Privacy statement for Smartum Oy’s Saldo and Voucher Customer Register, 18 September 2023
1 General issues
Smartum Oy (hereinafter referred to as “the Company” or “We”) is committed to ensuring the confidentiality and privacy of any personal data it holds. This privacy statement is applicable to the personal data We collect on our customer register (hereinafter the “Register”). This privacy statement describes the personal data that We collect and how We process it. Further information on how We process your personal data can be obtained via email at email@example.com. We may update this privacy statement from time to time, for example as the related legislation changes. We will inform you of any essential changes to the Privacy Statement and their implications on our website or by email. We strongly encourage you to review this privacy statement whenever you receive information on any changes made to it. This privacy statement was last updated on 29.12.2022.
2 Data Controller
Name: Smartum Oy
Address: Yrjönkatu 11 B, 00120 Helsinki
Phone: 0600 149 88
Bus reg. code: 2780101-9
3 Whose personal data do We collect?
We process the personal data of representatives of businesses on the Register and beneficiaries of Smartum Payment instruments (hereinafter also “You”).
4 What types of personal information do We collect?
We process the following personal information in the Register:
- First and last name
- Position in company (for business customer representatives)
- Identity code (for Saldo beneficiaries)
- Mobile phone number
- Email address
- Identification data for your Smartum account (e.g. username)
- Other identification data related to customer services
- Personal data provided by customers themselves, on topics such as areas of interest
- Direct marketing permissions and prohibitions
- Service fee details (transaction history)
5 From which sources is personal data collected?
We primarily collect personal data from the data subjects themselves (e.g. when You sign up for a Smartum payment instrument, as a business contact, or when You register as a user of the Smartum mobile application, or on the grounds of your making a contact request) and, in some cases, from your employer so that You can be registered as a beneficiary of Smartum payment instruments.
6 Grounds for, and uses and effects of, processing your personal information
Your personal data is processed on the grounds of the legitimate interests mentioned below and the fulfilment of the agreement on use of the service.
Regarding personal data of Saldobeneficiaries we also process identity numbers. The basis of processing identity numbers is our legal obligation to identify beneficiaries who have been granted employment benefits.
The purpose of processing personal data is to manage and maintain the customer or partner relationship between the Company and the customer or service company represented by the data subject. By processing your personal data, We will therefore be able to serve You better. The processing of your personal data will have no other impact on You. We also process your personal data for marketing purposes, such as the conventional and electronic marketing of Smartum Oy’s products. However, You have the right at any time to prohibit the processing of personal data for direct marketing purposes.
Beneficiaries of Smartum payment instruments
Your personal data will be processed for the following purposes:
- Ordering, delivering, billing and customer relationship management for Smartum payment instruments and the related services
- The handling, management, development, quality assurance, general communications, implementation of the customer service, securing of business and service events, and the implementation, analysis, reporting and development of services
- The unambiguous identification of beneficiaries of Smartum payment instruments. Tax exemption for Smartum’s exercise and cultural benefits requires that the service provider has the opportunity to verify the identity of the beneficiary. This is based on the tax authority’s requirement that employee benefits are personal and the user of the benefit must be able to verify that he or she is the person to whom the benefit was originally granted. To this end, Smartum maintains a Register of beneficiaries in order to make the identification data available for service providers.
- For the production of pre-designated exercise and cultural service vouchers
- For the delivery to the beneficiaries of exercise and culture vouchers posted to their homes
- Identifying registered users of the Smartum mobile application and enabling the application’s use
- To prevent and investigate cases of abuse and problems, and to ensure data security
- For marketing purposes, such as the conventional and electronic marketing of Smartum Oy’s products. However, You have the right at any time to prohibit the processing of personal data for direct marketing purposes.
- Smartum Oy's exercising of its responsibilities and fulfilment of its statutory and official obligation.
7 Regular transfers of your personal data and transfers to third parties
Our partners and subcontractors may only process your personal data with regard to tasks performed for the purpose of handling or maintaining customer relationships belonging to us. We may transfer your personal data to third parties involved in the provision of Smartum payment instrument services, which are partners and subcontractors such as:
- Data and communications system providers
- Financial management, payment instrument and payment service providers
- Printing services
- Logistics services
In every case, We ensure that our partners do not process transferable personal data for any purpose other than the above. We may also disclose your information to the following third parties:
- In the case of the beneficiary, to the employer in respect of the balance sheet of the accounts, in order to return the unused balance to the employer
- Within the scope permitted by and binding under the applicable law, to the court, the police or the enforcement authorities. It may also be necessary to share information with the competent authorities in accordance with legislation on the processing of personal data.
