Australia
Austria
Belgium
China
Czech Republic
Denmark
Estonia
Finland
France
Germany
Hungary
India
Ireland
Italy
Japan
Kazakhstan
Latvia
Lithuania
Malaysia
Netherlands
Norway
Poland
Singapore
Slovenia
Spain
Sweden
Switzerland
Thailand
UK
Ukraine
12.5.2025
Orion Corporation is committed to protecting your privacy in compliance with all applicable regulations and ensuring the security of your personal data. This privacy notice explains how we collect, use, and protect your personal information.
Contact Details
Data Controller: Orion Corporation
Data Protection Officer (DPO): Jyri Wesanko, privacy@orion.fi
Representative (if applicable): Carolina Sved, carolina.sved@orion.fi; Susanna Virtanen-Kari, Susanna.Virtanen-Kari@orion.fi
1. What data do we collect about you?
We collect and process the following types of personal data:
- Contact data: name, work telephone numbers, addresses, e-mail addresses, possibly role at the supplier company, notes of communication with suppliers’ and potential suppliers’ representatives.
- Self-provided data: Any personal data provided or entered by data subjects themselves and/or suppliers’ other personnel.
2. How do we use your data?
We process your personal data for the following purposes:
- Supplier management: The purpose for processing the personal data in these data files is to enable Orion Corporation to maintain and administer the relationship with its suppliers, prospective suppliers and external consultants with whom Orion Corporation is collaborating. The controller will not disclose the collected data for commercial purposes.
3. Legal Basis
We process your data based on the following legal grounds:
| Consent of the data subject (EU General Data Protection Regulation Article 6.1.a) / 9.2.a) (special categories of data) | N/A |
| Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract / (EU General Data Protection Regulation Article 6.1.b) | Contact data |
| Compliance with the controller’s legal obligations based on binding law / (EU General Data Protection Regulation Article 6.1.c) | N/A |
| Legitimate interests of the controller or a third party (the legitimate interest to be identified, such as direct marketing) (EU General Data Protection Regulation Article 6.1.f). |
We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest. |
4. How do we share your data?
We may share your data with the following recipients:
- Third party service providers: Service providers who assist us by performing technical operations such as data storage and hosting. The controller uses Polaris strategic procurement system for the management of its supplier relationships. The system is technically maintained by a service provider called Corcentric, Inc. for which purposes personal data is disclosed to Corcentric, Inc.
- Possible new owner, successor or assignee: If ownership or control of Orion Corporation or all or any part of our products, services or assets changes, we may disclose your personal data to any new owner, successor or assignee.
5. How long do we store your data?
We will retain your personal data for no longer than is necessary for the purposes defined in this Statement. The data files are periodically updated to include only data which is relevant for the purpose.
| Type of data | Retention period |
| Contact data | For the duration the agreement and up to 10 years after that, or otherwise for no longer than 10 years after the last interaction or communication with the supplier. The agreements are stored for as long as necessary in order for the controller to satisfy legal or contractual obligations, industry self-regulation, or in order to establish, exercise or defend legal claims. |
| Self-provided data | For the duration the agreement and up to 10 years after that, or otherwise for no longer than 10 years after the last interaction or communication with the supplier. |
6. What are your rights and options?
You have the right to:
- Access your data: You can request information and a copy of your personal data that we have collected and stored in connection with our services / this information notice.
- Rectify inaccurate data: In order to keep your data up-to-date and accurate, you can request us to modify your data by contacting us as descripted in chapter 12.
- Erase your data: You can contact us if you think the processing of your personal data is unlawful and your data should be erased. We shall erase or anonymize your personal data without undue delay in accordance with the retention periods detailed in chapter 7 if the data in question is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.
- Restrict processing: If you want to restrict our processing of your personal data, please contact us.
- Object to processing: If you want to object to the processing of your data for maintenance and management of supplier, prospective supplier and external consultant relationship purposes, please contact us. When making the request, please specify the scope of your request.
- Data portability: The data subject shall have the right to data portability, i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.
7. Cookies and Tracking Technologies
We use cookies and similar technologies. For more information on how use cookies, please read our Cookie Policy.
8. Security Measures
We hold your personal data in a combination of secure computer storage facilities.
We have implemented appropriate measures to ensure the level of security around your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it.
We have put in place appropriate technical and organisational measures to ensure a level of security appropriate to the risk of harm that might result from unauthorised or unlawful processing, accidental or unlawful loss, destruction or alteration, unauthorised (or disclosure of) access or damage to your personal data including:
- locks and security systems;
- encryption
- usernames and passwords;
- virus checking;
- auditing procedures and regular data integrity checks; and
- recording of file movements.
We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process your personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality.
We have agreed on security-related measures with the third parties we share your personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard your personal data.
We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority where we are legally required to do so.
9. Changes to this Notice
We reserve the right to change this notice from time to time. We will review this notice periodically and update it accordingly if we change our processes materially. We may make changes to this notice when we believe it is reasonable to do so e.g. to comply with legal or regulatory requirements.
10. Contact Us
If you wish to use your rights as a data subject described in chapter 8, or if you have any questions or concerns, please contact us at privacy@orion.fi.
Please note that we will contact you to verify your identity in order to proceed with your request if you wish to use your data subject rights.