PRIVACY POLICY

PRIVACY POLICIES:

A) Competition and prize draw register of SOK ABC chain management; B) Access control register for ABC lorry driver and tour leader breakrooms; C) Technical surveillance

A) COMPETITION AND PRIZE DRAW REGISTER OF SOK ABC CHAIN MANAGEMENT

PRIVACY POLICY (as of 25 May 2018) General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19

1. Controller

SOK ABC chain management
Postal address: PO Box 1, FI-00088 S-RYHMÄ, Finland
SOK tel.: +358 10 76 8011
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID: 0116323-1

2. Contact information of the data protection officer

tietosuojavastaava@sok.fi

3. Officer in charge of register matters

Tiina Viksten, tietosuoja.abc@sok.fi

4. Name of the register

Competition and prize draw register of SOK ABC chain management

5. Purpose of the processing of personal data

Personal data is collected and stored temporarily to organise a prize draw or competition. The data is used to implement the prize draw or competition, contact the winner and deliver a potential prize. The participants in the competition or prize draw provide the competition organiser, with their separate consent, with the right to publish each winner’s name and municipality of residence in media services selected by the competition organiser without any separate notification or compensation.

6. Grounds for the processing of personal data

Article 6.1 a) Consent

Consent given to the processing of personal data as part of a competition or prize draw.

Consent given to publishing the winner’s name and municipality of residence in the media services selected by the organiser of the competition or prize draw.

7. Description of the controller’s legitimate interest

The processing of personal data is not based on the controller’s legitimate interest.

8. Processed personal data

Personal data processed in competitions or prize draws
• name
• telephone number
• email address
• address
• postal code
• city/town

9. Processed personal data groups

Participants in the competition or prize draw.

10. Data source and description of data sources if data is collected from public sources

Personal data is collected from participants in the competition or prize draw using the competition or prize draw form or by registering in the competition or prize draw on social media.

11. Recipients of personal data

Personal data is processed in electronic systems and services for the purposes described in this privacy policy. We use external service partners in the provision of system and support services. Personal data can be transferred to said service providers insofar as the service providers participate in the implementation of measures within the framework of the relevant assignment. Personal data is processed in Finland. We ensure that our partners protect personal data sufficiently as required by law. We do not disclose any registered data to third parties, except for the disclosure of data to the authorities within the limits permitted and obligated by valid law, when responding to the authorities’ data requests, for example.

12. Transfer of personal data to third countries or international organisations, and the safeguards employed

We do not transfer personal data to third countries outside the European Union or the European Economic Area or to international organisations.

13. Personal data retention period or criteria for determining the retention period

The personal data referred to in this privacy policy is only retained for as long as, and to the extent that, it is needed, and the controller uses it in activities related to the reported purposes of processing. All collected personal data will be erased after the delivery of prizes or, at the latest, within one month of the delivery.

14. Rights of data subjects

Data subjects have the following rights:
• Right to request access to personal data
• Right to rectification of data
• Right to erasure
• Right to restrict processing
• Right to object
• Right to withdraw consent
• Right to data portability

If a data subject wishes to exercise their rights or to obtain further information on the processing of their personal data, they may contact the controller named in this privacy policy.

Data subjects also have the right to lodge a complaint with the supervisory authority if they deem that the processing of their personal data violates the applicable data protection regulations.

15. Withdrawing consent

Data subjects have the right to withdraw the consent they have given to the processing of personal data. The withdrawal of consent has no effect on the lawfulness of the processing of personal data based on consent conducted prior to the withdrawal. Consent can be withdrawn by contacting the competition or prize draw organiser.

16. Impact of not providing personal data on an agreement

The processing of personal data is not based on an agreement.

17. Data significant for automated decision-making or profiling

No automated decision-making or profiling is associated with the processing of personal data.

