Privacy Notice – RELEX Planning Solutions 

In brief 

RELEX’s platform offers a range of solutions that help companies worldwide with their activities within demand planning, merchandising, and supply chain operations.  

In terms of processing personal data, RELEX’s planning solutions have the following central characteristics:  

• The solution itself processes non-personally identifiable business data for planning purposes. Such business data include for example, inventory transactions and item master data.
• The collection of personal data is primarily focused on user credentials for using and monitoring the RELEX solutions. 
• Some of the data processing activities in our solutions are decided upon by RELEX and some by our customers. 

In full 

This privacy notice (“privacy notice”) informs you about how Retail Logistics Excellence – RELEX Oy (“RELEX Oy”) and its affiliated companies globally (jointly “RELEX”) process the information it collects about the individuals interacting with its solutions in the areas of demand planning, merchandising, and supply chain operations. 

In this privacy notice, “personal data” or “data” herein refers to data that we can connect to an identifiable individual. “You” refers to the contact person of a RELEX customer and prospective customer whose personal data is processed. 

This privacy notice sets out the data processing in the context where you or your employer use RELEX’s solutions.  

For information on how RELEX processes your data in the context of corporate relations in general, please see the dedicated privacy notice on the RELEX customer register. For employees of RELEX whose data is processed in connection with the solutions, pertinent information is also provided in the internal privacy notices.   

Roles and responsibilities 

The responsibilities for controllership are split between RELEX and its customers (typically your employer). This means the following:  

The customer is the controller responsible for data processing, and RELEX for processing data on its behalf in relation to the following activities: 

• User authentication. Making RELEX’s solutions available to you for the following purposes: To carry out work-related tasks, to access related solution authentication, and to inform RELEX when you are no longer eligible to use our solutions. 
• User attributes. User attributes (such as territorial, regional or store location) from customer user authorization system, 
• Storing and accessing your data as part of the delivery of the solution. When storing and otherwise processing your data in the solution and solving technical / operational issues therein (e.g. accessing your data in the services as part of our support activities), 
• Training. We provide services for your employer to keep track of your proficiency in using RELEX’s solutions.

RELEX is the controller responsible for data processing when undertaking the processing in its own name in relation to the following activities: 

• Delivery project management. Tracking and sharing status information of ongoing activities, solution maintenance, meetings, development initiatives, and customer activities. This is done both in connection with the initial delivery and throughout the relationship, whenever necessary. 
• Support ticketing. To operate global support and maintenance framework and services, information on persons who have reported a support issue or who are awaiting its resolution is processed in our support ticketing and communication systems.   
• Solution analytics and monitoring.  To provide our solutions with good operational quality and security RELEX collects logs and metrics of the use of its solutions. Data dependent improvement areas include the user interface and user experience, system performance, best practices for solution usage, load balancing, and license monitoring. Security activities include detecting, preventing, and investigating security incidents in RELEX Services.  
• Communications. Informing you about issues related to our solutions and about collecting feedback. There is a dedicated notice explaining data processing when providing feedback. 

Both RELEX and each of our customers operate as independent controllers over their respective areas of data processing. Typically, our customers may have their own purposes of processing for personal data handled especially in relation to delivery project management and solutions logs.   

While the customer’s role is referred to in this privacy notice, such references are merely informational to provide the full picture, and do not bind the customer company in any way. The customer is ultimately responsible for the processing of your data which it does in the role of controller. 

Personal data processed by RELEX on behalf of its customers

This section sets out the processing where RELEX undertakes personal data processing in the absence of an independent need for such processing activity and where it thus operates as a processor. 

Where applicable, the processing set out in this section is agreed in more detail in a data processing agreement agreed between RELEX and its customer.  

What data is processed 

RELEX processes information of individuals who use RELEX’s solutions. Such individuals are employees, contractors, and representatives of RELEX’s customers. 

We may process the following personal data on behalf of our customers: 

How do we handle personal data 

RELEX receives personal data directly from its corporate customers and employees logging into the solution.   

RELEX processes personal data with due care and protects it with the necessary information security measures as agreed with the customer. The personal data is deleted after the customer stops using RELEX’s solutions.  

