PRIVACY POLICY (as of 25 May 2018)

Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)

1. Controller

SOK Corporation

Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland

Visiting address: Fleminginkatu 34, 00510 Helsinki

Business ID: 0116323-1

2. Contact details of data protection officer

tietosuojavastaava@sok.fi

3. Contact details of officer in charge of register matters

tietosuoja.mara@sok.fi

4. Name of the register

Contact forms of Travel and Hospitality Industry's sales team

5. Purpose of personal data processing

Personal data is collected on a temporary basis for later contacting.

The data is used for contacting the person in question in relation to the organisation of an event or a contract customer account. The contacting may also be based on some other reason, usually commercial cooperation.

If the request for contact involves a prize draw, the data provided is used to carry out the draw and to contact the winner.

6. Grounds for personal data processing

The personal data processing is based on consent.

7. Description of controller's legitimate interests

The personal data processing is not based on the controller's legitimate interest.

8. The personal data processed

• The person's first and last name, their role in the company
• Address, phone number, email
• Information on the person's employer

9. The categories of personal data processed

Name and contact details

10. Information source and description of information sources, if the data has been collected from public sources

The data collected is received directly from the person who submits the request for contact.

11. Recipients of personal data

The data given on contact forms can be collected in separate files to enable contacting throughout the organisation. In the context of such contacting, the personal data provided may, at the consent of the data subject, be imported to other personal data registers of S Group.

After the contacting, the original forms and any separate lists created on the basis of them are destroyed or erased.

12. Transfer of personal data to third countries or international organisations, and the safeguards employed

The personal data is not transferred directly to third countries or outside the European Union or the European Economic Area.

Customer data is transferred outside the EU and the EEA when necessary for the service production. Our service provider has committed to the EU's standard contractual clauses with the appropriate contracts.

13. Storage period of personal data or criteria for determining the storage period

The contact forms and any separate lists derived from them are used for a month, at maximum, as of their submission/creation. Once the storage period has expired, the data is erased.

14. Rights of the data subject

Data subjects have the right to check the data concerning them by contacting the controller or the controller's representative. Likewise, a request for contact can be cancelled by contacting the controller or the controller's representative and requesting the erasure of the data from the register.

15. Withdrawing consent

The data in the register is not used for the purposes of direct digital marketing.

16. Impact of failure to provide personal data on contracts

The contacting requires the data normally requested.

17. The meaningful information of automated decision-making or profiling

The personal data processing does not involve automated decision-making and no profiling with legal effects for the data subject is carried out on the basis of the personal data.

18. Impact of personal data processing and general description of the technical and organisational security measures

We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.

At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.

If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the personal data will be misused and that a personal identity code provided to us will be used on false grounds. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.