Last update: 21 March 2024
We value your fundamental right to privacy. As a company based in the European Union, we adhere to our obligations under the General Data Protection Regulation (GDPR). In this document, we inform you about our processing of your personal data if you’re a business customer (or a representative of one).
For clarity, we have divided the privacy policy into two parts:
If you have any questions or concerns regarding the processing of your personal data at Hydrohex, please don’t hesitate to contact us:
Hydrohex Oy Ltd
Privacy team
[email protected]
We may update our privacy policies from time to time. The date of last update is shown above. Minor changes will be shown in this document, and we ask that you review it regularly. Changes that significantly affect the rights and freedoms of our customers will be communicated to you by email or notification if we have your contact details.
As you are our customer (or a representative of one), we regularly process certain categories of your personal data. These are:
(Some of these categories are normally information related to the company that you represent, but in some cases such information may be considered your personal data under the GDPR.)
Occasionally, we process certain additional categories of your personal data. These are:
Some categories of personal data are mandatory in the sense that without certain data, we cannot provide our services to you or carry out other critical processes related to our customer relationship. In some cases we may also have a legal duty to process certain categories of your personal data.
In Part 2 of the privacy policy, we have marked clearly which categories of personal data are mandatory for a given purpose.
We primarily process personal data that you give us, for instance when we discuss our business matters or sign a contract.
However, in some cases we may receive personal data relating to you from other sources. These are:
When processing your personal data, we adhere to the principle of data minimisation. That means we only keep your personal data as long as necessary for the purposes that we describe in more detail below, and only as long as we have a legal basis set out in the GDPR to process the data.
As soon as no relevant purpose or legal basis applies, we will either destroy your personal data or anonymise it in an irreversible manner.
In Part 2 of the privacy policy, we have marked clearly all retention periods of your personal data for a given purpose.
As a commercial service provider, we, like most other companies, have to outsource some of the processing of your data to trusted partners. Because of that, we transfer certain categories of personal data to third parties.
We always make sure that all transfers are protected by a contractual arrangement between us and our trusted partners as required by the GDPR.
Our trusted partners can be categorised as follows:
Website, data storage and technical operations
Communications and deliveries
Financial service providers
Professional advisers
Customer and contract management
Public authorities
We normally process your personal data within the European Union and European Economic Area. In some cases, we or our trusted partners process your personal data outside these areas.
Because of that, some of your personal data are transferred to the following countries:
According to the GDPR, you have various rights as we process your personal data. These are:
If you request a copy of your data, we will send it to you electronically. In most cases we will be glad to accommodate your request, but if we receive repeated or manifestly unfounded requests from you, we may have to refuse or charge a reasonable administrative fee to process your request.
You may also ask us that we do not erase or otherwise process your personal data if you need the data e.g. in a legal dispute and the erasure or other processing would jeopardise your interests in that regard. We will aim to accommodate your request as well as possible.
If that happens, we will let you know about our reasons for not accommodating your request and inform you about your right to lodge a complaint with the relevant data protection authorities.
If we have contacted you for direct marketing purposes, you may also object to our processing of your personal data for that purpose. (In other words, you may prohibit us from contacting you for direct marketing purposes.) We will accommodate your request without undue delay.
To exercise any of your above rights, please contact us using the contact details shown at the beginning of the document. We’ll be glad to assist you.
Like most other companies, we use cookies and similar technologies on our website, online services and in marketing. We will adhere to applicable laws regarding the prerequisites for the processing of your personal data in such ways.
We have described in detail the types of cookies and similar technologies we use as well as their purposes in our cookie policy.
As you are a business customer (or act as a representative of one), we process your personal data in certain ways in the context of our business relationship. Here we describe the purposes of processing your personal data together with the appropriate legal bases for the processing, as well as the categories of personal data processed together with their retention periods.
According to the GDPR, all processing of personal data must be justified using a legal basis found in the law. We use the following legal bases for our processing:
Here is a complete overview of our purposes of processing and the corresponding legal bases:
Purpose | Legal basis | Examples |
Performing services | Contract | In order to perform our services as contracted, we need to process some of your personal data. |
Legitimate interest | As we perform our services to you, we have a justified interest in processing some of your personal data, e.g. to improve our services. | |
Maintaining and developing our customer relationship | Contract | Apart from performing our services, we do a number of things to maintain our contractual relationship with you. We may for instance take notes of our business interactions with you. |
Legitimate interest | To improve our customer experience, we may conduct case studies about our customer relationship. | |
Billing and debt collection | Contract | As we perform our services to you, we bill you as agreed in our contract. To send an invoice, we need to process some of your personal data. |
Legal obligation | We have legal duties to keep records of our business transactions. For instance, our invoices must contain certain information which may be your personal data. | |
Accounting and taxation | Contract | To keep records of our sales and business transactions, we store and retain information about our dealings with you. |
Legal obligation | We have a legal duty to keep records of our business transactions. For instance, we must store and retain our invoices for a number of years. | |
Risk management and protecting interests | Contract | To manage mutual risks and protect the interest of you and us, we need to keep records of our due diligence processes, contractual relationships and business dealings. |
Legal obligation | In some cases, we may have to process certain background information as a legal duty. For instance, we may have to check and store information about economic sanctions. | |
Legitimate interest | To manage risks and to protect various business interests, we process certain categories of personal data. For instance, we keep records of our contractual relationships and business dealings for a number of years in case a legal dispute arises. Also, we keep records of the usage of our intellectual property by our customers. | |
