S Groups co-op member and customer register
S Group’s co-op member and customer register DATA PROTECTION POLICY (valid as of 1 September 2020) General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19
1. Data controller
SOK Corporation Postal address: PO Box 1, 00088 S-Ryhmä, Finland S Group’s co-op member service: +358 10 76 5858 Street address: Fleminginkatu 34, FI-00510 Helsinki, Finland Business ID 0116323-1
2. Contact information of the Data Protection Officer
3. Officer in charge of register matters
Leena Tikkanen, firstname.lastname@example.org
4. Name of the register
S Group’s co-op member and customer register
5. Purposes for which personal data is used
The purposes of the processing of personal data are to manage the S Group’s co-op member system and provide the related services and benefits, to manage co-op member relations and other customer relations, to implement direct marketing, to provide targeted and personalised content, to plan and develop the S Group’s business operations and to prepare analyses, profiling, opinion polls and market surveys for these purposes.
The register is used to maintain the co-operatives’ co-op member registers in accordance with the Co-operatives Act.
Personal data may be processed in accordance with the General Data Protection Regulation for marketing purposes by the organisations included in the S Group, as well as by partners.
The term “S Group” refers to the cooperatives and the SOK Group together with its subsidiaries and associated companies.
6. Basis for processing of personal data
Article 6.1 b) Agreement
Member administration of the cooperative
Maintaining the S Group’s co-op member system and providing related services and benefits, as well as managing co-op member relations
Customer communication related to the co-op membership system as well as targeted marketing and advertising
User management in online and mobile services
Handling personnel discounts
Article 6.1 a) Consent
Direct online marketing (including text messages)
Targeting and sending mobile service notifications on the basis of mobile device identifiers
Maintaining relations with other personal customers and targeting advertising and marketing
Article 6.1 c) Legal obligation
Maintaining the cooperative’s public member register in accordance with the Co-operatives Act.
Submitting the necessary information to the Tax Administration in accordance with fiscal legislation.
Disclosing information to authorities when responding to statutory information requests.
Article 6.1 f) Legitimate interest
Planning and developing the S Group’s business operations, such as analytics, customer groupings, profiling, opinion polls and market surveys
Disclosure of data between S Group organisations
Direct marketing (traditional direct marketing and profiling, as well as targeting advertisements in channels outside the S Group)
7. Description of the data controller’s legitimate interest
The legitimate interest has been assessed on the basis that the S Group’s operations are cooperative in nature and the S Group is owned by its co-op members. Co-op membership of the S Group is optional, and the membership system is open to anyone. The purpose of the operations is to provide customer-oriented, meaningful and cost-effective services and benefits to the co-op members, and thus promote financial wellbeing of the co-op members. The analysing of purchasing behaviour and the calculation of customer profiles, as well as related direct marketing and content targeting, opinion polls and market surveys are keyways to achieve this goal. We ensure that the processing based on legitimate interest is correctly proportioned to the benefits of the data subject and in compliance with their reasonable expectations.
Customers have the right to object to the processing of personal data based on legitimate interest and deny the S Group from processing purchase data (apart from the sum total of their receipts), customer groupings and profiling, opinion polls and market surveys, direct marketing and the targeting of advertising in channels outside the S Group. Prohibitions can be made by logging into Oma S-kanava or by sending email to data controller.
8. Processed personal data
We process personal data on the customers listed below.
- Co-op members: persons who are or have been members of a cooperative.
- Members of a co-op member household: persons who belong to or have belonged to a co-op member household but are not members of the cooperative themselves.
- Other customers: persons who do not belong to a co-op member household but have subscribed to some of the services produced using the S Group’s co-op member and customer register, such as the S-code or electronic newsletters.
We process the types of currently valid and/or expired personal data listed in the table below. The types are specified in more detail below the table.
