Supplier privacy policy

Supplier privacy policy

Last updated 24.5.2018


1 Controller

Hanken & SSE Executive Education Ab
P. O. Box 479

(hereafter ”we” or ”Hanken & SSE”)



2 Contact point for register matters
+358 40 352 1515
P. O. Box 479

3 Name of register




4         What is the legal basis for and purpose of the processing of personal data?

The basis for processing personal data is legal requirement, the performance of a contract and the legitimate interest of the company based on supplier and subcontractor relationship.

The purpose of the processing of personal data is:

  • management of ICT, HR and healthcare, financial and other company support services and systems,
  • management of sales and sales support services and systems,
  • management of program support systems such as participant registration systems, learning management systems, feedback processes and systems,
  • fulfilment of contractual obligations and other undertakings of Hanken SSE,
  • disclosures to tax and other authorities,
  • management of supplier relations.


5        What data do we process?

We process the following personal data of the supplier or faculty member or other data subject in connection with the supplier and faculty register:

  • information regarding the supplier company and its contact persons, such as business ID* and names and contact information of the contact persons*;
  • information regarding the suppliership and contract, such as information of past and excisting contracts and orders, other transaction information.

Providing the information marked with an asterisk is a prerequisite for our contractual relationship and/or supplier relationship. We cannot enter into the relationship without the necessary information.


6        From where do we receive information?

We receive data primarily from the data subject him-/herself and/or his/her employer (supplier).

For the purposes described in this privacy notice, personal data may also be collected and updated from publicly available sources and based on information received from authorities or other third parties within the limits of the applicable laws and regulations. Data updating of this kind is performed manually or by automated means.


7        To whom do we disclose data and do we transfer data outside of EU or EEA?

We disclose information to the following parties: Hanken and Stockholm School of Economics. We also disclose information to existing customers, tax and other authorities and Tekes.

We use subcontractors that process personal data on behalf of and for us (data transfer). We have outsourced the IT-management to an external service provider, to whose server the data is stored. The server is protected and managed by the external service provider.

We transfer personal data outside of EU/EEA, including to the United States of America. We have taken care of suitable safeguards for the transfer, and use the EU Commission standard contractual clauses or another transfer mechanism approved by the privacy legislation.


8        How do we protect the data and how long do we store them?

Only those of our employees, who on behalf of their work are entitled to process customer data, are entitled to use a system containing personal data. Each user has a personal username and password to the system. The information is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and the backup copies of them are in locked premises and can be accessed only by certain pre-designated persons.

We store the personal data for as long as is necessary considering the purpose of the processing. For suppliers’ personal data, this retention period is until the claim and reclamation period related to the supplier’s products or services has elapsed.

We regularly assess the need for data retention in light of the applicable legislation. In addition, we take reasonable measures to ensure that the personal data in the register is not incompatible, obsolete or inaccurate considering the purpose of the processing. We rectify or delete such information without delay.


9        What are your rights as a data subject?

As a data subject you have a right to inspect the personal data concerning yourself, which is stored in the register, and a right to require rectification or erasure of the data, provided that the request has a legal basis. You also have a right to withdraw or change your consent.

As a data subject, you have a right, according to EU’s General Data Protection Regulation (applied from 25.5.2018) to object to processing or request restricting the processing and lodge a complaint with a supervisory authority responsible for processing personal data.

For specific personal reasons, you also have the right to object to profiling and other processing operations, when the processing of your data is based on our customer relationship with you. In connection with your request, you will need to identify the specific situation, based on which you object to the processing. We can refuse the request of objection only on legal grounds.


10         Who can you be in contact with?

All contacts and requests concerning this privacy notice must be submitted in writing or in person to the address mentioned in section two (2).


11        Changes in the Privacy Notice

Should we make amendments to this privacy notice we will place the amended statement on our website, with an indication of the amendment date. If the amendments are significant, we may also inform you about this by other means, for example by sending an email or placing a bulletin on our homepage. We recommend that you regularly visit out webpage and notice possible amendments to this privacy notice. review these privacy protection principles from time to time to ensure you are aware of any amendments made.