard Contractual Clauses by the controller and the recipient(s). For more information, please contact the person responsible for the register.
9. Retention period of the personal data
The data files are periodically updated to include only data which is relevant for the purpose. Controller stores the information for as long as necessary in order for the controller to satisfy legal or contractual obligations, industry self-regulation, or in order to establish, exercise or defend legal claims.
10. The principles how the data file is secured
In Polaris strategic procurement system data file the location of Customer Data shall be in AWS European Economic Area (EEA) in following locations: Frankfurt (AWS eu-central-1), Ireland (AWS eu-west-1), and/or London (AWS eu-west-2). The location of Customer Data may be changed from time to time within EEA by Corcentric, Inc´s reasonable discretion. A European hosting provider recognized in the industry as having security standards in accordance with the industry standard will host in EEA upon such a move. Technical maintenance of the Polaris strategic procurement system is provided by Corcentric, Inc.
In other supplier contact information files, the contact information is available either internally at Orion Corporation´s Intranet or in shared databases with suppliers. In the latter case, contact information of particular supplier is only shared between that particular supplier and Orion.
Technical data protection is being used and the entered information is available only for the authorized persons. Authorizations are granted according to business needs.
11. Right of access and right to data portability
The data subject shall have the right of access, after having supplied sufficient search criteria, to the data on himself/herself in the personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information on the sources of the data, on the uses for the data in the file, and the destinations of disclosed data.
The data subject shall have the right to data portability, i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.
The data subject who wishes to use its above-mentioned rights, shall make a request to this effect to the person in charge at controller by a personally signed or otherwise comparably verified document and by verifying his or her identity by attaching a copy of an official identification document.
12. Right to object to processing
In case the legal basis for processing the personal data is the legitimate interests of the controller, the data subject has the right to object to processing on grounds relating to his or her particular situation.
In case the data subject wishes to use its above-mentioned right, he or she shall make a request to this effect to the person in charge at the data controller by a personally signed or otherwise comparably verified document in writing to the representative of the data controller named under section 2. hereinabove.
13. Rectification, restriction of processing and erasure
A controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
Under specific circumstances, the data subject has the right to obtain from the controller restriction of processing of his or her personal data.
If the controller refuses the request of the data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.
The controller shall undertake reasonable measures to notify the erasure to the controllers to whom the data has been disclosed and who are processing the data. However, there is no duty of notification if this is impossible or unreasonably difficult.
Requests for the above uses of data subject’s rights shall be made by contacting the representative of the controller named under section 2 hereof.