DELETE Finland Oy – Privacy Policy for the Partner Register

Updated 4th March 2026

This Privacy Notice describes how DELETE Finland Oy (“Company”, “Controller”) processes personal data in connection with the use of its website, enquiries, marketing activities, contractual relationships, supplier and partner register, as well as various events and services. The Notice is based on the EU General Data Protection Regulation (GDPR), the Act on Electronic Communications Services, and other applicable legislation.

  1. Controller and Contact Details

The controller is DELETE Finland Oy, Business ID 1075521-2, Pajalantie 31, 37570 Lempäälä, Finland. Data subjects may contact the Company regarding any data protection matters by phone at +358 10 656 100 or by email at privacy@delete.fi.

  2. Data Subjects and Processed Personal Data

The data subjects include decision-makers, contact persons and representatives (“Data Subjects”) of the Controller’s current and potential supplier or partner companies and organisations, as well as those of state, municipal and other public authorities (“Organisations”). The personal data processed about the Data Subjects may include information such as name, position and role within the organisation, preferred communication language, year of birth, employer, and other contact details. In addition, information used for identifying the individual may be processed, such as identification and verification details and, where necessary, personal identity code, date of birth, nationality and municipality of residence.

The Controller may, where necessary, process information related to the data subject’s qualifications, experience, training, permits and certificates, as well as mandatory or discretionary exclusion criteria related to procurement processes, such as information required for reviewing a criminal record extract. If the data subject works in a position requiring a high level of trust, information related to personnel security clearance may be processed within the limits permitted by law.

In connection with the use of electronic services, information about data subjects may be stored, such as user IDs, access rights, login details, service usage data and event history. In relation to newsletter subscriptions, information may be processed regarding subscriptions, cancellations, message deliveries, and email open and read data.

Technical information may be collected about the use of the website through analytics and cookies, such as IP address, device and browser details, session duration, country- and city-level location, the page from which the user accessed the website, as well as information about browsing behaviour.

In connection with events and occasions, information related to invitations, registrations and participation is processed, as well as, where necessary, health data concerning dietary requirements or accessibility needs, and photographs and videos taken during the events.

  3. Legal Bases and Purposes of Personal Data Processing

Personal data is processed for the management, maintenance and development of the relationships between the Company and its customers, suppliers, partners and public authorities. These activities include, for example, contract negotiations, requests for quotations, service delivery, feedback, enquiries, and other communication. The legal basis for such processing is the Controller’s legitimate interest in conducting its business and carrying out actions related to supplier or other relevant relationships.

In the context of organising events, the processing of personal data is based either on legitimate interest or on the data subject’s consent, for example when processing health data related to dietary requirements or when publishing photos taken at events.

For procurement procedures exceeding the EU thresholds, the processing of information concerning the data subject’s mandatory or discretionary exclusion grounds is based on a statutory obligation. The verification of any potential sanctions relating to the data subject is based on the legislation governing Finland’s obligations as a member of the UN and the EU.

Maintaining information security, preventing misuse and investigating offences are based on the Controller’s legitimate interest in ensuring a safe and reliable service environment and preventing harm.

For newsletters, the processing is based on the subscription made by the data subject, i.e. the performance of a contract. Website analytics is based on the data subject’s consent to the use of cookies.

  4. Disclosure and Transfer of Data

The Controller may disclose data from the register to the Controller’s group companies and partners when necessary for fulfilling the purposes of the register, such as delivering and invoicing agreed products or services.

Otherwise, data will not be disclosed to external parties without the data subject’s consent, except where such disclosure is necessary for fulfilling the Controller’s statutory obligations, for matters related to legal proceedings, at the request of authorities, or as part of business transactions.

Each subcontractor processes personal data only to the extent necessary for performing the tasks assigned to them. Subcontractors are bound by data processing agreements concluded with the Controller, including provisions on confidentiality and information security.

Personal data may also be transferred for processing outside the EU/EEA. If the European Commission has not determined that the country in question ensures an adequate level of data protection, the Controller will ensure appropriate safeguards by concluding written agreements with subcontractors based on the European Commission’s approved Standard Contractual Clauses or by using another lawful transfer mechanism. The Standard Contractual Clauses are available at:

https://commission.europa.eu/publications/publications-standard-contractual-clauses-sccs_en

The following partners monitor the Internet and mobile services on behalf of the data controller. They may also collect information using cookies for their own purposes in accordance with their own terms and conditions. They are responsible for their own cookies and the information they collect for their own use. You can view the privacy policies of our partners via the links below:

  5. Processing of Personal Data Concerning Social Media Users by the Controller

The Controller’s website uses social media features (i.e., social plugins), such as Facebook buttons, which direct users to the Controller’s social media pages.

