Saka
Overview of the car door

Privacy policy

 
Privacy Notice of SAKA Finland Oy and Saka Ab under the EU General Data Protection Regulation (GDPR)
This is the privacy notice of SAKA Finland Oy and Saka Ab (hereinafter: SAKA) in accordance with the EU General Data Protection Regulation (GDPR).
This notice explains how we process your personal data in connection with:
  • the sale and purchase of cars
  • the provision of insurance, financing, and other services
  • cookies and the chat service on our website
  • acting as a driver for the transfer and delivery of our cars
  • employment at our company
 
Last updated: 7 July 2023

1. Controller

SAKA Finland Oy Business ID: 3205932-2 Address: Portinkaarre 3, 90410 OULU, Finland

2. Contact Person for Data Protection

Kaisa Meriläinen, Data Protection Officer All inquiries related to personal data processing should be sent to: tietosuoja@saka.fi

3. Categories of Data Subjects and Purposes of Processing

Our processing of personal data is divided into the following categories:

I. Customers

  • We process customer data for matters related to car sales and customer relationships, including the purchase, trade-in, and resale of vehicles and the provision of related services (financing, insurance, and other add-ons). We also process data for marketing, business development, and analytics.
  • Processing is mainly based on contracts. In some cases, the legal basis may also be the customer's consent, a legal obligation, or our legitimate interest.

II. Website Visitors

  • Visitor data is processed based on legitimate interest (e.g., for cybersecurity and statistical analysis), where applicable as personal data.
  • With the visitor’s consent, data is processed for marketing when cookies and tracking technologies are accepted.

III. Drivers

  • Drivers’ data is primarily processed based on a contract to manage vehicle transfers and deliveries related to sales, purchases, or inventory.
  • Processing may also rely on legal obligations or legitimate interest linked to employment.

IV. Salespeople and Other Employees

  • Employee data is mainly processed based on an employment contract for managing employment-related matters.
  • In some cases, processing may also be based on legal obligations or legitimate interest related to the employment relationship.
No data is used for automated decision-making or profiling without the explicit consent of the data subject.

4. Personal Data Processed

I. Customers

In relation to vehicle sales, purchases, and test drives, we process:
  • Name
  • Personal identity number
  • Contact information, address, place of residence
  • Non-disclosure requests for contact information
  • Driver’s license data
  • Vehicle information
  • Business information for corporate customers
  • Financing and insurance details and application data
  • Consent for data sharing with finance and insurance companies
  • Communication and customer relationship data
  • We retain this data only as long as needed for the customer relationship.
 
For marketing and customer communications:
  • Name
  • Contact information
  • Vehicle details
  • Business details for corporate customers
  • Consent and objections to electronic direct marketing per channel
  • Electronic direct marketing to consumers requires consent. If customer data is obtained from another source, consent will be confirmed.
  • We retain marketing data as long as consent is valid. Customers may opt out of electronic marketing at any time.
 

II. Website Visitors

IP address, device and browser information Cookie data (if accepted) Behavioral data inferred from browsing (e.g., targeted ads) Security-related visitor data is retained as long as necessary. Anonymous statistical data is retained indefinitely. Marketing data is retained for an appropriate time, based on accepted cookies or tracking. Users can delete cookies via browser settings. Google and Facebook users can manage data use through their account settings.

III. Drivers

  • Name
  • Business information (for third-party service providers)
  • Contact and address information
  • Workplace
  • Driver’s license data
  • Data on transfers/deliveries (work hours and related costs)
  • Salary and billing information
  • Data is retained as long as necessary for vehicle logistics, and may be archived for statistical or record-keeping purposes.
 

IV. Salespeople and Other Employees

  • Name
  • Contact and address details
  • Workplace
  • Driver’s license data
  • Vehicle transfer/delivery details (work hours and costs)
  • Employment contract information
  • Salary data
  • Other essential employment-related data
  • Employee data is processed for the duration of employment needs.
 

5. Regular Sources of Data

Data is collected from the data subjects themselves via online forms, chat, SMS, phone, email, social media (e.g., WhatsApp, Facebook, Instagram), contracts, meetings, and other similar situations.
We may also collect data from public sources such as the vehicle register maintained by Traficom, credit registers, and third-party service providers.
Website visitor data is collected automatically through technical tracking.

6. Regular Disclosures and Transfers Outside the EU/EEA

Customer data may be disclosed to the Finnish Transport and Communications Agency Traficom for vehicle registration. With consent, data may also be shared with finance and insurance providers.
Data may be disclosed to competent authorities or other parties based on valid legal requirements. It may also be shared for scientific or historical research in anonymized form. In cases of business sale, acquisition, or restructuring, customer data may be disclosed to buyers and their advisors.
Data may be shared for direct marketing, opinion and market research, in compliance with legislation.
For electronic direct marketing, advertising platforms (e.g., Google, Meta) may combine customer data with profile data for targeting purposes. These platforms act as data processors, not independent controllers, unless otherwise specified.
In situations where third-party cookies or similar technologies (e.g., from Meta) are used, Meta may act as a joint controller with SAKA. Otherwise, when customers consent to optional cookies or marketing, Meta may act as an independent controller.
Meta’s privacy policy: https://www.facebook.com/privacy/policy
Data may be processed by service providers acting as processors on our behalf under written agreements.
Types of processors include:
  • Accounting firms and auditors
  • Car logistics service providers (e.g., Biila Go)
  • Customer communication providers (e.g., Zendesk)
  • Email and cloud services (e.g., Google)
  • Social media platforms (e.g., Meta)
  • Providers maintaining company websites, systems, and servers
  • Web analytics and digital marketing service providers
 
We generally do not transfer data outside the EU/EEA. If we do, we ensure adequate protection via contractual safeguards (e.g., standard contractual clauses or explicit consent), in accordance with GDPR.
Data may also be processed outside the EU/EEA by our employees using company systems while working abroad.

7. Data Security Principles

We use necessary technical and organizational measures to protect personal data from unauthorized access, disclosure, destruction, or processing. These include firewalls, secure server environments, access controls, encryption, staff training, and careful selection of subcontractors.
Only authorized employees whose job duties require it have access to personal data. All such employees are bound by confidentiality obligations.

8. Right of Access and Rectification

All data subjects have the right to access their data and request correction of inaccurate or incomplete data.
Requests must be submitted in writing to the controller. Identity verification may be required. The controller will respond within the timeframe defined in the GDPR (typically within one month).

9. Other Rights Related to Personal Data

Data subjects may request the deletion of their data (“right to be forgotten”) and have other GDPR rights, such as restriction of processing in certain cases.
You may object to direct marketing or data sharing for such purposes by contacting us.
Requests must be submitted in writing. Identity verification may be required. The controller will respond within the GDPR-defined timeframe (typically within one month).
If you are dissatisfied with how your data is handled, you have the right to lodge a complaint with the data protection authority.
As outlined in Section 6, third parties like Meta may collect or use data through cookies or similar technologies for analytics or advertising. You can withdraw your consent at any time through those services.
More information on your rights is available at the Finnish Data Protection Ombudsman’s website: https://tietosuoja.fi/en/registered-persons-rights

10. Changes to the Privacy Notice

We continuously improve our services and reserve the right to update this privacy notice by posting changes on our website. Updates may also result from legal changes. We recommend reviewing this notice regularly.

11. Contact Regarding Privacy Matters

For inquiries, withdrawal of consent, or other matters related to this privacy notice, please contact: tietosuoja@saka.fi
Last updated: 13.11.2025

Saka’s privacy policies:

Camera surveillance