The Port of Oulu Ltd (hereinafter ‘Port of Oulu’) processes personal data in compliance with data protection legislation as well as good data management and processing practices.
What is personal data?
Personal data refers to any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, either directly or indirectly, in particular by reference to identifiers, such as name, personal identity number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
What information does the Port of Oulu collect?
The Port of Oulu collects or may collect the following information:
- information that you provide directly
- information that you provide via the website
- information related to invoicing, contracts and other business operations with us
- information in job applications
- information related to feedback
- information collected for the user authentication of information systems
Information collected directly:
- name, email address, phone number, postal address
- sex, language, occupation or rank
- information related to employment is collected from personnel
- information related to user accounts: user ID, encrypted password
- any consent given, messages sent
- reported areas of interest
- information related to facility lease and parking space rental agreements: information on contract, payment methods,
- billing addresses
- work-related information provided: name and contact details of company/employer, other information related to the employment relationship
- other information collected based on explicit and voluntary consent provided in advance (including public social media profiles)
- other information collected based on your consent.
Information collected in connection with the use of our website, information systems or other services:
- processing of contact requests and related communications from other potential sources (such as the website of the company you represent) that can be linked to your personal data.
- the processing of job applications and information related to the application
- monitoring and measuring the use of our website: browser data, operating system, device model, browsing and search data, IP address, connection establishment time and duration
- location data (including Wi-Fi hotspot data, GPS coordinates or corresponding location data)
- we may collect information from public registers maintained by the authorities.
For processing payments, we use a third party whose website is subject to the terms and conditions of the service provider in question.
We do not collect personal data from underaged children, unless the underaged person in question is an employee or trainee in a firm operating in the Port of Oulu or within the port safety area, in which case information required by law is recorded.
Grounds for processing
The Port of Oulu considers it important that personal data is processed confidentially and appropriately.
The processing of personal data is based on legislation, contract, the person’s consent and the legitimate interest of the Port of Oulu.
The collection of personal data by the Port of Oulu is based on one or more of the following legal grounds:
- We have received consent (in writing, orally or online) in advance for processing personal data.
- Processing is necessary in connection with a contract established with the Port of Oulu (contractual need).
- Processing is in our legitimate interest due to reasons related to managing, carrying out or promoting our business operations (legitimate interests).
- The EU Regulation on Enhancing Ship and Port Facility Security (EC No 725/2004), the EU Directive on Enhancing Port Security (2005/65/EC), and the Act on Security Measures on certain Ships and in Ports serving them and on monitoring the Security Measures (11 June 2004/485).
- Other grounds based on legislation.
You have the right to withdraw your consent for the processing of your personal data (see Contact details, cancellation and erasure requests).
The Port of Oulu does not collect sensitive data from its customers/cooperation partners.
Use of personal data
The collection of personal data is related to the use of the Port of Oulu’s online services, invoicing and information systems.
We use the information that we collect from you for the following purposes, among others:
- providing services, marketing communications
- providing information via mail or phone, including SMS
- electronic communications: email and newsletter
- measuring the total number of visitors on our website
- conducting certain measurements concerning our services
- detecting, investigating and preventing illegal activity; upon request, we may provide your data to law enforcement authorities based on legal grounds. We may disclose your personal data to other parties by order of a competent court.
Service development and anonymised reporting
We may process your personal data in order to improve our current services and develop new ones.
We use anonymised data for reporting purposes. Anonymised data cannot be used to identify individuals.
Retention period for personal data
We retain personal data for at least the duration of the customer relationship. After the conclusion of the customer relationship, the data retention period depends on the data and the purpose it is used for. As a controller, we comply with legislative obligations regarding data retention and erasure.
We strive to keep the personal data in our possession accurate and up-to-date by updating outdated data and by erasing unnecessary information.
Disclosure of personal data to others
- We do not disclose personal data to third parties.
- We do not sell personal data to third parties.
- We may disclose your personal data to processors and authorised external suppliers who process the data on our behalf in accordance with applicable legislation. Their processing of the data is restricted by contracts.
- Personal data may be disclosed to companies that carry out services such as customer satisfaction surveys and analysis of the results on our behalf in compliance with applicable legislation.
- We process personal data primarily within the European Union or the European Economic Area.
- For purposes such as email communications and managing mailing lists, we may use a service outside of the EU/EEA that is committed to complying with the Safe Harbour privacy protection principles approved by the United States Department of Commerce and the European Union with which an adequate level of privacy protection can be guaranteed.
