Data protection notice, procurement
11 August 2021
Data protection notice, VR Group Procurement
Partners’ contact persons
VR-Group Ltd (hereinafter referred to as “VR”)
Business ID 1003521-5
PO Box 488
FI-00101 Helsinki, Finland
tel. +358 307 10
2. Data protection officer and contact information
VR Group's Data Protection Officer: Lasse Toivonen
VR Group Procurement data protection contact: Elli Niskanen
Data and contact requests: [email protected]
3. Purpose of the processing of personal data
Data about the contact persons of VR’s partners, partners’ subcontractors and designated professionals is processed for the following purposes:
- Preparation, processing and archiving of contracts and purchase orders
- Managing collaboration and related contact requests
- Collaboration statistics, reporting and planning
- Securing of the quality and responsibility of VR's partners and their subcontractors and the products and services they supply
The processing of data about the contact persons of VR’s partners, partners’ subcontractors and designated professionals is based on:
A contract: We process personal data of the contact persons of VR’s partners, partners’ subcontractors and designated professionals to put into effect a contract to which the partner is a party.
A legal obligation: We process the customer’s personal data in order to fulfil our statutory obligations, for example in accordance with the obligations imposed on the procurement documents.
A legitimate interest: The processing of the personal data of a partner’s contact person may be based on the legitimate interest of the data controller when the data are used to manage and develop the customer relationship or to prevent and investigate irregularities.
4. Sources of data
VR collects procurement-related information through procurement contracts, purchasing systems, supplier management systems and databases, contact person databases, contract databases, supplier registration forms, public or commercial sources of information and surveys evaluating the performance of suppliers. Data about partners’ contact persons are collected from a company acting as a partner or from the persons themselves.
5. Data subjects and the personal data groups
Data subjects: Contact persons of VR’s partners, partners’ subcontractors and designated professionals
- Partners’ and partners’ subcontractors’ basic information, such as Company name, Business ID, address, invoicing details
- The partners’ and partners subcontractors’ contact information, such as first name, surname, e-mail address, telephone number and address
6. Recipients of personal data
We use external actors to support the processing of personal data, including the maintenance and development of IT systems. These service providers process personal data commissioned by us and on our behalf. The data processing is in compliance with the current legislation and is always carried out in accordance with this data protection notice. This is ensured, for instance, through agreements between the various organisations.
Without statutory grounds, we will not disclose customer data to parties outside VR or parties other than those participating in the production of VR’s services.
7. Transferring or handing over data outside the EU or EEA areas
Personal data will not be disclosed outside the EU or the European Economic Area or outside countries which the European Commission considers to have an adequate level of data protection, unless the adequate level of data protection has been ensured by means of contracts or in another manner required by law.
8. The data retention period or the definition criteria for the retention period
In data retention, the controller follows its statutory obligations. The practices of the retention of the personal data of partners, partners’ subcontractors and designated professionals depend on the grounds for the processing of the data, unless the removal is to be agreed in accordance with point 9. In general, we follow the data retention periods presented here:
- Contracts and personal data contained in contracts: Retention period is ten (10) years from the termination of the contract
- Tender documents and personal data contained in documents: Retention period is ten (10) years from the termination of the contract
- Personal data contained in potential suppliers register: Retention period is five (5) years from registration as potential supplier
- In other cases where the personal data of partners and partners subcontractors is processed: Personal data is preserved in contact person database for the length of the contractual relationship or if there is other contractual need related to the relationship with the partner.
9. Rights of the data subjects
As a partner’s contact person, you have the right to access your personal data processed by VR. You can exercise your rights by contacting VR at: [email protected]
You will receive a response to your request no later than one month after sending the request. Below, we have listed the general rights of data subjects:
1. Right to access data
A data subject shall have the right to receive confirmation regarding whether their data have been processed by VR and to receive a copy of their personal data.
2. Right to rectification
A data subject shall have the right to request that VR rectify inaccurate or incorrect data regarding the data subject. The incorrect nature of data is to be decided on a case-by-case basis by resolving whether the data are incorrect from the viewpoint of the processing thereof (unnecessary, incomplete, outdated).
3. Right to erasure ('right to be forgotten')
A data subject shall have the right to request that VR erase the data subject’s personal data. The requests will be processed on a case-by-case basis and data that VR has a legal obligation or right to store will not be erased.
4. Right to restriction of processing
Data subjects shall have the right in certain special situations stipulated by a decree to request the restriction of the processing of their personal data.
5. Right to object
A data subject shall have the right to object to the processing of their personal data if the processing is based on the controller’s legitimate interest or if the personal data are processed for direct marketing purposes.
6. Right to data portability
A data subject shall have the right to request their personal data in machine-readable file format. This right concerns data that are in electronic format and the processing of which is based on consent or a contract.
7. Right to withdraw consent
In situations in which the processing of the data subject’s personal data is based on consent, the data subject shall have the right to withdraw their consent. Once the consent has been withdrawn, the consent-based processing in question will be discontinued.
8. Right to lodge a complaint with an authority
We seek to resolve any disputes primarily directly with data subjects. If a customer finds that we have not processed personal data as stipulated by law, the customer may lodge a complaint with a data protection authority.
10. Principles of data protection
The data security of VR’s personal data and its confidentiality, integrity and accessibility is ensured with appropriate technical and organizational measures in accordance with VR’s data security principles. Personal data is protected against unauthorized access and illegal or accidental processing. Personal data is processed only by persons specifically appointed by VR to such tasks. We train and provide guidance to our employees in matters related to data protection.