Privacy Policy Statement


General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19
Applied from March 2023.

S-Business Oy’s customer register

Data controller
S-Business Oy
Fleminginkatu 34, FI-00510 Helsinki, Finland
Business ID 2389183-8

Contact information of the data protection officer

Contact information of the data controller
S-Business Oy
Telephone: +358 10 768 0820

Name of the register
S-Business Oy’s customer register 

Purpose of processing personal data

The purpose of processing the personal data saved into our customer register is to produce and manage S-Business Oy’s invoicing sales service aimed specifically at corporate customers (account holder) (credit decisions, invoicing, customer service, credit monitoring etc.), and to develop and market the service (reporting/analysis) and to carry out in the S Group the statutory storing, reporting and other obligations connected with the service. The S Group refers to the cooperative stores and the SOK Group together with its subsidiaries and holding companies.

We may use the personal data of a contact person named by the account holder or the personal data of a card holder named in the application for producing the service and also for customer communications and marketing in the way described below. 

We use the personal data for analytical purposes by following the number of web page and Chat service visitors, and in order to develop the service.

Calls made to the S-Business customer service are recorded. To develop our customer service, the recordings can be used in training offered to customer service personnel as well as for service level surveys, the development of instructions and the investigation of complaints. 

SMS queries can be sent to those who contact the customer service by phone, for example, to investigate customer satisfaction. 

We may process personal data for the purpose of handling contact requests. In these cases the personal data is obtained from the data subjects themselves when they fill in a contact request form on the website. 

Newsletter subscription information is only used for sending the messages you subscribed to.  

The information provided when ordering a benefit calculation report is used for the sending of the report. We may also send you information about other benefits and use cases. 

We only disclose personal data to a third party in accordance with applicable legislation and this Privacy Policy Statement.

Basis for processing personal data 

S-Business Oy processes personal data based on agreements and based on a legitimate interest.

Processing of data based on an agreement 

As a rule, the basis for processing the personal data of the card holder and account holder is the account holder’s card or account application, which constitutes an agreement between S-Business Oy and the account holder, or an agreement made by the account holder with a leasing company that concerns the use of the S-Business card.

Processing of data based on a legitimate interest

The information in our register may be used in accordance with the General Data Protection Regulation for marketing purposes by the organisations and partners belonging to the S Group.

S-Business Oy may send to a data subject customer communication concerning S-Business’ benefits or new functions as well as electronic marketing (email or mobile) as provided by law. For example, S-Business Oy may send to the data subject information by email about new functions and about the possibilities to use the card at the S Group establishments. The data can also be used for customer feedback and customer survey purposes.

The data subject has at all times the right to forbid the use of their data for marketing purposes. The marketing prohibition may be given by way of contacting the S-Business customer service at

The processed personal data groups 

  • The account holder’s representatives (the contact persons and card holders of the Company)

The processed personal data  

  • Name and contact details of the account holder
  • Name of the contact person of the card holder and account holder
  • The embossed text on the card
  • Native language
  • Phone number
  • Email
  • The card’s delivery address
  • Invoicing address
  • Fuel oil delivery 
  • Eventual prohibition of marketing
  • Car registration number
  • Purchase events

Additionally, regarding the Chat service the following data is collected:

  • Time of a chat conversation 
  • Network address 
  • Content of the conversations  

Additionally, regarding call recordings the following data is collected: 

  • Time of the call
  • The caller’s number
  • Content of the conversations

From where is the personal data gathered?

  • From the account holder’s card application 
  • From the leasing company’s or management company’s card application 
  • From the account holder or organisation during the customer relationship
  • Directly from the card holder (phone, email, Chat, S-Business -mobile, the S-Business Manager service (Extranet service))
  • From the purchases made by the card holder with the S-Business card
  • From the contact request form
  • From web page (e.g. when ordering a benefit calculation report)
  • The company’s credit ratings and the payment history information of the company and its responsible persons from the companies that offer credit information services
  • Direct marketing contact information from Suomen Asiakastieto Oy 

Processing of personal data

We process personal data for the purposes defined in this Privacy Policy Statement in the S Group’s electronic systems and services. We use outside service partners for producing system and support services. Personal data may be transferred to the active service partners for the part for which they take part in carrying out procedures according to a received assignment. 

We ensure that our partners protect personal data sufficiently as required by law.  

Personal data may be transferred to the following service partners in order to produce the service:

  • The card producer 
  • The electronic signature service supplier 
  • The invoicing operator 
  • The collection agency 
  • Payment service transmission, consulting, communication and reporting partners 
  • The authorities to whom we release information according to the limits allowed and required by the existing legislation, for example in order to answer authorities’ requests for information 

Disclosure of personal data

We disclose the card holders’ personal data to their employer acting as the account holder, including, for example, information about the purchases made by the card holder.

