PRIVACY NOTICE FOR BUSINESS PARTNERS
This Privacy Notice for Business Partners (“Notice”) is provided by Lumene Oy (“Lumene”, “we” or “us”) to describe the processing of personal data relating to representatives of our corporate customers, suppliers and other business partners, hereinafter referred to as “Business Partner” or “you”, in connection with your business relationship with Lumene. The personal data of representatives of Business Partners are hereinafter referred to as “Business Partner Data”.
This Notice may be updated from time to time in accordance with applicable legislation, for example in cases where we implement new systems or processes that involve processing of personal data.
Please note that this Notice covers the processing of personal data of our Business Partners and the processing of personal data we conduct at our corporate website at https://lumenegroup.com. If you are a user of our online store at https://www.lumene.com/ or a consumer interacting with us through other means and wish to acquire information on how we process your personal data, please take a look at our Consumer Privacy Notice.
Our website at https://lumenegroup.com contains third-party components e.g., to social media services. These third-party components on our website are downloaded from the servers of these third parties. Please note that such services and applications provided by third parties are subject to their own terms and conditions, and the data protection and privacy practices of these third parties may significantly differ from the practices described in this Notice adhered to by us. If you wish to obtain more information on how these third parties process your personal data, please familiarize yourself with the privacy policies and other such documentation of these third parties.
- CONTROLLER AND CONTACT INFORMATION
Business ID 2377940-8
lumene.info (at) lumene.com
2. WHY WE PROCESS THE BUSINESS PARTNER DATA?
We process your personal data only for the purposes described in this Notice or as otherwise communicated to you when collecting your personal data, and only to the extent it is necessary for each purpose of processing further described herein.
We may process Business Partner Data for the following purposes and based on the following legal bases:
- Business relationship management, such as performing due diligence and any other form of background check as permitted by applicable law, entering into and performing an agreement between us and you or the organisation you represent, managing and developing the business relationship, invoice and payment administration and provision. The legal basis for this processing is our legitimate interest to conduct our business and your relation to the organization with whom we conduct our business.
- Complying with requirements of applicable law, such as tax, and corporate compliance related requirements, and complying with requests of authorities, based on e.g., tax or accounting related legislation or other legal obligation to which we are subject.
- Ensuring and monitoring compliance with an agreement between us and you or the organisation you represent, and investigating suspected malpractice, based on our legitimate interest to conduct our business.
- Communicating with you and third parties, such as current or potential customers, suppliers or other business partners, based on our legitimate interest to our activities in the course of our business to e.g., maintain and improve our relationship with our Business Partners, or respond to requests or enquiries from representatives of potential or existing Business Partners.
- Sending marketing communications e.g., we may provide you with information regarding our products. The legal basis for the processing for marketing purposes is our legitimate interest, namely the sales promotion of our goods and services to individuals or organizations.
- Providing the opportunity to use our Media Bank: When you wish to use our material banks at https://lumene.emmi.fi/ or https://brandhub.lumene.com you are requested to create a user account to the Media Bank. The use of our Media Bank is not possible without registration as a user and creation of a user account. The processing of your personal data in the context of operating the Media Bank is our legitimate interest to conduct our business and your relation to the organization with whom we conduct our business.
- Other legitimate business interests: We may also process your personal data for a limited number of other legitimate business interests, such as for ensuring and improving data security or the security of our premises and data network; protecting our property; preventing and investigating suspected malpractices; analyzing and compiling statistics for business purposes and to develop our business or our products.
In some limited cases, the legal basis for the processing of Business Partner Data may be your consent, for example, if you sign up to receive our newsletter or participate to an event hosted by us.
The provision of personal data in the manner described in this Notice is partially based on the contract between us and the organization you represent. The non-delivery of personal data may prevent us from performing our contractual or other obligations or commitments towards the organization you represent, which may lead to impediments to our business relation with the organization.
3. THE CATEGORIES OF DATA WE PROCESS
In connection with your business relationship with us, we process the following categories of Business Partner Data:
- Identifying data and contact details, such as your name, email and business address, telephone number,
- Specifics related to the business relationship, such as the name of the organisation you represent and business ID, information related to the agreement between us and you or the organisation you represent as well as and your association with the agreement, your job title, and invoicing and payment details,
- Contents of communications with us, such information provided to us in meetings, email correspondence, and by other means of communication, as well as timing and other details of the communications between you and us,
- Information acquired through technical monitoring, such as recordings of camera surveillance at our premises, to the extent permitted by applicable law.
If you are a user of our Media Banks at https://lumene.emmi.fi/ or https://brandhub.lumene.com and you or an organization you represent has no other relationship with us, we process only the data you provide to us in the context of your registration to the Media Bank, i.e., name and email address and, if you choose to provide those, the name of the organization you represent and your business contact information.
4. REGULAR SOURCES OF BUSINESS PARTNER DATA
We primarily obtain your personal data directly from you. You may provide us personal data for instance through our website, by sending us emails, through phone conversations or meetings with us, or through documents you provide to us. We may however obtain personal data relating to you also from other representatives of your organization.
We may collect and update personal data also from publicly available sources, or registers of authorities and companies providing services related to personal data.
We may transfer Business Partner Data to third parties as further described in the following.
