SOK CorporationPostal address: P.O. Box 1, FI-00088 S-RYHMÄ, FinlandStreet address: Fleminginkatu 34, FI-00510 Helsinki, FinlandBusiness ID 0116323-1
Contact details of the data protection officer
tietosuojavastaava@sok.fi
Officer in charge of register matters
tietosuoja.it@sok.fi
Purpose of personal data processing
Personal data is processed to process the customer’s product request. The customer can present product requests for the selected store on the www.sinuntoive.fi website. The customer can choose the desired product from the existing selection or write the request as free text.The customer has the option to leave a phone number if they want to be informed about the progress of the processing of the request by SMS. Providing a phone number is not mandatory, you can also leave a request without a phone number. If the customer leaves a phone number, the customer will receive an automated SMS message when the request has been processed.Requests are processed through a separate portal. In the portal, the phone number provided by the customer is not fully visible to the request processors, only the last four digits and the country code.
Grounds for the processing of personal data
The data controller’s legitimate interest.
Description of legitimate interest
The legitimate interest for the processing of personal data is the processing of personal data in the management of the customer relationship, where an additional service is provided to the customer. The starting point of the service is to develop the selections of stores for customers. The customer’s service experience can be improved through product requests.In order to inform the customer of the results of the processing of the product request, it is necessary to provide a phone number for sending an SMS. Providing a number is optional, and the number will not be used for any other purposes. A phone number cannot be left in the case of a free text request. No text message will be sent to the customer and no personal data is collected.
The personal data processed
Telephone number, additional information entered by the customer.
Source of information
Personal data is collected directly from the customer in connection with the product request.
Recipients of personal data
The personal data is processed in digital systems and services for the purposes specified in this privacy policy. We use external service partners in the provision of system and support services. Personal data can be transferred to the service providers used insofar as the service providers participate in the implementation of measures within the framework of the relevant assignment.We ensure that our partners protect personal data sufficiently as required by law.We do not disclose any data stored in the register to third parties, except for the disclosure of data to the authorities within the limits permitted and obligated by valid legislation, when responding to the authorities’ data requests, for example. We disclose data to the authorities within the limits permitted and required by valid legislation when responding to authorities’ requests for information.
Transfer of personal data to third countries or international organisations and data protection safeguards used
We do not transfer personal data to third countries outside the European Union or the European Economic Area or to international organisations.
Period for storing personal data or criteria for determining the storage period
We only store personal data according to this privacy policy for as long and to the extent that it is necessary, and we use it for activities connected to the reported purposes for processing.The phone number is kept for up to 30 days.
Rights of the data subject
The data subject has the following rights:Right to access personal dataRight to rectification of dataRight to erasureRight to restrict processing (disputing the accuracy of the data or unlawful processing)Right to transfer the data to another system (in case of automatic processing)Right to be informed of personal data breachesIf a data subject wishes to exercise their rights or to obtain further information about the processing of their personal data, they can contact the controller named in this privacy policy. Data subjects also have the right to lodge a complaint with the supervisory authority if they deem that the processing of their personal data violates the applicable data protection regulations.More information about rights can be found on the Your rights page.
Significant information related to automated decision-making or profiling
No automated decision-making or profiling is associated with the personal data processing.
Impact of the processing of personal data and a general description of technical and organisational security measures
We diligently protect personal data throughout its lifecycle by employing the appropriate data protection and information security measures. System providers process personal data at secure server facilities. Access to personal data is restricted, and the personnel are subject to a confidentiality obligation.The S Group protects personal data by means of, for example, preventive risk management and security planning, protection measures for data communications and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of user rights is a well-managed process. We regularly provide training for our personnel who participate in the processing of personal data, and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We select our subcontractors with care. We continuously update our internal practices and guidelines.If, despite all of our safeguards, we detect that personal data has been in the wrong hands, we will immediately begin investigating the matter and aim to prevent any damage caused. We will inform the necessary authorities and data subjects about the data breach, in accordance with what the law requires.