- We may disclose information in the event that doing so is necessary to comply with requests based on legislation, to prevent fraud, in connection with mergers or corporate acquisitions or to protect our interests.
Sensitive data concerning users is not stored.
Personal data protection measures – data security
We comply with the obligation of diligence as required by legislation on the protection of personal data, and the systems that contain personal data are appropriately protected. As a controller, we ensure the confidentiality, integrity, availability and resilience of data with the help of technical and organisational measures and procedures.
Ensuring access control and observance of the rights and obligations of the processor in the processing of personal data are integral parts of data protection. Personal data is only processed by authorised individuals.
Manually saved and processed printed information that may contain your personal data is stored in locked facilities. Only separately authorised employees or authorised third parties have access to such facilities or the right to process this type of information.
Your rights as a customer – actions that you can take in regard to the processing of your personal data
You have the right to
- access and check the information concerning you
- demand that incorrect or inaccurate information be corrected or erased
- restrict the processing of your personal data
- prohibit marketing
- request the erasure of your personal data (see Contact details, cancellation and erasure requests).
Third party websites
Certain functions on our website are provided by third parties and thus subject to the data protection practices of third parties.
Our websites and services include functions that enable content to be shared on social media, such as Facebook’s ‘Share’ button. Such functions are directly provided by external service providers (Facebook, Twitter, Instagram, LinkedIn).
- ‘Controller’ means a party that has the right to decide how personal data in a register is used. In many jurisdictions, the controller has primary responsibility for compliance with applicable data protection legislation.
- ‘Personal data’ means any information relating to an identified or identifiable natural person.
- The expressions ‘to process’ and ‘processing’ mean anything that is done with personal data, by means of automated data processing or manually, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- ‘Processor’ means a person or party that processes personal data on behalf of the controller (other than the Controller’s employees).
- ‘Sensitive data’ means personal data revealing a person’s race or ethnicity, political opinions, religious or philosophical beliefs or trade union membership, and genetic and biometric data that may unambiguously reveal a person’s identity, health information or the sexual behaviour or sexual orientation of a natural person.
- Data ‘anonymisation’ means removing the identifiability of personal data so that it can no longer be attributed to a specific individual.
Other additional information
- Privacy statements have been drawn up for systems that contain personal data. These are provided to customers on request.
25 April 2018 – the right to changes is reserved
Policy for implementing the rights of data subjects
1. The purpose of the guidelines
The purpose of these guidelines is to the define the main principles according to which the Port of Oulu Ltd operates in the event of requests to access or erase data.
The guidelines are binding to all Port of Oulu Ltd employees and elected officials.
The aim of the guidelines concerning requests of access to and erasure of personal data is to ensure adherence with valid legislation and best practices at the Port of Oulu Ltd.
2. Legislation and guidelines
In implementing data subjects’ rights, the Port of Oulu Ltd complies with applicable legislation and internal guidelines. The implementation of data subjects’ rights is governed, among others, by the following decrees, which have been taken into account in drawing up the guidelines:
- Personal Data Act (523/1999) [replaced on 25 May 2018 by the DATA PROTECTION ACT]
- Regulation (EU) 2016/679 of the European Parliament and of the Council (i.e. General Data Protection Regulation)
In addition, the following internal policies and guidelines concerning the implementation of data subjects’ rights:
- Data security guidelines of the Port of Oulu Ltd
The Port of Oulu Ltd updates the guidelines and processes as needed in the event of any changes to the regulations.
3. Guidelines concerning requests to access to and erasure of personal data
Requests to access to data, contact information, requests for cancellation and erasure of data
Everyone has the right to access and inspect the information about themselves recorded in a register. In general matters related to data privacy, your personal data and cancellation of newsletters, invitations to events and marketing communications, please contact our customer services:
Tel. +358 44 703 2753
Based on the request, the Data Protection Officer will assess the applicant’s right to access and inspect the data. If the request is justified, the Data Protection Officer is responsible for the collection and transmission of data to the data subject. The Data Protection Officer is responsible for documenting the access requests submitted.
Rectification of data
Data subjects have the right to demand the rectification of inaccurate and incorrect personal data concerning them by the controller without undue delay. In the case of a clear and simple error (such as phone number, email address) and if there is no reasonable doubt as to the correctness of the rectified information, the Port of Oulu Ltd will rectify the incorrect information and make a note of the information that has been rectified and of the register where the information concerned was located. Information on the rectification, the person who made the request and the person who made the rectification will be stored. In unclear cases, the person receiving the request may contact the Data Protection Officer.
