Privacy statement for the SmartumPlus customer register, 17 November 2020

1 General

Smartum Oy (hereinafter ‘Company’ or ‘Us’) is committed to ensuring the confidentiality and data protection of the personal data in its possession. This privacy policy applies to the personal data we collect in relation to our customer register (hereinafter ‘Register’). In the privacy policy, we describe the personal data we collect as well as its processing. For more information on the processing of personal data, please e-mail tietosuoja@smartum.fi.


We may update this privacy statement from time to time, for example as the related legislation changes. We will strive to use any reasonable means to inform you, well in advance, of any changes and their effects. We strongly encourage you to review this privacy statement whenever you receive information on any changes made to it. This privacy statement was last updated on 17 November 2020.

2 Data Controller

Name Smartum Oy
Address: Yrjönkatu 11 B, FI-00120 Helsinki
Telephone: +358 (0)600 149 88
Business ID: 2046017-8

3 Whose personal data do we collect?

Within the scope of the Register, we process the personal data of business customer representatives and the beneficiaries of Smartum payment methods (hereinafter also ‘You’).

4 What types of personal data do we collect?

We process the following personal data in the Register:

Information on a business customer’s representative:

  • first and last name
  • personal identity code (in the context of strong authentication)
  • mobile number
  • e-mail address
  • identifying information for the representative’s own Smartum account (e.g. username).

Beneficiary’s information:

  • first and last name
  • personal identity code (in the context of strong authentication; more on the basis for processing in Section 6)
  • employee’s ID number
  • mobile number
  • e-mail address
  • identifying information for the beneficiary’s own Smartum account (e.g. username).

Other data:

  • personal data provided by customers themselves, on topics such as areas of interest
  • direct marketing permissions and prohibitions
  • service charge data (event history).

5 From which sources is personal data collected?

Your employer will disclose some of your personal data to the Company so that you can be registered as a beneficiary of Smartum payment instruments.

We also collect personal data directly from the data subject (e.g. upon registration as a beneficiary of Smartum payment instruments, a contact person for a business or user of the SmartumPay mobile application, or based on a contact request you submitted).

6 Grounds for, and uses and effects of, processing your personal data

Your personal data is processed on the grounds of our legitimate interests relating to the purposes of use mentioned below and the fulfilment of the contract related to using the service provided by the Company as well as any preceding measures.

Processing of the personal identity code

As regards SmartumPlus beneficiaries, we process personal identity codes alongside other personal data. The basis for processing your personal identity code is adherence to your statutory obligations. To the extent that we provide electronic benefits through our service, our Company is covered by the monitoring arrangements of the Finnish Financial Supervisory Authority. This means that we are, under the Act on Payment Institutions (297/2010), obliged to comply with the requirements relating to money laundering legislation. The provisions of the Act on Detecting and Preventing Money Laundering and Terrorist Financing (444/2017) require us to identify customers who are beneficiaries of our electronic payment instruments and collect statutory identifying information on them (including personal identity codes).

Business representatives

As regards business representatives, the processing is based on the Company’s legitimate interest. The purpose of processing personal data is to manage and maintain the customer or partner relationship between the Company and the customer or service business represented by the data subject. In other words, processing your personal data allows us to serve you better. The processing of your personal data does not affect you in any other way.

Beneficiaries of Smartum payment instruments

Your personal data is processed for the following purposes:

  • Ordering, supplying and invoicing for Smartum payment instruments and any essentially linked services, as well as handling customer relationships
  • The management, control and development of a service relationship, general communications, quality assurance, customer service implementation, confirming business and service transactions, service implementation, analysis and reporting
  • Identification of beneficiaries who use Smartum benefits
  • A prerequisite for using Smartum exercise and culture vouchers is that the service provider is able to check a beneficiary’s identity. This is based on the tax authorities’ requirement that employee benefits are personal and that it must be possible to ensure that the user is the person to whom the benefit was originally assigned.
  • Identification of users logged in to the SmartumPay mobile application and enabling the use of the app
  • In order to prevent and resolve misuse and problem situations as well as ensure data security
  • For marketing purposes, such as conventional and electronic marketing relating to Smartum Oy’s products. However, you will always have the opportunity to prohibit the use of your personal data for direct marketing purposes.

7 Regular disclosures of your personal data and transfers to third parties

Our partners and subcontractors may only process your personal data with regard to tasks that are performed on behalf of us in relation to managing and maintaining the customer relationship. We may transfer your personal data to third parties involved in the provision of SmartumPlus services, who are partners and subcontractors such as:

  • data and communications system providers
  • financial administration, payment instrument and payment service providers.

In every case, we ensure that our partners do not process transferable personal data for any other purpose. We may also disclose your personal data to the following third parties:

  • Partners participating in the implementation of the service provided by the Company (including various sports, culture and restaurant service providers) in accordance with current legislation, a court of law, the police or execution authorities. It may also be necessary to share information with competent authorities in compliance with the applicable legislation.

