Privacy and data protection

Privacy Policy

1. General

This Privacy Policy describes how Aurora Infrastructure Oy (Business ID: 2587886-4), Aurora Kilpilahti Oy (Business ID 2590359-9), Aurora Tornio Oy (2587890-1) and KS Financing Oy (Business ID 2659063-5) (hereinafter “Aurora” or “Company”) handle their customers’ personal data: what personal data the Company collects, for what purposes the data is used, to which parties the data can be disclosed and how the data subject can influence processing. The Privacy Policy also provides information on the obligations that the Company observes in the processing of personal data.

Aurora protects the privacy of data subjects and observes the EU’s General Data Protection Regulation (2016/679) as well as other applicable data protection legislation (“data protection legislation”) and good data processing practices in all processing of personal data. Ensuring data protection is part of all of the Company’s business operations.

This Privacy Policy shall apply to services offered to Aurora’s customers and to training and events organised for customers, as well as to customer marketing.

“Personal data” refers to all information concerning a natural person (“data subject”) that can be used to directly or indirectly identify him/her, in accordance with what has been set out in the data protection regulation. Information that cannot be used to directly or indirectly identify a data subject is not personal data.

2. Data controller and person responsible for data protection

Data controller: Aurora Infrastructure Oy (Business ID: 2587886-4)

Address: Riihitontuntie 7C, 02200 ESPOO

Contact details: dataprotection@aurorainfra.com, tel. +358 44 3134169

3. Purposes and legal reason for processing personal data

Personal data is processed for the following purposes:

  • For ordering and producing the Company’s services.
  • For customer relationship management, such as a customer satisfaction survey.
  • For the maintenance, development and quality assurance of services.
  • For planning business operations and product development.
  • For marketing and targeting marketing to customers and potential customers.
  • For ensuring the safety of services and to prevent and investigate misuse.
  • For the management of regulatory obligations.
  • For risk management and the prevention of misuse.

Legal basis for processing personal data:

The legal basis for processing personal data of data subjects is primarily a contractual relationship between the Company and the data subject, which is based on the ordering of mandates. The processing of personal data is also based on regulatory obligations, such as accounting obligations, regulatory reporting obligations, the obligation to ensure data security and protection, obligations concerning risk management and due diligence, such as the prevention of misuse.

Processing for the management of customer relationships, management of services and business operations, as well as marketing, is based on Aurora’s legitimate interest.

In addition, electronic direct marketing sent to a person’s private personal details (not e.g. a person’s corporate email address) is based on consent.

4. Processed personal data groups and data content and data sources

The Company collects from data subjects only such personal data as is essential and necessary for the purposes described in this Privacy Policy.

The following information is processed about the data subject:

  • Identification and contact details, such as name/company representative’s name, address, phone number, email address, nationality, title or field of duties within the company, business ID, photo, name of person’s representative and date of birth/social security number
  • Payment and financial data, such as account number, billing and payment details, collection details, credit history details and customer ID or other data that identifies a customer account
  • Customer account-related transaction details, contractual and service details, contacts and communication details.
    Details on the agreement concluded between the Company and the data subject, service and order details and customer feedback, as well as contacts and reclamations between the data subject and the Company
  • Consents and refusals provided by the data subject
  • Due diligence details such as the details defined in the Act on Preventing Money Laundering and Terrorist Financing (444/2017), e.g. social security number and statement on the origin of funds related to the business, a copy of a passport or driving license
  • Details related to training, customer relationship management and marketing activities
  • Participant details and wishes of training and other customer/marketing activities, customer satisfaction surveys and other feedback
  • Personal data whose provision is essential for managing the obligations based on the agreement concluded between the Company and the data subject, as well as for producing the Company’s services; the data subject is notified of such data in each case.

In principle, personal data is collected from the data subject him-/herself, for example, in connection with making an offer, concluding a customer agreement or during the customer account period, in connection with marketing or via online forms.

Personal data can also be collected from the community on whose behalf the data subject operates. In addition, data can be collected and updated, in situations permitted by legislation, from registers maintained by third parties, such as the Population Registration Office, the trade register, Suomen Asiakastieto, the Business Information System and credit institutions’ credit history registers, or other equivalent public or private registers.

5. Storage of personal data

The Company shall store personal data for as long as it is necessary to implement the purposes defined in the Privacy Policy, unless legislation requires personal data to be stored for longer (for example, responsibilities and obligations related to special legislation, accounting obligations or reporting obligations), or unless the Company needs the data for preparing, presenting or defending a legal claim, or for the settlement of a similar dispute situation.

The retention period and retention criteria of data depend on the personal data group and on the purpose of that specific personal data group.

Personal data shall be processed for the duration of the customer and agreement relationship and for the necessary time after the end of the customer and contractual relationship.

Due to regulatory and contract-based obligations and responsibilities, contract-related material is stored for 11 years from the last relevant transaction, unless otherwise stated by law.

Consents and refusals are stored for their term of validity.

Details concerning due diligence shall be stored for a period of time required by legislation.

Details concerning training and customer events, as well as marketing activities, shall be stored for up to 12 months from the relevant event, unless the data is later utilised for a similar event or activity that is organised.