Data movement 

RELEX delivers its solutions based on regional architecture: 

• EMEA customers are serviced from EU-based cloud platforms 
• NA and LATAM customers are serviced from US-based cloud platforms 
• APAC customers are serviced either from EU, US, or APAC-based cloud platforms 

RELEX’s affiliates globally may take part in provisioning the solution. RELEX maintains a global pool of technical and solution consultants to support, operate, deliver, and maintain services. While doing so, RELEX support personnel may process, store, or otherwise access customer employees’ personal data when handling support issues. Such access is subject to RELEX policies. We may also use external service providers in provisioning both our solutions and support services. External service providers may process limited amounts of personal data from international locations.  

You can read more about our processors and locations of personal data processing here.  
 

Exercising your rights 

You should contact our customer (typically your employer) who appointed you as the user of RELEX’s solutions. Please note that RELEX is not able to answer your requests in relation to the personal data processed by RELEX on behalf of the customers. 

Personal data processed by RELEX in its own name  

This section elaborates on the data processing for which RELEX has defined the purposes and means itself and operates as the controller of personal data. 

What data is processed 

RELEX processes information of individuals who use our solutions, support them, or have a role in related activities. Such individuals are employees, contractors, and representatives of RELEX and its customers. 

The personal data that is processed as part of this privacy notice includes the following: 

Legal basis 

If the data processed by RELEX solutions is identifiable to an individual, RELEX has the following legitimate interests in processing data in relation to the solution and project delivery: 

• Enabling RELEX to monitor its service provisioning, and to secure its solutions from a variety of threats, as well as adjusting and correcting faults based on such information.
• Enabling RELEX to run a global support organization to react to and resolve issues arising from its solutions.
• Enabling RELEX to run smooth delivery projects, monitor progress, request customer resource allocations, organize meetings, and inform customer representatives of relevant matters in furtherance of successful continuous delivery of its solutions and supporting services. 

The data processing undertaken by RELEX for solution and project delivery is mandatory for the efficient delivery and maintenance of its solutions. The usage monitoring and related product communications are typical and mandatory activities when providing software-based services and delivering projects. These cannot be done without processing limited amounts of personal data. 

Some of our solutions utilize solution analytics and employ cookies and similar technologies that track which areas and features of the solutions are used and how they are used. If such activities are not mandatory for providing the solution’s features, or if such activities are otherwise not directly justified by law, the legal basis for collecting and processing the data from your device is by user consent. More information on such processing is made available in the respective privacy notice, which can be accessed from the user interface of the solution. 

Data movement 

Source of data 

RELEX receives personal data directly from you (for example; when contacting RELEX support) or from customers of RELEX (typically your employer). Information, such as logs, is also generated indirectly by user activities when using RELEX’s solutions. 

Exchanges of data with customers and partners 

We exchange some of your data with our customers who have procured our solutions when conducting the above mentioned activities related to our service provisioning. The Solutions are collaborative tools. Hence, both customer users with higher privileges as well as authorized RELEX employees may obtain visibility to solution usage metrics and reports incurred by any person who has been using the solution. 

Where we utilize intermediary partners to deliver our solutions, we may also exchange data with such companies for the same purpose. We provide these companies with access to the personal data that they may need for their agreed activities.  

Transfers of data to processors 

Your data may be made accessible to RELEX’s service providers or other vendors that RELEX uses to support, operate, deliver, and maintain its solutions. While doing so, such third-party service provider personnel may process, store, or incidentally access your data when undertaking their contracted activities. You can read more about our processors here.  

Data processing locations and transfers of personal data outside the European Economic Area (EEA) 

RELEX delivers its solutions based on regional architecture: 

• EMEA customers are serviced from EU-based cloud platforms. 
• NA and LATAM customers are serviced from US-based cloud platforms. 
• APAC customers are serviced either from EU, US, or APAC-based cloud platforms. 

Even when the customer is based in the European Union or the EEA, RELEX may use service providers that are located outside the European Union or the EEA. Also, some of the RELEX affiliates are located outside the European Union or the EEA, and the employees of such affiliates may process the data for the purposes specified in this privacy notice. 

We only do global or cross-border data transfers for a reason and after assessing the resulting privacy risk. 

You can read more about our processors and locations of personal data processing here. 

