Port of Oulu Ltd Privacy Policy

Port of Oulu Ltd (later ”Port of Oulu”) processes personal data in compliance with data protection legislation as well as good data management and processing practices.

Our data protection practices may change as we develop our services or as legislation changes. Up-to-date information on our practices is provided on this website.

The Port of Oulu considers it important that personal data is processed confidentially and appropriately.

The Port of Oulu is committed to protecting the privacy of its customers, partners and employees. This Privacy Policy describes how the Port of Oulu collects and processes the personal data that it collects as controller, and describes the rights of data subjects and the measures taken to protect personal data.

This Privacy Policy concerns all of the information systems, online services, websites and other services of the Port of Oulu that are used to collect and process personal data.

The use of the Port of Oulu website constitutes acceptance of this Privacy Policy.

Information about the controller:

Port of Oulu Ltd
PL 23 (Poikkimaantie 16)
90015 City of Oulu
www.ouluport.com
Business ID: 2578908-7

Data Protection Officer:

Päivi Vähänikkilä-Kuronen
Port of Oulu Ltd
PL 23 (Poikkimaantie 16)
90015 City of Oulu
www.ouluport.com

What is personal data?

Personal data means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, either directly or indirectly, in particular by reference to an identifier such as name, personal identity number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

The Port of Oulu collects and processes personal information. In addition to personal data, we also collect and process “non-personal data”. This refers to information collected about the use of Port of Oulu services that does not enable identification of individual persons or anonymised information.

Definitions

The concepts used in this Privacy Policy are subject to the following definitions:

  • Controller” refers to the party which, alone or jointly with others, determines the purposes and means of the processing of personal data.
  • “Personal data” means any information relating to an identified or identifiable natural person.
  • The expressions “to process” and “processing” mean anything that is done with personal data by means of automated data processing or manually, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
  • “Processor of personal data” refers to a person or party that processes personal data on behalf of the controller.
  • Sensitive information” means personal data that reveals a person’s race or ethnicity, political opinions, religious or philosophical beliefs or trade union membership, and genetic and biometric data that may unambiguously reveal a person’s identity, health information or the sexual behaviour or sexual orientation of a natural person.
  • Data “anonymisation” means removing the identifiability of personal data so that it can no longer be attributed to a specific individual.
  • “Port of Oulu area” refers to both the land and water area of the Port of Oulu.

What data is processed by the Port of Oulu?

The following information is processed by the Port of Oulu:

Information that you provide directly:

  • information that you provide via the website
  • information related to invoicing, contracts and other business operations with us
  • information in job applications
  • information related to feedback
  • information collected for the user authentication of information systems

Information collected directly:

  • name, email address, phone number, postal address
  • sex, language, occupation or rank
  • information related to employment is collected from personnel
  • information related to user accounts: user ID, encrypted password
  • any consent given, messages sent
  • reported areas of interest
  • information related to facility lease and parking space rental agreements: information on contract, payment methods,
  • billing addresses
  • work-related information provided: name and contact details of company/employer, other information related to the employment relationship
  • other information collected based on explicit and voluntary consent provided in advance (including public social media profiles)
  • other information collected based on your consent.

Information collected in connection with the use of our websites, information systems, the PORT OULU Smarter. data platform or other services provided by us:

  • processing of contact requests and related communications from other potential sources (such as the website of the company you represent) that can be linked to your personal data.
  • the processing of job applications and information related to the application
  • monitoring and measuring of the use of our websites: browser, operating system, device model, browsing and search data, IP address, time of establishment and duration of connection
  • location data (including GPS coordinates or corresponding position data)
  • information collected on the Port Oulu Smarter. data platform in connection with digital services provided and maintained by the Port of Oulu (such as location and position data, measurement data, surveillance data)
  • still and video footage of persons and vehicles moving in the Port of Oulu area
  • vehicle register plate information (register numbers) and/or RFID vehicle tag information, video information and contact information of the holder of the registration certificate of the vehicle and/or employer. The information is obtained from the person/company to whom permit is granted by filling in the online form on the Port’s website, by phone or in other situations (e.g. Port security training sessions) where the individual/company provides the information. To obtain an access pass, the applicant must submit the necessary information which is entered in the system maintained by the Port of Oulu at any given time, and
  • cookies.

We may also collect information from public registers maintained by the authorities.

