
Privacy Statement for Smartum Oy’s Marketing Register, 25.5.2018

1 General information

Smartum Oy (hereinafter referred to as “the Company” or “We”) is committed to ensuring the confidentiality and privacy of any personal data it holds. This privacy statement is applicable to the personal data We collect in our marketing register (hereinafter the “Register”). This privacy statement describes the personal data that We collect and how We process it. Further information on how We process your personal data can be obtained via email at tietosuoja@smartum.fi.

We may update this privacy statement from time to time, for example as the related legislation changes. We will strive to use any reasonable means to inform you, well in advance, of any changes and their effects. We strongly encourage you to review this privacy statement whenever you receive information on any changes made to it. This privacy statement was last updated on 25 May 2018.

2 Data controller

Name:     Smartum Oy
Address: Yrjönkatu 11 B, FI-00120 Helsinki, Finland
Phone:    +358 600 149 88
Business ID: 2046017-8

3 Whose personal data do we collect?

We process the personal data of our existing and potential business customer representatives (employers and service providers). Furthermore, We process the personal data of beneficiaries of Smartum Payment instruments (hereinafter also “You”).

4 What types of personal data do we collect?

Regarding existing business customer representatives and beneficiaries, We process the following personal data in the Register:

Basic information:

  • first and last name
  • position in company (for business customer representatives)
  • name of employer (for business customer representatives)
  • mobile phone number
  • e-mail address.

Other data:

  • personal data provided by customers themselves, on topics such as areas of interest
  • direct marketing permissions and prohibitions
  • data based on behaviour and location.

Regarding potential business customer representatives, We process the following personal data in the Register:

Basic information:

  • first and last name
  • position in company
  • name of employer
  • mobile phone number
  • e-mail address.

Other data:

  • personal data provided by customers themselves, on topics such as areas of interest
  • direct marketing permissions and prohibitions
  • data based on behaviour and location.

5 From which sources is personal data collected?

Primarily, We collect personal data from

  • our customer register
  • the data subject him or herself (e.g. via a contact form)
  • registers disclosed by our collaboration partners
  • public sources, such as from Asiakastieto, Vainu, companies’ own websites, the Business Information System (YTJ), Fonecta and Kauppalehti Yrityshaku.

6 Grounds for, and uses and effects of, processing your personal data

Your personal data is processed on the grounds of our legitimate interests mentioned below or on the consent of the data subject.

The purpose of personal data processing is

  • managing and developing customer relationships
  • executing electronic and traditional direct marketing
  • targeting marketing at existing and potential business customers and current beneficiaries
  • sending invitations to occasions and events.

7 Regular transfers of your personal data and transfers to third parties

Our partner and subcontractor may only process your personal data with regard to tasks performed for marketing purposes belonging to us.

We may transfer your personal data to third parties involved in the provision of Smartum payment instrument services, which are partners and subcontractors such as:

  • data and communications system providers
  • printing services
  • logistics services.

In every case, We ensure that our partners do not process transferable personal data for any purpose other than the above.

We will not disclose any personal data in our marketing Register to third parties.

8 Transfers of your personal data outside the EU or the European Economic Area

We will transfer your personal data (name, address, company, e-mail address) outside the European Union or the European Economic Area in accordance with the legislation on the processing of personal data for marketing and, in the case of business representatives, for the submission of tenders. Data is only transferred to the following organisations located in the United States complying with the EU-US Privacy Shield Framework:

  • the Rocket Science Group (all data subjects)
  • HubSpot, Inc. (business representatives only, does not apply to beneficiaries)
  • PandaDoc, Inc. (business representatives only, does not apply to beneficiaries).

