Sanctions monitoring registry

S-BUSINESS SANCTIONS MONITORING REGISTRY 
PRIVACY POLICY (updated in March 2025)

Data controller 
S-Business Oy
Flemingsgatan 34,
FI-00510 Helsinki, Finland
Business ID 2389183-8

Contact details of the data protection officer 
tietosuojavastaava@sok.fi 

Contact information of the Data Controller 
S-Business Oy
email: s-business@sok.fi
Phone: +358 10 768 0820

Purpose of personal data processing

Sanctions are a means for states and international institutions (such as the EU or the UN) to influence the actions of individual countries as well as state and non-state individuals and companies to accomplish foreign policy goals. Among other things, sanctions are used to stop products, services or other resources being delivered to specific parties and thereby to hinder or stop the actions of these parties.
 
Company and personal data is processed in the DOKS service for the purpose of carrying out sanctions checks. 
A sanctions check must be carried out for the counterparty before the start of cooperation and the conclusion of an agreement. In addition, the sanctions check must be regularly repeated throughout the life cycle of the contractual relationship. 

Grounds for the processing of personal data

The processing of personal data for the purpose of implementing sanctions monitoring for the counterparty is based on a legal obligation and legitimate interest. 

Organizing appropriate sanctions monitoring at S-Business is important to ensure that S-Business itself will not violate any sanctions regulations and that S Group’s products and services are not intentionally or unintentionally used in violation of sanctions regulations. No business may be carried out with parties subject to sanctions either directly or indirectly. 

S-Business is directly obligated to comply with any EU and UN sanctions that are enforced through legislation. In this regard, the processing of personal data is based on a legal obligation. In addition, financial agreements obligate S-Business to observe sanctions imposed by the United States and the United Kingdom. For these, the processing is based on a legitimate interest.

Information required for a sanctions list check

  • For Finnish companies, business ID and company name 
  • For foreign companies, registration number, company name and country code and, as additional information, contact information such as street address, postal address and town/city 

The personal data processed 

  • The name and date of birth of the beneficial owners of the companies 
  • The name and date of birth of the persons responsible for the company

Processed personal data groups 

Name, date of birth and contact details of the representatives of customers and suppliers. 

Data source and description of data sources if data is collected from public sources 

We collect companies’ data from the S-Business customer register and supplier register, from which they are taken into the system of the sanctions monitoring service. 

The sanctions monitoring system compares the entered data with the data of the Business Information System and sanctions lists.

Recipients of personal data 

The personal data is processed in digital systems and services for the purposes specified in this privacy policy. We use external service partners in the provision of system and support services. Personal data can be transferred to said service providers insofar as the service providers participate in the implementation of measures within the framework of the relevant assignment. 
We ensure that our partners protect personal data sufficiently as required by law. 
We do not disclose any data stored in the register to third parties, except for the disclosure of data to the authorities within the limits permitted and obligated by valid legislation, when responding to the authorities’ data requests, for example.

Transfer of personal data to third countries or international organisations and data protection safeguards used

We do not transfer personal data to third countries outside the European Union or the European Economic Area or to international organisations. 

Period for storing personal data or criteria for determining the storage period 

The personal data referred to in this privacy policy is only stored for as long as, and to the extent that, it is needed, and the data controller will utilise it for actions related to the reported purposes of processing. Sanctions checks are carried out for the the counterparty during the validity period of the agreement, after which the data is manually deleted from the sanctions monitoring service. 

Data retention period for reports made in order to meet the accountability requirement is five years.

Rights of the data subject 

The data subject has the following rights: 

  • Right to access personal data (through a request for information) 
  • Right to rectification of data 
  • Right to restrict processing 
  • Right to object 
  • Right to be informed of personal data breaches

If a data subject wishes to exercise their rights or to obtain further information about the processing of their personal data, they can contact the controller named in this privacy policy. 

Data subjects also have the right to lodge a complaint with the supervisory authority if they deem that the processing of their personal data violates the applicable data protection regulations. 

Effects of not providing personal data on an agreement 

If personal data is not provided to S-Business Oy, a customer relationship cannot be opened.

General description of technical and organisational safety measures 

We protect the personal data for the whole duration of its life cycle by using appropriate security measures. At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups, and by using secure hardware facilities, access control and security systems. The granting and monitoring of user rights is a well-managed process. We regularly train our personnel involved in the processing of personal data. We select our subcontractors with care. We continuously update our internal practices and guidelines. 

If, despite all of our safeguards, we detect a data security breach concerning personal data, we will immediately begin investigating the matter and strive to prevent any damage. We will inform the relevant authorities and data subjects of any data security breaches in accordance with legislative requirements.