Oriola privacy notice

Date of issue 24 May 2018

1. Controller

Oriola Finland Oy
Orionintie 5
02200 Espoo, Finland

Oriola Sweden AB
Fibervägen, Solsten, Box 252
435 25 Mölnlycke, Sverige

(each hereinafter Oriola)

Oriola Sweden AB is responsible for Personal Data collection and processing to the extent it concerns activities and business conducted in Sweden under the legal entity Oriola Sweden AB and respectively Oriola Finland Oy is responsible for Personal Data collection and processing to the extent it concerns activities and business conducted in Finland under the legal entity Oriola Finland Oy.

2. Name of the Personal Data File

Oriola Finland Oy Customer Register / Oriola Sweden AB Customer Register

3. Lawfulness and Purposes of Personal Data Processing

The data subject may be either Oriola’s customer, a representative of Oriola’s customer or a user of Oriola’s webshop or webpages. The data subject may also be a part of Oriola’s other interest groups or stakeholders. The grounds for processing of the personal data is either fulfilment of an agreement concluded between Oriola and the data subject or the legitimate interest of the data controller. In order to fulfil an agreement between Oriola and the data subject, Oriola may e.g. process personal data for delivering and billing orders. Oriola’s legitimate interests consist of receiving and managing orders, as well as managing and developing Oriola’s customer relationships, business functions and communications as well as fulfilling reporting or legal obligations towards authorities or stakeholders. To fulfil said legitimate interests, Oriola may e.g. record calls made to Oriola’s customer service and recommend products to the data subject based on inter alia the data subject’s purchase history and the preferences, which he/she has communicated to Oriola. In some cases, Oriola may process personal data on the basis of the data subject’s consent for e.g. conducting direct marketing relating to its webshop.

Maintaining the customer register is necessary for Oriola to enable efficient and customer-oriented marketing, sales activities and delivery management as well as to establish and maintain good customer relationships. The customer register is also used for more general communications purposes that do not directly relate to sales promotion.

Oriola may use customer related personal data also for improving customer experience by developing the services and analysing the customer’s interests.

4. Content of the Register

Oriola’s customer base consists of pharmacists and other professionals in the pharmaceutical and healthcare as well as legal entities and authorities. In order to establish and maintain a customer relationship, Oriola may process personal data of natural persons, who are acting as either sole traders or representing and/or working for the customer companies and other legal entities. Oriola may also collect personal data of a prospective customer’s representatives.

The personal data Oriola may collect and process includes the following personal data:
•phone number
•e-mail address
•trade name and business ID
•veterinary identification number
•voice recordings of the data subject’s calls to Oriola’s customer service
•information on the right to purchase or prescribe medicines
•information on webshop purchases
•information on product preferences
•cookie data

5. Regular Sources of Information

Personal data in Oriola’s customer register is mainly collected from the data subject himself/herself or from the company which he/she represents. In the context of Oriola’s webshop, information about the data subject may either be actively submitted by the data subject or otherwise collected during the course of use of the webshop. Information may also be collected from the authorities or publicly available sources within the limits of the applicable laws and regulations.

6. Data Disclosure and Transfers

Personal data from the customer and sales register may be disclosed to Oriola’s auditors, insurance companies and different governmental authorities/agencies (or similar) for the purposes of their regulatory tasks. Personal data may also be disclosed to other companies within the Oriola Group for purposes compatible with the processing purposes defined in this privacy notice. The disclosure of data will be carried out in accordance with applicable law.

Personal data may be transferred outside of the European Union or the European Economic Area, if it is necessary to carry out the purposes of the data processing. In such case, appropriate technical and organisational measures, such as the use of EU Commission’s standard contractual clauses, will be carried out to ensure a sufficient level of data protection in accordance with the applicable data protection regulation. Upon the data subject’s request in accordance with section 10 of this privacy notice, Oriola will provide a copy of these measures to the data subject.

