Last updated 21 April 2023

Dispelix Oy respects your privacy and is committed to protecting your personal data. This privacy notice will inform you as to how we collect, process, and share your personal data when you act as a representative of our business customer or supplier, or as a potential business contact or otherwise communicate or interact with us. In addition, this privacy notice will tell you about your data protection rights.


1. WHO IS DATA CONTROLLER?


The data controller for the processing described in this notice is: Dispelix Oy (‘Dispelix’)

If you have questions regarding this privacy notice, please contact us by email at email hidden; JavaScript is required.

If you visit our website, please read our privacy notice for websites and cookies.


2. DATA WE COLLECT AND HOW WE COLLECT IT


In the following, we will tell you which types of personal data we may collect about you and how we collect it. In section 3, you will find a table which explains the purposes for which we process your personal data and the lawful basis we rely on.

We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:

(A) Identity Data include name, date of birth, photo identification and social security number;

(B) Contact Data include email, telephone number and address;

(C) Company Data include the name of the organisation you represent and your role in the organisation;

(D) Transaction Data include billing information and purchases or orders made by you or by Dispelix from your organisation and details of agreements we have entered into;

(E) Communication Data include information on recent communication between Dispelix and you and your participation in surveys and competitions and reasons for your contacting Dispelix;

(F) Marketing Data include your preferences in receiving marketing from us and our partners as well as your communication preferences;

(G) CCTV Data includes video recordings from Dispelix premises.

(H) Notifications Data include information included in whistleblowing notifications.

(I) Sanctions Data include information included in international sanctions lists regarding restriction or suspension of economic or commercial relations, or other areas.

In most situations the information is collected directly from you in connection with our business relationship. We may also receive information from publicly available sources and third parties, such as marketing companies.


3. THE PURPOSES AND THE LAWFUL BASIS


We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

(i) Where we need to comply with a legal obligation cf. Article 6(1)(e) GDPR.

(ii) Where you have provided your consent cf. Article 6(1)(a) GDPR or Article 9(2)(a) GDPR.

(iii) Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests cf. Article 6(1)(f) GDPR.

(iv) We may process information on your social security number when required by law or when we have a lawful basis identified in (ii), (iii) or (iv). We may disclose your social security number when it is of decisive importance for unique identification or when the disclosure is demanded by a public authority cf. Section 29 of the Data Protection Act.

In the table below we describe all the purposes for which we will use your personal data, and the legal basis on which we process your personal data. Where appropriate, we have also identified our legitimate interests are.

Purpose/Activity

Type of data

Lawful basis for processing including basis of legitimate interest

To provide and deliver products to business customers and to manage and perform contracts:

  • To register a new customer
  • To allow you to purchase our products and services
  • To manage and collect payments for our products and services
  • To communicate with you and to provide customer service and support, including administration of complaints
  • Generally, to comply with our obligations and exercise our rights under agreements entered into with your organisation

(A) Identity

(B) Contact

(D) Transaction

Processing is necessary for our legitimate interests to conduct business.

Processing is necessary to comply with a legal obligation (bookkeeping, accounting and tax laws).

To buy products and services from suppliers

  • To negotiate contracts with the supplier
  • To communicate with you

(A) Identity

(B) Contact

(C) Company

(D) Transaction

(E) Communication

Processing is necessary for our legitimate interests to conduct business.

To carry out marketing activities

  • Dispelix may use your personal data for marketing purposes and to promote its products.
  • Marketing may include profiling leads to provide different segments with relevant marketing.
  • Dispelix may also provide you with an opportunity to participate in competitions and surveys

(A) Identity

(B) Contact

(C) Company

(D) Transaction

(E) Communication

(F) Marketing

Processing is necessary for our legitimate interests to send you relevant marketing.

To send you newsletters or other marketing

(A) Identity

(B) Contact

(C) Company

(D) Transaction

(E) Communication

(F) Marketing

Processing is necessary for our legitimate interest to send you relevant marketing.

Receiving and processing notifications made in the whistleblowing channel

(H) Notifications

Processing is necessary to comply with a legal obligation (whistleblowing act).

To analyse and improve our business procedures and practices

(A) Identity

(B) Contact

(C) Company

(D) Transaction

Processing is necessary for our legitimate interest to analyse and improve our business, including our products and services.

To host visitors at our premises

(A) Identity

(B) Contact

(C) Company

Processing is necessary for our legitimate interests to protect the business secrets of Dispelix and our customers.

Background checks

  • Dispelix may carry out background checks on you verifying certain information that you have provided to Dispelix.
  • Dispelix may also check whether you are listed in international sanctions lists.
  • Dispelix may also request the Finnish Security and Intelligence Service to carry out Security Clearances on you.

