Contractual catering

Contractual catering

Travel and Hospitality Industry's contract catering register

PRIVACY POLICY (as of 25 May 2018)
Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)


1. Controller

SOK Corporation
Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID: 0116323-1

2. Contact details of data protection officer

3. Contact details of officer in charge of register matters

4. Name of the register

Travel and Hospitality Industry's contract catering register

5. Purpose of personal data processing

The invoicing of contract catering.

6. Grounds for personal data processing

The invoicing of contract catering in accordance with the contract made with the corporate customer.

7. Description of controller's legitimate interests

The personal data processing is not based on the controller's legitimate interest.

8. The personal data processed

  • Last name, first name
  • Any possible employer information or other reference.

9. The categories of personal data processed

  • Customers

10. Information source and description of information sources, if the data has been collected from public sources

The data collected is provided by the contractual partner, on whose assignment the data is imported to the point-of-sale system for lunch invoicing, for example.

11. Recipients of personal data 

Information on the data subject's service use is delivered to the orderer of the service to enable invoicing.

The personal data is processed in digital systems and services for the purposes specified in this Privacy Policy. We use external service providers in the production of system and support services.

Personal data can be disclosed to said service providers insofar as these service providers participate in the implementation of technical measures within the framework of the relevant assignment.

We ensure the adequate level of our partners' personal data protection in the manner required by legislation.

 12. Transfer of personal data to third countries or international organisations, and the safeguards employed 

The personal data is not transferred to third countries or outside the European Union or the European Economic Area.

13. Storage period of personal data or criteria for determining the storage period

The personal data is stored for the duration of the contract, after which the data is erased from the system no later than within a year.

14. Rights of the data subject

Data subjects have the right to check the data concerning them by contacting the controller. When requesting information about individual payment transactions, we will need information about the location and time of the transaction.

15. Withdrawing consent

The data in the register is not used for the purposes of direct marketing.

16. Impact of failure to provide personal data on contracts

The implementation of contract catering requires the information required by the orderer of the service to be imported to our point-of-sale systems.

17. The meaningful information of automated decision-making or profiling

The personal data processing does not involve automated decision-making and no profiling is carried out on the basis of the personal data.

18. Impact of personal data processing and general description of the technical and organisational security measures

We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.

At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.

If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the data will be misused and that someone will impersonate the data subject on the basis of the data, for example. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.