
Data Protection Notice for Contract Producers Register
1. DATA CONTROLLER
The controller of the register is Hunajayhtymä Oy (business ID 0204045-2).
The contact person for registration matters is:
Aapo Savo, CEO
Honey Conglomerate Ltd.
Kojonperäntie 13, 32250 Kojonkulma
Phone: 0207 769 68
Email: hunaja@hunaja.fi
2. REGISTER NAME
The name of the register is Honey Cooperative Ltd.'s Contract Producers Register.
3. PURPOSE OF PERSONAL DATA PROCESSING
The controller processes personal data for purposes related to the procurement of raw materials. For the purposes described above, the controller processes personal data in carrying out the procurement procedure, in requesting and responding to tenders submitted, in decision-making related to the procedure, in related contact and communication, and for other purposes of carrying out the procedure. Personal data is also processed for purposes related to the administration of contractual relationships concerning the procurement of raw materials and the fulfillment of the controller's related tasks, obligations, and rights.
Personal data is not processed by means of automated decision-making.
4. LEGAL BASIS FOR PROCESSING
The legal bases for the processing of personal data are the following grounds under the EU's General Data Protection Regulation (hereinafter also referred to as ”GDPR”):
- the data subject has given consent to the processing of his or her personal data for one or more specific purposes (Article 6(1)(a) GDPR) or, in the case of special categories of personal data, the data subject has given his or her explicit consent to the processing of those personal data for one or more specified purposes, unless Union or Member State law could prohibit the prohibition of processing by consent (Article 9(2)(a) GDPR);
- processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b));
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (GDPR Art. 6(1)(f)).
The data controller's legitimate interest referred to above may exist, for example, when there is a relevant and appropriate relationship between the data subject and the data controller because the data subject's information has been provided to the data controller in connection with the submission of an offer, and when the processing is done for purposes that the data subject could reasonably have expected at the time of collection of personal data and in the context of the appropriate relationship.
5. REGISTER CONTENT (PERSONAL DATA GROUPS PROCESSED)
The register contains the following personal data of the following data subjects:
Contracting party's name, address details, business ID, email address, and phone number.
6. REGULAR INFORMATION SOURCES
Personal data is primarily collected from the data subject themselves.
Personal data is also collected from publicly available sources within the limits of applicable legislation, as well as from other third parties with whom or through whom the controller fulfills its obligations related to the procurement process.
7. PERSONAL DATA RETENTION PERIOD
Data collected in the register shall be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data were collected.
The personal data concerning data subjects contained in the register shall be retained for as long as it is necessary for the successful completion of the procurement agreement and for the fulfillment of any obligations following the termination of the agreement, or if necessary, for as long as it is required for the establishment, exercise, or defense of legal claims related to the agreement.
The data controller regularly assesses the necessity of data retention in accordance with its internal code of conduct. In addition, the data controller shall take all reasonable measures to ensure that personal data which is inaccurate, erroneous, or outdated for the purposes of processing is deleted or rectified without delay. In any event, data concerning a registered person shall be deleted from the register 10 years after the termination of the customer relationship between said registered person and the data controller, and after all obligations and actions related to the customer relationship have been completed.
8. RECIPIENTS OF PERSONAL DATA (RECIPIENT GROUPS) AND REGULAR DISCLOSURES OF DATA
Information in the register will be disclosed to authorities within the framework of applicable legislation and in accordance with the data controller's obligations.
The data controller processes the data itself and utilizes the following subcontractors, who process personal data on behalf of and for the data controller. A list of subcontractors is available from the data controller's contact person mentioned in section 1.
9. TRANSFER OF DATA OUTSIDE THE EU OR EEA
Personal data included in the register is not transferred outside the EU or EEA.
10. PRINCIPLES OF REGISTER PROTECTION
Materials containing personal data are stored in locked facilities to which access is restricted to designated individuals who have been authorized to enter for the purposes of their duties.
A database containing personal data is on a server, which is kept in a locked room with access limited to designated individuals authorized for access due to their duties. The server is protected by an appropriate firewall and technical security measures.
Access to databases and systems is granted only with individually authorized personal user IDs and passwords. The controller has restricted the access rights and authorizations to information systems and other storage platforms so that only individuals necessary for the lawful processing of data can view and process it. Furthermore, usage events of databases and systems are logged in the controller's IT system logs.
The controller's employees and other individuals are committed to complying with confidentiality obligations and keeping secret the information they receive in connection with the processing of personal data.
11. RIGHTS OF THE DATA SUBJECT
The registered person has the following rights under the EU's General Data Protection Regulation:
- the right to obtain confirmation from the controller as to whether or not personal data concerning him or her are being processed, and where that is the case, the right to access the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source; and (viii) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject (Art. 15 GDPR);
- right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (Art. 7 GDPR);
- the right to request that the controller rectify, without undue delay, any inaccurate or incorrect personal data concerning the data subject, as well as the right to have incomplete personal data completed, including by providing additional information, taking into account the purposes for which the data was processed (GDPR Article 16);
- the right to request that the controller erase personal data concerning the data subject without undue delay, provided that (i) the personal data are no longer necessary for the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing is based, and there is no other legal ground for the processing; (iii) the data subject objects to the processing on grounds relating to their particular situation and there are no overriding legitimate grounds for the processing; (iv) the personal data have been processed unlawfully; or (v) the personal data have to be erased for compliance with a legal obligation to which the controller is subject under Union or national law (Art. 17 GDPR);
- the right to have the controller restrict processing if (i) the data subject disputes the accuracy of the personal data, in which case processing shall be restricted for a period during which the controller can verify their accuracy; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests, instead, the restriction of their use; (iii) the controller no longer needs the personal data for the purposes of the processing, but the data subject needs it for the establishment, exercise, or defense of legal claims; or (iv) the data subject has objected to the processing of personal data on grounds relating to his or her particular situation pending verification of whether whether the controller’s legitimate grounds override those of the data subject (GDPR Article 18);
- the right to receive personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, machine-readable format, and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) and is carried out by automated means (GDPR Art. 20);
- the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data concerning them infringes the EU's General Data Protection Regulation (GDPR Art. 77).
Requests concerning the exercise of data subject rights shall be addressed to the data controller's contact person mentioned in Section 1.