For processing payments, we use a third party whose website is subject to the terms and conditions of the service provider in question.

We do not collect personal data or any other Sensitive information about underaged children, unless the underaged person in question is an employee or trainee in a firm operating in the Port of Oulu or within the port safety area, in which case information that is required by law is recorded.

The legal basis for processing personal data

The processing of personal data is based on legislation, contract, the person’s consent and the legitimate interest of the Port of Oulu.

The processing of personal data by the Port of Oulu is based on one or more of the following legal grounds:

  • We have received advance consent (in writing, orally or online) for processing of personal data.
  • Processing is necessary in connection with a contract established with the Port of Oulu (contractual need).
  • Processing is in our legitimate interest due to reasons related to managing, carrying out or promoting our business operations (legitimate interests).
  • Processing is necessary to comply with the controller’s legal obligations: According to EU regulation on enhancing ship and port facility security (EC No 725/2004), EU directive on enhancing port security (2005/65/EC) and Act on Security Measures on certain Ships and in Ports serving them and on monitoring the Security Measures (11 June 2004/485), the port operator must be aware of the vehicles/persons moving in controlled security areas.
  • Other grounds based on legislation.

You have the right to withdraw your consent for the processing of your personal data (see Contact details, cancellation and erasure requests).

The Port of Oulu does not process Sensitive data.

The purpose of processing personal data

The collection of personal data is related to the use of the Port of Oulu’s online services, invoicing and information systems.

We use the information that we collect from you for the following purposes, among others:

  • for providing services, marketing communications
  • for providing information by post, phone or internet
  • for electronic communication: e-mail and newsletter
  • for measuring the total number of visitors on our website
  • for conducting certain measurements concerning our services
  • for detecting, investigating and preventing illegal activity; upon request, we may submit your data to law enforcement authorities based on legal grounds. We may disclose your personal data to other parties by order of a competent court.
  • location and measurement data is used for real-time logistics tracking, digital service development and regional planning
  • the purpose of camera surveillance is to guarantee security in the port area, and CCTV surveillance is part of the Port of Oulu security system.
  • access control is used to manage vehicle access passes in security areas controlled by the Port of Oulu. The purpose of access control is to manage and maintain access passes that are based on automatic register plate detection and granted to Port of Oulu staff and stakeholders for accessing port and ISPS areas controlled by the Port of Oulu. The software is also used to maintain and manage identifiers associated with access rights of vehicles and individuals.

Service development and anonymised reporting

We may process your personal data in order to improve our current services and to develop new ones.

We use anonymised data for reporting purposes. Anonymised data cannot be used to identify individuals and can therefore be classified as non-personal data. We may also disclose anonymised data to our collaboration partners.

Retention period for personal data

Personal data are only retained for as long as they are needed to fulfil the purpose of the processing of personal data as defined in this Privacy Policy, subject to limitations imposed by legislation.

Due to obligations imposed by applicable legislation, the data retention period may have to be extended from that mentioned above.

From the time of recording, video recordings are only stored for as long as necessary, after which they are deleted. Due to obligations imposed by applicable legislation or in individual cases, recordings may have to be retained for longer than the period mentioned above, e.g. upon authorities’ request or to help solve crimes.

Disclosure of personal data

  • We do not disclose personal data to third parties. Non-personal data or anonymised data may be disclosed to third parties.
  • We may disclose your personal data to processors and authorised external suppliers who process the data on our behalf in accordance with applicable legislation. Their processing of the data is restricted by contracts.
  • Personal data may be disclosed to companies that carry out services such as customer satisfaction surveys and analysis of the results on our behalf in compliance with applicable legislation.
  • As a rule, we do not transfer personal data outside the EU or EEA member states. If personal data is transferred outside the EU or the EEA, we will ensure the adequate level of protection for personal data, for instance, by agreeing on matters related to the confidentiality of personal data and its processing as required by legislation on data protection; for example, by using model contract clauses approved by the European Commission, and in other ways so that personal data is processed in accordance with this privacy policy.
  • We may disclose information in the event that doing so is necessary to comply with requests based on legislation, to solve or prevent crimes or fraud, in connection with mergers or corporate acquisitions, or to protect our interests.

Personal data protection measures – data security

We comply with the obligation of due diligence as required by legislation on the protection of personal data, and the systems that contain personal data are appropriately protected. As a controller, we ensure the confidentiality, integrity, availability and resilience of data with the help of technical and organisational measures and procedures.

