Port of Oulu Ltd Privacy Policy

The Port of Oulu Ltd (hereinafter ‘Port of Oulu’) processes personal data in compliance with data protection legislation as well as good data management and processing practices.

Our Privacy Policy may change as we develop our services or as legislation changes. Up-to-date information on our policy is provided on this website.

The Port of Oulu is committed to protecting the privacy of its customers, partners and employees. This Privacy Policy describes how the Port of Oulu collects and processes the personal data that it collects as a controller.

This Privacy Policy concerns all of the information systems, online services, websites and other services of the Port of Oulu that are used to collect and process personal data.

The use of the Port of Oulu website constitutes acceptance of this Privacy Policy.

What is personal data?

Personal data refers to any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, either directly or indirectly, in particular by reference to identifiers, such as name, personal identity number, location data, online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

What information does the Port of Oulu collect?

The Port of Oulu collects or may collect the following information:

  • information that you provide directly
  • information that you provide via the website
  • information related to invoicing, contracts and other business operations with us
  • information in job applications
  • information related to feedback
  • information collected for the user authentication of information systems

Information collected directly:

  • name, email address, phone number, postal address
  • sex, language, occupation or rank
  • information related to employment is collected from personnel
  • information related to user accounts: user ID, encrypted password
  • any consent given, messages sent
  • reported areas of interest
  • information related to facility lease and parking space rental agreements: information on contract, payment methods,
  • billing addresses
  • work-related information provided: name and contact details of company/employer, other information related to the employment relationship
  • other information collected based on explicit and voluntary consent provided in advance (including public social media profiles)
  • other information collected based on your consent.

Information collected in connection with the use of our website, information systems or other services:

  • processing of contact requests and related communications from other potential sources (such as the website of the company you represent) that can be linked to your personal data.
  • the processing of job applications and information related to the application
  • monitoring and measuring the use of our website: browser data, operating system, device model, browsing and search data, IP address, connection establishment time and duration
  • location data (including Wi-Fi hotspot data, GPS coordinates or corresponding location data)
  • cookies
  • we may collect information from public registers maintained by the authorities.

For processing payments, we use a third party whose website is subject to the terms and conditions of the service provider in question.

We do not collect personal data from underaged children, unless the underaged person in question is an employee or trainee in a firm operating in the Port of Oulu or within the port safety area, in which case information required by law is recorded.

Grounds for processing

The Port of Oulu considers it important that personal data is processed confidentially and appropriately.

The processing of personal data is based on legislation, contract, the person’s consent and the legitimate interest of the Port of Oulu.

The collection of personal data by the Port of Oulu is based on one or more of the following legal grounds:

  • We have received consent (in writing, orally or online) in advance for processing personal data.
  • Processing is necessary in connection with a contract established with the Port of Oulu (contractual need).
  • Processing is in our legitimate interest due to reasons related to managing, carrying out or promoting our business operations (legitimate interests).
  • The EU Regulation on Enhancing Ship and Port Facility Security (EC No 725/2004), the EU Directive on Enhancing Port Security (2005/65/EC), and the Act on Security Measures on certain Ships and in Ports serving them and on monitoring the Security Measures (11 June 2004/485).
  • Other grounds based on legislation.

You have the right to withdraw your consent for the processing of your personal data (see Contact details, cancellation and erasure requests).

The Port of Oulu does not collect sensitive data from its customers/cooperation partners.

Use of personal data

The collection of personal data is related to the use of the Port of Oulu’s online services, invoicing and information systems.

We use the information that we collect from you for the following purposes, among others:

  • providing services, marketing communications
  • providing information via mail or phone, including SMS
  • electronic communications: email and newsletter
  • measuring the total number of visitors on our website
  • conducting certain measurements concerning our services
  • detecting, investigating and preventing illegal activity; upon request, we may provide your data to law enforcement authorities based on legal grounds. We may disclose your personal data to other parties by order of a competent court.