In the case of communities, the retention of a data subject’s personal data is bound to how long the data subject operates as the community representative for Aurora. Personal data is removed within reasonable time after the end of the role.

When personal data is no longer needed for the purposes defined above, the information is removed within reasonable time, unless legislation obliges the Company to store the information for a longer period.

6. Recipients of personal data

The Company may transfer personal data internally between companies that belong to the Group. In accordance with this Privacy Policy, the Company may outsource the processing of personal data to service providers or subcontractors, such as IT suppliers and an accounting firm. The Company shall ensure with sufficient contractual obligations that personal data is processed appropriately and in accordance with legislation.

The following parties, among others, shall participate in the processing of personal data:

Recipient group

  • Suppliers of accounting and debt recovery services; payroll
    – Finago Oy, Accounting Firm Kesti, Talenom Oy
  • Suppliers of IT services (systems and maintenance)
    – Microsoft 365, Turun Tietokeskus Oy, Elisa SantaMonica Oy, Netcontrol Oy, M-Technology, Ekonocap.
  • Suppliers of communications services
    – Microsoft / Cryptshare (email), Posti (letters)
  • Access control and management of competency
    – Neste / Enersense
  • Access control and management of competency
    – Outokumpu Tornio

Personal data shall not be disclosed for direct marketing purposes or opinion surveys and market research, or other similar purposes.

In addition, personal data can be disclosed to debt recovery companies and credit institutions, as well as other similar parties in connection with the customer account.

In special circumstances, personal data can be disclosed to authorities in situations obliged or entitled by legislation.

Further details on the recipients of personal data are available upon request. A request can be addressed using the contact details referred to at the beginning of the Privacy Policy.

7. Transfer of personal data outside the European Union or the European Economic Area

Personal data shall, in principle, not be transferred outside the European Union or the European Economic Area.

If personal data is transferred outside the European Union or the European Economic Area (for example, if the customer account so requires), Aurora shall ensure a sufficient level of protection of the personal data, e.g. by agreeing on issues concerning the processing of personal data in accordance with the data protection legislation, such as by utilising the template contractual clauses approved by the European Commission.

8. Principles concerning the protection of personal data and the security of processing

The Company processes personal data in a way that aims to ensure appropriate security of the personal data, including protection from unauthorised processing and accidental loss, destruction or damage.

The Company uses appropriate technical and organisational protection methods to safeguard this, including firewalls, encryption technologies, the use of secure device rooms, appropriate access control, and guidance of staff and subcontractors that participate in the processing of personal data.

Agreements and other document material that must be stored as original copies shall be kept in locked facilities, and access control is limited to only authorised parties.

All parties that process personal data are subject to confidentiality in matters concerning the processing of data subjects’ personal data on the basis of confidentiality terms set out in the Employment Contracts Act and agreements.

In accordance with this Privacy Policy, the Company may outsource the processing of personal data to service providers and subcontractors, in which case the Company shall ensure with sufficient contractual obligations that personal data is processed appropriately and in accordance with legislation.

9. Rights of data subjects

The data subjects have rights set out by data protection legislation.

Right to access data and review data. The data subject has the right to receive confirmation on whether the data subject’s personal data is processed.

The data subject has the right to review and see data concerning him-/herself, and upon request has the right to receive such data in writing or electronic format.

Right to correct and remove information.

The data subject has the right to demand that incorrect or inaccurate data be rectified. In addition, data subjects have the right to request that their data be removed.

The data controller shall, on its own initiative, remove, rectify and supplement any personal data that it observes to be incorrect, unnecessary, incomplete or expired in terms of the purposes of processing.

Right to transfer data as well as limit processing and deny processing.

The data subject has the right to request for his/her data to be transferred to another data controller.

In addition, the data subject has the right, in accordance with the requirements set out by the data protection legislation, to request the limitation of personal data processing. In situations where personal data suspected to be incorrect cannot be rectified or removed, or where there is uncertainty concerning the request to remove, the Company shall limit access to the data.

The data subject has the right to refuse the use of data for certain processing. The data subject has the right to deny the transfer and processing of his/her data for direct marketing purposes.

Right to withdraw consent

If the processing of personal data is based on a separate consent given by the data subject, the data subject has the right to withdraw his/her consent concerning the processing of personal data. Withdrawal shall not affect any processing that has been completed before the withdrawal.

Implementation of rights

Any requests concerning the data subjects’ rights shall be made in writing using the contact details mentioned above. Sufficient identification details must be included in the request. The request shall be responded to within reasonable time and, where possible, within one month from presenting the request and verifying the identity. The Company may ask for additional information, where necessary, in order to fulfil the previously mentioned requests. If the data subject’s request cannot be accepted, the data subject shall be informed of the denial in writing.

10. Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with a data protection officer, if the data subject considers that his/her personal data has been processed in violation of currently prevailing legislation.

11. Changes to the Privacy Policy

The Company continuously develops its services, and for this reason may have to change and update this Privacy Policy. Changes may also be based on amendments to legislation concerning data protection. If the changes involve any new purposes for the processing of personal data, Aurora shall provide information on them in advance and, if necessary, shall ask for consent.

The Privacy Policy was published on 24th May 2018.