Data Protection Policy

Ensuring data protection is part of the Port of Loviisa Ltd’s (hereinafter the Port of Loviisa) operations, risk management and socially responsible operating principles. This Data Protection Policy defines the ways in which the lawful processing of personal data and a high level of data protection is ensured in all of the Port of Loviisa’s operations.

Scope and objectives of the Data Protection Policy


Data protection encompasses the privacy protection of individuals and other rights that safeguard privacy in the processing of personal data.

The objective of the Data Protection Policy is to safeguard the legal rights related to the use of personal data of the Port of Loviisa’s customers, employees and individuals belonging to other interest groups as well as to ensure compliance with the rights and obligations of the processor in the processing of personal data. In the implementation of data protection, particular attention is paid to ensuring the confidentiality of personal data and preventing unauthorised access to and the use of the data in a manner that would cause damage to the individual.

Data protection is directly linked to data security. The Port of Loviisa’s Data Security Policy defines what is meant by data security and how it is maintained.

Life-cycle and use of data


The processing of personal data is based on contract, the person’s consent, the legitimate interest of the Port of Loviisa or other grounds defined in legislation. Personal data is only processed for justified purposes and only to the extent that and for as long as is necessary in respect to the purpose in question. Efforts are made to ensure the correctness of the data used and the data is updated using information obtained from the individual or from reliable sources. Once the data is no longer needed for the intended purpose, the data is destroyed in an appropriate manner.

Data is used for the purposes described when collecting them within the confines of currently valid legislation. Data is disclosed only on specified grounds or grounds mentioned in legislation and only to specified recipients or recipients mentioned in legislation. Data may be transferred outside of the country that the controller is located in, if the legislation that the register in question is subject to allows for this type of transfer. Such transfers are carried out in compliance with the practices potentially prescribed in the legislation of each applicable country.

Informing data subjects


The controller is the Port of Loviisa Ltd. Documentation required by legislation is drawn up for each person register. Data subjects are provided with the information referred to in legislation or otherwise necessary about the processing of personal data in connection with the collection of the data and, where possible, in other ways, such as on websites.

Responsibilities and organisation


The party responsible for the realisation of data protection is the business management staff of each unit. Every Port of Loviisa employee should be familiar with and manage the data protection regulation and risks of their own area of responsibility. The Port of Loviisa’s IT office steers and develops the implementation of data protection at the Port of Loviisa and assists operating units in data protection matters.

Each operating unit is responsible for the resource allocation related to data protection and practical implementation in their own unit. The operating unit remains responsible for data protection in the event that data processing is outsourced. The unit must ensure that the chosen partner complies with this Data Protection Policy. Outsourcing the processing of personal data is always subject to the preparation of a written contract that defines the responsibilities and obligations of each party.

Ensuring data protection


Data protection matters are part of the orientation of new employees who process personal data and training concerning such matters is organised regularly for all employees. All persons processing personal data are bound by an obligation of professional secrecy as prescribed in legislation or otherwise agreed and documented.

The use of information systems that contain personal data is controlled by means of user management solutions or other documented practices. Log information is collected at the level of accuracy specifically prescribed in legislation or otherwise deemed adequate about every register.

If data protection is suspected of being or found to be compromised, the matter is investigated without undue delay and communicated to the appropriate parties in accordance with the requirements imposed by legislation. Furthermore, the matter is communicated without undue delay to the data subject whose data protection is compromised, provided that communication is justified for carrying out corrective measures or limiting the damage.

Each operating unit evaluates and supervises the implementation of data protection in their operations. The Port of Loviisa’s internal auditing department conducts audits concerning data protection matters as part of its normal audit operations.

Procedure in the event that data protection is compromised


We consider activities that compromise data protection to encompass all activities in violation of legislation concerning the processing of personal data, this Data Protection Policy and the instructions issued based on it. If we consider activities that compromise data protection to meet the criteria for punishable activities described in legislation, we will hand the matter over to the authorities for investigation. If the compromising activity does not meet the aforementioned criteria, but compromises data protection, the matter may lead to a reprimand, a warning or the termination of an employment relationship.

Information communicated to personnel, data subjects and interest groups


This Data Protection Policy and its amendments are communicated to the staff of the Port of Loviisa on the Port of Loviisa’s intranet. Additionally, the currently valid Data Protection Policy is published on the Port of Loviisa’s website. The Data Protection Policy is updated as necessary. In addition to this, the Port of Loviisa issues internal instructions regarding data protection matters.

Approval of the Data Protection Policy


This Policy was approved by the Port of Loviisa Ltd’s Management Group on 26 March 2018.