The customer and supplier register privacy statement of DIETA GROUP OY and its subsidiaries


Introduction
Dieta Group Oy and its subsidiaries (“Dieta”) consider it a priority to exercise the utmost care when processing your personal data. We process personal data to enable our effective operation as an organisation and to attend to our responsibilities as a supplier. The personal data are processed for administrative, legal, support, health and security purposes. We process your personal data in compliance with data protection legislation, the basic principles of the EU’s General Data Protection Regulation (GDPR) and good data management and processing practice, and we ensure that your privacy is not put at risk.
This privacy statement is not part of the customer agreement. We will update it if necessary.

In practice, this means that:
Processing customers’ personal data is regulated by the legislation on privacy protection. According to the legislation, the supplier may, for example, process only those personal data that are necessary for performing an agreement and/or managing the customer relationship and that are connected to the company’s business activities and/or to providing and/or selling its services/products.
We always comply with the basic principles of the GDPR when processing personal data:

  • Personal data shall be processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).
  • Personal data shall be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’).
  • Personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).
  • Personal data shall be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’).
  • Personal data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’).
  • Personal data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).

Why do we collect your personal data?
We process your personal data to be able to attend to our various obligations and statutory tasks as a supplier. The processing is based on the law, on an agreement, on our legitimate interest or on your consent. In addition to managing agreements and communications, we need your personal data for various other purposes, such as developing collaboration, providing services, quality monitoring, providing information on events, etc.
We collect personal data from our current and former customers and, in connection with events and the use of online services, from persons who consent to the processing of their data.


In practice, this means that:
The purposes for processing customers’ personal data include, but are not limited to, the following (the list covers processing based on the law and/or an agreement and/or legitimate interest and/or consent):

  • tasks related to services, orders and statistics
  • managing the services provided by the Dieta Group
  • managing participation in development programmes
  • managing training activities
  • examining feedback and complaints
  • managing claims and defects brought to our attention by customers
  • managing our obligations under customer agreements
  • managing IT and data communications systems, such as email, online negotiation or online survey systems and business directories
  • attending to the physical and IT security of our customers
  • logging, scanning, camera surveillance and access control within our business premises
  • managing audits and other similar matters and processes
  • generating data for our interest groups (e.g. Statistics Finland)


Which data do we collect?
Our registers include personal data on persons who have a customer or marketing relationship with Dieta. These persons include customers, partners, subcontractors, Dieta’s personnel, companies’ relevant contact persons, event participants and website visitors.

Personal data means all kinds of entries describing a person, or their characteristics or living conditions, that can be identified as attributable to them or their family. For data to be considered personal data within the meaning of the law, they must be recorded in a manual, machine-readable or electronic manner. Thus, for example, an employer’s hand-written notes concerning a meeting, data stored on a computer, data stored in the register of an access control device and data generated when using a phone are considered personal data. On the other hand, exclusively oral information is not considered personal data unless it is based on data stored in a register or derived from a register.
We collect, for example, the following personal data on you:

  • data related to individualising and identifying a person; for example, name and position/role
  • contact data, such as an address, an email address and a phone number
  • data related to customer relationship management
  • personal credit data (for certain tasks)
  • data required for fulfilling our legal obligations
  • data on the use of IT services and systems
  • data collected by surveillance and management systems

In practice, this means that:
We store the following data in the register:

  • a person’s basic data (e.g. name, date of birth, contact data, assignment)
  • customer relationship data (e.g. order history and communication)
  • data on agreement discussions
  • training data
  • project allocation data
  • data related to the deployment of products and services
  • data related to product and service use; for example, use and browsing data collected from our website and mobile services
  • log data concerning the use of visitor networks
  • our business premises’ access control data
  • our business premises’ camera surveillance data

How do we collect your personal data?
Primarily, we collect your personal data directly from you, either orally or in writing. We may collect the data ourselves or our partners may collect the data under our commission.
The data may also relate to or derive from your use of our services and systems; for example, we collect data when you use the services and software, including electronic communications, email and internet applications, that we provide to you.
The data may also be collected by the management and surveillance services that we use.
In addition, we collect data from registers kept by authorities, the credit data and payment default register and other reliable registers.
We may also use cookies (small text files saved on a device) on our website to ensure that our services operate as smoothly as possible.

In practice, this means that:
The company must primarily collect personal data from the customer, because this is the best way to allow the customer to find out which data are collected. If the company collects data from other sources, the company must acquire the customer’s consent and ensure that the consent covers the relevant purpose of processing.
Consent is not required when an authority discloses information to the company to enable the latter to fulfil a statutory duty, or when the company acquires personal credit data or information from the criminal record in order to establish a customer’s reliability. The customer’s credit data may be necessary for assignments in which the person has been given direct financial responsibility for their employer’s property, or when the business relationship to be established requires particular trust. The Criminal Records Act and Regulation state to whom criminal record data may be disclosed and the purposes for which they may be used.


