Data protection comprises persons’ right to private life and the other rights that safeguard the right to privacy when personal data is processed.
The objective of the data protection policy is to secure the statutory rights of Kesko’s customers, employees and other stakeholders related to the use of personal data in each of Kesko’s operating countries, as well as to verify the rights of those who process personal data and their compliance with the rules as they process personal data. When implementing data protection, special attention is paid to the non-disclosure of personal data and to making sure that unauthorised people do not have access to the data and that the data is not used in a way that might harm the data subject.
Data protection is closely linked to information security. Kesko’s information security policy defines what information security encompasses and how it is maintained.
The processing of personal data is based on the person’s consent or on another ground defined in the law. Personal data is processed only for a justified purpose of use and only to the extent and for the period of time necessary for that purpose of use. Measures are taken to confirm the accuracy of the data, and the data are updated with data obtained from the person himself/herself or from reliable sources. When the data are no longer needed for their purpose of use, they are destroyed as appropriate.
Data are used for the purposes described at the time they were collected and within the limits set by the currently applicable law. Data are disclosed only for reasons expressly mentioned or specified by the law and only to recipients expressly mentioned or specified by the law. Data may be transferred outside the country where the controller is established, provided that the law governing that personal data file allows the transfer. In that case, any procedures specified by the law of the country in question that are applicable to the transfer are followed.
The controller is the company within Kesko Group for whose purpose of use the personal data have been collected. Each personal data file is documented as appropriate according to the local law. The data subjects are offered information on how the personal data are processed as required by law or otherwise necessary at the time the data are collected and, as far as possible, also in other ways, for example on the web pages of the controllers.
The responsibility for implementing data protection lies with business and Group management within their units.
Every Kesko employee shall know and master the data protection regulations and risks related to their responsibility areas. There is a data protection expert working under the guidance of Group Legal Affairs who guides and develops the realisation of data protection in the Group and who is assigned to assist the business units in matters related to data protection.
Each business unit is responsible for the resourcing and practical implementation of data protection in its own unit. The business unit is responsible for data protection also when outsourcing data processing. It makes sure the partner selected adheres to this data protection policy. Outsourcing personal data processing always involves drawing up a written contract that defines the responsibilities and obligations of the parties.
Data protection matters are included in the induction of new employees who process personal data, and all employees receive regular training on the subject.
Everyone processing personal data is bound by non-disclosure obligation either as regulated by law or expressly agreed and documented.
Access to information systems containing personal data is controlled by the Group’s user management solution or by other documented procedures. Log information is collected as specified by the law or otherwise at a sufficient level of detail from all personal data files.
If data protection is suspected or found to have been compromised, the issue is investigated without delay. In addition, the matter is reported without delay to the data subject whose data protection has been compromised, provided that reporting is needed in order to take corrective action or limit the damage.
Each business unit or data controller assesses and monitors the realisation of data protection in its own operations. Kesko Group’s internal audit function performs data protection audits as part of its normal audit operations.
Any activity that is in breach of the laws on personal data processing, this data protection policy or guidelines given based on this policy, is considered an action compromising data protection. In case we estimate that the action compromising data protection fulfils the criteria of a penal offence described by legislation, we will submit the matter to the authorities for investigation. If the compromising action does not fulfil these criteria but does compromise data protection, it may result in a reminder, a warning or termination of employment.
Kesko personnel are informed about this data protection policy and changes to it on Kesko’s intranet. In addition, the data protection policy valid at any given time is published on the kesko.fi site. The data protection policy is updated as needed. In addition, internal guidelines on data protection are issued within Kesko Group.
The Audit Committee of Kesko Corporation’s Board has confirmed this policy on the 23rd of April 2014.