8 Transfers of your personal data outside the EU or the European Economic Area

We will transfer your personal data (name, address, company, e-mail address) outside the European Union or the European Economic Area in accordance with legislation on the processing of personal data for marketing and, in the case of business representatives, for the submission of tenders. Data is only transferred to the following organisations located in the United States:

  • Sendgrid
  • HubSpot, Inc. (business representatives only, does not apply to beneficiaries)
  • PandaDoc, Inc. (business representatives only, does not apply to beneficiaries)

In all situations, we will only transfer your personal data outside the EU or the European Economic Area on one of the following grounds:

  • The European Commission has decided that an adequate level of data protection has been ensured in the recipient country concerned.
  • We have implemented the appropriate safeguards for the transfer of your personal data by using the standard privacy statements approved by the European Commission. In such a case, you have the right to a copy of the standard contractual clauses by contacting us in accordance with the ‘Contacts’ section.
  • You have given your explicit consent to the transfer of your personal data, or there are other legitimate grounds for transferring your personal data outside the EU or the European Economic Area.

9 Principles for retaining personal data

Personal data is retained in the Register for the duration of the customer or partner relationship. Once the relationship is over, your personal data will be retained for no more than five years. However, please note that it may be necessary to retain your personal data for longer, if the applicable legislation (e.g. Accounting Act or Income Tax Act) or any of our contractual obligations to third parties require a longer retention period.

Smartum shall store the data in accordance with the applicable statutory and ethical requirements pertaining to the duty of notification and document storage.

10 Rights of the data subject with regard to personal data processing

In accordance with the applicable data protection legislation, you have the right at any time to:

  • receive information on the processing of your personal data
  • have access to your personal data and inspect any personal data that we are processing concerning you
  • demand the correction and supplementation of any inaccurate and incorrect personal data
  • require the deletion of your personal data insofar as the processing of your personal data is based on a contract or our legitimate interest
  • object to the processing of your personal data on the basis of your personal circumstances, insofar as our legitimate interests (e.g. direct marketing) form the grounds for processing your personal data
  • obtain your personal data in machine-readable format and transfer the data to another data controller, provided that you have personally submitted the personal data to us, we are processing the personal data on the basis of a contract and it is being processed automatically
  • demand restriction on the processing of your personal data.

To exercise the above right, you must submit a request to us in accordance with the Contacts section of this privacy statement. We may ask you to specify your request in writing and verify your identity before the processing of your request. We may refuse to implement your request on the basis of applicable legislation.

In any case, you shall always also have the right to appeal to the appropriate supervisory authority or the supervisory authority of the EU Member State in which your residence or place of work is located, if you believe that we have not processed your personal data in accordance with applicable data protection legislation.


11 The register’s principles of data protection

We respect the confidentiality of your personal data. Materials recorded on paper are kept in a locked space accessible only to the persons required for the task in question. Digitally processed personal data is stored in our information system and is accessible only to persons who need such data for the performance of their duties. The persons in question use personal usernames and passwords. Personal identity numbers will not be unnecessarily recorded in documents printed out or created on the basis of the Register.

Smartum personnel require a personal user name and password in order to engage in personal data processing and to gain access to the customer register. A username and password are issued alongside personal access rights. Access rights are defined by the person in charge of the Register together with the administrator of the information system. The data is protected from both intentional and unintentional destruction. Internal data connections within the system are implemented in a closed network. External connections are protected by firewalls. When using, or entering data into, the Register through a public network, the connection is protected with Transport Layer Security (TLS) security.

We protect personal data transferred to third parties by using all available means to limit access to such data. Access rights to the processing of data in a third-party system must be provided on a need-only basis.


12 Information on cookies and related technologies

A ‘cookie’ is a commonly used, small character string that your web browser stores on your computer or other terminal when you visit a website. Your browser will send data back to the webpage when you revisit it. All modern web pages use cookies to provide you with a more personalised browser experience.

Each cookie is individually installed on each terminal and cookies can only be read by the server on which the cookie is installed. Because a cookie is tied to a certain browser and cannot, in principle, be shared between different browsers or devices (unless a browser, add-on or other application specifically allows this), your cookie management choices are only applicable to that particular browser. A cookie cannot run software and cannot be used to deliver viruses or other malicious code, and it will not damage your terminal or files.

We use Google Analytics in our service and on our website, to analyse how users use our service and website. Google Analytics is a web analytics service provided by Google Inc. (hereinafter ‘Google’), which operates by using cookies. Please note that cookies installed by Google are subject to Google’s terms and policies, on which more information can be found at https://www.google.com/analytics/terms/us.html. Google Analytics does not transfer personal data from the Smartum Register, and Google Analytics data is not linked to personal data in the Register.

Our website uses Fonecta’s Audience Insights tool to analyse visitors in order to improve the user experience on our site. More information is available at https://audience-insights.fonecta.fi/.


13 Contacts

All requests related to exercising the above-mentioned rights, questions about this privacy statement and other contact information should be directed by e-mail to tietosuoja@smartum.fi or by telephone to +358 (0)600 149 88. For privacy matters, select option 1 (employer) from the call menu, upon which the cost of the call will be the local network charge or mobile charge.