Ensuring access control and observance of the rights and obligations of the processor in the processing of personal data are integral parts of data protection. Personal data is only processed by authorised individuals. These protections include firewalls, access control and monitoring, as well as personal IDs and passwords.

Printed information that is recorded and processed manually and that may contain your personal data is stored in locked facilities. Only separately authorised employees or authorised third parties have access to such facilities or the right to process this type of information.

Use of cookies

We use cookies or similar technologies on our website. We collect cookie-based data about users for the purpose of website analytics. This cookie-based data may include operations carried out on the website, website visits or information about the devices used by the user. Cookies are user-specific, but users cannot be identified based on them. Users can control the use of cookies through the settings of their own browser and delete their browser’s cookies.

The aim of using cookies is to develop our website to make it more user-friendly and to provide new services in the future. The services that we use include services provided by Google and social media services (such as Facebook, Instagram, Twitter, LinkedIn). Read more about our cookie policy.

Your rights – actions that you can take in regard to the processing of your personal data

You have the right to

  • access and check the information about you
  • demand that incorrect or inaccurate information is corrected or erased
  • transfer of data
  • restrict the processing of your personal data
  • revoke you consent
  • prohibit marketing
  • ask your personal data to be erased and
  • right to submit a complaint to the supervisory authority.

Third party websites

Certain functions on our website are provided by third parties and thus subject to the data protection practices of third parties.

Our websites and services include functions that enable content to be shared on social media, such as Facebook’s “Share” button. Such functions are directly provided by external service providers (Facebook, Twitter, Instagram, LinkedIn).

Policy for implementing the rights of data subjects

  1. The purpose of the guidelines

The purpose of these guidelines is to the define the main principles according to which the Port of Oulu operates in the event of requests to access or erase data.

The guidelines are binding to all Port of Oulu employees and elected officials.

The aim of the guidelines concerning access to and erasure of personal data is to ensure adherence with valid legislation and best practices at the Port of Oulu.

  1. Legislation and guidelines

The Port of Oulu complies with applicable legislation and internal guidelines in implementing data subjects’ rights. The implementation of data subjects’ rights is governed, among others, by the following decrees, which have been taken into account in drawing up the guidelines:

  • Data Protection Act, 5.12.2018/1050
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (i.e. General Data Protection Regulation (GDPR)

In addition, the following internal policies and guidelines concerning the implementation of data subjects’ rights:

  • Port of Oulu data protection guidelines

The Port of Oulu updates the guidelines and processes as needed in the event of any changes to the regulations.

  1. Guidelines concerning requests to access to and erasure of personal data

Requests to access to data, contact information, requests for cancellation and erasure of data

Everyone has the right to access and inspect the information about themselves recorded in a register. In matters related to data protection, your personal data and cancellation of newsletters, invitations to events and marketing communications, please contact our customer services:

Tel. +358 44 703 2753
Email: portoffice@nullouluport.com

Based on the request, our Data Protection Officer will assess the applicant’s right to access the data. If the request is justified, the Data Protection Officer is responsible for the collection and transmission of data to the data subject. The Data Protection Officer is responsible for documenting the access requests submitted.

The controller submits an answer to the client within the time stipulated by the GDPR (as a rule, within one month).

Rectification of data

Data subjects have the right to demand the rectification of any inaccurate and incorrect personal data by the controller without undue delay. In the case of a clear and simple error (such as phone number, email address) and if there is no reasonable doubt as to the correctness of the rectified information, the Port of Oulu will rectify the incorrect information and make a note of the information that has been rectified and of the register concerned. Information on the rectification, the person who made the request and the person who made the rectification will be stored. In unclear cases, the person receiving the request may contact the Data Protection Officer.

Right to submit a complaint to the supervisory authority.

Data subjects have the right to submit a complaint to the supervisory authority if they believe that applicable laws have been violated by the processing of their personal data.

Removal of personal data

Right to erasure of data

Data subjects have the right to ask the controller to erase all data concerning them without undue delay provided that one of the conditions defined in legislation is met. Requests to erase personal data should be addressed in writing to the Port of Oulu Data Protection Officer.

The measures following the erasure of personal data are assessed on a case-by-case basis by the Data Protection Officer. The Data Protection Officer makes sure that the process is implemented according to law.

