Privacy Policy Statement

PRIVACY POLICY

General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19
Valid from December 2024 onwards

Processing of the personal data of S-Business Oy’s customers’ contact persons, cardholders and potential customers’ contact persons.

S-Business Oy customer register

Data controller
S-Business Oy
Fleminginkatu 34, FI-00510 Helsinki, Finland
Business ID 2389183-8

Contact details of the data protection officer
tietosuojavastaava@sok.fi

Contact information of the Data Controller
S-Business Oy
email: s-business@sok.fi
Phone: +358 10 768 0820

Name of the register
S-Business customer register

Purpose of personal data processing

The purpose of processing the personal data stored in our customer register is to produce and manage S-Business Oy’s invoicing sales service aimed specifically at corporate customers (the Account Holder) (credit decisions, invoicing, customer service, credit monitoring etc.), to develop and market the service (reporting/analysis), and to carry out the statutory storage, reporting and other obligations connected with the service at S Group. The term “S Group” refers to the cooperatives and SOK Corporation together with its subsidiaries and associated companies. 

We may use the personal data of a contact person named by the Account Holder or a cardholder named in the application for producing the service and for customer communications and marketing in the way described below. 

We use the personal data for analytical purposes by following the number of visitors to the web pages and the Chat service, and in order to develop the service.  

Calls made to the S-Business customer service will be recorded. To develop our customer service, the recordings can be used in training offered to customer service personnel, service level surveys, the development of instructions and the investigation of complaints. 

Those who contact the customer service by phone can be sent SMS queries, for example, to investigate customer satisfaction. 
We may process your personal data for the purpose of handling contact requests. Personal data is obtained from the data subjects themselves when a data subject completes the contact request form on the S-Business.fi website or when a representative of an S-Group outlet completes the contact request form on behalf of the customer.

Newsletter subscription information is only used for sending the messages you subscribed to. 
Benefit calculation order information is used for sending the calculation you have requested. We can also send you information on other S-Business benefits and uses.  

We only disclose personal data to a third party in accordance with applicable legislation and this Privacy Statement. With the separate consent of the data subject, we may disclose their contact information to S Group companies for marketing purposes.

Grounds for the processing of personal data
S-Business Oy processes personal data based on agreements and based on a legitimate interest.

Processing of personal data based on an agreement
As a rule, the basis for processing the personal data of a cardholder and an Account Holder’s contact person is the card or account application by the Account Holder, which constitutes an agreement between S-Business Oy and the Account Holder, or an agreement made by the Account Holder with a leasing company that concerns using the S-Business card. 

Processing of personal data based on a legitimate interest
The information in our register may be used in accordance with the General Data Protection Regulation for marketing purposes, such as sending event invitations, by the organisations and partners belonging to the S Group at any given time. 

S-Business Oy may send to a data subject customer communication and electronic marketing (email or mobile) that concerns the S-Business benefits or new functions as allowed by the legislation. For example, S-Business Oy may send to the data subject information by email about new functions and about the possibilities to use the card at the S Group establishments. The information in the register can also be used for implementing customer feedback, customer surveys and questionnaires, and for processing the results. 

The data subject has at all times the right to forbid the use of their data for marketing purposes. The marketing prohibition can be issued by contacting the S-Business customer service at s-business@sok.fi. 

Processing of personal data based on consent
With the separate consent of the data subject, we may disclose their contact information to S Group companies for direct marketing purposes. The data subject may withdraw their consent to receiving direct marketing by contacting the S-Business customer service at s-business@sok.fi. 

Processed personal data groups

The Account Holder’s representatives (the contact persons and cardholders of the company)

The personal data processed

  • name and contact information
  • name of the cardholder and the Account Holder’s contact person
  • the embossed name on the card
  • native language
  • phone number
  • email address
  • the card’s delivery address
  • invoicing address
  • fuel oil delivery address 
  • any marketing prohibitions
  • car registration number
  • purchase events


For email and chat services, we additionally store the following information: 

  • time of a conversation
  • sender email address/URL
  • content of the conversations


For recorded calls, we additionally store the following information:

  • time of the call
  • the caller’s number
  • content of the conversations

From where is the personal data obtained?

  • From the Account Holder’s card application
  • From the leasing company’s or management company’s card application
  • From the Account Holder or organisation during the customer relationship 
  • From the cardholders themselves (e.g. phone, email, chat, S-Business mobile, the S-Business Manager service) 
  • From the purchases made by the cardholder with the S-Business card
  • From the contact request form
  • Through our website (e.g., ordering a benefit calculation) 
  • The company’s credit ratings and the payment history information of the company and its responsible persons from companies that offer credit information services
  • Direct marketing contact information from Suomen Asiakastieto Oy ( https://www.asiakastieto.fi/web/fi/tietosuoja-gdpr-asiakastiedossa.html)

Processing of personal data

We process personal data for the purposes defined in this Privacy Policy Statement in the S Group’s electronic systems and services. We use external service partners in the provision of system and support services. Personal data can be transferred to said service providers insofar as the service providers participate in the implementation of measures within the framework of the relevant assignment. 