8 Transfers of your personal data outside the EU or the European Economic Area
We will transfer your personal data (name, address, company, e-mail address) outside the European Union or the European Economic Area in accordance with the legislation on the processing of personal data for marketing and, in the case of business representatives, for the submission of tenders. Data will only be transferred to the following organisations that comply with the EU-US Privacy Shield framework:
- The Rocket Science Group (all data subjects)
- Trustmary Finland Oy (all data subjects)
- HubSpot, Inc. (business representatives only, does not apply to beneficiaries)
- PandaDoc, Inc. (business representatives only, does not apply to beneficiaries)
- Zapier, Inc. (business representatives only, does not apply to beneficiaries)
- Twilio Sendgrid (business representatives only, does not apply to beneficiaries)
In all situations, We will only transfer your personal data outside the EU or the European Economic Area on one of the following grounds:
- the European Commission has decided that an adequate level of data protection has been ensured in the recipient country concerned;
- We have implemented the appropriate safeguards for the transfer of your personal data by using the model clauses approved by the European Commission. In such a case, You have the right to a copy of the model clauses by contacting us in accordance with the “Contacts” section; or
- You have given your express consent to the transfer of your personal data, or there are other legitimate grounds for transferring your personal data from outside the EU or the European Economic Area.
9 Principles for retaining personal data
The grounds for retaining your personal data on the Register are the validity of the customer relationship or partnership. After the relationship expires, your personal data will be retained for a maximum of six years after the end of the calendar year following the expiry of the relationship, in accordance with the Accounting Act, the Income Tax Act and the Money Laundering Act. Please note that your personal data may need to be retained longer if the applicable law or our binding contractual obligations towards third parties require longer retention periods.
Smartum will retain the data in accordance with the applicable statutory and ethical disclosure requirements, and document retention requirements.
10 Rights of the data subject with regard to personal data processing
In accordance with the applicable data protection legislation, You have the right at any time to:
- have access to your personal data;
- have access to your personal data and inspect any personal data that We are processing concerning You;
- demand the correction and supplementing of any inaccurate and incorrect personal data;
- require the deletion of your personal information;
- object to the processing of your personal data on the basis of your personal circumstances, insofar as our legitimate interests (e.g. direct marketing) form the grounds for processing your personal data;
- obtain your personal data in machine-readable format and transfer the data to another data controller, provided that You have personally submitted the personal data to us, We are processing the personal data on the basis of a contract and it is being processed automatically; and
- demand the restriction of your personal data.
To exercise the above right, You must submit a request to us in accordance with the Contacts section of this privacy notice. We may ask You to specify your request in writing and to verify your identity before the processing of your request. We may refuse to implement your request on the basis of the applicable legislation.
In any case, you have the right to appeal to the appropriate supervisory authority or the supervisory authority of the EU Member State in which your residence or place of work is located, if You believe that We have not processed your personal data in accordance with data protection legislation.
11 Principles of data protection of the Register
We respect the confidentiality of your personal data. Materials recorded on paper are kept in a locked space accessible only to the persons required for the task in question. Digitally processed personal data is stored in our information system, and is accessible only to persons who need such data for the performance of their duties. The persons in question use personal usernames and passwords. Personal identity numbers are not unnecessarily entered in documents printed out or drawn up on the basis of the personal Register.
Smartum personnel require a personal user name and password in order to engage in personal data processing and to gain access to the customer Register. A username and password are issued alongside personal access rights. Access rights are defined by the person in charge of the Register together with the administrator of the information system. The data is protected from both intentional and unintentional destruction. Internal data connections within the system are implemented in a closed network. External connections are protected by firewalls. When using, or feeding data into, the Register through a public network, the connection is protected with Transport Layer Security (TLS).
We protect personal data transferred to third parties by using all available means to limit access to such data. Access rights to the processing of data in a third party system must be provided on a need-only basis.
12 Information on cookies and related technologies
Smartum’s web pages, online service and mobile apps utilise cookies and related tracking pixels. A cookie is a small text file that is saved on the user’s computer, smartphone or tablet. A visitor cannot be identified based on cookies alone, and cookies do not harm the user’s device or files. Most big websites generally utilise cookies.
Essential cookies are necessary for the functionality of the website. These cookies are typically installed only upon your using functions that create service requests, such as selecting data protection settings, logging in or filling in forms.
Functionality cookies enable us to provide better and more personalised functionalities, such as videos (Vimeo and YouTube) and a real-time chat (Intercom). The cookies are set by us or any third-party service providers whose services we have added to our site.
Social medial and advertising cookies (Facebook, Instagram, LinkedIn, Adform, Google) can be used to create personalised recommendations and identify interests. The information collected by means of cookies can also be linked to data collected from the users in other contexts to provide a better user experience.
All requests related to exercising the above rights, questions about this privacy statement and other contact information should be sent by email to: firstname.lastname@example.org or call number 0600 149 88. In privacy matters, select option 1 (employer) from the call menu, upon which the cost of the call will be the local network charge or mobile phone charge.