Privacy Policy

Under the Data Protection Regulation, the controller is obligated to inform the data subjects in a transparent manner. This statement fulfills the obligation to provide information.

1. Controller

Rautatieto Oy (Business ID: 2412066-4, Ratamestarintie 2B, FI-90150 Oulu, Finland)
Contacts pertaining to matters related to data protection: Arto Nivala, tel. +358 (0)50 3869 382, arto(at)

2. Name of the register

The customer register of Rautatieto Oy.

3. Data protection policy

Rautatieto Oy commits to protect the privacy of the users of its services in accordance with the Finnish Personal Data Act (523/1999), the Information Society Code (917/2014), and all other applicable legislation.

By using our website, the user accepts the terms of this data protection policy. By using the website, the user gives their consent to Rautatieto Oy for the storage and processing of cookie files related to the website.

4. Purpose of processing personal data and legal grounds

Personal data is processed for the purposes of maintenance, management, development, and analysis of the customer relationship, as well as customer communication, which may also be carried out electronically. Additionally, personal data is processed for the purposes of processing personal data under the Personal Data Act for purposes and research activities pertaining to online services. The controller may use the data received from the data subject for direct marketing. The processing of personal data and the legal grounds thereof are based on the General Data Protection Regulation of the EU.

5. Data contents of the register

A relevant connection between the data subject and the operations of the controller based on a customer relationship is formed where, for example, the data subject gives an assignment to Rautatieto Oy or is a party in a transaction or another contract, which is related to an assignment carried out by the company mentioned above or utilizes the services of the company mentioned above in some other manner.

6. Data processed in the register

The register may include the following data, for example: the first and last name of a customer, address information, telephone number, email address, date of birth or Personal Identity Code if unambiguous identification of the data subject is important for the realization of the rights or obligations of the data subject or the controller, gender, first language, information pertaining to marketing permissions and prohibitions, information pertaining to transactions and usage in different channels, customer loyalty information and other corresponding grouping information, user ID and password, alternative delivery addresses, product review information, and information pertaining to participation in marketing campaigns (such as raffles) as well as subscription to the newsletter.

7. Regular data sources of the register

Customer information is received from the customer when a customer relationship or assignment is created or directly from the customer themselves. Additional data sources include companies and authorities that provide services pertaining to personal data, such as the information update service provided by the Population Register Centre and the credit information register of Suomen Asiakastieto Oy.

Feedback, contact requests, etc. may be submitted using the contact form. If you require a response to feedback submitted via the feedback form or email, your message must be accompanied with contact information. Any messages sent via the contact form are archived in the service.

For feedback containing personal data, it should be noted that the level of data security for feedback forms submitted and email messages sent in an unprotected format is low and thus the confidentiality and protection of the data cannot be completely ensured. This should particularly be taken into account in relation to information that is sensitive with regard to privacy.

8. Regular disclosure of data, EU and EEA

The controller does not transfer the personal data of customers to third parties, except as required by law for purposes that are not in conflict with the purposes for data processing mentioned in the Description of file or matters related to collection. Personal data is not transferred outside of the EU or EEA, unless it is necessary to do so for the technical implementation of the data processing.

9. Deletion of data

In principle, personal data is processed for the duration of the customership, i.e. until the assignment is concluded. Data may be removed at the request of a customer. Additionally, it may be necessary to delete data as a result of monitoring if a customer is abusing the service or is using the service to engage in criminal activities etc.

It should be noted that the controller may have a statutory or other right to refrain from deleting data. The controller is obligated to keep accounting materials for a period of time as provided by the Finnish Accounting Act. Therefore, any materials related to accounting cannot be deleted before the prescribed period expires.

10. Data subject’s rights of access, rectification, and restriction

A customer has the right to review what data pertaining to them is stored in the register. The written and signed request must be sent to the controller’s person in charge of matters related to the register.

The controller will respond to the review requests in writing. The request must be sent to the controller’s person in charge of matters related to the register in writing, duly signed: Arto Nivala, Rautatieto Oy, Ratamestarintie 2B, FI-90150 Oulu, Finland.

If data pertaining to a customer contains errors, the customer may request the controller to rectify the error. Customers have the right to prohibit handing over or processing data pertaining to them for mail marketing, remote sales, and other forms of direct marketing.

11. Personal data processors and protection

Personal data is kept confidential at all times. Personal data is processed according to the valid data protection regulation and in an otherwise appropriate manner. Any information stored manually is kept in a locked space at all times. The information included in the controller’s electronic customer register is appropriately protected by a firewall and other technical measures.