General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19
Valid from 1.3.2020
S-Business Oy’s customer register
Fleminginkatu 34, FI-00510 Helsinki, Finland
Business ID 2389183-8
Contact information of the data protection officer
Contact information of the data controller
Telephone: +358 10 768 0820
Name of the register
S-Business Oy’s customer register
Purpose of processing personal data
The purpose of processing the personal data saved into our customer register is to produce and manage S-Business Oy’s invoicing sales service aimed specifically at corporate customers (account holder) (credit decisions, invoicing, customer service, credit monitoring etc.), and to develop and market the service (reporting/analysis) and to carry out in the S Group the statutory storing, reporting and other obligations connected with the service. The S Group refers to the cooperative stores and the SOK Group together with its subsidiaries and holding companies.
We may use the personal data of a contact person named by the account holder or the personal data of a card holder named in the application for producing the service and also for customer communications and marketing in the way described below.
We use the personal data for analytical purposes by following the number of web page and Chat service visitors, and in order to develop the service.
Basis for processing personal data
S-Business Oy processes personal data based on agreements and based on a legitimate interest.
Processing of data based on an agreement
As a rule, the basis for processing the personal data of the card holder and account holder is the card or account application between S-Business Oy and the account holder, which constitutes an agreement between S-Business Oy and the account holder, or an agreement made by the account holder with a leasing company that concerns the use of the S-Business card.
Processing of data based on a legitimate interest
The information in our register may be used in accordance with the General Data Protection Regulation for marketing purposes by the organisations and partners belonging to the S Group.
S-Business Oy may send to a data subject customer communication concerning S-Business’ benefits or new functions as well as electronic marketing (email or mobile) as provided by law. For example, S-Business Oy may send to the data subject information by email about new functions and about the possibilities to use the card at the S Group establishments.
The data subject has at all times the right to forbid the use of their data for marketing purposes. The marketing prohibition may be given by way of contacting the S-Business customer service at firstname.lastname@example.org
The processed personal data groups
- The account holder’s representatives (the contact persons and card holders of the Company)
The processed personal data
The following information about the card holder and account holder:
- Name and contact details of the account holder
- Name of the contact person of the card holder and account holder
- The embossed text on the card
- Native language
- Phone number
- The card’s delivery address
- Invoicing address
- Eventual prohibition of marketing
- Car registration number
- Purchase events
- Internet addresses and contents of the Chat conversations
From where is the personal data gathered?
- From the account holder’s card application
- From the leasing company’s or management company’s card application
- From the account holder or organisation during the customer relationship
- Directly from the card holder (phone, email, Chat, S-Business -mobile)
- From the purchases made by the card holder with the S-Business card
- The company’s credit ratings and the payment history information of the company and its responsible persons from the companies that offer credit information services
- Direct marketing contact information from Suomen Asiakastieto Oy
Processing of personal data
We ensure that our partners protect personal data sufficiently as required by law.
Personal data may be transferred to the following service partners in order to produce the service:
- The card producer
- The invoicing operator
- The collection agency
- Consulting, communication and reporting partners
- The authorities to whom we release information according to the limits allowed and required by the existing legislation, for example in order to answer authorities’ requests for information
Disclosure of personal data
We disclose the card holders’ personal data to their employer acting as the account holder, including, for example, information about the purchases made by the card holder.
The purchase events of the card holders who have an agreement with leasing and management companies are released for invoicing and reporting purposes.
We can also disclose the contact persons personal data (such as name, e-mail address and phone number) to our cooperation partners (e.g. accounting firm) for S-Business’ marketing purposes and for the purposes of customer communication.
Transfer of personal data to third countries or international organisations and the used guarantees of protection
We do not transfer personal data to third countries outside the European Union or the European Economic Area, or to international organisations.
Period for storing personal data or the criteria for determining the period for storing the data
- The S-Business card/account agreement with annexes is stored in an electronic archive during the validity of the agreement and for six (6) years starting from the end of the year when the accounting period ended, as described in the Accounting Act.
- The S-Business card/account applications are stored for two (2) years
- The card holder’s or account holder’s contact information is stored in the S-Business customer register during the validity of the agreement and for six (6) years starting from the end of the year when the accounting period ended, as described in the Accounting Act.
- The invoices and purchase information of the S-Business card/account are stored for six (6) years starting from the end of the year when the accounting period ended, as described in the Accounting Act.
- Reminders are stored during the validity of the agreement and for three (3) years after the accounting period has ended.
- The contents of Chat conversations are stored for two (2) years.
Outdated information is regularly removed from the S-Business customer register. A general review and deletion of the information stored into the register is performed once a year.
The data subject’s rights
The right to receive information
Everyone entered in the register has the right to receive information about the personal data collected about him/her, to what purposes it is used, the basis for processing the data, and to which receiver’s data is disclosed.
The data subject has the following rights:
- Right to access the information and right to correct incorrect information
- Right to remove the information when there is no other legal basis for storing the information
- Right to restriction of processing
- Right to prohibit direct marketing
- Right to transfer the information from one system to another (for the part of automatic processing)
- Right to be informed of personal data breaches
In case a person wishes to exercise the aforementioned rights or to have more information about the handling of the personal data, then he/she may contact the S-Business customer service: email@example.com.
The data subject also has the right to file a complaint with the supervisory authority if he/she considers that the processing of the personal data does not follow the applicable data protection legislation.
Effects on an agreement of not providing personal data
In case personal data is not submitted to S-Business Oy a S-Business card named for the card holder cannot be granted.
Key information for automated decision-making or profiling
No automated decision-making is used for processing personal data and individuals are not profiled.
Analysis about the account holder’s purchases are made in order to develop the service and for marketing purposes.
Effects of the processing of personal data and a general description of the technical and organised safety measures
We will protect the personal data for the whole duration of its life cycle by using appropriate data protection and data security measures.
The account applications and other account holder’s or organisation’s documents that include personal data are kept in locked and fire safe storing spaces. Electronically saved data is stored in systems that are protected from contacts outside the S Group with firewalls.
Only the designated employees of S-Business Oy and companies working on the assignment of S-Business Oy and on behalf of it whose job description so dictates have the right to use the S-Business customer register and maintain the data contained in it. The data system is protected and only designated users have access to it, using personal usernames and passwords. Each employee who processes information in the S-Business customer register has signed a non-disclosure agreement.
We regularly train our personnel participating in the processing of personal data and ensure that also the personnel of our partners understands the confidential nature of personal data and the importance of secure processing. We choose our subcontractors carefully. We continuously update our internal policies and instructions.
If, in spite of all our safety measures, personal data ends up in the wrong hands, it is possible that the personal data is misused to the detriment of the account holder. If we observe such an event, we will immediately start an investigation and will try to prevent any damage. We will inform the necessary authorities and the registered persons about the data breach in compliance with the requirements of the legislation.