When transferring your data outside the European Union or the EEA and to such countries that the European Commission has decided as having an adequate level of data protection, we ensure that the transfer is legal and safe by concluding an agreement based on the EU Commission’s standard contractual clauses (the fixed content of such clauses is available here) or by taking other measures that are required under applicable legislation.  

You can ask for additional details relating to the transfer and the appropriate safeguards that we have put in place, or you can ask for a copy of the related documents from the RELEX contact mentioned below. 

Other use or disclosure of your data 

M&A activities: Where RELEX takes steps to sell, buy, merge, or otherwise reorganize its businesses in certain countries, this may involve disclosing data to prospective or actual purchasers, sellers, or partners and their advisors. In such circumstances, RELEX takes all reasonable steps to ensure that the appropriate measures to protect personal data are taken by such prospective or actual purchasers, sellers, or partners and their advisors.  

There may also be circumstances not covered by this notice where processing or disclosure of your data may be justified or permitted. One such example includes complying with a court order, or a warrant issued by the authorities, where we are compelled to produce the information. 

Other circumstances in which there may be a justifiable legitimate interest to disclose your data to a third party are where such disclosure is necessary to address an ongoing problem, or where we need to meet the legitimate information requirements of our third parties. In any such action, we act according to the applicable laws. 

Retention 

Your data is processed by default for the duration of our contractual relationship with your customer or as long as it is necessary for its intended purposes. Examples of shorter need-based retention periods are, for example, change history (a few months) and security logs (typically from 12 months to a few years). Examples of longer need-based retention periods are support tickets, which are retained for as long as the respective solution is under active maintenance.  

In all cases, we delete or anonymize your personally identifiable data once we no longer need to keep it. 

Also, RELEX removes your data if an objection to us processing your data is successful and/or you ask for a removal of the data based on applicable legislation. 

Security 

RELEX has implemented appropriate technical and organizational measures to ensure sufficient data security. Sufficient security measures are put in place to prevent unauthorized access to your personal data and any unauthorized manipulation of it. This includes restricting access to your data and hosting it with service providers that can demonstrate an adequate level of data security. 

We take appropriate steps to address online security, physical security, risk of data loss, and other such risks taking into consideration the risk represented by the processing and the nature of the data being protected. Also, we limit access to our databases containing personal data to authorized persons having a justified need to access such information. 

Exercising your rights 

You have the following rights to your personal data that we have gathered: 

• You have the right to access and get a copy of the data that we can identify pertaining to you. 
• Should you find any errors in your data, you can ask for these errors to be corrected. 
• You have a right to object to our collection and the use of your data, where our use of your data infringes on your rights more extensively than what can objectively be deemed as permissible. 
• You may request us to cease storing your personal data when we no longer have a defensible need to store it or as otherwise allowed by applicable data protection law. 
• If you establish that the data we have on you is incorrect or we have no legal right to use it, you may request us to cease any further processing of your personal data, or only store it, until the issue is resolved. 
• Where our collection of data is based on user consent, you may also withdraw your consent via the appropriate settings. 

If you have questions on the data processing that RELEX performs for our own purposes or if you want to exercise your rights relating to applicable laws such as the General Data Protection Regulation in the EU, our contact information can be found below. If you feel that RELEX is not fulfilling your statutory rights, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman. 

Profiling 

RELEX does not engage in the profiling of individuals in the context of providing its solutions. 

RELEX contact information  

RELEX Oy acts as the data controller for personal data covered by this privacy notice: 

Retail Logistics Excellence – RELEX Oy 
Business ID FI 1963444-1 
Address: Postintaival 7, FI-00230 Helsinki, Finland 
Website: www.relexsolutions.com 

The contact person in matters relating to this privacy notice at RELEX is: 
RELEX Privacy Director: Hannes Saarinen, privacy@relexsolutions.com

Other RELEX affiliates may process personal data on RELEX Oy’s behalf, for the purposes specified in this privacy notice. 

Changes 

To keep this notice up to date, we make changes and additions to this from time to time. We publish the changed notice on our website or on any other channel where this privacy notice has previously been made available. If the changes are significant, we may also notify you by other means. Any changes apply from the date that we publish the revised notice.