Service development and anonymised reporting

We may process your personal data in order to improve our current services and develop new ones.

We use anonymised data for reporting purposes. Anonymised data cannot be used to identify individuals.

Retention period for personal data

We retain personal data for at least the duration of the customer relationship. After the conclusion of the customer relationship, the data retention period depends on the data and the purpose it is used for. As a controller, we comply with legislative obligations regarding data retention and erasure.

We strive to keep the personal data in our possession accurate and up-to-date by updating outdated data and by erasing unnecessary information.

Disclosure of personal data to others

  • We do not disclose personal data to third parties.
  • We do not sell personal data to third parties.
  • We may disclose your personal data to processors and authorised external suppliers who process the data on our behalf in accordance with applicable legislation. Their processing of the data is restricted by contracts.
  • Personal data may be disclosed to companies that carry out services such as customer satisfaction surveys and analysis of the results on our behalf in compliance with applicable legislation.
  • We process personal data primarily within the European Union or the European Economic Area.
  • For purposes such as email communications and managing mailing lists, we may use a service outside of the EU/EEA that is committed to complying with the Safe Harbour privacy protection principles approved by the United States Department of Commerce and the European Union with which an adequate level of privacy protection can be guaranteed.
  • We may disclose information in the event that doing so is necessary to comply with requests based on legislation, to prevent fraud, in connection with mergers or corporate acquisitions or to protect our interests.

Sensitive data concerning users is not stored.

Personal data protection measures – data security

We comply with the obligation of diligence as required by legislation on the protection of personal data, and the systems that contain personal data are appropriately protected. As a controller, we ensure the confidentiality, integrity, availability and resilience of data with the help of technical and organisational measures and procedures.

Ensuring access control and observance of the rights and obligations of the processor in the processing of personal data are integral parts of data protection. Personal data is only processed by authorised individuals.

Manually saved and processed printed information that may contain your personal data is stored in locked facilities. Only separately authorised employees or authorised third parties have access to such facilities or the right to process this type of information.

Use of cookies

We use cookies or similar technologies on our website. We collect data about users based on cookies for the purpose of website analytics. This cookie-based data may comprise operations carried out on the website, website visits or information about the devices used by the user. Cookies are user-specific, but users cannot be identified based on them. Users can control the use of cookies through the settings of their own browser and delete their browser’s cookies.

The aim of using cookies is to improve our website to make it more user-friendly and to provide new services in the future. The services we use include services provided by Google (Google Analytics) and social media services (such as Facebook, Instagram, Twitter, LinkedIn). Read more about our cookie policy.

Your rights as a customer – actions that you can take in regard to the processing of your personal data

You have the right to

  • access and check the information concerning you
  • demand that incorrect or inaccurate information be corrected or erased
  • restrict the processing of your personal data
  • prohibit marketing
  • request the erasure of your personal data (see Contact details, cancellation and erasure requests).

Third party websites

Certain functions on our website are provided by third parties and thus subject to the data protection practices of third parties.

Our websites and services include functions that enable content to be shared on social media, such as Facebook’s ‘Share’ button. Such functions are directly provided by external service providers (Facebook, Twitter, Instagram, LinkedIn).


The concepts used in this Privacy Policy are subject to the following definitions:

  • ‘Controller’ means a party that has the right to decide how personal data in a register is used. In many jurisdictions, the controller has primary responsibility for compliance with applicable data protection legislation.
  • ‘Personal data’ means any information relating to an identified or identifiable natural person.
  • The expressions ‘to process’ and ‘processing’ mean anything that is done with personal data, by means of automated data processing or manually, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • ‘Processor’ means a person or party that processes personal data on behalf of the controller (other than the Controller’s employees).
  • ‘Sensitive data’ means personal data revealing a person’s race or ethnicity, political opinions, religious or philosophical beliefs or trade union membership, and genetic and biometric data that may unambiguously reveal a person’s identity, health information or the sexual behaviour or sexual orientation of a natural person.
  • Data ‘anonymisation’ means removing the identifiability of personal data so that it can no longer be attributed to a specific individual.

