Data protection
Privacy notice of the customer and stakeholder register
1. Controller
GRK Infra Oyj (business ID 0533768-1)
Address: Jaakonkatu 2, 01620 Vantaa
Phone: +358 10 321 4110
Email: tietosuoja@grk.fi
2. The name of the register
Customer and stakeholder register
3. Purposes and legal grounds for processing personal data
This privacy notice applies to all GRK Group companies, GRK Infra Oyj, GRK Suomi Oy, GRK Sverige AB and GRK Eesti AS (hereinafter referred to as “Controller” or “GRK”).
The controller processes the personal data of data subjects in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (2016/679) and national data protection legislation.
The controller processes personal data of representatives of organisational customers and consumer customers on the legal basis of Article 6 of the EU General Data Protection Regulation:
- Compliance with a legal obligation, such as the accounting and tax legislation applicable to each group company.
- The consent of the data subject when personal data is processed, for example to organise a catering service.
- The performance of pre-contractual measures by the controller at the request of the data subject (such as the processing of requests for proposals, contacts and orders from the data subject) and the performance of a contract between the data subject and the controller.
- The legitimate interest of the controller where there is a material connection between the data subject and the controller. Such a material connection arises, for example, where the data subject contacts the controller on his or her own initiative or where the controller processes the data subject’s personal data, for example, in the context of a business or cooperation between the data subject’s employer and the controller. In addition, the controller may, on the basis of legitimate interest, process personal data of potential customers and their contact persons and representatives who the controller can reasonably expect to be interested in acquiring the services or products offered by the controller.
The purposes of processing personal data are:
- Establishing, managing, maintaining and developing customer relations, customer service and other business relationships.
- Exercising the rights and obligations of the customer or other stakeholder and the controller.
- Customer communication.
- Detection, prevention and investigation of misconduct and crime.
- Processing personal data for purposes related to the controller’s products and services, such as the development, provision, delivery and marketing of products and services.
The data subject is not, as such, obliged to provide his or her personal data to the controller, although failure to do so may complicate the relationship between the controller and the data subject’s representative described above.
4. Categories of personal data processed
The register contains information on the following persons:
- The controller’s customers and potential customers, their representatives and contact persons. The controller’s customers are both organisations and individuals.
- The representatives and contact persons of other stakeholders.
The personal data processed include:
- Name
- E-mail address
- Phone number
- Company name, business ID, contact person and position
- Order information, contract and quote information, invoice and payment information
- Feedback and contact details
- Customer and relationship-based information, such as contact history, feedback and follow-up data
- Additional information provided by the data subject
As a general rule, the controller will not process sensitive personal data revealing, for example, information about the data subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, sex life or sexual orientation (Article 9 of the EU General Data Protection Regulation). As an exception to this, the controller may, with the explicit consent of the data subject, collect and process information on the data subject’s food allergies in connection with the registration for an event. The data collected in relation to food allergies may be indicative of the health or religious beliefs of the data subject. The processing of food allergy data is necessary in order to provide safe and appropriate food and beverages to event participants.
5. Regular sources of personal data
Personal data are mainly collected directly from the data subject when dealing with the controller, when sending requests for contact, when concluding contracts, when dealing in person, or in the context of any other cooperative relationship by electronic means or by telephone.
Information may also be obtained from publicly available sources (such as company websites, social media and business registers) or from a representative of the data subject’s employer or other party with whom the data controller has a customer, business, cooperation or contractual relationship.
In addition, information on companies is checked in the registers of Suomen Asiakastieto Oy or similar registers, and these reports may also contain information on representatives of companies.
6. Disclosure and transfer of personal data
For the technical implementation of its services, the controller uses trusted service providers who process personal data on behalf of the controller under a data processing agreement between the controller and each service provider, as required by applicable data protection legislation. The service providers shall process the personal data under the responsibility of the controller in accordance with the data processing agreement and the controller’s documented instructions.
By separate consent with the data subject on a case-by-case basis, the controller may also disclose personal data to another controller or a third party. Personal data may also be disclosed where required by law or where required by mandatory legal provisions.
