Data protection policy – video and image material

Destia Group companies (“Destia”) are committed to processing personal data in a reliable, safe and transparent manner. This data protection policy describes how Destia processes personal data collected by surveillance cameras, game cameras and drones.

1. Data controller companies

The controller of the personal data of the data subject is one of the following companies:

Destia Oy, business ID: 2163026-3
PO Box 206, FI-01301 Vantaa

Destia Rail Oy, business ID: 1508718-8
PO Box 206, FI-01301 Vantaa

Destia Oy mainly acts as a data controller referred to in the data protection legislation. However, in the case of railway services and thus Destia Rail Oy’s business-related camera surveillance operations, the controller is Destia Rail Oy.

You can contact either of the data controller companies to ask for more information about the processing of your personal data and to exercise your rights as a data subject. You can contact us at and we will forward your enquiry to the right party. The enquiry and request can be informal.

2. Purposes of and legal basis for the processing of personal data

Destia may collect and process personal data for various purposes, including:

  • Ensuring safety
  • Protection of Destia’s property
  • Ensuring the legal protection of employees, customers and other stakeholders
  • Prevention and investigation of criminal and hazardous situations and misconduct
  • Monitoring the progress of projects, for example by videotaping the reviews carried out

The processing of personal data is typically based on Destia’s legitimate interest.

3. Personal data processed

Destia may record image and audio footage of data subjects and vehicles moving on Destia’s grounds, such as Destia’s premises and construction sites, and in their immediate vicinity. The date and time of the event are recorded in connection with the image and audio footage.

4. Retention periods of personal data

We will retain your personal data for as long as the data is necessary to fulfil the purposes set out in this privacy statement, unless the law obliges us to retain your personal data for a longer period of time.

The image and audio footage collected for the fulfilment of a contract is retained for a maximum of ten (10) years from the completion of the project or the beginning of the warranty period, whichever is later. Other image and audio material is retained for as long as necessary for the purpose for which it is processed.

5. Regular sources of personal data

Image and audio material is typically collected with cameras installed on Destia’s premises, construction sites, in areas managed by Destia and in their immediate vicinity. Destia may also collect image and audio material with drones and similar equipment.

6. Disclosure of personal data

Personal data may be disclosed at Destia’s discretion to the extent permitted by the legislation in force at any given time. The disclosure of data may, in principle, take place only for legitimate purposes that support Destia’s mission statement, and where the purpose of processing of the data is compatible with Destia’s purposes.

Personal data may be disclosed, for example, to the following recipients:

  • To the authorities at their request, when required by law and to exercise Destia’s rights
  • In the context of mergers and acquisitions to potential buyers, financiers and their advisors, if Destia sells or otherwise organises its business

If your personal data is disclosed to a third party, we will ensure that your data is protected by appropriate contractual protective measures.

7. Transfer of data outside the European Economic Area

Generally, we process personal data within the European Economic Area (“EEA”). Data may also be processed outside the EEA if it is necessary for the purposes of processing personal data mentioned in this data protection policy or for the technical or practical implementation of the processing, such as the location of servers.

If personal data is transferred outside the EEA, we will ensure that the requirements of data protection legislation are complied with in the transfer of data.

8. Safety of the processing of personal data

When processing personal data, we ensure appropriate security and data protection of personal data, including protection of personal data against unauthorised processing and accidental loss.

Personal data processed electronically is protected by firewalls, passwords and other commonly accepted means in the field of data security. On websites and other services, data is protected by an SSL-certified connection and other necessary means. Personal data can only be accessed by specific Destia employees with access rights granted by Destia.

9. Automated decision-making including profiling

Destia does not use automated decision-making or profiling in connection with the processing of personal data described in this data protection policy.

10. Rights of the data subject

As a data subject, you have the right to:

  • request access to the personal data relating to you; 
  • request the rectification, erasure or restriction of processing of your data; 
  • object to the processing of your data; 
  • request the transfer of your data from one system to another; and 
  • where the processing is based on your consent, withdraw your consent. Please note that this will not affect any processing prior to the withdrawal. 

You can exercise your rights under data protection legislation by contacting us at We will evaluate the prerequisites for complying with your request as soon as possible and, if necessary, ask you for any additional information we may need. If we consider the request to be manifestly unfounded or unreasonable, we may charge a fee for the execution of the request or refuse to execute it.

If you believe that your personal data is not being processed lawfully, you have the right to lodge a complaint with the Data Protection Ombudsman.