Other additional information

  • Privacy statements have been drawn up for systems that contain personal data. These are provided to customers on request.

25 April 2018 – the right to changes is reserved

Policy for implementing the rights of data subjects

1. The purpose of the guidelines

The purpose of these guidelines is to the define the main principles according to which the Port of Oulu Ltd operates in the event of requests to access or erase data.

The guidelines are binding to all Port of Oulu Ltd employees and elected officials.

The aim of the guidelines concerning requests of access to and erasure of personal data is to ensure adherence with valid legislation and best practices at the Port of Oulu Ltd.

2. Legislation and guidelines

In implementing data subjects’ rights, the Port of Oulu Ltd complies with applicable legislation and internal guidelines. The implementation of data subjects’ rights is governed, among others, by the following decrees, which have been taken into account in drawing up the guidelines:

  • Personal Data Act (523/1999) [replaced on 25 May 2018 by the DATA PROTECTION ACT]
  • Regulation (EU) 2016/679 of the European Parliament and of the Council (i.e. General Data Protection Regulation)

In addition, the following internal policies and guidelines concerning the implementation of data subjects’ rights:

  • Data security guidelines of the Port of Oulu Ltd

The Port of Oulu Ltd updates the guidelines and processes as needed in the event of any changes to the regulations.

3. Guidelines concerning requests to access to and erasure of personal data

Requests to access to data, contact information, requests for cancellation and erasure of data

Everyone has the right to access and inspect the information about themselves recorded in a register. In general matters related to data privacy, your personal data and cancellation of newsletters, invitations to events and marketing communications, please contact our customer services:

Tel. +358 44 703 2753
Email: portoffice@nullouluport.com

Based on the request, the Data Protection Officer will assess the applicant’s right to access and inspect the data. If the request is justified, the Data Protection Officer is responsible for the collection and transmission of data to the data subject. The Data Protection Officer is responsible for documenting the access requests submitted.

Rectification of data

Data subjects have the right to demand the rectification of inaccurate and incorrect personal data concerning them by the controller without undue delay. In the case of a clear and simple error (such as phone number, email address) and if there is no reasonable doubt as to the correctness of the rectified information, the Port of Oulu Ltd will rectify the incorrect information and make a note of the information that has been rectified and of the register where the information concerned was located. Information on the rectification, the person who made the request and the person who made the rectification will be stored. In unclear cases, the person receiving the request may contact the Data Protection Officer.

Erasure of personal data


Right to erasure of data

Data subjects have the right to ask the controller to erase all data concerning them without undue delay provided that one of the conditions defined in the legislation is met. Requests to erase personal data should be addressed in writing to Data Protection Officer.

The measures following the erasure of personal data are considered on a case-by-case basis by the Data Protection Officer. The Data Protection Officer makes sure that the process is implemented in a lawful manner.

Erasure of unnecessary data

The Port of Oulu Ltd takes all reasonable measures to ensure that personal data that are inaccurate or incorrect in view of the purpose of processing are erased or rectified without delay. Personal data is stored in such a form that the data subject is only identifiable as long as is necessary for the purposes of data processing. The necessity of erasure of data is evaluated separately for each piece of data.

The staff of Port of Oulu Ltd is responsible for the appropriate erasure of data together with the Data Protection Officer.

Restricting the processing of personal data

Data subjects have the right to request that the processing of personal data be restricted provided that one of the conditions defined in the legislation is met. Requests to restrict the processing of personal data should be addressed in writing to Data Protection Officer.

The measures following the restriction of processing of personal data are considered on a case-by-case basis by the Data Protection Officer. The Data Protection Officer makes sure that the process is implemented in a lawful manner.

