Phone call recordings
Centralised phone call recordings of the SOK travel and hospitality industry sales services
Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)
- Data Controller
Suomen Osuuskauppojen keskuskunta SOK
Postal address: PO Box 1, 00088 S-RYHMÄ
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID: 0116323-1
- Contact details of data protection officer
- Contact details of officer in charge of register matters
- Name of the register
Centralised phone call recordings of the SOK Travel and Hospitality Industry sales services
- Purpose of personal data processing
To develop our customer service, the recordings can be used in training offered to customer service personnel, in service level surveys and in the development of instructions. Additionally, the aim is to secure the rights of the parties involved and ensure the accuracy of the service.
- Grounds for personal data processing
The processing of personal data is based on legitimate interest.
- Description of controller's legitimate interests
The processing of personal data is based on the controller's legitimate interest, because the other party is informed about the recording prior to the conversation. Making a reservation is also possible via email, through the online service and via app.
- The personal data processed
Data provided during the phone call.
- The categories of personal data processed
Customers' names and contact information, any eventual history data related to the customer account and other data relevant to the service, such as loyalty programme memberships, information about special diets, special requests and requirements.
- Information source and description of information sources, if the data has been collected from public sources
The data collected is received directly from the customer. In connection with group bookings, the data is provided by the party handling the booking.
Additionally, phone calls to the customer can be performed. In such a case, the data for calling is mainly retrieved from the Travel and Hospitality Industry corporate customer register or from the S-Card customer loyalty register.
- Recipients of personal data
We ensure the adequate level of our partners' personal data protection in the manner required by legislation.
We disclose data to the authorities within the limits permitted and required by valid legislation when responding to authorities' requests for information.
- Transfer of personal data to third countries or international organisations, and the safeguards employed
Customer data is transferred outside the EU and the EEA when necessary for the service production. Our service provider has committed to the EU's standard contractual clauses with the appropriate contracts.
- Storage period of personal data or criteria for determining the storage period
Any possible phone call recordings are stored for training purposes, for securing the rights of the parties and for ensuring the accuracy of the service for three months, at most, after which they are automatically destroyed. In situations involving a complaint, the recordings are stored during the processing of the complaint.
- Rights of the data subject
The data subject has the right to request access to the recording data and/or request their erasure by contacting the officer in charge of register matters.
The phone call recording can be delivered to the data subject in the form of a transcript unless otherwise agreed.
- Impact of failure to provide personal data on contracts
Customer service cannot be provided over the phone if the phone call recording is denied. Alternative service channels are mentioned in section 7.
- The meaningful information of automated decision-making or profiling
The personal data processing does not involve automated decision-making and no profiling with legal effects for the data subject is carried out on the basis of the personal data.
- Impact of personal data processing and general description of the technical and organisational security measures
We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.
At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.
If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the personal data will be misused and that a personal identity code provided to us will be used on false grounds, for example. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.