PRIVACY POLICY STATEMENT (as of 25/05/2018)
General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19
Kymi Region Cooperative Society
P.O. Box 157, 45101 Kouvola
Tel. +358 10 76 2400
Tommolankatu 9, 45130 Kouvola
kso.tietosuoja@sok.fi
tietosuojavastaava@sok.fi
The purposes of personal data processing are:
In direct marketing, the purposes of processing personal data are:
Personal data is processed based on the following grounds:
Article 6.1 b) Agreement
Article 6.1 a) Consent
The processing of personal data is not based on the data controller’s legitimate interest.
Request for an offer:
Offer:
Subscription agreement:
Newsletter subscription:
Season pass order:
Bonus payout
Customer contact form
Prize draw or contest
Organisation of events
Customers and potential customers
As a rule, the information is obtained from the customers themselves.
Recipients of personal data
The personal data is processed in digital systems and services for the purposes specified in this privacy policy. We use external service partners in the provision of system and support services. Personal data can be transferred to the service providers used insofar as the service providers participate in the implementation of measures within the framework of the relevant assignment.
We ensure that our partners protect personal data sufficiently as required by law.
We disclose data to the authorities within the limits permitted and required by valid legislation when responding to authorities’ requests for information.
We use subcontractors to process personal data. Data is transferred outside the European Union (EU) or the European Economic Area (EEA) for the purpose of providing, maintaining and supporting the services to the extent necessary.
We can perform these types of transfers if the European Commission has decided that the target country or organisation has a sufficient level of data protection, or if we can otherwise ensure a sufficient level of protection of the personal data in accordance with applicable legislation, such as by using standard contractual clauses approved by the European Commission. You can read more about the standard contractual clauses approved by the European Commission here.
We require our subcontractors to agree to follow the data protection and information security requirements set by legislation and us.
The personal data referred to in this privacy policy is only stored for as long as, and to the extent that, it is needed, and the data controller will use it for actions related to the reported purposes of processing.
Offers are retained for the duration of processing, after which the data is either anonymised or completely destroyed.
Subscription contracts are stored for 2 years from the fulfilment of the contract, after which customer data is deleted from the system.
Order history for the online store is stored in the system for the current year plus six years, after which the data is anonymised.
In the case of a prize draw or contest, personal data will be stored for the duration of the drawing and delivery of the prize. The data will be deleted within one month at the latest.
The data subject has the following rights:
If a data subject wishes to exercise their rights or to obtain further information about the processing of their personal data, they can contact the controller named in this privacy policy.
A data subject also has the right to lodge a complaint with the supervisory authority if they deem that the processing of their personal data violates the applicable data protection regulations.
The data subject has the right to withdraw their consent at any time. After the withdrawal, the data controller no longer has the right to use the personal data for such purposes that have no other grounds for processing except for the consent. If you wish, you can withdraw your consent via the link provided with the marketing message.
You can unsubscribe from the newsletter via the link provided with each letter.
In the case of a prize draw or contest, withdrawal of consent should be made by contacting the organiser of the prize draw or contest.
The transaction or reservation does not take place.
No automated decision-making or profiling is associated with the personal data processing.
We diligently protect personal data throughout its lifecycle by employing the appropriate data protection and information security measures. System providers process personal data at secure server facilities. Access to personal data is restricted, and the personnel are subject to a confidentiality obligation.
At S Group, we protect personal data with, among other tools, anticipatory risk management and security planning, means of data communication protection, the continuous maintenance of information systems and backups, and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of user rights is a well-managed process. We regularly provide training for our personnel who participate in the processing of personal data, and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We select our subcontractors with care. We continuously update our internal practices and guidelines.
If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the identity will be stolen or that the personal data will be otherwise misused. If we notice that such an event has happened, we will immediately begin an investigation and will make efforts to prevent any damage from occurring as a result. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.