PRIVACY POLICY (as of 25 May 2018)

Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)

1. Controller

SOK Corporation

Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland

Visiting address: Fleminginkatu 34, 00510 Helsinki

Business ID: 0116323-1

2. Contact details of data protection officer

tietosuojavastaava@sok.fi

3. Contact details of officer in charge of register matters

tietosuoja.mara@sok.fi

4. Name of the register

Travel and Hospitality Industry's S-Card customer loyalty register

5. Purpose of personal data processing

Personal data is processed for the following purposes:

• the maintenance of the S-Card customer loyalty register
• the identification of a person included in the register, the improvement and development of a service event
• customer and service communication related to the customer account, communication with the customer
• the marketing of the controller's products and services
• the management of invitations to customer events
• the invoicing, payment, payment monitoring and collection of membership fees
• the development of the controller's business and the related customer service, and the competence development of the customer service staff
• the registration of activities and benefits under the loyalty programme
• the registration of the benefits of partner companies belonging to the loyalty programme
• the monitoring and analysis of selections related to the accommodation, meals and other service use of customers, and the related customer service development
• the development of services for customers in the loyalty programme, and the targeting of such services
• the implementation of customer surveys and research related to the loyalty programme

6. Grounds for personal data processing

The personal data processing is primarily based on the contract concluded in accordance with the rules of the S-Card loyalty programme. The following data is collected and processed on the basis of the controller's legitimate interest:

• information on participation in events
• contact history and recordings of phone conversations

The following data is furthermore collected at the consent of the person:

• Marketing opt-in
• Any blocks to service messages

7. Description of controller's legitimate interests

The legitimate interest is based on the better consideration of the customer and the improvement of services related to the automatic identification of the customer when they contact our customer services, for example

8. The personal data processed

• The person's first and last name, date of birth, address, email address, phone number, language code, gender, nationality and any other possible invoicing address. Date and time when the person joined the loyalty programme.
• Information related to the use of services, any benefits granted and used.
• S-Card membership number, level of membership, validity.
• Information related to membership fees and renewal.
• In corporate S-Card agreements, information on the main cardholder and other cardholders.
• Information related to direct marketing.
• Contact history and recordings of phone conversations.

9. The categories of personal data processed

Contact details, marketing opt-in or opt-out, phone recordings and contacting.

10. Information source and description of information sources, if the data has been collected from public sources

The data concerning the member of the loyalty programme is received from the person in question, unless the case concerns a corporate S-Card agreement, in which case the data is provided by the party which orders the cards.

Personal data can also be updated from the files of the Population Register Centre and other controllers offering address update and other similar services.

11. Recipients of personal data

The personal data is processed in digital systems and services for the purposes specified in this Privacy Policy. We use external service providers in the production of system and support services. Personal data can be transferred to said service providers insofar as the service providers in question participate in the implementation of measures within the framework of the relevant assignment.

We ensure the adequate level of our partners' personal data protection in the manner required by legislation.

For the purpose of service production, the data can be transferred other registers of S Group; in the context of signing up for membership, for instance, the data is transferred to the customer register of SOK Travel and Hospitality Industry Chain Management to improve customer service.

We disclose data to the authorities within the limits permitted and required by valid legislation when responding to authorities' requests for information.

12. Transfer of personal data to third countries or international organisations, and the safeguards employed

Customer data is transferred outside the EU and the EEA when necessary for the service production. Our service provider has committed to the EU's standard contractual clauses with the appropriate contracts.

13. Storage period of personal data or criteria for determining the storage period

The personal data specified in this Privacy Policy is stored, at maximum, for the period of time during which the membership is valid and for a period of 28 months as of the end of the membership, to ensure the granting and use of the benefits due to the customer. Any possible recording of phone conversations are stored for a period of six months for the purposes of training and service development.

14. Rights of the data subject

Data subjects may check and rectify data concerning themselves by logging in to the Oma S-Card service or by filling in the information request form available at the customer service points of S Group, where the identity of the person submitting the request is verified. If a data subject wishes to have the contact history concerning them, they may request it separately on the information request form.

In the Oma S-Card service, the data subject can also change any direct marketing opt-in settings concerning themselves.

Data subjects have the right to have data concerning them erased, provided that the controller has no legitimate grounds for storing the data. The request to have data erased is submitted by visiting a customer service point of S Group or at the reception of an S Group hotel, where the identity of the person making the request is verified.

If a data subject wishes to exercise their right to restrict processing or object to processing, they can do so by contacting the controller. The controller must also be contacted if the data subject wishes to have their data transmitted from one system to another.

If a person wishes to exercise their rights or receive further information on the processing of their personal data, they can contact the controller specified in this Privacy Policy.

People also have the right to lodge a complaint with the supervisory authority if they consider the processing of their personal data to violate the applicable data protection provisions.

15. Withdrawing consent

Consent can be withdrawn by modifying one's own data in the Oma S-Card service. The withdrawal can also be done by contacting the S-Card customer service.

16. Impact of failure to provide personal data on contracts

The maintenance of a membership in an S-Card loyalty programme requires the processing of personal data. Registration in the loyalty programme requires the disclosure of the requested data.

17. The meaningful information of automated decision-making or profiling

The saved purchase history data is used for the profiling of marketing communication targets in such a way that members of the loyalty programme who fit the profile and have given their consent to marketing are sent direct marketing messages.

Profiling is used for the targeting of communication in such a way that messages are sent to members who have made transactions in a particular unit, for example, provided that they have opted to receive such messages.

The profiling does not have a legal effect.

18. Impact of personal data processing and general description of the technical and organisational security measures

We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.

At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.

If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the data will be misused and that earned benefits, for instance, will be used on false grounds. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.

Print data request form »