Communications | Contract | As part of our customer relationship with you, we often have discussions and correspondence with you. We store and retain these if they are relevant to our contractual relationship. |
Consent | In some cases, for instance if you contact us using a medium that processes certain technical identifiers, we may ask for your consent for processing the identifiers. Also, we may ask for your consent to use our communications with you for a purpose not depicted here, such as a customer testimonial on our website. | |
Legal obligation | In some cases, we have a legal obligation to store and retain our communications with you. This may be the case for instance if we must include our correspondence as an exhibit in our financial records. | |
Legitimate interest | In some cases, we store and retain our communications for various legitimate interests such as improving our customer service and training our staff. | |
Sales and marketing | Consent | In some cases, to process your personal data for sales and marketing purposes, we ask for your consent. This is the case for instance when we use cookies and similar technologies for such purposes. |
Legitimate interest | As a commercial service provider, we have a justified reason for instance to approach you with the purpose of discussing our offering with you. In those cases, we process your personal data as part of our legitimate interests. | |
Technical functioning and security | Contract | Some of the services that we provide to you under our contract process personal data for technical reasons. For instance, to offer you our online services, we need to ensure the proper technical functioning and security of the platform. This often includes processing of personal data such as necessary technical identifiers. |
Consent | In some cases we offer you technical functions that do not strictly relate to our contractual relationship. This is the case for instance if you access our website for unrelated reasons. In those cases we process personal data for the technical functioning of the services. If the processing is not necessary for that purpose (e.g. in case of cookies used to improve the visual appeal of our website), we will ask for your consent to process the data. | |
Legitimate interest | In some cases we have a justified reason to ensure the proper functioning and security of our services. In those cases we process certain technical personal data as part of our legitimate interests. |
Below is a list of our retention times for different categories of personal data under a given purpose. Once a specific retention period runs out, we will destroy the relevant personal data or anonymise it irreversibly, unless a different purpose with a longer retention period applies.
For instance, we keep personal data for the purposes of communications (like e-mails containing your name and e-mail address) for 1 year. Once the retention period runs out, we will destroy the relevant data unless we need to keep it for the purposes of risk management for 3 years. If so, we will continue to retain the data until the 3-year retention period runs out.
Purpose | Category of personal data | Retention period(s) | Examples |
Performing services | Name, contact details, position | 1 year from the end of performance | To perform and deliver our services to you, we need to process your personal data. We will keep the data in an active dossier for 1 year in case there are for instance immediate issues that have to be fixed. |
Messages and correspondence | |||
Technical identifiers | |||
Maintaining and developing our customer relationship | Name, contact details, position | 1 year from the end of customer relationship, or 5 years from collection and storage, whichever is sooner | To maintain and develop our active relationship, we will process your personal data. We will store the data in your customer dossier, and if the customer relationship ends (or you no longer represent your company towards us), we will retain the data for a safety period of 1 year. |
Messages and correspondence | |||
Preferences and activity | |||
Billing and debt collection | Name, contact details, position | 1 year from the end of the current financial year | As we bill you for our services, we process your personal data on invoices and in transaction records. We will retain that information for the current financial year and 1 year after that in order to keep our business records up to date. |
Financial information and public records | |||
Payment information and payment history | |||
Accounting and taxation | Name, contact details, position | 1 year after the current financial year (except legally prescribed information) | As part of our annual accounting, we store and retain relevant personal data for the current financial year and 1 year after it. |
Messages and correspondence | |||
Financial information and public records | |||
Payment information and payment history | |||
Risk management and protecting interests | Name, contact details, position | 3 years from collection and storage | To protect your and our legitimate interests, we retain personal data for 1 to 3 years from the last instance of active processing (except in case of cookies and similar technologies, whose retention periods are stated in our cookie policy). We do this so that, for instance, in case of a legal dispute about our contract or service, any critical evidence will not have been destroyed. |
Messages and correspondence | |||
Financial information and public records | |||
Payment information and payment history | |||
Video and sound recordings and photographs | |||
Technical identifiers | 1 year from collection and storage (except as stated in cookie policy) | ||
Social media content and other public information | 1 year from collection and storage | ||
Communications | Name, contact details, position | 1 year from the communication | We retain personal data from our communications with you for 1 year in case we want to continue the discussion at a later time. |
Messages and correspondence | |||
Technical identifiers | |||
Social media content and other public information | |||
Sales and marketing | Name, contact details, position | For the time being | As we have a legitimate interest in approaching you to discuss our offering, we keep your name, contact details and position on file for the time being, however only as long as you represent the company that is or has been our customer. This means we may contact you some time in the future unless you prohibit us from doing so. |
Messages and correspondence | 3 years from collection and storage | If we haven’t had any business dealings with you (or your company) for the past 3 years, we’ll erase or anonymise your personal data unless we continue to retain them under another purpose. | |
Video and sound recordings and photographs | |||
Preferences and activity | |||
Technical identifiers | |||
Social media content and other public information | |||
Consents and prohibitions | | If you have prohibited us from approaching you for sales and marketing purposes, we’ll make a note of it and retain it indefinitely (or until you instruct us otherwise). | |
Technical functioning and security | Name, contact details, position | Immediately | We’ll destroy or anonymise your personal data immediately once they aren’t needed for the relevant purpose. |
| Technical identifiers | 1 year from the last active processing | We keep technical identifiers for 1 year from the last active processing (unless stated otherwise in our cookie policy) in case we need to investigate a technical or security issue in the future. |
| Consents and prohibitions | | If you have prohibited us from processing your personal data for non-necessary technical purposes, we’ll make a note of it and retain it indefinitely (or until you instruct us otherwise). |
Hydrohex Oy Ltd
2705400-9
Yliopistonkatu 23 A 4
20100 Turku
Finland
Copyright © Hydrohex Oy Ltd 2024