We extended the validity of all electronic saldo-benefits that are expiring between 17.3.-30.9.2020 by 3 months Read more in our bulletin (in Finnish)

Privacy statement for Smartum Oy’s customer register, 22.5.2018

1 General issues

Smartum Oy (hereinafter referred to as “the Company” or “We”) is committed to ensuring the confidentiality and privacy of any personal data it holds. This privacy statement is applicable to the personal data We collect on our customer register (hereinafter the “Register”). This privacy statement describes the personal data that We collect and how We process it. Further information on how We process your personal data can be obtained via email at tietosuoja@smartum.fi.

We may update this privacy statement from time to time, for example as the related legislation changes. We will strive to use any reasonable means to inform you, well in advance, of any changes and their effects. We strongly encourage you to review this privacy statement whenever you receive information on any changes made to it. This privacy statement was last updated on 22 May 2018.

2 Data Controller

Name:               Smartum Oy

Address:           Yrjönkatu 11 B, 00120 Helsinki

Phone:               0600 149 88

Bus reg. code:  2046017-8

3 Whose personal data do We collect?

We process the personal data of representatives of businesses on the Register and beneficiaries of Smartum Payment instruments (hereinafter also “You”).

4 What types of personal information do We collect?

We process the following personal information in the Register:

Basic information:

  • First and last name
  • Position in company (for business customer representatives)
  • Home address
  • Identity code (for Saldo beneficiaries)
  • Mobile phone number
  • Email address
  • Identification data for your Smartum account (e.g. username)
  • Other identification data related to customer services

Other data:

  • Personal data provided by customers themselves, on topics such as areas of interest
  • Direct marketing permissions and prohibitions
  • Service fee details (transaction history)

5 From which sources is personal data collected?

We primarily collect personal data from the data subjects themselves (e.g. when You sign up for a Smartum payment instrument, as a business contact, or when You register as a user of the Smartum mobile application, or on the grounds of your making a contact request) and, in some cases, from your employer so that You can be registered as a beneficiary of Smartum payment instruments.

6 Grounds for, and uses and effects of, processing your personal information

Your personal data is processed on the grounds of the legitimate interests mentioned below and the fulfilment of the agreement on use of the service.

Company representatives

The purpose of processing personal data is to manage and maintain the customer or partner relationship between the Company and the customer or service company represented by the data subject. By processing your personal data, We will therefore be able to serve You better. The processing of your personal data will have no other impact on You.

Beneficiaries of Smartum payment instruments

Your personal data will be processed for the following purposes:

  • Ordering, delivering, billing and customer relationship management for Smartum payment instruments and the related services
  • The handling, management, development, quality assurance, general communications, implementation of the customer service, securing of business and service events, and the implementation, analysis, reporting and development of services
  • The unambiguous identification of beneficiaries of Smartum payment instruments. Tax exemption for Smartum’s exercise and cultural benefits requires that the service provider has the opportunity to verify the identity of the beneficiary. This is based on the tax authority’s requirement that employee benefits are personal and the user of the benefit must be able to verify that he or she is the person to whom the benefit was originally granted. To this end, Smartum maintains a Register of beneficiaries in order to make the identification data available for service providers.
  • For the production of pre-designated exercise and cultural service vouchers
  • For the delivery to the beneficiaries of exercise and culture vouchers posted to their homes
  • Identifying registered users of the Smartum mobile application and enabling the application’s use
  • To prevent and investigate cases of abuse and problems, and to ensure data security
  • For marketing purposes, such as the conventional and electronic marketing of Smartum Oy’s products. However, You have the right at any time to prohibit the processing of personal data for direct marketing purposes.

Smartum Oy’s exercising of its responsibilities and fulfilment of its statutory and official obligation.

7 Regular transfers of your personal data and transfers to third parties

Our partners and subcontractors may only process your personal data with regard to tasks performed for the purpose of handling or maintaining customer relationships belonging to us. We may transfer your personal data to third parties involved in the provision of Smartum payment instrument services, which are partners and subcontractors such as:

  • Data and communications system providers
  • Financial management, payment instrument and payment service providers
  • Printing services
  • Logistics services

In every case, We ensure that our partners do not process transferable personal data for any purpose other than the above. We may also disclose your information to the following third parties:

  • In the case of the beneficiary, to the employer in respect of the balance sheet of the accounts, in order to return the unused balance to the employer
  • Within the scope permitted by and binding under the applicable law, to the court, the police or the enforcement authorities. It may also be necessary to share information with the competent authorities in accordance with legislation on the processing of personal data.

