Data protection policy – suppliers, subcontractors and other stakeholders

Destia Group companies (“Destia”) are committed to processing personal data in a reliable, safe and transparent manner. This data protection policy describes how Destia processes the personal data of the employees and other representatives of current and potential suppliers, subcontractors and other stakeholders (hereinafter also referred to as “stakeholder”). The policy also covers the processing of personal data by Destia in connection with stakeholder-related communications and marketing.

1. Data controller companies

The controller of the personal data of the data subject is one of the following companies:

Destia Oy, business ID: 2163026-3
Firdonkatu 2 T 151, FI-00520 Helsinki

Destia Rail Oy, business ID: 1508718-8
Firdonkatu 2 T 151, FI-00520 Helsinki

Destia Oy mainly acts as a data controller referred to in the data protection legislation. However, in the case of railway services and thus Destia Rail Oy’s business operations, the controller is Destia Rail Oy.

You can contact either of the data controller companies to ask for more information about the processing of your personal data and to exercise your rights as a data subject. You can contact us at and we will forward your enquiry to the right party. The enquiry and request can be informal.

2. Purposes of and legal bases for the processing of personal data

Destia may collect and process personal data, inter alia, for the following purposes:

  • Execution of a service or product under an agreement
  • Management and development of the stakeholder relationship
  • Implementation and development of digital services related to stakeholder relations, including personalisation
  • Stakeholder communications and other communications related to operations and services
  • Sales and marketing, including direct marketing, marketing research and distance selling
  • Business development and analysis
  • Research and statistical purposes
  • Safeguarding of legal rights
  • Fulfilment of legal obligations

The processing of personal data in connection with stakeholder relations is typically based on the performance of the contract between Destia and the stakeholder. The processing of personal data may also be based on the consent of the data subject or on the legitimate interest of Destia. As regards the fulfilment of Destia’s legal obligations, such as accounting obligations, the processing of personal data is based on legal obligations.

3. Personal data processed

Destia may collect and process the following personal data:

  • Identification data, such as name, social security number and tax number
  • Contact details, such as address, telephone number and email
  • Data related to the stakeholder relationship
  • Payment and invoicing information
  • Occupational and employer information
  • Image and video material and other media material
  • Marketing-related information
  • Consents and prohibitions of the data subject, for example in relation to direct marketing
  • Other information provided or generated by the data subject, such as a request for contact
  • Cookie data; you can find more information about our cookie policy here
  • Destia’s online and mobile service user credentials, log data and generated content

In addition, Destia may collect and process personal data as part of the operation of IT systems and services, applications and website. A separate data protection policy for IT services has been published regarding the processing of personal data in this context.

4. Retention periods of personal data

We will retain your personal data for as long as the data is necessary to fulfil the purposes set out in this data protection policy, unless the law obliges us to retain your personal data for a longer period of time.

Personal data related to contractual relations is retained for a maximum of ten (10) years after the termination of the contractual relationship. In situations where Destia does not have a contractual relationship with the data subject, personal data is retained for as long as the data is necessary for the purpose of processing. 

5. Regular sources of personal data

We usually receive personal data from the person themselves, for example, through direct communication. In addition, we receive data from the stakeholder represented by the person based on its stakeholder relationship with Destia. We also collect personal data by monitoring the data subject’s online activity, for example through cookies.

We also process personal data collected from other sources, such as data obtained from other parties involved in the implementation of the stakeholder relationship. Data can also be collected from public administration registers, commercial information services and publicly available sources such as the internet and social media.

6. Disclosure of personal data

Personal data may be disclosed at Destia’s discretion to the extent permitted by the legislation in force at any given time. The disclosure of data may, in principle, take place only for legitimate purposes that support Destia’s mission statement, and where the purpose of processing of the data is compatible with Destia’s purposes.

Personal data may be disclosed, for example, to the following recipients:

  • To the authorities at their request, when required by law and to exercise Destia’s rights
  • In the context of mergers and acquisitions to potential buyers, financiers and their advisors, if Destia sells or otherwise organises its business

If your personal data is disclosed to a third party, we will ensure that your data is protected by appropriate contractual protective measures.

7. Transfer of data outside the European Economic Area

Generally, we process personal data within the European Economic Area (“EEA”). Data may also be processed outside the EEA if it is necessary for the purposes of processing personal data mentioned in this data protection policy or for the technical or practical implementation of the processing of the data, such as the location of servers.

If personal data is transferred outside the EEA, we will ensure that the requirements of data protection legislation are complied with in the transfer of data.

8. Safety of the processing of personal data

When processing personal data, we ensure appropriate security and data protection of personal data, including protection of personal data against unauthorised processing and accidental loss.

Personal data processed electronically is protected by firewalls, passwords and other commonly accepted means in the field of data security. On websites and other services, data is protected by a SSL-certified connection and other necessary means. Personal data can only be accessed by specific Destia employees with access right granted by Destia.

9. Automated decision-making including profiling

Destia may utilise automated decision-making in some cases, if it is permitted by law or if you have specifically consented to it.

10. Rights of the data subject

As a data subject, you have the right to:

  • request access to the personal data relating to you; 
  • request the rectification, erasure or restriction of processing of your data; 
  • object to the processing of your data; 
  • request the transfer of your data from one system to another; and 
  • where the processing is based on your consent, withdraw your consent. Please note that this will not affect any processing prior to the withdrawal. 

You can exercise your rights under data protection legislation by contacting us at We will evaluate the prerequisites for complying with your request as soon as possible and, if necessary, ask you for any additional information we may need. If we consider the request to be manifestly unfounded or unreasonable, we may charge a fee for the execution of the request or refuse to execute it.

If you believe that your personal data is not being processed lawfully, you have the right to make a complaint with the Data Protection Ombudsman.