Information notice

Sections 10 and 24 of the Personal Data Act (523/1999)          

Date of drafting: 20 October 2017

1. Controller / Company

Orion Corporation (Company Identification Number: 1999212-6)
Orionintie 1, 02200 Espoo, Finland
Tel. +358 10 4261

2. The person in charge / Contact person

Associate Global Brand Manager Saara Heikari Orion Corporation
Orionintie 1A, 02200 Espoo, Finland
Tel. 358 10 426 3944

3. Name of the data file

Orion product website information data file

4. The purpose for processing the personal data / the purpose for the use of the data file / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data

The collected data will be used to the following purposes

- To manage the access/password requests to the website
- To identify the persons requesting access as healthcare professionals
- To inform users of password expirations or changes
- To manage feedback and contact requests from
- To inform visitors about webinars or other educational training events if the visitor has given their consent for it

The legal basis for processing of the personal data is consent of the data subject (EU General Data Protection Regulation Article 6.1.a).

5. Content of the data file

The following personal data is collected in the data file:
- Name
- Country
- Occupational e-mail address
- Occupation
- Employer and employer’s address
- Possible question or contact request from the data subject

6. Sources of information 

Information is only received from the data subject. 

7. Retention period of the personal data

The personal data shall be retained only for the period necessary to fulfil the purposes outlined in this description of the file unless a longer retention period is required or permitted by law, or until the data subject requests it to be removed.

8. The principles how the data file is secured

The data file is located on a web server protected with personal username and password. The server is protected technically and physically in a way that third party individuals cannot gain access to it. The access to the data file shall be granted only to those Orion employees involved in the management of the data file. Using the data file requires a personal Orion e-mail account. Access (both reader and maintenance) can be gained only through special request

9. Right of access and realization of the right of access

The data subject shall have the right of access to the data on himself/herself in the data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information of the regular sources of data in the file, on the uses for the data in the file and the regular destinations of data.

The data subject who wishes to have access to the data on himself/herself, as referred to above, shall make a request to this effect to the person in charge at Orion Corporation by a personally signed or otherwise comparably verified document.

10. Right to withdraw consent

The data subject has the right to withdraw the consent he/she has given for the processing of his/her personal data. Data subject shall make a request to this effect to the contact person at Orion Corporation named under section 2.  by a personally signed or otherwise comparably verified document in writing. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

11. Rectification, restriction of processing and erasure

A controller shall, on its own initiative or at the request of the registered data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.

The data subject shall have the right to obtain from the controller restriction of processing, in case the data subject has contested the accuracy of the processed personal data, if the data subject has claimed that the processing is unlawful and the data subject has opposed the erasure of the personal data and has requested the restriction of their use instead; if the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims; or if the data subject has objected to processing pursuant to the EU General Data Protection Regulation pending the verification whether the legitimate grounds of the controller override those of the data subject.  Where processing has been restricted based on the above grounds, the data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.

If the data controller refuses the request of the data subject of the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.

The data controller shall notify the rectification to the recipients to whom the data have been disclosed and to the source of the erroneous personal data. However, there is no duty of notification if this is impossible or unreasonably difficult.

Requests for rectification shall be made by contacting the representative of the data controller named under section 2.