Data protection policy – IT services

Destia Group companies (“Destia”) are committed to processing personal data in a reliable, safe and transparent manner. This data protection policy describes how Destia processes personal data in connection with Destia’s IT systems and services, Destia’s applications and Destia’s websites (hereinafter also collectively referred to as “IT Services”). This policy does not apply to Destia’s whistleblowing channel; you can find the policy of the whistleblowing channel here.

1. Data controller companies

The controller of the personal data of the data subject is one of the following companies:

Destia Oy, business ID: 2163026-3
Firdonkatu 2 T 151, FI-00520 Helsinki

Destia Rail Oy, business ID: 1508718-8
Firdonkatu 2 T 151, FI-00520 Helsinki

Destia Oy mainly acts as a data controller referred to in the data protection legislation. Destia Rail Oy may act as a data controller for the IT services it offers.

You can contact either of the data controller companies to ask for more information about the processing of your personal data and to exercise your rights as a data subject. You can contact us at and we will forward your enquiry to the right party. The enquiry and request can be informal.

2. Purposes of and legal bases for the processing of personal data

Destia may collect and process personal data, inter alia, for the following purposes:

  • Providing, targeting and development of services and website content, including personalisation
  • Tasks and services related to the management and development of employees’ employment relationships
  • Communications related to operations and services 
  • Sales and marketing, including direct marketing, marketing research and distance selling
  • Business development and analysis 
  • Research and statistical purposes
  • Responding to contact requests
  • Fulfilment of legal obligations

The processing of personal data is typically based on the consent of the data subject, performance of an access rights contract or Destia’s legitimate interest. As regards the fulfilment of Destia’s legal obligations, the processing of personal data is based on legal obligations.

3. Personal data processed

Destia may collect and process the following personal data:

  • Identification data, such as name and social security number
  • Contact details, such as address, telephone number and email
  • Occupational and employer information
  • Image and video material and other media material
  • Marketing-related information
  • Consents and prohibitions of the data subject, for example in relation to direct marketing
  • Other information provided or generated by the data subject, such as a request for contact
  • Cookie data; you can find more information about our cookie policy here
  • Information generated from the use of the website, such as terminal equipment, operating system and telecommunication data generated by cookies and other similar technologies
  • Destia’s online and mobile service user credentials, log data and generated content

4. Retention periods of personal data

We will retain your personal data for as long as the data is necessary to fulfil the purposes set out in this data protection policy, unless the law obliges us to retain your personal data for a longer period of time.

You can find more information about our cookie retention here.

5. Regular sources of personal data

We usually receive personal data from the person themselves through their active activities, for example, when the person uses an IT service or fills in a form on the website. We also collect personal data by monitoring the data subject’s online activity, for example through cookies.

6. Disclosure of personal data

Personal data may be disclosed at Destia’s discretion to the extent permitted by the legislation in force at any given time. The disclosure of data may, in principle, take place only for legitimate purposes that support Destia’s mission statement, and where the purpose of processing of the data is compatible with Destia’s purposes.

Personal data may be disclosed, for example, to the following recipients:

  • To the authorities at their request, when required by law and to exercise Destia’s rights
  • In the context of mergeres and acquisitions to potential buyers, financiers and their advisors, if Destia sells or otherwise organises its business

If your personal data is disclosed to a third party, we will ensure that your data is protected by appropriate contractual protective measures.

7. Transfer of data outside the European Economic Area

Generally, we process personal data within the European Economic Area (“EEA”). Data may also be processed outside the EEA if it is necessary for the purposes of processing personal data mentioned in this data protection policy or for the technical or practical implementation of the processing of the data, such as the location of servers.

If personal data is transferred outside the EEA, we will ensure that the requirements of data protection legislation are complied with in the transfer of data.

8. Safety of the processing of personal data

When processing personal data, we ensure appropriate security and data protection of personal data, including protection of personal data against unauthorised processing and accidental loss.

Personal data processed electronically is protected by firewalls, passwords and other commonly accepted means in the field of data security. On websites and other services, data is protected by a SSL-certified connection and other necessary means. Personal data can only be accessed by specific Destia employees with access right granted by Destia.

9. Automated decision-making including profiling

Destia may utilise of automated decision-making in some cases, if it is permitted by law or if you have specifically consented to it.

10. Rights of the data subject

As a data subject, you have the right to:

  • request access to the personal data relating to you; 
  • request the rectification, erasure or restriction of processing of your data; 
  • object to the processing of your data; 
  • request the transfer of your data from one system to another; and 
  • where the processing is based on your consent, withdraw your consent. Please note that this will not affect any processing prior to the withdrawal. 

You can exercise your rights under data protection legislation by contacting us at We will evaluate the prerequisites for complying with your request as soon as possible and, if necessary, ask you for any additional information you may need. If we consider the request to be manifestly unfounded or unreasonable, we may charge a fee for the execution of the request or refuse to execute it.

If you believe that your personal data is not being processed lawfully, you have the right to lodge a complaint with the Data Protection Ombudsman.