Sport club of the Travel and Hospitality Industry

PRIVACY POLICY (as of 25 May 2018)
Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)

1. Controller

SOK Corporation
Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID: 0116323-1

2. Contact details of data protection officer

3. Contact details of officer in charge of register matters

4. Name of the register

Sport Club of the Travel and Hospitality Industry

5. Purpose of personal data processing

Personal data is collected and processed within the framework of the register for the following purposes:

  • the maintenance of the Sport Club membership register
  • the identification of a contact person belonging in the Sport Club
  • customer communication related to the membership, contacting customers
  • marketing communications
  • communicating any interruptions or disturbances

6. Grounds for personal data processing

The personal data processing is based on the controller's legitimate interest.

7. Description of controller's legitimate interests

The legitimate interest is driven by the team's needs and desire; the team wants to be part of the Sport Club to receive the benefits offered to teams.

The personal data is needed for communication with the team. To receive information about the benefits offered, the team must provide the contact details of their contact person. Without these details, we cannot inform the team of benefits worth money.

8. The personal data processed 

With respect to the team's contact person (persons): last name, first names, phone number, email address and marketing opt-in.

9. The categories of personal data processed

Contact details, marketing opt-in or opt-out.

10. Information source and description of information sources, if the data has been collected from public sources

The data collected is received directly from the data subject.

11. Recipients of personal data 

The personal data is processed in digital systems and services for the purposes specified in this Privacy Policy. We use external service providers in the production of system and support services. Personal data can be transferred to said service providers insofar as the service providers in question participate in the implementation of measures within the framework of the relevant assignment.

We ensure the adequate level of our partners' personal data protection in the manner required by legislation.

We disclose data to the authorities within the limits permitted and required by valid legislation when responding to authorities' requests for information.

 12. Transfer of personal data to third countries or international organisations, and the safeguards employed 

We do not transfer personal data to third countries, outside the European Union or the European Economic Area or to international organisations.

13. Storage period of personal data or criteria for determining the storage period

Any personal data related to membership in the Sport Club is stored for the duration of the membership. The data can be erased if the data subject so wishes.

14. Rights of the data subject

Data subjects have the right to check the data concerning them and to rectify it by filling in the information request form available at S Group's customer service points, where the identity of the person making the request is verified. Changes to a team's Sport Club membership, for example, can also be effected by sending a message to, which takes care of club-related matters.

The data subject may exercise their right to object to commercial communications by sending an email to

The data subject has the right to have data concerning them erased and to change for instance the team's contact details by sending a message to

15. Withdrawing consent

Any withdrawal of a consent to direct digital marketing communications should be sent to

16. Impact of failure to provide personal data on contracts

Membership in the Sport Club requires the specification of the team's contact person and their contact details. The team cannot be established in the Sport Club without this data.

17. The meaningful information of automated decision-making or profiling

Profiling is used to target marketing communications in such a way that the message is sent to the email address indicated by the team's contact person, provided that the person has opted to receive said marketing.

Profiling does not have a legal effect on the data subject.

18. Impact of personal data processing and general description of the technical and organisational security measures

We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.

At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.

If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the identity will be stolen or that the personal data will be otherwise misused. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.