We ensure that our partners protect personal data sufficiently as required by law. 

Personal data may be transferred to the following service partners in order to produce the service: 

  • The card producer
  • The electronic signature service provider 
  • The invoicing operator
  • The collection agency
  • The forwarding, consulting, communications and reporting partners for payment services
  • The authorities to whom we release information according to the limits allowed and required by the existing legislation, for example in order to answer authorities’ requests for information

Releasing of personal data

We release the cardholder’s personal data to their employer acting as the Account Holder, including, for example, information about the purchases made by the cardholder.

The purchase events of the cardholders who have an agreement with leasing and management companies are released for invoicing and reporting purposes. 

We may disclose a contact person’s personal data (such as their name, email address or phone number) within S Group to customer service and service development, for example, as well as to our contractual partners (such as an accounting firm) for marketing measures and customer communications for S-Business services.   

Transfer of personal data to third countries or international organisations and data protection safeguards used

We do not transfer personal data to third countries outside the European Union or the European Economic Area, or to international organisations.

Period for storing personal data or criteria for determining the storage period

We store the personal data according to this Privacy Policy only for the time and in the extent to which they are necessary, and we utilise them for activities connected to the reported purposes for processing. 

  • The S-Business card/account agreement with its annexes is stored in an electronic archive during the validity of the agreement and for ten (10) years starting from the end of the year when the accounting period ended, as provided in the Accounting Act.
  • S-Business card/account applications are stored for two (2) years. 
  • The cardholder’s or Account Holder’s contact information is stored in the S-Business customer register during the validity of the agreement and for six (6) years starting from the end of the year when the accounting period ended, as provided in the Accounting Act. 
  • The invoices of the S-Business card/account are stored for six (6) years starting from the end of the year when the accounting period ended, as provided in the Accounting Act. 
  • Purchase transaction information for the S-Business card/account is stored for ten (10) years starting from the end of the year when the account period ended.
  • Reminders are stored during the validity of the agreement and for three (3) years starting from the end of the year when the accounting period ended.
  •  Emails are stored for five (5) years.
  • The contents of chat conversations are stored for two (2) years.
  • Recordings of calls are stored for three (3) months.
  • Subscriptions for messages are erased after one month from the time of unsubscribing.
  • The email address provided when ordering a benefit calculation or in connection with other content downloaded from the website will be deleted three (3) months after the information has been submitted.
  • Data submitted in connection with a contact request will be deleted twelve (12) months after receipt of the contact request. 
  • Event attendee data will be stored for a maximum of twelve (12) months.

Outdated information is regularly removed from the S-Business customer register. The checking and deletion of the information stored in the register is performed once a year. 

Rights of the data subject

The right to receive information

Everyone entered in the register has the right to receive information about what personal data is collected, to what purposes it is used, what is the basis for processing the data, and to which receivers data is disclosed. 

  • The data subject has the following rights:
  • Right to access the information and right to rectify incorrect information
  • Right to remove the information when there is no other legal basis for storing the information
  • Right to restrict processing
  • Right to prohibit direct marketing
  • Right to transfer data to another system (in case of automatic processing)
  • Right to be informed of personal data breaches

If a data subject wishes to exercise their rights or to get more information on the handling of their personal data, they can contact the S-Business customer service at s-business@sok.fi.

The data subject also has the right to file a complaint with the supervisory authority if they consider that the processing of the personal data does not follow the applicable data protection legislation

Effects of not providing personal data on an agreement

If personal data is not submitted to S-Business Oy, the S-Business card named for the cardholder cannot be granted.

Significant information related to automated decision-making or profiling

There is no automated decision-making connected to the processing of personal data, and individuals are not profiled.
Analysis about the Account Holder’s purchases is made to develop the service and for marketing purposes.

Impact of the processing of personal data and a general description of technical and organisational security measures

We protect the personal data for the whole duration of its life cycle by using appropriate data protection and data security measures. 

The account applications and other Account Holder’s or organisation’s documents that include personal data are kept in locked and fire safe storing spaces. Electronically saved data is stored in systems that are protected from contacts outside the S Group with firewalls. 

Only the designated employees of S-Business Oy and companies working on the assignment of S-Business Oy and on behalf of it whose job description so dictates have the right to use the S-Business customer register and maintain the data contained in it. The data system is protected and only designated users have access to it, using personal usernames and passwords. Each employee who processes information in the S-Business customer register has signed a non-disclosure agreement. 

We regularly provide training for our personnel who participate in the processing of personal data, and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We select our subcontractors with care. We continuously update our internal practices and guidelines. 

If, in spite of all our safety measures, personal data ends up in the wrong hands, it is possible that the personal data is misused to the detriment of the Account Holder. If we notice that such an event has happened, we will immediately begin an investigation and will make efforts to prevent any damage from occurring as a result. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements. 

12/2024