This policy describes the purpose and guidelines of Kesko Group’s (“Kesko”) data protection policy, as well as the related responsibilities and organisation.
The data protection policy lays the foundation for procedures and guidelines concerning data protection which further specify the provisions laid down in the policy and guide their application in practice.
Data protection is closely linked to information security. The principles concerning information security are defined in Kesko’s information security policy.
Kesko’s operations are based on data and the processing of data in Kesko’s operating environments. Kesko’s operations rely on information and communication technologies and their safe and uninterrupted operation. In its planning and control of personal data processing, Kesko has prepared for various malfunctions as well as for exceptional circumstances to the extent applicable. Special attention is paid to the outsourcing of personal data processing.
Managing data protection is part of Kesko’s compliance operations, risk management and the K Code of Conduct operating principles. The purpose of this data protection policy is to determine principles, procedures and responsibilities to ensure the lawful processing of personal data and a high level of data protection at Kesko.
The right to personal data protection is a fundamental right for everyone.
Kesko plans its personal data processing in advance. The processing is lawful, fair and transparent, and personal data are processed for a specific purpose in accordance with a legal basis laid down by law.
Kesko processes data only to the extent and for as long as it is necessary for the specified purpose of use.
Kesko aims to ensure the accuracy of the data used, and the data are updated based on information obtained from the person themselves or from reliable sources. When the data are no longer necessary for their purpose of use, the data are erased appropriately.
Personal data protection also refers to everyone’s right to have access to the data collected about them, as well as the right to have any inaccurate personal data rectified and any unnecessary data erased.
Kesko has a risk-based approach to data protection. The management of data protection risks is part of Kesko’s risk management process. To ensure the effective implementation of data protection, Kesko conducts data protection risk assessments during the planning phase of personal data processing and as part of its annual risk assessment. In addition, data protection impact assessments are always conducted in situations specifically determined by the law and official guidelines. The results of the abovementioned assessments are used in determining technical and organisational measures to reduce the risk level of personal data processing throughout the life cycle of the data. At the same time, Kesko ensures compliance with the requirements of data protection legislation. If necessary, prior consultation with the authorities is conducted.
Kesko ensures that the data subjects’ rights are implemented in accordance with the EU General Data Protection Regulation by informing the data subjects about the processing of data and by determining procedures and guidelines for situations where data subjects wish to exercise their rights.
Kesko ensures the implementation of data protection by documenting personal data processing practices and by issuing related instructions. Through training and communication, Kesko ensures its employees’ sufficient data protection competence. New employees are systematically provided with induction training on data protection. This is particularly highlighted in positions that involve personal data processing and carrying out processes to implement data subjects’ rights.
As a data controller, Kesko can outsource personal data processing to a service provider. Kesko only cooperates with such personal data processors that comply with good processing practices by means of appropriate technical and organisational measures, meet the requirements of the EU General Data Protection Regulation, and can ensure the implementation of data subjects’ rights. Kesko concludes written agreements with personal data processors in accordance with the law.
Kesko has a data protection compliance programme in place to ensure the achievement of the abovementioned goals and to ensure high-quality, lawful personal data processing.
Kesko aims to protect personal data from data breaches – that is, accidental or unlawful destruction, loss, alteration or unauthorised disclosure of or access to data. Kesko has determined the process to be applied in connection with data breaches. Everyone has an obligation to report any suspected or detected data breaches without delay, in accordance with separate instructions.
If data protection is suspected to have been compromised, the issue is investigated immediately. Representatives of the business unit in question, the information security and risk management teams and a Data Protection Officer will participate in the investigation as necessary. Kesko documents all data breaches in compliance with legal requirements and reports confirmed data breaches to the data protection authorities as required. In the event of a data breach, Kesko also immediately informs the person whose data protection is compromised, when required by the EU General Data Protection Regulation.
Kesko considers non-compliance with personal data processing legislation, this data protection policy and instructions based on this policy to be activities that pose a risk to data protection. Kesko applies the measures determined in its compliance model to activities that pose risks to data protection, and data breaches are reported to Kesko’s management and Data Protection Officer.
This data protection policy is approved by Kesko’s Board of Directors. Legal Affairs is responsible for maintaining the policy.
Kesko’s Board and its Audit Committee monitor and evaluate the implementation of data protection. Overall responsibility for the implementation and management of data protection lies with the Group Management Board and the General Counsel. The General Counsel is responsible for overseeing compliance with the data protection legislation, this data protection policy, and the instructions based on this policy.
Kesko can have one or more Data Protection Officers. A Data Protection Officer acts as a data protection specialist and provides guidance and training on data protection matters to business operations and monitors compliance with the data protection legislation. A Data Protection Officer reports on their observations about matters concerning data protection to the General Counsel, and to the Board’s Audit Committee when necessary.
In each case, the data controller is deemed to be the Kesko Group company for whose purposes the personal data are processed. Responsibility for the implementation of data protection lies with the management of business operations and the Group’s management in their respective units. The management is responsible for ensuring that the management of data protection is organised clearly, and that each person in charge knows their role.
Each business unit or data controller evaluates and monitors the implementation of data protection in their operations. A Data Protection Officer conducts audits in matters related to data protection as part of their normal operations.
This data protection policy covers the operations of Kesko companies in all Kesko’s operating countries. Kesko’s personnel must comply with this policy. Kesko companies and units are responsible for implementing this policy and for providing sufficient resources for it in their operations, including with regard to stakeholders that process personal data for Kesko within their assignments.
Approved by Kesko’s Board of Directors on 17 December 2020. Enters into force on 1 January 2021.
Replaces the data protection policy confirmed by the Audit Committee of Kesko’s Board of Directors on 23 April 2014.