7. Data Retention

Oriola manages the personal data within the customer register during the customer relationship and regularly deletes and corrects unnecessary and outdated data. When the relationship between the data subject and Oriola becomes passive, Oriola retains the personal data only for as long as the personal data is necessary for Oriola’s genuine needs and the regulatory requirements Oriola is subject to. Personal data is deleted gradually in accordance with these data retention guidelines.

8. Data Security

Oriola and its service providers monitor the safety and integrity of Oriola’ ICT and other environment and have implemented technical measures to prevent and detect any safety breaches that may threaten the personal data. Information networks are protected by firewalls and intrusion detection and prevention systems. Data is transferred to and from customers using secured communication solutions (VPN, SSL VPN).

The use of systems and data is limited to only those needing them in their work, and the use of the services requires an individual, protected user ID and password. The operating systems and programmes are up-to-date and protected with antivirus and anti-malware programmes.

The premises are protected by an electronic access control system and 24-hour electronic surveillance.  A separate area and lockable storage space have been designated for confidential work.  The personnel are obliged to maintain professional secrecy.

9. Data Subject’s Rights

Right to object to Direct Marketing

The data subject has the right to object to direct marketing at any time. The data subject may use the right by contacting Oriola in accordance with section 10 of this privacy notice.

Access to Information

The data subject has the right to obtain information of the personal data concerning him/her, which Oriola is processing, and obtain a copy of such personal data. For submitting such request, please refer to section 10 of this privacy notice. Use of this right is primarily free of charge.

Right to Rectification, Erasure and Restriction

The data subject is entitled to have any personal data that is inaccurate, outdated, unnecessary or contrary to the purposes of data processing corrected or erased. Where the data subject has access to Oriola’s digital service platforms, he/she may correct or erase any inaccurate, outdated, unnecessary data in the service himself/herself.  Requests concerning rectification and erasure may be presented in accordance with the instructions in section 10 of this privacy notice.

The data subject is also entitled to request Oriola to restrict processing of the data subject’s personal data for example when the data subject is waiting for Oriola’s response to his/hers access or erasure request.

Right to Object Personal Data Processing

On grounds relating to his/her particular situation, the data subject is entitled to object processing of personal data concerning him/her, provided that the processing is based on the data controller’s legitimate interest.

Data subject may send his/her request to restrict the processing in accordance with section 10 of this privacy notice. In this request, the data subject shall define the particular situation based on which data subject is objecting the data processing. Oriola may decline the request on statutory grounds.

Right to Withdraw Consent

Where the processing of personal data is based on the data subject’s consent (e.g. electronic direct marketing), the data subject’s has the right to withdraw this consent by notifying Oriola in accordance with the instructions in section 10 of this privacy notice.

Right of Data Portability

To the extent that the data subject has by him-/herself submitted data to the register, which are processed in order to execute the agreement between Oriola and the data subject or are processed under his/her consent, the data subject has the right to obtain a copy of such data in a commonly used and machine-readable format and transmit such data to another data controller (if technically possible).

Right to Lodge a Complaint

If the data controller does not follow the applicable data protection regulation, a data subject is entitled to lodge a complaint with a competent data protection authority.

10. Contact Details


Oriola Finland Oy

Orionintie 5
02200 Espoo
Tel. +358 10 429 99
Fax +358 10 429 3415

Customer service for pharmacies Finland:

E-mail: laakemyynti@oriola.com
Tel. +358 10 429 555


Oriola Sweden AB

Fibervägen, Solsten, Box 252
435 25 Mölnlycke, Sverige
Tel. 031 88 70 00

Customer service for pharmacies Sweden:

E-mail: kundservice.lakemedel@oriola.com
Tel. +46 31 88 72 50


E-mail: info@oriolashop.fi
Tel: +358 20 33 4242

Data protection officer:

E-mail: GDPR-DPO@oriola.com
Tel: +46-701 981 322

The data subject may contact the data controller in all questions and matters relating to personal data processing or rights of the data subject. Data subjects may use their rights by sending e-mail or post to the above-mentioned addresses.