Privacy statement for the Smartum Oy Service provider register, 14 September 2018

1 General

Smartum Oy (hereinafter referred to as “the Company” or “we”) is committed to ensuring the confidentiality and privacy of any personal data it holds. This privacy statement applies to personal data that the Company processes in the Register for its Service Provider service (hereinafter referred to as “Service”). This privacy statement describes the personal data that we collect and how we process it. Further information on how we process your personal data can be obtained via email at

We may update this privacy statement from time to time, for example as the related legislation changes. We will strive to use any reasonable means to inform you, well in advance, of any changes and their effects. We strongly encourage you to review this privacy statement whenever you receive information on any changes made to it.

2 Data Controller

Name: Smartum Oy

Address: Yrjönkatu 11 B, 00120 Helsinki

Telephone: +358 600 149 88

Business ID: 2046017-8

3 Whose personal data do we collect?

The Register contains the personal data of persons employed in the service of our service provider partners (hereinafter also referred to as “you”) that we process for the purpose of using the Service.

4 What types of personal data do we collect?

We process the following personal data in the Register:

Basic information:

  • First and last name
  • Telephone number
  • Email address
  • User role (person responsible for an agreement, location main user, salesperson, person responsible for settlement)

5 From which sources is personal data collected?

Upon entering into an agreement on the reception of Smartum payment methods, the Service Provider partner shall disclose to Smartum the personal data of contact persons appointed to use the service. After this, you can be registered as a user and will have access to the Service in the manner and scope specified by Smartum.

6 Grounds for processing personal data and its uses and effects

Your personal data is processed on the grounds of the legitimate interests mentioned below and the fulfilment of the terms and conditions of the service.

Your personal data will be processed for the following purposes:

Facilitating the use of the Service in the manner agreed in the service agreement between our partner (your employer) and Smartum. Management, development and quality assurance of the Service, general communications, customer service activities, verification of service events, ensuring information security (identification, access control and prevention of misuses), and the targeting and provision of support services to users.

7 Regular transfers of your personal data and transfers to third parties

Subcontractors that we use to provide the Service may process your personal data only for activities carried out on our behalf and related to the provision of the Service. For purposes of providing the Service, we may transfer your personal data to the following involved third parties:

  • Data and communications system providers
  • Financial administration providers

In every case, We ensure that our partners do not process transferable personal data for any purpose other than the above.

We do not disclose your personal data to other third parties. Under exceptional circumstances, we may disclose your personal data to authorities or the courts within the limits of the law, if such disclosure is requested by those parties.

8 Transfers of your personal data outside the EU or the European Economic Area

We will not transfer your personal data outside the EU or EEA.

9 Principles for storing personal data

Personal data is stored according to the role you have been assigned in the Service:

1. Person responsible for the agreement or settlement:

After your role expires, your personal data will be retained for a maximum of six years after the end of the calendar year following the expiry of the role, in accordance with the Accounting Act and the Money Laundering Act.

2. Location main user and salesperson

Your data will be erased after your role expires.

Your personal data may need to be retained longer if the applicable law or our binding contractual obligations towards third parties require longer storage periods.

10 Rights of the data subject with regard to processing

In accordance with the applicable data protection legislation, you have the right at any time to:

  • gain access to your personal data;
  • gain access to your personal data and inspect any personal data that we are processing concerning you;
  • request the rectification and supplementing of inaccurate or incomplete personal data;
  • request the erasure of your personal data;
  • object to the processing of your personal data on the basis of your personal circumstances, insofar as our legitimate interests (e.g. direct marketing) form the grounds for processing your personal data;
  • obtain your personal data in machine-readable format and transfer the data to another data controller, provided that you have personally submitted the personal data to us, and that we are processing the personal data on the basis of a contract and it is being processed automatically; and
  • demand the restriction of processing of your personal data.

To exercise the above right, you must submit a request to us in accordance with the section on contacts in this privacy statement. We may ask you to specify your request in writing and to verify your identity before the processing of your request. We may refuse to implement your request on the basis of the applicable legislation.

In any case, you have the right to appeal to the appropriate supervisory authority or the supervisory authority of the EU Member State in which your residence or place of work is located, if you believe that we have not processed your personal data in accordance with applicable data protection legislation.

11 Principles of protection

We respect the confidentiality of your personal data. Digitally processed personal data is stored in our information system and is accessible only to persons who need such data for the performance of their duties. The persons in question use personal usernames and passwords.

Smartum personnel require a personal user name and password in order to engage in personal data processing and to gain access to the Register. A username and password are issued alongside personal access rights. Access rights are defined by the person in charge of the Register together with the administrator of the information system. The data is protected from both intentional and unintentional destruction. Internal data connections within the system are implemented in a closed network. External connections are protected by firewalls. When using, or feeding data into, the Register through a public network, the connection is protected with Transport Layer Security (TLS) security.

We protect personal data transferred to third parties by using all available means to limit access to such data. Access rights to the processing of data in a third-party system must be provided on a need-only basis.

You can read more about the cookie policy the Smartum Service Provider service at

13 Contacts

All requests related to exercising the above-mentioned rights, questions about this privacy statement and other contact information should be sent by email to: or call number +358 600 149 88. In privacy matters, select option 2 (service provider) from the call menu, upon which the cost of the call will be the local network charge or mobile phone charge.