Erasure of unnecessary data

The Port of Oulu takes all reasonable measures to ensure that personal data that is inaccurate or erroneous in view of the purpose of processing is erased or rectified without delay. Personal data is stored in such a form that the data subject is only identifiable as long as is necessary for the purposes of data processing. The necessity of erasure of data is evaluated separately for each piece of data.

The staff of Port of Oulu, together with the Data Protection Officer, are responsible for the appropriate erasure of data.

Restricting the processing of personal data

Data subjects have the right to request that the processing of personal data is restricted provided that one of the conditions defined in legislation is met. Requests to restrict the processing of personal data should be addressed in writing to the Port of Oulu Data Protection Officer.

The measures following the restriction of processing of personal data are assessed on a case-by-case basis by the Data Protection Officer. The Data Protection Officer makes sure that the process is implemented according to law.

Notification of rectifications, erasures and restrictions of processing of personal data

The controller informs each recipient of personal data of any rectifications, erasures or restrictions of processing of personal data unless this proves unfeasible or requires undue effort.

Right to transfer of data

The data subjects have the right to receive the personal data they have provided to the controller in a structured, commonly used and machine-readable format, and the right to transfer that data to another controller provided that the conditions set in legislation are met. When data subjects use their right to transfer data from one system to another they have the right to have their personal data transferred directly from one controller to another if technically feasible. Requests concerning transfer of personal data should be submitted in writing to the Data Protection Officer.

The measures following the transfer of personal data are assessed on a case-by-case basis by the Data Protection Officer. The Data Protection Officer makes sure that the process is implemented according to law.

Right to refuse processing

The data subjects have the right to refuse processing of their personal data for purposes such as direct marketing, market research and opinion polls.

 

  1. Implementation and compliance with obligations

All employees are obliged to comply with the internally agreed regulations of the Port of Oulu. In order to make this happen, line managers are responsible for the implementation of internal regulations.

The implementation includes all the measures that are necessary in terms of communication of internal rules and practical implementation. The implementation of internal rules is mainly carried out through appropriate communication and education, but the measures may vary depending on possible effects on technical solutions.

In the contracts entered into by the Port of Oulu, due measures are taken to ensure that collaboration partners and others working on behalf of the Port of Oulu also commit to the internal rules of the Port of Oulu.

  1. Updating the guidelines

Annual evaluations are conducted to ensure that the guidelines are up-to-date. Based on the evaluation, the content is updated as needed.

In the event of changes to regulations or the operation of the Port of Oulu, the content of the guidelines may be updated whenever necessary. The Data Protection Officer is responsible for evaluating the matter and updating the content.

Use of cookies

We use cookies on our website. A cookie is a small text file that is downloaded on the user’s device by the browser. Cookies are used, for example, to store users’ data as they browse a website. Cookies cause no harm to users’ devices or files. Cookies may be stored on website users’ devices permanently or deleted after using the service.

Cookies allow collecting data such as:

  • visitor’s IP address
  • time
  • browser type
  • operating system
  • screen resolution
  • how the visitor came to the site (via search engine, direct link etc.)
  • previous visits to the site
  • the pages used

The website’s own cookies

The website’s own cookies can be used to save visitor-specific data and settings intended for the website’s own use, such as user name, log-in data, language or region. This information is used to carry out and adapt the operation of the website and to remember the choices made by the user. These cookies may be necessary for the operation and use of the website. No information used for marketing or tracking visitors in other services or websites is stored in the cookies.

Third-party cookies

We collect website user statistics and analyse the data with the help of services provided by third parties. Our aim is to improve the quality and content of our website from users’ viewpoint. To run visitor tracking and analytics, the services may save their own cookies and use and combine data collected by the service about the same user on different websites.

We ensure that the cloud or other network services we use outside the EU or EEA operate in accordance with the legislation on personal data in force at any given time.

To read more about service providers’ operation, the data collected, the use of cookies and data protection policies, visit their websites.

The services used on the website

We also use external services on our website for purposes such as marketing monitoring, to improve our customer service, and for developing our digital services. We recommend that you visit the service providers’ websites to learn more about their privacy policies.

Management of cookies

You may remove existing cookies from your browser and set your browser not to accept cookies. However, blocking cookies may prevent the site from working properly.