18. Impact of the processing of personal data and a general description of technical and organisational security measures

We diligently protect personal data throughout its lifecycle by employing the appropriate data protection and information security measures. The ABC chain’s system providers process personal data in secure server facilities. Access to personal data is restricted, and the personnel are subject to a confidentiality obligation.

At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups, and by using secure hardware facilities, access control and security systems. After initial processing, the physical documents that contain personal data are kept in locked and fireproof storage areas. The granting and monitoring of user rights is a well-managed process. We regularly provide training for our personnel who participate in the processing of personal data, and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We select our subcontractors with care. We continuously update our internal practices and guidelines. If, despite all our protective measures, personal data falls into the wrong hands, there is a possibility that this data will be misused. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.

B) ACCESS CONTROL REGISTER FOR ABC LORRY DRIVER AND TOUR LEADER BREAKROOMS

PRIVACY POLICY (as of 25 May 2018) General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19

1. Controller

SOK ABC chain management
Postal address: PO Box 1, FI-00088 S-RYHMÄ, Finland
SOK tel.: +358 10 76 8011
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID: 0116323-1

2. Contact details of the data protection officer

tietosuojavastaava@sok.fi

3. Officer in charge of register matters

Tiina Viksten, tietosuoja.abc@sok.fi

4. Name of the register

Access control register for ABC lorry driver and tour leader breakrooms

5. Purpose of the processing of personal data

Personal data is collected to grant access rights to breakrooms. If required, this data can be used to contact persons who have accessed the facilities (damage, vandalism and other crime).

6. Grounds for the processing of personal data

Each person must apply for access rights to breakrooms by completing the breakroom access right form, based on which access rights to breakrooms will be granted.

7. Processed personal data

Person’s name, mobile number, name of company, access rights, date and place.

8. Processed personal data groups

Users of lorry driver and tour leader breakrooms.

9. Recipients of personal data

Personal data is processed in electronic systems and services for the purposes described in this privacy policy. We use external service partners in the provision of access control system and support services. Personal data can be transferred to said service providers in Finland insofar as the service providers participate in the implementation of measures within the framework of the relevant assignment. Personal data is processed in Finland. We ensure that our partners protect personal data sufficiently as required by law. We do not disclose any registered data to third parties, except for the disclosure of data to the authorities within the limits permitted and obligated by valid law, when responding to the authorities’ data requests, for example.

10. Transfer of personal data to third countries or international organisations, and the safeguards employed

We do not transfer personal data to third countries outside the European Union or the European Economic Area or to international organisations. The system’s server and database are located in Finland.

11. Personal data retention period or criteria for determining the retention period

The personal data referred to in this privacy policy is only retained for as long as, and to the extent that, it is needed, and the controller uses it in activities related to the reported purposes of processing. All collected personal data will be erased after access rights are no longer in effect.

12. Rights of data subjects

Data subjects have the following rights:
• Right to request access to personal data
• Right to rectification of data
• Right to erasure
• Right to restrict processing

If a data subject wishes to exercise their rights or to obtain further information on the processing of their personal data, they may contact the controller named in this privacy policy.

Data subjects also have the right to lodge a complaint with the supervisory authority if they deem that the processing of their personal data violates the applicable data protection regulations.

13. Impact of not providing personal data on an agreement

The right to use breakrooms will end.

14. Impact of the processing of personal data and a general description of technical and organisational security measures

We diligently protect personal data throughout its lifecycle by employing the appropriate data protection and information security measures. The ABC chain’s system providers process personal data in secure server facilities. Access to personal data is restricted, and the personnel are subject to a confidentiality obligation.

At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups, and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fireproof storage areas. The granting and monitoring of access rights is a well-managed process. We regularly provide training for our personnel who participate in the processing of personal data, and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We select our subcontractors with care. We continuously update our internal practices and guidelines. If, despite all our protective measures, personal data falls into the wrong hands, there is a possibility that this data will be misused. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.

C) TECHNICAL SURVEILLANCE

Read more here.
