We at Kuusakoski (Kuusakoski Oy, business ID 1589236-3) (Kuusakoski) respect your privacy.

This page contains information about how we process your personal data as the data controller, if you represent a company that provides products and services for us or another type of partner company (“Partner”).

Please note that this page is not about the processing of personal data in the case of (potential) customers. For information on personal data processing, see here for customers and other stakeholders, here for other Kuusakoski group companies, and here for personal data related to our website. If the goods supplied by you or the company that you represent are recyclable materials, we consider you or the company a customer of Kuusakoski, including cases where Kuusakoski pays for the materials in question.

For information about your rights, see Information about data subject rights and how to exercise them below.

We may update this privacy policy as needed to keep up with legislation, for example, and we will announce all material changes.

This page was last updated on: 26/10/2021

What personal data is processed?

What personal data is processed?

We collect the following basic details about every Partner and their representatives:

  • contact person name

  • contact information (street address, phone number and email address)

  • contact person employer and position or job information.

In addition, we collect other data related to the partner relationship and other appropriate connections, for example:

  • contract, order and invoicing information

  • information regarding purchasing or purchasing project meetings, phone calls, and other conversations, including email correspondence

  • position and route data obtained from transport company vehicles’ terminals, if the company shares this data with Kuusakoski.

In some cases, a security clearance may be ordered for transport company drivers in accordance with the Finnish Act on security clearances (726/2014, including amendments), if the subject has consented to this in advance. Kuusakoski then receives a decision to approve or reject from the competent authority, but no other information related to the security clearance.

What is the purpose and basis for processing personal data?

What is the purpose and basis for processing personal data?

We process personal data based on the following:

  • Fulfilling an agreement for a product or service that we have ordered from the organisation that you represent. This basis also includes measures related to invoicing and the actions taken to correct the same.

  • Legitimate interest (when one exists). A legitimate interest exists when, for example, managing and developing the relationship with a Partner and preventing and investigating abuse. For more information on how we prevent and investigate abuse, see [here].

  • Statutory obligations. For example, accounting regulations and regulations concerning waste transport and/or treatment.

How long is personal data kept?

How long is personal data kept?

We keep personal data only for as long as is necessary for the purpose of said data. Partner data is typically kept for three (3) years after the end of the partner relationship, after which we passivate the information. Passive supplier data includes name, address and contract information, and is kept for ten (10) years after the end of the relationship.

Your personal data may be kept for longer if required by mandatory legislation, legal claims presented to us, or a period for filing a suit or claim based on law or an agreement. For example, accounting regulations require that data included in accounting records must be kept for six or even ten years, regarding the legislation applicable to the data controller.

Data that is processed for legitimate interests is kept for as long as the legitimate interest can be reasonably considered to exist. We determine this primarily based on contact between yourself and Kuusakoski, such as communication about active purchasing processes.

Once your personal data is unneeded, it is destroyed in a secure manner or anonymised beyond recovery. Data that is obsolete and marked for deletion will be destroyed during regular database batch runs.

Any position and route data collected from transport company vehicles’ terminals is deleted from our systems so that only the data for the latest route is visible in our systems. Please note that your employer may share position and route data with us from a longer period through their fleet monitoring system.

How is personal data protected?

How is personal data protected?

The databases containing your personal data are protected by firewalls, passwords, and other technical means. The databases and their backups are located in secure facilities. We ensure that the data is only accessible by those Kuusakoski employees and the employees of companies working for Kuusakoski who need it to carry out their work.

As a rule, any non-electronic materials (supplier data forms on paper, for example) are scanned and sent to be archived electronically in a database. The original material is then destroyed in a secure manner, unless there is a specific reason to keep it (statutory requirements, for example). Manually processed documents that contain personal data are kept in secure facilities that prevent unauthorised access.

How is personal data collected?

How is personal data collected?

We primarily collect data from you or the Partner that you represent by using the supplier data forms provided with contracts, different communications (calls and email), and from driver’s logs and fleet monitoring services in the case of transport service Partners.

We may also collect and update data from our other registers, including group company registers, based on legitimate interests, as well as public sources (LinkedIn or your employer’s website, for example) and those authorities and companies who offer personal data services, such as Suomen Asiakastieto Oy, to the extent that these parties are allowed to disclose information for Kuusakoski’s legitimate interests (calls for supplier tenders, for example).