In all situations, We will only transfer your personal data outside the EU or the European Economic Area on one of the following grounds:

  • the European Commission has decided that an adequate level of data protection has been ensured in the recipient country concerned;
  • We have implemented the appropriate safeguards for the transfer of your personal data by using the standard privacy statements approved by the European Commission. In such a case, You have the right to a copy of the standard statements by contacting us in accordance with the “Contacts” section; or
  • You have given your explicit consent to the transfer of your personal data, or there are other legitimate grounds for transferring your personal data from outside the EU or the European Economic Area.

9 Principles for retaining personal data

Personal data is retained for the time being unless the data subject has exercised his or her opt-out right. Personal data will be regularly updated, and it will be deleted based on business rules related to the purpose for processing.

10 Rights of the data subject with regard to personal data processing

In accordance with the applicable data protection legislation, You have the right at any time to:

  • have access to your personal data;
  • have access to your personal data and inspect any personal data that We are processing concerning You;
  • demand the correction and supplementing of any inaccurate and incorrect personal data;
  • require the deletion of your personal data;
  • object to the processing of your personal data on the basis of your personal circumstances, insofar as our legitimate interests (e.g. direct marketing) form the grounds for processing your personal data;
  • obtain your personal data in machine-readable format and transfer the data to another data controller, provided that You have personally submitted the personal data to us, We are processing the personal data on the basis of a contract and it is being processed automatically; and
  • demand the restriction of your personal data.

To exercise the above rights, You must submit a request to us in accordance with the Contacts section of this privacy notice. We may ask You to specify your request in writing and to verify your identity before the processing of your request. We may refuse to implement your request on the basis of the applicable legislation.

In any case, you have the right to appeal to the appropriate supervisory authority or the supervisory authority of the EU Member State in which your residence or place of work is located, if You believe that We have not processed your personal data in accordance with data protection legislation.

11 Principles of data protection of the register

We respect the confidentiality of your personal data. Materials recorded on paper are kept in a locked space accessible only to the persons required for the task in question. Digitally processed personal data is stored in our information system and is accessible only to persons who need such data for the performance of their duties. The persons in question use personal usernames and passwords. Personal identity codes are not unnecessarily entered in documents printed out or drawn up on the basis of the personal Register.

Smartum personnel require a personal username and password in order to engage in personal data processing and to gain access to the marketing Register. A username and password are issued alongside personal access rights. Access rights are defined by the person in charge of the Register together with the administrator of the information system. The data is protected from both intentional and unintentional destruction. Internal data connections within the system are implemented in a closed network. External connections are protected by firewalls. When using, or feeding data into, the Register through a public network, the connection is protected with Transport Layer Security (TLS).

We protect personal data transferred to third parties by using all available means to limit access to such data. Access rights to the processing of data in a third-party system must be provided on a need-only basis.

A “cookie” is a commonly used, small character string that your web browser stores on your computer or other terminal when You visit a website. Your browser will send data back to the webpage when You revisit it. All modern web pages use cookies to provide You with a more personalised browser experience.

Each cookie is individually installed on each terminal and cookies can only be read by the server on which the cookie is installed. Because a cookie is tied to a certain browser and cannot, in principle, be shared between different browsers or devices (unless a browser, add-on or other application specifically allows this), your cookie management choices are only applicable to that particular browser. A cookie cannot run software and cannot be used to deliver viruses or other malicious code, and it will not damage your terminal or files.

We use Google Analytics in our service and on our website, to analyse how users use our service and website. Google Analytics is a web analytics service provided by Google Inc. (“Google”), which operates by using cookies. Please note that cookies installed by Google are subject to Google’s terms and policies, on which more information can be found at https://www.google.com/analytics/terms/en.html. Google Analytics does not transfer personal data from the Smartum Register, and Google Analytics data is not linked to personal data on the Register.

13 Contacts

All requests related to exercising the above-mentioned rights, questions about this privacy statement and other contact information should be sent by email to: tietosuoja@smartum.fi or call number +358 600 149 88. In privacy matters, select option 1 (employer) from the call menu, upon which the cost of the call will be the local network charge or mobile phone charge.