PRIVACY POLICY (as of 25 May 2018)

Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)

1. Controller

SOK Corporation

Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland

Visiting address: Fleminginkatu 34, 00510 Helsinki

Business ID. 0116323-1

2. Contact details of data protection officer

tietosuojavastaava@sok.fi

3. Contact details of officer in charge of register matters

tietosuoja.mara@sok.fi

4. Name of the file

Customer events of the Travel and Hospitality Industry's sales team

5. Purpose of personal data processing

Personal data is collected on a temporary basis for the purpose of organising customer events. The people invited are always informed separately of the purpose and details of the event.

The event may be organised in cooperation with a partner of ours; this, too, will be communicated separately in connection to the invitation.

The collected data is used for purposes of the following kind:

• the management of the invitation and registration lists
• the organisation of any possible transportation, venue and accommodation bookings and catering
• contacting the registered in relation to any possible travel arrangements
• contacting the registered after the event

6. Grounds for personal data processing

The personal data processing is based on consent.

7. Description of controller's legitimate interests

The personal data processing is not based on the controller's legitimate interest.

8. The personal data processed

• The person's first name and last name
• Address, phone number, email
• Information on the person's employer
• When necessary, passport number or the number of some other travel document and any other identifying information Date of birth, personal identity code or other information required for organising travel
• Any other information provided on the basis of consent, such as data concerning any special diet
• The information regarding the person originally invited to the event, if that person has forwarded the invitation, e.g. within the organisation they belong to.

9. The categories of personal data processed

• Name and contact details
• Identifying information when necessary

10. Information source and description of information sources, if the data has been collected from public sources

Information regarding a person to be invited to customer events is mainly retrieved from the customer register of the Travel and Hospitality Industry's sales team, unless that person has specifically forbidden it. People other than the representatives of our partners or customers may also be invited to events.

The data collected is received directly from the people signing up for the event.

11. Recipients of personal data

The personal data is processed in digital systems and services for the purposes specified in this Privacy Policy. We use external service providers in the production of system and support services.

Personal data can be disclosed to said service providers insofar as these service providers participate in the implementation of measures within the framework of the relevant assignment. Such service providers can include tour operators, for example.

When organising an event in cooperation with a partner, the list of participants can be shared with the partner in question. Data on the participants can be saved in the customer registers of both the controller and the aforementioned partner.

We ensure the adequate level of our partners' personal data protection in the manner required by legislation.

12. Transfer of personal data to third countries or international organisations, and the safeguards employed

Customer data is transferred outside the EU and the EEA when necessary for the service production. Our service provider has committed to the EU's standard contractual clauses with the appropriate contracts.

13. Storage period of personal data or criteria for determining the storage period

Registrations and any separate lists derived from them are stored for a maximum period of 3 months after the event. Once the storage period has expired, the data is erased.

14. Rights of the data subject

A data subject may check and change information concerning their registration, or request their erasure or transmission to another system by contacting the event's organiser.

15. Withdrawing consent

Data subjects can request the erasure of information concerning them using the link that can be found in the invitation or communication concerning the event.

16. Impact of failure to provide personal data on contracts

Normally, participation in events is possible only if we are provided with the information requested.

17. The meaningful information of automated decision-making or profiling

The personal data processing does not involve automated decision-making and no profiling with legal effects for the data subject is carried out on the basis of the personal data.

18. Impact of personal data processing and general description of the technical and organisational security measures

We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.

At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.

If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the personal data will be misused and that a personal identity code provided to us will be used on false grounds, for example. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.