Chemigate Oy privacy notice
This privacy notice explains how and why we process the personal data of our customers and stakeholders and their employees.
Person responsible for register matters
Chief Financial Officer
+358 40 1835254
Purposes and legal criteria for processing personal data
Customers and contractual partners
The main purpose of processing our customers’ personal data is to supply Chemigate Oy’s products to our customers and for marketing purposes. Employees of our customers or contractors act as agents for their employers, and the processing of their personal data is based on a contract between the companies, their role in our business relationships and our legitimate interest in the conduct of business.
Another use is for marketing and related purposes, such as the delivery of our customer newsletter and various gifts and courtesies. Our customers’ employees act as agents for their employers, and the processing of their personal data is based on their role with their employer and our legitimate interest in the conduct of business and the direct marketing that goes with it.
You can read about the right to object and other rights of natural persons in the section “Rights of data subjects” below.
Only the information provided to us by customers and contractual partners will be processed. These include:
- Basic information about individuals, such as their name and contact details in relation to their role with their employer. Data subject to privacy and confidentiality are only processed if they are provided to us by our customers’ representatives. However, in principle we do not need such information and it should not be provided to us.
- Employment relationship information relating to the person’s employer, for whom he/she is a representative. These may include the job description and various documents and communications related to orders and deliveries.
We may also be bound by contractual obligations, such as the confidentiality of personal data provided to us. We will not disclose any of our customer information outside the company unless specifically agreed. We are also guided by our legal responsibilities and tax authorities’ instructions on accounting and invoicing, for example.
The data of job applicants are processed for the purpose of establishing an employment contract. If there are no vacancies or if the application is to be kept in case of a vacancy, the processing is based on the applicant’s own consent. After a selection is made, received applications will only be processed as long as the consent given is valid. This will be asked at the job application stage on a case-by-case basis, but applications will not be kept for more than two years.
All personal data are collected directly from the employee and, where we obtain data from elsewhere, explicit consent is obtained for these uses on a case-by-case basis.
Website visitor data are mainly used to enable the website to function, and these data are not retained after the visit.
If consent is given, the data are transferred to Google, whose Analytics tool is used to perform a statistical analysis. Due to the nature of Google’s international activities, data may also be processed outside the EU. The transfer will be based on the standard contractual clauses between us and Google, as approved by the Commission, and our assessment of the impact of the transfers on individuals.
For visitor statistics, information is collected on the user’s terminal device, network address (IP address) and the software used and its versions. This information allows us to identify and count the different users who visit our site, what information is requested from the site and how the site’s services are used. The purpose of this is to record the number of visitors to the page, for example for marketing campaign effectiveness studies. At the same time, we learn what information is most often searched for on our site and use this information to improve the structure of the site so that users can easily find what they are looking for. The data are kept for 26 months.
Google may collect information and target advertising based on the cookie data collected on our website. Google may therefore target advertising at visitors to our website based on their visit, depending on how they share information about themselves with Google. However, we will not disclose any information you submit to us through the site to any other third party.
We do not associate information obtained from the website with any other information collected about individuals.
Camera surveillance is carried out in our factory areas to control factory production, and to ensure safety at work and on our property. This information is kept for about two weeks to a month, depending on the application. When you visit our sites, images and video footage of your visit may be stored in our systems.
The accumulation of footage is very case-specific and depends on the area you have visited. This will be further specified on location, or you can find out more about it, if you wish, either at the time of your visit or afterwards using the contact details on this notice.
Regular data sources and storage
The data source for all processing is always the data subject or the data subject’s employer, who has a contractual relationship with us.
Unless otherwise specified in the notice, the data will only be kept for the duration of the contractual relationship or for marketing purposes, as long as there is no objection to the processing of the data. If the personal data are relevant for accounting purposes (for example, as accounting records of orders or deliveries), the data are kept for 10 years after the end of the contractual relationship.
Regular data disclosures
No information about our customers, contractors or job applicants will be passed on. The subcontractors we use are always bound by personal data processing agreements to respect confidentiality and to process our personal data only for the purposes we specify.
Transfer of data outside the EU/EEA
The personal data described above may be transferred to Microsoft, whose email and information system environment we use, as part of production management. Due to the nature of Microsoft’s international activities, data may also be processed outside the EU. The transfer will be based on the standard contractual clauses between us and Microsoft, as approved by the Commission, and our assessment of the impact of the transfers on individuals.
Rights of data subjects
A data subject has rights in relation to the personal data we hold. For routine customer service issues, such as changes to contact and billing information, delivery status enquiries and billing enquiries, you can contact us through the contact details on the Contact Us page or your contract contact person.
For more extensive information requests, you can contact us through the contact details on this notice. As a general rule, the rights can be used once per calendar year free of charge. Natural persons have the following rights:
a) Right of access to personal data
Interested parties have the right to access the personal data we hold about them. However, the right of access may need to be limited due to legal requirements, contractual obligations and the privacy of others. If access is restricted, we will always inform you of this when we reply.
b) Right to the correction of information
Interested parties have the right to request the correction of incorrect or incomplete information.
c) Right to the erasure of information
Interested parties have the right to request the erasure of their information. For example, the erasure of data can be done in the following cases:
- You withdraw consent and there are no other grounds for the processing.
- You object to the processing and there are no other grounds for continuing the processing.
d) Right to the restriction of processing
Data subjects have the right to restrict the processing of their personal data on the basis of Article 18 of the GDPR. This means, for example, cases where there are doubts about the accuracy or lawfulness of the processing of personal data.
e) Right to object
Data subjects have the right to object to the processing of their data if we process it on the basis of our legitimate interest or the public interest.
f) Right to data portability
The data subject has the right to receive the personal data provided in machine-readable form. This right applies to personal data that have been processed automatically on the basis of a contract or consent. The right to data portability does not apply to professional contact data processed in business-to-business relationships where the processing is not based on the data subject’s consent or on a contract to which the data subject is a party.
g) Right to withdraw consent
The data subject has the right to withdraw his or her consent at any time, without prejudice to the lawfulness of the processing carried out before its withdrawal, if the processing is based on consent.
h) Right to lodge a complaint with a supervisory authority
Data subjects have the right to lodge a complaint with a supervisory authority if they suspect that their personal data are being used inappropriately or unlawfully. However, we hope that you will contact us in the first instance in case of doubt, so that we can rectify the situation more quickly.
Principles for the protection of the register
Measures to ensure information security and data protection include:
Measures to make information more accessible and usable aim to ensure that relevant information is available when it is needed. These include ensuring systems are up and running, backups, backup personnel systems and the proper archiving of information.
Data integrity is ensured through system checks and controls. The security measures and guidance aim to prevent errors and omissions in the processing of data.
Organisational and technical measures are taken to ensure the confidentiality of data. Organisational tools include confidentiality agreements, defined operational processes, our quality system, guidelines and staff training. Technical means include virus and malware filtering, the encryption of communications, strong authentication, network and terminal security and encryption, locking and monitoring of premises and secure destruction of paperwork.
Contact details of the supervisory authority
Every data subject has the right to lodge a complaint about the processing of personal data with a supervisory authority if he/she feels that personal data are not being processed fairly.
Office of the Data Protection Ombudsman
Visiting address: Ratapihantie 9, 6th floor, 00520 Helsinki
Postal address: P.O. Box 800, 00521 Helsinki
Switchboard: +358 29 56 66700
Fax: +358 29 56 66735