Use of cookies
We use cookies (small text files saved on a device) to provide and develop our services. We also use cookies to provide individualised content and targeted advertising. Cookies enable us to, for example, provide more timely and individualised services by showing content based on the user’s interests. They also enable logging in and verification, saving personal settings and preferences, analysing the operation of our website and preventing fraud. Our online services collect, for example, the following data on your use of our website: your IP address, which links you use, which advertisements or other content you view, which website you visited prior to visiting our website, the time and date of browsing, your browser or device type and other similar data. Our website and services may contain third-party cookies.
We use both session cookies and persistent cookies. Session cookies exist only for the duration of a session, or a single visit, and they are automatically erased when the browser is closed. Persistent cookies exist for a predetermined period of time and remain stored on the computer after the session ends, unless you delete them before then.
Cookies do not damage your device or files.
You can control the use of cookies by changing your browser’s settings, for example. Further information about cookies can be found in the data protection or instruction documentation of each browser.

How do we process your personal data?
We process your personal data in compliance with the GDPR and in a manner that respects your rights and freedoms. We ensure that the data protection principles are complied with at every stage of personal data processing.

Your data are only processed by our employees or our partners’ employees who are authorised to process personal data. We ensure our personnel’s data security awareness and skills with ongoing training and up-to-date instructions.

Your personal data may be processed in various information systems that are controlled either by us or our partners.

In practice, this means that:
We and our partners have concluded valid data processing agreements (DPAs) that comply with the GDPR. In accordance with these agreements, our processors have provided us with sufficient guarantees that their personal data processing complies with the requirements of the GDPR.

In connection with personal data processing, we have implemented and verified appropriate technical and organisational measures for putting the data protection principles into practice. These technical and organisational measures are safeguards such as the training of personnel, orders and instructions given to the personnel, non-disclosure agreements, protection of premises, access control through self-monitoring, information system security, data encryption, data anonymisation and pseudonymisation, auditing, remote access connections, technical restrictions, inspection and monitoring systems, the data balance sheet process, and the implementation of codes of conduct and certifications.


To whom do we disclose your data?
We procure certain personal data processing services from our partners. We collaborate only with processors that comply with good personal data processing practice by implementing appropriate technical and organisational measures, meet the requirements of the GDPR and can ensure the realisation of your rights.
We have concluded written agreements with all of our partners. The agreements state the target and purpose of personal data processing as well as the types of personal data that are processed.
In addition, personal data are disclosed in connection with the following procedures: reports to insurance companies, statistical data to the ministry, other statutory disclosures, payment data to banks and for accounting purposes.
We generally process personal data within the EU and the EEA.

Do we disclose your personal data outside of the EU or the EEA?
We mainly process your personal data within the EU or the EEA. However, in certain extraordinary situations, such as in connection with international assignments or the use of some services, your personal data may have to be transferred outside of the EU or the EEA. In that case, we ensure that your personal data are protected adequately and as required by the legislation, for example, by implementing the standard contractual clauses approved by the European Commission.

How long do we retain your personal data?
The retention periods of personal data are based on the law and the GDPR. In compliance with our data protection plan and data protection principles, we do not store obsolete or unnecessary data.


Used information systems and data sources
Dieta uses an extensive system portfolio comprising a wide range of information systems that are maintained with the help of experts and partners and in compliance with the aforementioned terms.
We have prepared separate information system and data flow diagrams that describe the composition and logical outline of the systems and data flows in relation to the purpose of use. In addition, we maintain technical continuity plans for critical systems to ensure the quick recovery of operations in case of error conditions. We also rehearse the recovery measures with our partners.
The information system and data flow diagrams are maintained by the CIO in collaboration with experts and our partners. Please send further inquiries to tietosuojavastaava@dieta.fi.


Your right of access to your data
In compliance with the GDPR, you have the right to obtain a copy of the personal data that concerns you. There is no specified form for presenting the request. If necessary, we may ask you to provide further information to be able to confirm your identity.
If you present your request concerning this right electronically, we will provide the data in a commonly used electronic format. As a rule, we respond to requests free of charge, but under certain conditions we may charge you for the administrative costs caused by the requested procedure or refuse to perform the requested procedure.
As per the GDPR, the time limit for responding to your request is one month. If necessary, the prescribed time may be extended by two months considering the complexity and number of requests.

Your right to have data rectified and to be forgotten
With certain exceptions, the GDPR guarantees you the right to have your data rectified and the right to have your data erased or the so-called right to be forgotten.
You have the right to withdraw any consent on which the processing of your personal data is based. If you request the erasure of your data, we will erase your data from our systems unless there is a legal basis or obligation for processing the personal data.
If the data to be erased are held by a partner of ours, we will ask the partner to take similar measures.

Your right to transfer data from one system to another
In compliance with the GDPR, you have the right to transfer data from one system to another. In practice, you have the right to obtain the data concerning you in a commonly used transfer format and deliver them to another controller. This right can be exercised if the processing is based on consent or an agreement and the processing is carried out by automated means.

Your right to object to processing, automatic decision-making and profiling
You have the right to object to the processing of personal data concerning you unless the processing is based on legal obligations or it is necessary for the business operations.
You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.

Your right to be informed about a data breach concerning your personal data
We have a duty to notify personal data breaches directly to the data subjects whose data the breach concerns. This duty applies if the personal data breach is likely to result in a high risk to the rights and freedoms of an individual, in the form of, for example, identity theft, payment fraud or other criminal activity.

Who can you contact?
Please send inquiries and requests concerning the processing of your personal data primarily to the controller: tietosuojavastaava@dieta.fi.