8 Transfers of your personal data outside the EU or the European Economic Area

We will transfer your personal data (name, address, company, e-mail address) outside the European Union or the European Economic Area in accordance with the legislation on the processing of personal data for marketing and, in the case of business representatives, for the submission of tenders. Data will only be transferred to the United States with respect to the following organisations that comply with the EU-US Privacy Shield framework:

  • The Rocket Science Group (all data subjects)
  • HubSpot, Inc. (business representatives only, does not apply to beneficiaries)
  • PandaDoc, Inc. (business representatives only, does not apply to beneficiaries)

In all situations, We will only transfer your personal data outside the EU or the European Economic Area on one of the following grounds:

  • the European Commission has decided that an adequate level of data protection has been ensured in the recipient country concerned;
  • We have implemented the appropriate safeguards for the transfer of your personal data by using the model clauses approved by the European Commission. In such a case, You have the right to a copy of the model clauses by contacting us in accordance with the “Contacts” section; or
  • You have given your express consent to the transfer of your personal data, or there are other legitimate grounds for transferring your personal data from outside the EU or the European Economic Area.

9 Principles for retaining personal data

The grounds for retaining your personal data on the Register are the validity of the customer relationship or partnership. After the relationship expires, your personal data will be retained for a maximum of six years after the end of the calendar year following the expiry of the relationship, in accordance with the Accounting Act, the Income Tax Act and the Money Laundering Act. Please note that your personal data may need to be retained longer if the applicable law or our binding contractual obligations towards third parties require longer retention periods.

Smartum will retain the data in accordance with the applicable statutory and ethical disclosure requirements, and document retention requirements.

10 Rights of the data subject with regard to personal data processing

In accordance with the applicable data protection legislation, You have the right at any time to:

  • have access to your personal data;
  • have access to your personal data and inspect any personal data that We are processing concerning You;
  • demand the correction and supplementing of any inaccurate and incorrect personal data;
  • require the deletion of your personal information;
  • object to the processing of your personal data on the basis of your personal circumstances, insofar as our legitimate interests (e.g. direct marketing) form the grounds for processing your personal data;
  • obtain your personal data in machine-readable format and transfer the data to another data controller, provided that You have personally submitted the personal data to us, We are processing the personal data on the basis of a contract and it is being processed automatically; and
  • demand the restriction of your personal data.

To exercise the above right, You must submit a request to us in accordance with the Contacts section of this privacy notice. We may ask You to specify your request in writing and to verify your identity before the processing of your request. We may refuse to implement your request on the basis of the applicable legislation.

In any case, you have the right to appeal to the appropriate supervisory authority or the supervisory authority of the EU Member State in which your residence or place of work is located, if You believe that We have not processed your personal data in accordance with data protection legislation.

#### 11 Principles of data protection of the Register

We respect the confidentiality of your personal data. Materials recorded on paper are kept in a locked space accessible only to the persons required for the task in question. Digitally processed personal data is stored in our information system, and is accessible only to persons who need such data for the performance of their duties. The persons in question use personal usernames and passwords. Personal identity numbers are not unnecessarily entered in documents printed out or drawn up on the basis of the personal Register.

Smartum personnel require a personal user name and password in order to engage in personal data processing and to gain access to the customer Register. A username and password are issued alongside personal access rights. Access rights are defined by the person in charge of the Register together with the administrator of the information system. The data is protected from both intentional and unintentional destruction. Internal data connections within the system are implemented in a closed network. External connections are protected by firewalls. When using, or feeding data into, the Register through a public network, the connection is protected with Transport Layer Security (TLS).

We protect personal data transferred to third parties by using all available means to limit access to such data. Access rights to the processing of data in a third party system must be provided on a need-only basis.

A “cookie” is a commonly used, small character string that your web browser stores on your computer or other terminal when You visit a website. Your browser will send data back to the webpage when You revisit it. All modern web pages use cookies to provide You with a more personalised browser experience.

Each cookie is individually installed on each terminal and cookies can only be read by the server on which the cookie is installed. Because a cookie is tied to a certain browser and cannot, in principle, be shared between different browsers or devices (unless a browser, add-on or other application specifically allows this), your cookie management choices are only applicable to that particular browser. A cookie cannot run software and cannot be used to deliver viruses or other malicious code, and will not damage your terminal or files.

We use Google Analytics in our service and on our website, to analyse how users use our service and website. Google Analytics is a web analytics service provided by Google Inc. (“Google”), which operates by using cookies. Please note that cookies installed by Google are subject to Google’s terms and policies, on which more information can be found at https://www.google.com/analytics/terms/en.html. Google Analytics does not transfer personal data from the Smartum Register, and Google Analytics data is not linked to personal data on the Register.

13 Contacts

All requests related to exercising the above rights, questions about this privacy statement and other contact information should be sent by email to: tietosuoja@smartum.fi or call number 0600 149 88. In privacy matters, select option 1 (employer) from the call menu, upon which the cost of the call will be the local network charge or mobile phone charge.