INFORMATION NOTICE
EU General Data Protection Regulation (2016/679), Articles 13 and 14
Date of drafting: October 26th, 2018
Updated: 17.06.2019
Version: 1.2.
We may update or revise this Information Notice at any time, with any notice to you as may be required under applicable law.
1. Controller / Company
Orion Corporation (Company Identification Number: 1999212-6) Orionintie 1 02200 Espoo Finland Tel. +358-10 4261
2. The person in charge / contact person
Contact person: Marja Jannula Orion Corporation Orionintie 1A 02200 Espoo Finland Tel. 010 426 2287 Email address: marja.jannula@orion.fi
Contact details of the Data Protection Officer:
e-mail: privacy@orion.fi
3. Name of the data file
Vendor register of Orion group
4. The purpose for processing the personal data / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data
The purpose for processing the personal data in this data file is to enable the controller to maintain and administer information about Orion group's vendors, vendor's representatives and vendor's contact persons in the SAP system. The information contained in this register is used for making purchase orders, recording of invoices and making payments. Additionally, the purpose for processing the personal data in this data file is to enable the payment of travel expenses of Orion group's personnel and reimbursement of expenses, payment of remunerations and participation fees for foreign doctors relating to different medical events / conferences.
The controller will not disclose the collected data for commercial purposes to third parties. The controller may share your information with third parties, such as those who assist us by performing technical operations such as data storage and hosting. The controller uses the SAP system, which is located on a server maintained by the service provider Atos. The controller may use outsourced service providers in its operations, such as audit services, for which purposes personal data is disclosed to service providers.
If ownership or control of Orion Corporation or of all or any part of our products, services or assets changes, we may disclose your personal data to any new owner, successor or assignee.
The legal basis for processing of the personal data is the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract or controller's legitimate interests to maintain and administer information and to pay and record invoices and other bills. We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest.
5. Content of the data file
The data file contains the following groups of data of vendors, vendor's representatives and contact persons as well as foreign doctors and Orion group's personnel.
- Name or the vendor's contact person's name and / or email address
- Doctor's name
- Address
- Telephone number
- Bank account details
- Vendor information
The content of this data file is restricted to what is necessary for the processing purposes and for the fulfilment of controller's obligations.
6. Source of information
Data collected by the controller's accounting department, purchase personnel and the employees of the controller's affiliates from the vendors and data subjects.
7. Destinations of disclosed data and whether the data is transferred to countries outside the European Union or the European Economic Area
The purchase department or persons who create purchase orders in the controller's affiliate located in India have access to the data of vendors, vendor's representatives and contact persons. Data is not otherwise transferred to countries outside of the European Union or the European Economic Area.
8. Protection of the transferred personal data
Personal data, which is transferred outside of the European Union or the European Economic Area, is protected by the signing of the Standard Contractual Clauses between the companies within the Orion group.
You can acquire more information by contacting the representative of the controller.
9. Retention period of the personal data
The controller stores the information for as long as necessary in order for the controller to satisfy legal or contractual obligations, industry self-regulation, or in order to establish, exercise or defend legal claims. The controller is obliged to store personal data and other materials necessary for accounting purposes in accordance with the accounting laws.
10. The principles how the data file is secured
A. Manual data file
The manual data shall be stored in an area with restricted access, available only for the authorized persons who need the data for performing their work.
B. Electronic information:
The information is accessible only by such company employees who need the information based on their role and only with a personal username and password. Only an authorized user of the data file can create new users and maintain user information. Technical maintenance of the SAP system is provided by Atos.
11. Right of access
The data subject shall have the right of access, after having supplied sufficient search criteria, to the data on himself/herself in the personal data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information of the sources of data in the file, on the uses for the data in the file and the destinations of disclosed data.
The data subject shall have the right to data portability, i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.
The data subject who wishes to have access to the data on himself/herself, as referred to above, shall make a request to this effect to the person in charge at controller by a personally signed or otherwise comparably verified document and by verifying his or her identity by attaching a copy of an official identification document.
12. Right to object to processing
In case the legal basis for processing the personal data is the legitimate interests of the controller, the data subject has the right to object to processing on grounds relating to his or her particular situation.
In case the data subject wishes to use its above-mentioned right, he or she shall make a request to this effect to the person in charge at the data controller by a personally signed or otherwise comparably verified document in writing to the local representative of the data controller named under section 2. hereinabove.
13. Rectification, restriction of processing and erasure
The data controller shall, on its own initiative or at the request of the data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
Under specific circumstances, the data subject shall have the right to obtain from the controller restriction of processing.
If the data controller refuses the request of the data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the individual may bring the matter to the attention of the Data Protection Ombudsman.
The controller shall undertake reasonable measures to notify the erasure to the controllers to whom the data has been disclosed and who are processing the data. However, there is no duty of notification if this is impossible or unreasonably difficult.
In case the data subject wishes to use its above-mentioned rights, he or she shall make a request to this effect to the local representative of the data controller named under section 2. hereof.
If you have concerns regarding Orion Corporation’s processing of your personal data, you have the right to make a complaint to the Data Protection Ombudsman, the Finnish supervisory authority for data protection issues (https://tietosuoja.fi/en/home). We would, however, appreciate the chance to deal with your concerns before you approach the supervisory authority, so please contact us in the first instance.