Vendor Information Notice

June 2025

Orion Corporation is committed to protecting your privacy in compliance with all applicable regulations and ensuring the security of your personal data. This privacy notice explains how we collect, use, and protect your personal information.

Contact Details

Data Controller: Orion Corporation
Contact Person: Juho Muurinen

Data Protection Officer of Orion: privacy@orion.fi

1. What data do we collect?

We collect and process the following types of personal data.

  • Vendor data: Names of vendors, vendors’ representatives and contact persons, and foreign doctors or vendor’s contact person’s name and/or email, doctor’s name, address, email, phone number, bank account details and contact details of representatives of pharmaceutical manufacturers

2. How do we use your data?

We process your personal data for the following purposes:

  • Vendor management: Maintaining and administering information about Orion group's vendors, vendors' representatives and vendors' contact persons in the SAP system. The information is used for making purchase orders, recording maintenance information, recording invoices and making payments. Additionally, the purpose of processing the personal data in this data file is to enable the payment of remunerations and participation fees for foreign doctors relating to different medical events / conferences.

3. Legal Basis

We process your data on the following legal grounds: 

  • Consent of the data subject (EU General Data Protection Regulation Article 6.1.a / 9.2.a (special categories of data)): NOT APPLICABLE
  • Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (EU General Data Protection Regulation Article 6.1.b): Vendor Data: Vendor management
  • Compliance with the controller’s legal obligations based on binding law (EU General Data Protection Regulation Article 6.1.c): NOT APPLICABLE
  • Legitimate interests of the controller or a third party (the legitimate interest to be identified, such as direct marketing) (EU General Data Protection Regulation Article 6.1.f): We only process personal data based on our legitimate interests, in case we have deemed, based on the balancing of interest test, that the rights and interests of the data subject will not override our legitimate interest.

4. How do we share your data?

The controller will not disclose the collected data for commercial purposes to third parties. We may share your data with the following recipients:

  • Service providers: Data of vendors may be shared with third parties who assist us by performing technical operations such as data storage, hosting and server maintenance. The controller uses the SAP system, which is located on a server maintained by the service provider Nordcloud. The controller may use outsourced service providers in its operations, such as audit services, for which purposes personal data is disclosed to service providers.
  • Orion group companies: The purchase department or persons who create purchase orders in the controller's affiliate located in India have access to the data of vendors, vendors' representatives and contact persons. Data is not otherwise transferred to countries outside of the European Union or the European Economic Area. Personal data which is transferred outside of the European Union or the European Economic Area is protected by the signing of the Standard Contractual Clauses between the companies within the Orion group. You can acquire more information by contacting the representative of the controller.

5. How long do we store your data?

We will retain your personal data for no longer than is necessary for the purposes defined in this Statement.

Type of data | Retention period
Data of vendors | Managing vendors: The retention period of personal data is determined by the implementation of rights and obligations arising from legislation, such as accounting laws, as well as regulations related to the controller’s field of activity. The controller is obliged to store personal data and other materials necessary for accounting purposes in accordance with the accounting laws. It may also be necessary to retain data for a longer period or permanently to fulfill the controller's long-term responsibilities and obligations.

6. What are your rights and options?

You have the right to:

  • Access your data: You can request information and a copy of your personal data that we have collected and stored in connection with our services / this information notice. 
  • Rectify inaccurate data: In order to keep your data up-to-date and accurate, you can request us to modify your data by contacting us as described in chapter 10.
  • Erase your data: You can contact us if you think the processing of your personal data is unlawful and your data should be erased. We shall erase or anonymize your personal data without undue delay in accordance with the retention periods detailed in chapter 5 if the data in question is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing. 
  • Restrict processing: If you want to restrict our processing of your personal data, please contact us. 
  • Object to processing: If you want to object to the processing of your data for development of the services, please contact us.
  • Data portability: The data subject shall have the right to data portability, i.e. the right to receive his or her personal data, which the data subject has provided to the controller and that is being processed by automated means, in a structured and machine readable format and the right to transmit those data to another controller, where the basis for processing is consent or the fulfilment of a contract between the controller and the data subject.   

7. Cookies and Tracking Technologies 

We use cookies and similar technologies. For more information on how we use cookies, please read our Cookie Policy.

8. Security Measures

We hold your personal data in a combination of secure computer storage facilities and paper-based files. 

We have implemented appropriate measures to ensure the level of security around your personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage to it. 

We have put in place appropriate technical and organizational measures to ensure a level of security appropriate to the following risks: 

  • unauthorized or unlawful processing of personal data, 
  • accidental or unlawful loss, destruction or alteration of personal data,
  • unauthorized disclosure of, access to, or damage to your personal data.

Such measures include:

  • locks and security systems;
  • encryption;
  • usernames and passwords;
  • virus checking and security updates;
  • auditing procedures and regular data integrity checks; and
  • recording of file movements.

We limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They must only process your personal data on our instructions and subject to the access controls listed above. They are also subject to a duty of confidentiality, and they are obliged to participate regularly in data protection training. 

We have agreed on security-related measures with the third parties we share your personal data with to ensure that it is treated by those third parties in a way that is consistent with how we safeguard your personal data. 

We have also put in place procedures to deal with any suspected personal data breach and will notify you and any applicable supervisory authority where we are legally required to do so.

9. Changes to this Notice

We reserve the right to change this notice from time to time. We will review this notice periodically and update it accordingly if we change our processes materially. We may make changes to this notice when we believe it is reasonable to do so e.g. to comply with legal or regulatory requirements. 

10. Contact Us

If you wish to use your rights as a data subject described in chapter 6, or if you have any questions or concerns, please contact the contact person or the Data Protection Officer of Orion (privacy@orionpharma.com).

Please note that we will contact you to verify your identity in order to proceed with your request if you wish to use your data subject rights.