Data Protection Policy

This data protection information refers to personal data in the corporate customer register of Kesko AB, owner of the Onninen brand.

Table of contents

  1. Controller
  2. What personal data are we processing?
  3. For what purposes are we processing the personal data?
  4. Storage of data
  5. What are your rights?
  6. How to exercise your rights
  7. Information about the recipient of personal data
  8. Right to lodge a complaint
  9. Information on automated decision-making, such as profiling
  10. The use of data for other purposes
  11. Personal data that have been collected from sources other than you
  12. Data Protection Officer

1. Controller

Kesko AB
Corporate identity number 556511-2991
Esbogatan 11
164 74 Kista, Stockholm, Sweden
For any matters related to data processing, please contact [email protected]

2. What personal data are we processing?

We process the following personal data about our customer contacts:
• Name and contact details
o Information such as address, telephone number and email address
o Position and area of responsibility in the customer’s business
o The corporate identity number of a sole trader
• Objections to receiving marketing communications via mail, email or mobile phone
• Customer relationship management data
o Information such as delivery and invoicing contacts, user details for accounts, customer services registers, customer feedback and mailing lists (such as for campaigns and information mailings)
• Credit reports on sole traders and granted credits
• Registrations for online services

3. For what purposes are we processing the personal data?

We process personal data of our contacts at customers’ businesses to maintain and develop the company’s customer relationships and to invoice, manage outstanding receivables, deliver products and provide services. Data are also processed regarding sales, customer recruitment, correspondence and customer support.

The processing is necessary for the purpose of performing under agreements with our customers and to satisfy our legitimate interests. We require a designated contact in the customer’s company for assistance with the practical execution of the operations between the supplier and Onninen.

4. Storage of data

This is how we store the personal data for our services:
• The contact’s data are stored during the period when he or she is our contact and for three months after we have been notified that the individual is no longer a contact
• Data in documents included in our accounts are stored for seven years

5. What are your rights?

Right to information

You have the right to be informed of our processing of personal data and to obtain a copy of the data we process. If we are not processing your personal data, you also have a right to have this confirmed.

Right to rectification

You have the right to rectify or amend personal data that are inaccurate or incomplete according to the purpose of the processing.
Right to erasure
You have the right to request the erasure of your personal data from our register. Your personal data will be erased if we no longer have any legal ground to retain them.

Right to object

We may process your personal data as a part of our business operations to satisfy our legitimate interests once we have verified that the processing does not breach the protection of your privacy. In such situations, you have the right to object to the processing for personal reasons.
You may also at any time object to the processing of personal data for direct marketing.

Right to restriction of processing

You may have a right to restrict the processing of your personal data. When the processing has been restricted, the controller will only process your personal data by storing them. This is your right, such as when you contest the accuracy of your personal data, if the processing is unlawful or if you have objected to the processing and your request is pending.

6. How to exercise your rights

You can exercise your rights via [email protected]. When you make such a request, we will need to verify your identity.

7. Information about the recipients of personal data

As the controller, Kesko AB processes the personal data inhouse, but the company also cooperates with various service providers. Onninen, which is a part of Kesko AB, strives to only cooperate with the best partners and is responsible for its service providers’ activities related to the processing of personal data. Such service providers may vary but include:
• Providers of IT services
• Providers of logistics services
• Providers of payment services
• Providers of marketing services

Personal data are considered to be transferred outside of the EU and EES via our IT services partner, as they are given access to personal data in India. We have entered into an agreement with our service providers regarding the transfer of data, which are consistent with the European Commission’s standard contractual clauses. These standard contractual clauses are available at https://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=CELEX:32010D0087

Certain authorities, such as the police, customs, border control and tax authorities, also have a statutory right to obtain personal data.

8. Right to lodge a complaint

If you consider that we are not processing your personal data in accordance with the EU’s General Data Protection Regulation (GDPR), you may lodge a complaint with the supervisory authority. In Sweden, the supervisory authority is the Swedish Authority for Privacy Protection.

9. Information on automated decision-making, such as profiling

Your personal data are not used for profiling or automated decision-making.

10. The use of data for other purposes

We do not process your personal data for any other purposes than those provided in this document. If any new processing purposes arise at a later stage, we will inform you of this and of the legal basis for the processing or, if required, we will obtain your consent to the processing of your personal data for this new purpose.

11. Personal data that have been collected from sources other than you

We update information on your company via Bisnode, for example to obtain the names of the company's authorised signatories.
We use public sources for customer recruitment.

12. Data Protection Officer

Kesko AB is a part of Kesko Group. Contact Kesko Oyj’s data protection officer if you have any questions regarding the processing of your personal data or want to exercise your rights under the General Data Protection Regulation in the EU in relation to the Kesko Group.

The data protection officer's contact details: [email protected]

Via mail to: Tietosuojavastaava/DPO
Kesko Oyj
PL 1
00016 Kesko
Finland