In addition, in individual cases, the contact details of the data subject may be disclosed to partners of the controller, for example when the controller organises a joint customer event or training with a partner, provided that the conditions of data protection legislation are met. The partner in question is responsible for the processing of personal data on its own behalf.
Personal data may be transferred and processed by companies belonging to the same group as the controller on the basis of their legitimate interest for internal administrative reasons, such as sales, marketing, invoicing, internal reporting and business development.
In principle, personal data will not be transferred outside the European Union or the European Economic Area. However, personal data may be transferred outside the European Union or the European Economic Area if this is necessary for the operation and maintenance of the information systems. Any transfer of personal data will always be carried out in accordance with the applicable data protection legislation.
7. Retention of personal data
The controller will process and retain the data only for as long as required by law or as necessary for the predefined purposes for which the personal data are collected. For example, the Accounting Act requires that documents are retained for 6 years. Personal data that have become redundant and that the controller no longer has a purpose or obligation to retain or process will be deleted at regular periods in accordance with the controller’s own data protection policy. The controller may also process personal data for as long as necessary for the establishment, exercise or defence of legal claims.
8. Protection and security of personal data
The controller has provided its employees and service providers with binding written instructions and provisions on the processing of personal data and data protection, which they have undertaken to comply with.
The security of information systems is adequately ensured, including through encryption and other technical safeguards.
We regularly review our personal data processing activities and the systems and devices used in them, including assessing the risks inherent in our personal data processing activities, for example when new technologies are introduced.
9. Automated processing of personal data and profiling
The controller does not use automated decision-making, such as automated profiling, as part of its personal data processing activities.
10. Rights of the data subject
The data subject has the following rights under the EU General Data Protection Regulation:
Right | Description |
Right of access to personal data | The data subject has the right to obtain confirmation from the controller that personal data concerning him or her are or are not being processed. If personal data are processed, the data subject has the right of access. |
Right to request rectification, erasure or restriction of processing | The data subject has the right to request the controller to rectify inaccurate data concerning him or her and to erase any personal data concerning him or her on the grounds provided by law. The data subject’s right to erasure does not apply to data for which processing is necessary for compliance with a legal requirement or for the establishment, exercise or defence of legal claims. Some personal data processed by the controller are subject to a legal retention obligation and the controller cannot therefore erase such data before the expiry of the legal retention period. |
Right to object | The data subject has the right to object to the processing of his or her personal data on grounds relating to his or her particular situation, where the controller processes the personal data on the basis of a legitimate interest. |
Right to data portability | The data subject has the right to receive personal data concerning him or her which he or she has provided to the controller in a commonly used and machine-readable format and the right to transmit such data to another controller without the controller’s interference, where the processing is based on consent or on a contract and the processing is carried out automatically. The data subject shall have the right to obtain the transfer of personal data directly from one controller to another, where technically possible. |
Right to file a complaint to the supervisory authority | Without prejudice to any other administrative or judicial remedy, the data subject shall have the right to submit a complaint to a supervisory authority, in particular in the Member State where he or she has his or her habitual residence or place of work or where the alleged breach has occurred, if he or she considers that the processing of personal data concerning him or her infringes the GDPR. In Finland, the supervisory authority is the Office of the Data Protection Ombudsman, whose contact details and instructions can be found at www.tietosuoja.fi. |
Exercising the rights
The data subject may exercise his or her rights by contacting the controller’s representative using the contact details provided in section 1. The controller will endeavour to respond to the request as soon as possible and, if necessary, provide further instructions or ask further questions about the request.
Before executing the request, the controller has the right and the obligation to verify the identity of the person making the request, which is why the controller must be able to identify the person making the request in an appropriate manner.
If the request is clearly unjustified or unreasonable, the controller may either charge a reasonable fee based on administrative costs for carrying out the requested action or refuse to carry out the requested action.
11. Further information
For further information on the processing of personal data, please contact us using the contact details provided in section 1 of this privacy notice.
The controller may update this privacy notice from time to time. This privacy notice was last updated on 16 May 2024.