The purchase events of the card holders who have an agreement with leasing and management companies are released for invoicing and reporting purposes.

We can also disclose the contact persons personal data (such as name, e-mail address and phone number) within the S-Group eg for the development of the service and customer service and to our cooperation partners (e.g. accounting firm) for S-Business’ marketing purposes and for the purposes of customer communication.

Transfer of personal data to third countries or international organisations and the used means of protection.

We do not transfer personal data to third countries outside the European Union or the European Economic Area, or to international organisations.

Period for storing personal data or the criteria for determining the period for storing the data

We store the personal data according to this Privacy Policy Statement only for the time and in that extent for which they are necessary and we use them for the purposes connected with the reported uses for processing. 

  • The S-Business card/account agreement with annexes is stored in an electronic archive during the validity of the agreement and for ten (10) years starting from the end of the year when the accounting period ended, as described in the Accounting Act.
  • The S-Business card/account applications are stored for two (2) years
  • The card holder’s or account holder’s contact information is stored in the S-Business customer register during the validity of the agreement and for six (6) years starting from the end of the year when the accounting period ended, as described in the Accounting Act.
  • The invoices of the S-Business card/account are stored for six (6) years starting from the end of the year when the accounting period ended, as described in the Accounting Act.
  • Transaction data regarding the S-Business card/account is stored for ten (10) years starting from the end of the year when the accounting period ended. 
  • Reminders are stored during the validity of the agreement and for three (3) years after the accounting period has ended. 
  • The contents of Chat conversations are stored for two (2) years. 
  • Recordings of calls are stored for three (3) months
  • Data relating to newsletter subscriptions is deleted within one month from the cancellation of the subscription 
  • The email address provided in connection with the ordering of the benefit calculation report and/or other downloadable content is deleted within three (3) months from the sending or downloading of the material. 
  • The data provided in connection with a contact request is deleted within three (3) months from the receipt of the contact request.
  • The participant data relating happenings is deleted within six (6) months.

Outdated information is regularly removed from the S-Business customer register. A general review and deletion of the information stored into the register is performed once a year. 

The data subject’s rights

The right to receive information

Everyone entered in the register has the right to receive information about the personal data collected about him/her, to what purposes it is used, the basis for processing the data, and to which receiver’s data is disclosed.

The data subject has the following rights:

  • Right to access the information and right to correct incorrect information
  • Right to remove the information when there is no other legal basis for storing the information
  • Right to restriction of processing 
  • Right to prohibit direct marketing 
  • Right to transfer the information from one system to another (for the part of automatic processing)
  • Right to be informed of personal data breaches

In case a person wishes to exercise the aforementioned rights or to have more information about the handling of the personal data, then he/she may contact the S-Business customer service: 

The data subject also has the right to file a complaint with the supervisory authority if he/she considers that the processing of the personal data does not follow the applicable data protection legislation.

Effects on an agreement of not providing personal data

In case personal data is not submitted to S-Business Oy a S-Business card named for the card holder cannot be granted. 

Key information for automated decision-making or profiling

No automated decision-making is used for processing personal data and individuals are not profiled.

Analysis about the account holder’s purchases are made in order to develop the service and for marketing purposes. 

Effects of the processing of personal data and a general description of the technical and organised safety measures

We will protect the personal data for the whole duration of its life cycle by using appropriate data protection and data security measures. 

The account applications and other account holder’s or organisation’s documents that include personal data are kept in locked and fire safe storing spaces. Electronically saved data is stored in systems that are protected from contacts outside the S Group with firewalls. 

Only the designated employees of S-Business Oy and companies working on the assignment of S-Business Oy and on behalf of it whose job description so dictates have the right to use the S-Business customer register and maintain the data contained in it. The data system is protected and only designated users have access to it, using personal usernames and passwords. Each employee who processes information in the S-Business customer register has signed a non-disclosure agreement.

We regularly train our personnel participating in the processing of personal data and ensure that also the personnel of our partners understands the confidential nature of personal data and the importance of secure processing. We choose our subcontractors carefully. We continuously update our internal policies and instructions.

If, in spite of all our safety measures, personal data ends up in the wrong hands, it is possible that the personal data is misused to the detriment of the account holder. If we observe such an event, we will immediately start an investigation and will try to prevent any damage. We will inform the necessary authorities and the registered persons about the data breach in compliance with the requirements of the legislation.