When transferred to an entity processing Business Partner Data on behalf of us (i.e., processors), we have, including by contractual arrangements, ensured that Business Partner Data is processed only under our instructions and for the purposes specified in this Notice. The processing carried out by processors may include, for instance, the provision of data systems and other IT and software services.
We may disclose your personal data within the limits permitted or required by the applicable laws, for example to authorities, external advisors, or other third parties including where such disclosure is necessary for compliance with a legal obligation to which we are subject, or for the establishment, exercise or defense of legal claims, whether in court proceedings or in an administrative procedure. For example, we may disclose personal data to a debt collection agency for purposes of debt collection, or to other service providers or partners of ours, but only to the extent that the fulfilment of their tasks requires the disclosure of personal data.
If we are involved in a merger, sale of assets or other business transaction or reorganization, we may disclose limited amounts of Business Partner Data to the purchaser candidates and their representatives in accordance with the applicable law.
Some of our service providers to whom we transfer personal data are located or may store personal data outside the EU or the EEA , and therefore, to the extent necessary, personal data may be transferred to countries outside the EU or the EEA. In such cases, we will ensure the adequate level of data protection. Information on transfers of personal data outside the EU or EEA area and on the appropriate safeguards applied thereto from time to time is available from the contact person mentioned inthe beginning of this Notice.
6. HOW LONG WILL WE KEEP YOUR PERSONAL DATA?
We retain Business Partner Data only for the time necessary to achieve the purposes for which the data was collected, in accordance with applicable legislation. When we no longer need the Business Partner Data for such purposes, the data will be removed from our systems and records and/or the data will be irreversibly anonymised.
If you are a representative of our customer, supplier or a business partner, the retention period of your personal data is ultimately tied to the term of the business relation between us and the organization you represent. We may however continue to store your personal data after the end of the business relation to the extent necessary for certain legitimate business interests or if the data is necessary for purposes of protecting our rights.
The general minimum retention period for the personal data of representatives of Business Partners is until two calendar years have passed from termination of the agreement with the Business Partner.
However, personal data may be stored for a longer period if the retention is justified on the basis of an appropriate connection between Lumene and the data subject in question, for example for marketing purposes, and the person has not prohibited such processing.
The agreement documents themselves, which may also contain personal data, are stored for at least 10 years from the end of the calendar year during which the contract expired. The foregoing applies also to all communications which form part of the agreement or clarify the content of the agreement. Further, personal data that has been recorded to documents that are deemed to form a part of accounting material, such as invoices, will be retained for at least 10 years from the end of the calendar year in which the financial year ended.
7. WHAT RIGHTS DO YOU HAVE?
Below we have summarized the rights that you as a data subject have under the European data protection legislation. The “data subject” refers to a natural person whose personal data is processed by us, that is, the representatives of our Business Partners. Some of the rights are complex and are subject to certain exceptions, and to keep this Notice concise, not all of the details have been included in the below summaries.
You have the right to obtain from us confirmation as to whether personal data related to you is processed, and, where that is the case, to access such personal data as well as certain information about our processing of it and your rights in relation to it. Where the personal data we hold about is inaccurate, you have the right to obtain from us rectification of the data.
You also have the right at any time to request us to erase the personal data concerning you and processed by us and we are obliged to erase the data if there is no longer a legal ground for processing the data. Please note that certain data processed by us are subject to statutory retention requirements, and regardless of a request of erasure, such data we cannot erase until the end of the statutory retention period.
Where the legal basis for processing your personal data is your consent or an agreement directly entered between you and us, and we process your data by automated means, you may have the right to be provided with the personal data we hold about you in structured, commonly used and machine-readable format and to transmit the data to another controller.
You also have the right to object to the processing of your personal data if the data has been processed on the basis of our legitimate interest, and we are obliged to stop processing such personal data unless we can demonstrate compelling legitimate grounds for further processing of such personal data. If you wish us to stop processing your personal data for marketing purposes, we will stop processing your personal data for this purpose. When we first collect your personal data, you may be provided the possibility to choose whether or not you wish to receive marketing communications from us. If you wish to stop receiving marketing communications, you can opt out at any time by clicking an ‘unsubscribe’ link at the bottom of one of our emails or by contacting us by other means.
Finally, you also may have the right to obtain from us restriction of our processing of your personal data.
If you have declared your consent regarding certain types of processing activities, you can withdraw this consent at any time with future effect. Such a withdrawal will not affect the lawfulness of the processing prior to the consent withdrawal.
To exercise the above rights, please reach out to us using the contact details mentioned in the beginning of this Notice. Your request must be in written or in electronic form and shall contain the basic information needed for finding the data to which your request relates. After receiving and processing the request, we will send you a response by mail or electronically which, depending on your request contains the copy of the personal data or other information on our processing of your request. We reserve the right not to complete your request if the request is manifestly unfounded. Should you request for multiple copies when using your right of access, or should you wish to submit more than one request per year, we may charge you a reasonable fee based on administrative costs for the execution of your request.
If you consider that our processing of your personal data infringes the data protection laws, you have the right to lodge a complaint with a data protection supervisory authority. You may do this in the EU member state of your habitual residence, your place of work or the place of the alleged infringement.