This privacy statement describes the practices concerning the processing of personal data of service providers or good suppliers in Yle. Yle is committed to protecting the privacy of its suppliers and service providers and observes the data protection legislation and best data protection practices in its operations.
1. Data controller
Uutiskatu 5, 00024, Yle, tel. +358 9 14 801
2. Contact details in matters related to the register
Mia Hyvärinen, procurement specialist, Postal address: Postal address: Yleisradio Oy, P.O. Box 76, FI-00024 Yleisradio, Telephone: +358 9 14 801 firstname.lastname@example.org
Juha Kirveslahti, Data Protection Officer, Postal address: Yleisradio Oy, P.O. Box 76, FI-00024 Yleisradio, Telephone: +358 9 14 801 email@example.com
3. The purpose of processing personal data
The data of service providers or goods suppliers shall be processed when handling orders, invoices and payments. Through processing the data it is possible to ensure that the orders made by Yle and any invoices resulting from these orders are coupled with the right supplier. The data is used for communicating with and contacting the suppliers with regard to the orders, as well as for company-internal reporting for the purpose of supplier management.
The legitimate basis for the processing of personal data is implementing an agreement. The data subject is a party to the agreement, and his or her personal data is processed for the purpose of implementing the agreement. The agreement relating to ordering goods or services, successful communication and cooperation requires processing personal data in Yle’s data files.
4. Data content of the files and storage of the data
The files on orders contain the supplier’s business and contact details as well as the supplier’s contact person’s name and contact details.
The data are stored only for the period needed for the agreement as well as to comply with the statutory retention periods defined in the Accounting Act.
5. Recipients and processors of personal data
Supplier data is processed by employees of Yle’s finance department and Yle’s employees who place orders. The data is not disclosed to third parties.
6. Regular sources of information
Suppliers submit the data to be entered into Yle’s files on a form designed for the purpose.
7. Transfer of data to countries outside the EU and the EEA
The data are processed in Yle’s finance management system which is located in the EU/EEA. Auxiliary services for the system may be located in countries outside the EU and the EEA. With regard to auxiliary services to a system used by Yle, if the recipient country does not provide an adequate level of data protection, EU standard contractual clauses will be used to ensure adequate data protection.
8. Data protection principles
As the data controller, Yle is responsible for ensuring that data saved in the system is used in compliance with good information security principles and guidelines issued by the data controller.
Only the controller and service providers and administrators authorised by the controller have access to the data in the files. Only persons whose tasks require processing personal data are granted access to the data. Authorised persons can access the data only with a personal user ID and password.
9. Rights of the data subject
According to the data protection legislation, data subjects have the following rights:
- Right to access personal data: The data subject has the right to obtain from the controller information on whether or not their personal data are being processed. Where that is the case, the data subject may access their own personal data.
- Right to request rectification personal data: The data subject has the right to request rectification or completion of inaccurate or incomplete personal data concerning them.
- Right to request erasure of personal data: The data subject has the right to request erasure of personal data concerning them, when grounds for retaining the data no longer exist.
- Right to request restriction of processing personal data: The data subject has the right to request that the controller restricts the processing of the data subject’s personal data, where grounds for such a request exist.
- Right to object to processing personal data: The data subject has the right to object to the processing of the data subject’s personal data, where grounds for such a request exist.
- Right to data portability: The data subject has the right to data portability of the personal data concerning them, in a machine-readable format.
- Withdrawing consent for the processing of personal data: If processing personal data is based consent, the data subject has the right to withdraw their consent at any time.
- Lodge a complaint with the supervisory authority: The data subject has the right complain about shortcomings in the processing of personal data to the data controller, the data processor or the supervisory authority.
Data subjects can exercise their rights pursuant the data protection legislation by sending a request through the Yle data protection web page at https://yle.fi/tietosuoja (in Finnish). To submit the request, you will have to identify yourself using strong authentication by means of your online banking codes or a mobile certificate.