Who is personal data shared with? (partners and third partners)

Who is personal data shared with? (partners and third partners)

We may transfer your personal data to third parties, such as service providers acting as our subcontractors, if it is necessary for the purpose of your personal data’s processing. If we transfer personal data to a party who processes it on our behalf (data processor), we have contractual and other arrangements in place to ensure that the personal data is only processed according to our written instructions and only for the purposes specified in this privacy policy. Furthermore, we ensure that access to the personal data is restricted to people who need it for their work.

We may transfer your personal data in order to realise services or tasks that we have delegated to data processors. These tasks include, for example, providing and maintaining information systems and software, providing data processing services, and producing transport services.

We also disclose information to the authorities as required by law – the Tax Administration for taxation purposes, for example.

Based on legitimate interests, your personal data may also be processed by other companies within the Kuusakoski group. If Kuusakoski sells its personal data processing business or a part thereof or otherwise reorganises its operations, Kuusakoski may hand over personal data to the buyers and their advisors in accordance with the current regulations.

Is personal data transferred outside the European Economic Area?

Is personal data transferred outside the European Economic Area?

We keep your data on servers located within the European Economic Area (EEA), but some of our subcontractors can access your personal data from outside the EEA. Kuusakoski operates as a single global organisation, and the employees of companies belonging to the Kuusakoski group have non-EEA access to your personal data as required (from China, the UK and the USA, for example).

In such cases, we ensure that these parties are committed to a sufficient level of data protection in personal data processing by

  •  verifying that the European Commission has issued a decision on sufficient data protection in the target country (the UK, for example); OR

  • verifying that the data transfer is based on the protections required by the European Union’s General Data Protection Regulation (GDPR), such as the standard contractual clauses approved by the European Commission.

For more information on cross-border personal data transfers and the applicable protection, please contact Kuusakoski’s customer service (see the contact information at the end of the page).

Information about data subject rights and how to exercise them

Information about data subject rights and how to exercise them

The GDPR gives you a set of rights that you may exercise in different situations to dictate how your personal data is processed. You may exercise the following rights with Kuusakoski when Kuusakoski is the data controller of your data:

  • Right of access: You have the right to receive confirmation of whether Kuusakoski is processing your personal data and also the right to access and review your information.

  •  Right to rectification: You have the right to have inaccurate or incorrect personal data rectified and have incomplete data completed.

  • Right to erasure: You have the right to have your personal data erased and Kuusakoski is obligated to delete such data once there is no legitimate basis for their processing, the statutory or contractual obligation for their keeping has expired, or you have revoked your consent for the processing of data.

  • Right to restriction of processing: You have the right to request the restriction of your personal data’s processing (when waiting for a response to a request to correct or erase your personal data, for example).

  • Right to data portability: If certain statutory requirements are met, you have the right to receive your personal data in a commonly used and machine-readable format and to transmit said data to another data controller without hindrance from Kuusakoski.

  •  Right to object: You have the right to object to the processing of your personal data when Kuusakoski processes it based on a legitimate interest. In this case, Kuusakoski is obligated to comply with your request, unless compelling legitimate grounds can be demonstrated that override the interests, rights, and freedoms of the data subject, or the processing is required for the establishment, exercise, or defence of legal claims.

In certain situations, you may review and correct your information in electronic services provided by Kuusakoski. If you cannot access these electronic services, you may contact Kuusakoski’s customer service (see the contact information below). Requests for erasure and transmission, as well as objections, must be presented to Kuusakoski’s customer service.

Customer service contact information

Customer service contact information

Norokatu 5, 15170 Lahti, Finland
+358 800 308 80

Upon your request, Kuusakoski will take immediate action and will generally deliver a report of its actions within one month of receiving your request.

In addition, you have the right to lodge a complaint with the supervisory authority regarding Kuusakoski’s processing of personal data. The complaint must be addressed to the competent supervisory authority – in Finland, this is the Data Protection Ombudsman – in accordance with their instructions. The Office of the Data Protection Ombudsman has a website,

This page was last updated on: 25/10/2021