Sections 10 and 24 of the Personal Data Act (523/1999)

Date of drafting: 1 March 2017

1. Controller / Company

Orion Corporation (Company Identification Number: 1999212-6)

Orionintie 1
02200 Espoo
Tel. 010 4261

2. The person in charge / contact person

Associate Global Brand Manager Saara Heikari

Orion Corporation
Orionintie 1A
02200 Espoo
Tel. 010 426 3944


3. Name of the data file

Orion product website information data file


4. The purpose for processing the personal data / the purpose for the use of the data file / recipients (or categories of recipients) of personal data / the legal basis for processing the personal data


The company will not disclose the collected data for commercial purposes. The collected data will be used for the following purposes:

  • To manage the access/password requests to the website
  • To identify the persons requesting access as healthcare professionals
  • To inform users of password expirations or changes
  • To manage feedback and contact requests from

The legal basis for processing of the personal data is consent of the data subject (EU General Data Protection Regulation Article 6.1.a).


5. Content of the data file


The following personal data is collected in the data file:

  • Name
  • Occupational e-mail address
  • Occupation
  • Employer and employer’s address
  • Possible question or contact request from the data subject 

6. Regular sources of information 

Information is only received from the data subject.

7. Regular destinations of disclosed data and whether the data is transferred to countries outside the European Union or the European Economic Area

Personal data is neither assigned nor transferred to countries outside the European Union or the European Economic Area.

8. Retention period of the personal data

The personal data shall be retained only for the period necessary to fulfil the purposes outlined in this description of the file unless a longer retention period is required or permitted by law, or until the data subject requests it to be removed.

9. The principles how the data file is secured

The data file is located on a web server protected with a personal username and password. The server is protected technically and physically in a way that third party individuals cannot gain access to it. Access to the data file shall be granted only to those Orion employees involved in the management of the data file. Using the data file requires a personal Orion e-mail account. Access (both reader and maintenance) can be gained only through a special request.

10. Right of access and realization of the right of access

The data subject shall have the right of access to the data on himself/herself in the data file, or to a notice that the file contains no such data. The controller shall at the same time provide the data subject with information on the regular sources of data in the file, on the uses for the data in the file and on the regular destinations of data.

The data subject who wishes to have access to the data on himself/herself, as referred to above, shall make a request to this effect to the person in charge at Orion Corporation by a personally signed or otherwise comparably verified document.

11. Right to withdraw consent

The data subject has the right to withdraw the consent he/she has given for the processing of his/her personal data. The data subject shall make a request to this effect to the contact person at Orion Corporation named under section 2. above by a personally signed or otherwise comparably verified document in writing. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.

12. Rectification, erasure and realization of the rectification

A controller shall, on its own initiative or at the request of the registered data subject, without undue delay rectify, erase or supplement personal data contained in its personal data file if it is erroneous, unnecessary, incomplete or obsolete as regards the purpose of the processing.

If the data controller refuses the data subject's request for the rectification of an error, a written certificate to this effect shall be issued. The certificate shall also mention the reasons for the refusal. In this event, the data subject may bring the matter to the attention of the Data Protection Ombudsman.

The data controller shall notify the rectification to the recipients to whom the data have been disclosed and to the source of the erroneous personal data. However, there is no duty of notification if this is impossible or unreasonably difficult.

Requests for rectification shall be made by contacting the representative of the data controller named under section 2. above.