Erasure of personal data
Right to erasure of data
Data subjects have the right to ask the controller to erase all data concerning them without undue delay provided that one of the conditions defined in the legislation is met. Requests to erase personal data should be addressed in writing to Data Protection Officer.
The measures following the erasure of personal data are considered on a case-by-case basis by the Data Protection Officer. The Data Protection Officer makes sure that the process is implemented in a lawful manner.
Erasure of unnecessary data
The Port of Oulu Ltd takes all reasonable measures to ensure that personal data that are inaccurate or incorrect in view of the purpose of processing are erased or rectified without delay. Personal data is stored in such a form that the data subject is only identifiable as long as is necessary for the purposes of data processing. The necessity of erasure of data is evaluated separately for each piece of data.
The staff of Port of Oulu Ltd is responsible for the appropriate erasure of data together with the Data Protection Officer.
Restricting the processing of personal data
Data subjects have the right to request that the processing of personal data be restricted provided that one of the conditions defined in the legislation is met. Requests to restrict the processing of personal data should be addressed in writing to Data Protection Officer.
The measures following the restriction of processing of personal data are considered on a case-by-case basis by the Data Protection Officer. The Data Protection Officer makes sure that the process is implemented in a lawful manner.
Notification of rectifications, erasures and restrictions of processing of personal data
The controller informs each recipient of personal data of any rectifications, erasures or restrictions of processing of personal data unless this proves impossible or requires an undue effort.
Right to transfer of data
The data subjects have the right to receive the personal data which they have submitted to the controller in a structured, generally used and machine-readable format, and the right to transfer the said data to another controller provided that the conditions set in legislation are met. When data subjects use the right to transfer data from one system to another they have the right to have their personal data transferred directly from one controller to another if technically feasible. Requests concerning transfer of personal data should be submitted in writing to the Data Protection Officer.
The measures following the transmission of personal data are considered on a case-by-case basis by the Data Protection Officer. The Data Protection Officer ensures that the process is implemented in a lawful manner.
4. Implementation and compliance with obligations
All employees are obliged to comply with the internally agreed regulations of the Port of Oulu Ltd. To ensure this, line managers are responsible for the implementation of internal regulations.
The implementation includes all the measures that are necessary in terms of communication of internal rules and practical implementation. The implementation of internal rules is mainly carried out through appropriate communication and education, but the measures may vary depending on the possible effects on technical solutions.
In the contracts entered into by the Port of Oulu Ltd, due measures are taken to ensure that collaboration partners and others working on behalf of the Port of Oulu Ltd also commit to the internal rules of the Port of Oulu Ltd.
5. Updating the guidelines
Annual evaluations are conducted to ensure that the guidelines are up-to-date. Based on the evaluation, the content is updated as needed.
In the event of changes in regulations or the operation of the Port of Oulu Ltd, the content of the guidelines may be updated whenever necessary. The Data Protection Officer is responsible for evaluating the matter and updating the content.
6. Persons in charge
Data Protection Officer:
Data Protection Officer at Port of Oulu Ltd is Päivi Vähänikkilä-Kuronen.
Cookies allow collecting data such as:
- visitor’s IP address
- browser type
- operating system
- screen resolution
- how the visitor came to the site (via search engine, direct link etc.)
- previous visits to the site
- the pages used
The website’s own cookies
The website’s own cookies can be used to save visitor-specific data and settings intended for the website’s own uses, such as visitor’s user name, log-in data, language or region. This information is used to carry out and adapt the operation of the website and to remember the choices made by the user. These cookies may be necessary for the operation and use of the website. No information used for marketing or tracking visitors in other services or websites is stored in the cookies.
We use services provided by third parties to collect website user statistics and to analyse data. Our aim is to improve the quality and content of our website from users’ viewpoint. To implement visitor tracking and analytics, the service may save their own cookies and use and combine data collected by the service about the same user on different websites.
We make sure that the cloud or other network services we use outside the EU or EEA operate in accordance with the Personal Data Act.
Services used on the website
We also use external services on our website for purposes such as marketing monitoring and to improve our customer service. Below is a brief description of the external services we use. We recommend that you visit the service providers’ websites to learn more about their privacy policies.
Google Analytics is a tracking device by Google which provides information such as the number of people visiting the website at given times and from where users come to the website. We use Analytics to monitor marketing and the behaviour of target groups.
For more information, go to: Google privacy policies and Google Analytics data privacy and security principles
Management of cookies
With Your Online Choices you can manage the way in which your data is collected and used in many services.