(A) Identity

(B) Contact

(I) Sanctions Data

Your consent

CCTV

(G) CCTV

Processing is necessary for our legitimate interests to ensure safety for our employees and customers and for crime prevention and detection purposes.

To the extent that we have referred to our legitimate interest as the legal basis for the processing of personal data specified above, we have conducted a balancing test for those interests to ensure that our interest is not overridden by your interests or fundamental rights and freedoms. If you wish to receive more information on the balancing test, please contact us using the contact information provided under section 1 of this privacy notice.


4. SHARING OF DATA COLLECTED


We may disclose personal data to third parties:

  • To public authorities such as health authorities, tax authorities, and law enforcement authorities when required by law.
  • To any person or entity that acquires all or substantially all of our business, stock or assets, or with whom we merge.
  • When it is necessary for the purposes listed in section 3.
  • When we in good faith believe that disclosure is necessary to establish or exercise our legal rights or defend against legal claims, protect your safety or the safety of others, investigate fraud, or respond to a government request.

We also share data, including personal data, with our trusted third-party service providers that process your data on our behalf and under our instruction. Such services include, e.g., IT services, marketing and analytics services, customer service, whistleblowing channel services, payment processing, analytics, and other services necessary for the purposes listed in section 3. These third-party service providers may have access to or process your personal data for the purpose of providing these services for us. We do not permit our third-party service providers to use the personal data that we share with them for any other purpose than in connection with the services they provide to us. We have entered into data processing agreements with our data processors.


5. TRANSFERS TO THIRD COUNTRIES


We will not transfer your personal data to recipients outside the EU or EEA unless we have ensured compliance with Chapter V of the GDPR.

Dispelix operates in international environment. Therefore, your personal data may be transferred outside the EEA. However, to ensure that your personal data receive an adequate level of protection, we have ascertained that sufficient safety measures have been implemented to allow for the transfer, including where the European Commission have deemed the country to provide an adequate level of protection for personal data, or by use of specific contracts approved by the European Commission (Standard Contractual Clauses) which give personal data essentially equivalent protection as it has in the EEA.

If you require further information about our data processors established outside the EEA and the safety measures in place to allow for the transfer of personal data, you can request it from us by sending your request to us using the contact information provided under section 1 of this privacy notice.


6. DATA RETENTION


We retain the personal data we collect where we have an ongoing legitimate need or obligation to do so. Personal data regarding business customers and suppliers will be retained during the business relationship and after that as long as necessary. When we have no ongoing legitimate need to process your personal data, we will either delete or anonymise them.

Identity, Contact and Transaction Data is saved to demonstrate the agreement we have/have had and for bookkeeping and tax purposes for 6 full fiscal years after the expiry of the year in which the transaction relates.

Profile and Marketing Data will be retained for up to three years after the latest use.

CCTV Data will be retained for of 12 months from the collection of data.

Data may be retained for longer period if we are legally obliged to do so or if retention is necessary to establish, exercise or defend legal claims.


7. HOW TO EXERCISE YOUR DATA PROTECTION RIGHTS


You have certain choices available to you when it comes to your personal information. Below is a summary of those choices, how to exercise them and any limitations.

Under certain circumstances, you have the following rights:

  • Right to request access to your personal data. This enables you to receive a copy of the personal data we hold about you and to check that we are processing data lawfully.
  • Right to request rectification of the personal data that we hold about you. This enables you to have any incomplete or inaccurate data we hold about you corrected. Please note that the law may prohibit that we delete entries in certain cases, for example medical records.
  • Right to request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us to continue processing it.
  • Right to object to processing of your personal data where we are relying on our legitimate interest (or that of a third party) as a legal basis for processing and there is something about your particular situation which makes you want to object to processing. You also have the right to object where we are processing your personal data for direct marketing purposes.
  • Right to request the restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish accuracy of the data or the reason for processing the data.
  • Right to request that we transmit your personal data to another party (also known as data portability).
  • Where our processing is solely based on your specific consent, the right to with-draw your consent at any time. Such withdrawal will not affect the lawfulness of processing based on consent before its withdrawal.

If you wish to exercise any of the data protection rights that are available to you, please send your request to us using the contact information provided under section 1 of this privacy notice and we will action your request in accordance with applicable data protection laws.

You have the right to complain to your local data protection authority if you are unhappy with our data protection practices. You can lodge a complaint with the Office of the Data Protection Ombudsman at https://tietosuoja.fi/en/notification-to-the-data-protection-ombudsman.


8. CHANGES TO THIS PRIVACY NOTICE


This privacy notice may be updated from time to time to reflect changing legal, regulatory, or operational requirements. We encourage you to periodically consult our website for the latest information on our privacy practices.

If there are any material changes to this privacy notice, and you are a registered customer you will be notified by email prior to the change becoming effective.