Social media services share user information with the Controller in accordance with their own privacy policies and the consents provided by users. Such information may include comments and links shared by the user related to the Controller’s website, as well as data contained in the user’s public profile. The Controller processes personal data received through its social media pages on the basis of legitimate interest, and only for the Controller’s own purposes, such as informing about new products, services or offers, organising competitions and raffles, receiving feedback, purchasing advertising from social media services, measuring the reach of pages or advertisements, or providing customer service on social media pages. The Controller does not process this data outside social media platforms, nor is the data shared by these platforms combined with the Controller’s other data or registers without the user’s consent.

Social plugins are the responsibility of the companies that provide them. They are primarily responsible for complying with data protection legislation and for ensuring information security and safeguarding of data subjects’ rights within their services. The Controller is a joint controller with Meta regarding the data of users of the Controller’s social media pages. Information on the privacy practices of social media platforms and joint controllership, as well as management of their privacy settings, is available on a service‑specific basis:

Meta: https://fi-fi.facebook.com/privacy/explanation

  6. Principles of Register Protection and Data Retention

Only those individuals who need the data to perform their work duties are authorised to access it. Manual materials are stored in locked facilities corresponding to the required level of data protection. Personnel and subcontractors who process the data are bound by confidentiality obligations. The protection of electronically stored data is based on access rights management, technical safeguards for databases and servers, physical security of premises, access control, protection of data communications, and data backups.

The original criminal record extract is destroyed immediately after it has been processed, but information about the criminal record check is retained. Personal security clearance data is destroyed immediately after processing, and no later than six months after the clearance information has been received. Information about the completion of the security clearance is retained permanently.

The confidentiality undertaking provided by the data subject to the Controller is retained for 10 years after the expiry of the confidentiality period defined in the undertaking.

Usage data collected through cookies in electronic services is deleted in accordance with the retention periods specified in connection with cookie consent.

The basic information, marketing data and profile data of the data subject described in Section 2 are retained for direct marketing purposes on a permanent basis within the limits permitted by law, unless the data subject has objected to the processing of their data. The Controller regularly assesses the necessity of retaining personal data and takes reasonable measures to ensure that no personal data that is incompatible with the purposes of processing, outdated, or inaccurate is kept in the register.

Other personal data of the data subject related to the customer, supplier or other relationship between the Controller and the Organisation is deleted after the relationship has ended or after the Controller has been informed that the data subject is no longer employed by the Organisation.

  7. Data Subject Rights

The data subject has the right to inspect the personal data stored in the personal data register and to request the rectification or deletion of any incorrect, outdated, unnecessary or unlawful data. The data subject also has the right to withdraw at any time their previously given consent to the processing of their personal data. The withdrawal of consent does not affect the lawfulness of processing carried out before the withdrawal.

The data subject has the right to object to the processing of their personal data for direct marketing purposes and for profiling related to such marketing.

If the data subject has provided their personal data to the Controller and the processing is based on consent or a contract, they have the right to receive this data in a structured, commonly used and machine‑readable format, and the right to transmit the data to another Controller in accordance with applicable legislation.

When the processing of personal data is based on legitimate interest, the data subject has the right to object to the processing of their data on grounds relating to their particular personal situation. The data subject must specify the particular situation on which the objection is based when submitting the request.

In situations defined by law, the data subject may request the restriction of the processing of their personal data, for example by requesting that the processing be fully or partially suspended when the data subject considers that there is uncertainty regarding the accuracy of the data or the lawfulness of the processing.

Requests must be submitted personally, by letter or by email using the contact details provided in Section 1. The Controller may, if necessary, ask the data subject to specify their request in writing and to verify their identity.

The data subject has the right to lodge a complaint with the Data Protection Ombudsman regarding the processing of their personal data.

  8. Changes to the Privacy Notice

DELETE Finland Oy may update this Privacy Notice when its operations, services or applicable legislation change. The latest version is always available on the Company’s website at www.delete.fi.