Notification of rectifications, erasures and restrictions of processing of personal data

The controller informs each recipient of personal data of any rectifications, erasures or restrictions of processing of personal data unless this proves impossible or requires an undue effort.

Right to transfer of data

The data subjects have the right to receive the personal data which they have submitted to the controller in a structured, generally used and machine-readable format, and the right to transfer the said data to another controller provided that the conditions set in legislation are met. When data subjects use the right to transfer data from one system to another they have the right to have their personal data transferred directly from one controller to another if technically feasible. Requests concerning transfer of personal data should be submitted in writing to the Data Protection Officer.

The measures following the transmission of personal data are considered on a case-by-case basis by the Data Protection Officer. The Data Protection Officer ensures that the process is implemented in a lawful manner.

4. Implementation and compliance with obligations

All employees are obliged to comply with the internally agreed regulations of the Port of Oulu Ltd. To ensure this, line managers are responsible for the implementation of internal regulations.

The implementation includes all the measures that are necessary in terms of communication of internal rules and practical implementation. The implementation of internal rules is mainly carried out through appropriate communication and education, but the measures may vary depending on the possible effects on technical solutions.

In the contracts entered into by the Port of Oulu Ltd, due measures are taken to ensure that collaboration partners and others working on behalf of the Port of Oulu Ltd also commit to the internal rules of the Port of Oulu Ltd.

5. Updating the guidelines

Annual evaluations are conducted to ensure that the guidelines are up-to-date. Based on the evaluation, the content is updated as needed.

In the event of changes in regulations or the operation of the Port of Oulu Ltd, the content of the guidelines may be updated whenever necessary. The Data Protection Officer is responsible for evaluating the matter and updating the content.

6. Persons in charge

Data Protection Officer:
Data Protection Officer at Port of Oulu Ltd is Päivi Vähänikkilä-Kuronen.

Use of cookies

We use cookies on our website. A cookie is a small text file that is downloaded on the website user’s device by the browser. Cookies are used, for example, to store users’ data as they browse the pages of a website. Cookies cause no harm to users’ devices or files. Cookies may be stored on the website users’ devices permanently or be deleted after using the service.

Cookies allow collecting data such as:

  • visitor’s IP address
  • time
  • browser type
  • operating system
  • screen resolution
  • how the visitor came to the site (via search engine, direct link etc.)
  • previous visits to the site
  • the pages used

The website’s own cookies

The website’s own cookies can be used to save visitor-specific data and settings intended for the website’s own uses, such as visitor’s user name, log-in data, language or region. This information is used to carry out and adapt the operation of the website and to remember the choices made by the user. These cookies may be necessary for the operation and use of the website. No information used for marketing or tracking visitors in other services or websites is stored in the cookies.

Third-party cookies

We use services provided by third parties to collect website user statistics and to analyse data. Our aim is to improve the quality and content of our website from users’ viewpoint. To implement visitor tracking and analytics, the service may save their own cookies and use and combine data collected by the service about the same user on different websites.

We make sure that the cloud or other network services we use outside the EU or EEA operate in accordance with the Personal Data Act.

To learn more about other service providers’ operation, data collected, use of cookies and data protection policies, visit their websites.

Services used on the website

We also use external services on our website for purposes such as marketing monitoring and to improve our customer service. Below is a brief description of the external services we use. We recommend that you visit the service providers’ websites to learn more about their privacy policies.

Google Analytics

Google Analytics is a tracking device by Google which provides information such as the number of people visiting the website at given times and from where users come to the website. We use Analytics to monitor marketing and the behaviour of target groups.

For more information, go to: Google privacy policies and Google Analytics data privacy and security principles

Management of cookies

You can delete existing cookies and block the use of cookies in your browser. For instructions, go to aboutcookies.org. However, disabling cookies may prevent the website from functioning properly.

With Your Online Choices you can manage the way in which your data is collected and used in many services.