Freight extranet GDPR
Description of the personal data file concerning Finnlines’ B2B freight extranet (short sea) service
The controller and contact details
The controller of the personal data file is Finnlines Plc. Address: Komentosilta1, FI-00980 Helsinki, Finland
The contact person in matters related to this personal data file is Finnlines’ Data Protection Officer E-mail: [email protected]
Telephone: +358 10 34350
This document provides the information that is set out to be provided to the data subject (i.e. the person whose personal data is being processed) the way it is required in the EU General Data Protection Regulation. According to the GDPR, we provide the information where personal data are collected from the data subject as well as where personal data have not been obtained from the data subject, but collected from other sources. In case you want to find more specific information, for example the storage period or where we collect your personal data from, feel free to contact Finnlines’ Data Protection Officer: [email protected]
Purposes of the processing of the personal data
Finnlines processes personal data, depending on the service, for the following purposes:
- Booking, managing and organizing the sea cargo transportation, including organizing the cargo space and invoicing the services.
- Giving notifications and information to the vessel, other services providers (such as port operators) and to official authorities in accordance with the applicable legislation (e.g. passenger lists).
- Giving notifications and information to the vessel in special situations and deviations (e.g. emergency situations) as well as your possible special needs related to the cargo or passenger(s) during the trip that you may have informed Finnlines about.
- Replying to contacts and messages sent by the customer, processing any feedback, complaint or claim given by you and to solve any such complaints or claims.
- Taking care of and maintaining security and safety of the vessel.
In addition, the personal data of the booker of the trip (e.g. possibly including cargo drivers) is processed for the following purposes:
- Administering, managing and performing any obligations and responsibilities related to the customer relationship between Finnlines and the customer.
- Sending a customer satisfaction survey to the customer.
Legal basis for the processing of the personal data
The basis for the processing of personal data is set out in national data protection legislation and the EU General Data Protection Regulation. Finnlines is authorized to process your personal data when:
- you have given a consent for the processing of your personal data for one or more specific purposes;
- processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
- processing is necessary for compliance with a legal obligation to which Finnlines is subject;
- processing is necessary in order to protect your or some other persons vital interests;
- processing is necessary for the purposes of the legitimate interests pursued by Finnlines;
- you have given Finnlines an explicit consent to the processing of special categories of personal data for one or more specified purposes;
- processing of so called special categories of personal data (such as health data given by you) is necessary to protect your vital interests or of another natural person where you are physically or legally incapable of giving consent; and when
- processing of special categories of personal data is necessary to Finnlines for the establishment, exercise or defence of legal claims.
The above mentioned “legitimate interest” means that there is a customer relationship between Finnlines and the passenger or booker of the trip. In this context Finnlines only processes personal data to purposes that the customer can reasonably expect.
Content of the personal data file and categories of personal data concerned
We collect personal data of the following persons:
- The booker of the cargo space and
- The passenger travelling with the cargo (driver)
We collect the following personal data about the booker of the trip:
- Name and contact details,
- Booking reference number and invoice number
We collect the following personal data about the passenger travelling with the cargo (driver):
- Name, Contact details, date and place of birth, passenger type (adult, junior, child, infant), driver type (driver, passenger, co-driver) gender, nationality
- Need of care and the type of needed care, accommodation and special requirements (e.g. cabin for disabled passenger),
- Passport/document ID and eventual visa number of cargo drivers with country of issuance
It is necessary requirement for Finnlines to collect the above described personal data, because in case you (or the person booking the trip) do not give this personal data to Finnlines, we may not be able to make a contract with you and we may not be able to provide our services to you.
Personal data related to a possible claim or complaints: any information and documents delivered to Finnlines by e-mail, as decided by the data subject. Your personal data related to a potential exception, deviation or emergency situation taking place on the ship or otherwise related to the trip. Finnlines doesn’t collect any information on payment cards.
Regular sources of the personal data
Personal data is collected from the booker of the trip, who either gives information about himself/herself as the data subject, or who may give information about the passenger traveling with the cargo. The data is given to Finnlines by the booker of the trip on behalf of the passenger traveling with the cargo or he/she can give the information to Finnlines at the time of the check-in.
Storage period of the personal data
Personal data will be stored only as long as (and only to the extent that) it is necessary for Finnlines to comply with its responsibilities. Finnlines erases special categories or personal data from the data file immediately when there no longer is a reason for its processing.
The recipients or categories of recipients of the personal data and the regular disclosures of personal data
Finnlines may use other companies in processing your personal data. A typical example are companies offering IT solutions to Finnlines. The duties of the processors towards Finnlines are specified in a contract and the companies are not allowed to use your personal data to any other purposes.
Finnlines may disclose personal data to police, insurance companies or customs based on the official disclosure requests. Disclosure is based on legal obligations of Finnlines.
In addition, Finnlines may give personal data on the passenger safety list only to the authorities such as police or the local Border Guard. Disclosing your personal data to the authorities in these situations is based on legal obligations of Finnlines and the disclosure takes place only for purposes such as search or rescue purposes or for investigating or inspecting an accident.
Security principles of the personal data file
The employees and other authorized persons of Finnlines are bound to follow the obligation of confidentiality and to keep confidential any information related to the processing of personal data.
According to this, the databases and ICT systems require access by personal user logins and passwords. In addition, the access and use of data is recorded in the log of the ICT system. Finnlines has restricted the user logins and passwords to only necessary persons with need to legally process and access such data.
Any materials and documents containing personal data (such as databases) are kept in locked rooms and spaces, to which access is limited to only named and authorized personnel. The servers are protected with appropriate firewalls and other technical protection measures.
Your rights
Your rights, in accordance with the EU General Data Protection Regulation, are as follows:
Right of access your personal data
You have the right to know what personal data we process about you, to receive information about how we process it and to receive a copy of this data.
Right to erasure your personal data (‘right to be forgotten’)
In situations set out in EU General Data Protection Regulation, you have the right to have your personal data to be deleted from Finnlines’ systems. This is possible, for example, when we have checked that we no longer need your personal data to comply our legal obligations. In all cases your personal data will be deleted according to Finnlines’ storage/retention schedule/times.
Right to have wrong information about you corrected / rectified
Finnlines has a privacy policy according to which we process personal data about our customers in general. However, in case you find any incorrect information about you, you always have the right to ask us to correct it without undue delay.
Right to restrict the processing of your personal data
In certain circumstances, you have the right to ask Finnlines to restrict processing your personal data. In this case Finnlines will only store the data, but not process it by any other way. This right is applicable for example when you see the processing as unlawful but you do not want to have the data to be erased, but you want to request the restriction of use instead.
Right to data portability
You have a right to receive your own personal data that you have provided to Finnlines, in a structured, commonly used and machine-readable format. You also have a right to ask Finnlines to transmit the aforementioned data directly to another service provider (‘controller’) that you may want to use. This right is applicable only in cases where you have given personal data based on your consent or on a contract and the processing is carried out by automated means by Finnlines.
The right to lodge a complaint
You have the right to lodge a complaint with a supervisory authority (Office of the Data Protection Ombudsman) in case you feel that your rights as a data subject have been infringed. More specific information is found at https://tietosuoja.fi/en
Right to object
You have the right to object processing your personal data in cases when the processing is not based in law, but when we carry out for our legitimate business interests. You have the right to cancel the consent for any notifications and customer satisfaction surveys.