Member of a co-op member household
Basic personal data
Cooperatives’ membership information
Invoicing Bonus partners
Information about the co-op member household
Payment account for benefits
Subscriptions, services used and data concerning the use of services
Permissions and prohibitions
Purchase data, data on paid benefits and data on received discounts
Customer’s digital footprint
Online shopping information
Basic personal data:
- First and last name, social security code, date of birth, gender, language, order of non-disclosure of information for personal safety reasons
- Starting date and validity period of customer relationship
- Information of prohibitions and updates from the Population Information System and service providers
- Permanent postal address, temporary postal address, domicile, mobile phone, other phone number, email
- Information about S Group employee discount
Cooperatives’ membership information:
- Membership cooperative, member identification number, member status, starting and ending date of membership, place of affiliation
- Status of co-op contribution, paid co-op contribution, date of completing co-op contribution and payment transactions
- Information on paid interest, information on paid return of surplus
Invoicing Bonus partners
- Registrations at Bonus partner companies, validity periods
Information about the co-op member household
- Main member of the co-op member household, persons belonging to the same co-op member household as the main member
Payment account for benefits:
- Account number and account type for the payment account for benefits
- Card number, card type, validity period, reason for cancellation
- Information on to which co-op member household the Bonus purchases are connected
- Information on the membership of which cooperative the card subscription is based
- S-code, customer identification
- Customer groupings of the customer (such as groupings connected to the use of digital services, main Sokos store and customer class, grocery store and ABC store segment)
- Information about the customer’s participation in support groups of associations or other groups
Subscriptions, services in use and information concerning the use of services:
- Information of services that have been subscribed or are in use (e.g. newsletters, Ässäraati, S mobiili mobile app, online receipt)
- Information entered by the customer, data produced by the use of services
- Information of data controller’s customer communication aimed at maintaining the customer relationship
Permissions and prohibitions:
- Email marketing permit, mobile device marketing permit
- Direct marketing prohibition, telemarketing prohibition, Robinson marketing prohibition for telemarketing/direct marketing by post, research survey prohibition, prohibition on saving purchase data (except for the sum total of receipts), prohibition on analytics and profiling, prohibition on targeting in channels outside the S Group, prohibition on the use of email addresses
- Prohibition to send the Yhteishyvä magazine, prohibition on separate direct mail
Purchase data, data on paid benefits and data on received discounts:
- Number of S-Etukortti card used for purchases entitling to co-op member benefits or the member/customer number, date of purchase, time, place of purchase, manner in which card was used, data on purchases at the receipt total and/or product level
- Paid Bonus, Tankkausbonus refuelling bonus and payment method benefits
- Received personnel discounts
- Online warranty receipts, online receipts
Customer’s digital footprint
- Online and mobile service user information of logged-on customer
- Information of identified use of digital services (e.g. online and mobile services)
- Online and mobile service user information collected using cookies
Online shopping information
- Information of saved shopping baskets, order and delivery data
- Online customer service contact history and recorded telephone conversations
9. Data source and description of data sources if data is collected from public sources
Data is obtained from the co-op member agreement signed with the customer and from the customer personally during the customer relationship by phone/email or other similar method and based on the use of the services. Updates of name, address and mobile phone data, as well as information about death, can also be received from authorities or companies providing updating services. Information on Robinson marketing prohibitions for telemarketing/direct marketing by post comes from Suomen Asiakkuusmarkkinointiliitto ry. Information of employment in the S Group and information of the right to receive the personnel discount come from the S Group’s employee registers. Basic customer data, such as name and address, electronic contact details and information of permissions and prohibitions are updated in the register when the customer informs a company belonging to the S Group or the S-Bank of the change.
Information concerning the use of S-Etukortti cards comes from the point of sale systems of S Group partners which grant Bonus and organisations that belong to the co-op membership system. Information can also be obtained from organisations belonging to the S Group and partners belonging to the co-op membership system that utilise the S-Etukortti card or other credentials given to customers for identification in their services.
10. Recipients of personal data
SOK Corporation discloses to the Tax Administration information about any interest paid to co-op members on their co-op contribution and return on capital paid to resigned members. SOK Corporation may disclose information within the limits allowed and required by valid legislation, such as when answering authorities’ requests for information. SOK Corporation will disclose to the S-Bank any updated basic customer data if the customer is also an S-Bank customer. Based on the customer’s assignment, SOK Corporation will also disclose information about the customer’s co-op membership to the S Group’s Bonus partners.
11. Transfer of personal data to third countries or international organisations and data protection safeguards
We use subcontractors in the processing of personal data, and data is transferred to a limited extent to outside the European Union (EU) or the European Economic Area (EEA). Technical maintenance of customer data systems can, in accordance with the requirements of data protection legislation, also take place from outside the EU or EEA via remote connection.
Customer data is transferred to outside the EU and the EEA when it is necessary for the technical implementation of the processing of personal data. Our maintenance or technical support service partners are committed to following the EU model agreements pursuant to relevant agreements.
Personal data is not transferred to any international organisations.
12. Personal data retention period
Personal data is only retained for as long as necessary. The personal data in the register is retained at least for the duration of the customer relationship or contractual relation. Outdated information is regularly deleted from the register. Purchase data and information on paid Bonus and payment method benefits is retained for five years. Information on previous basic customer data, permissions, prohibitions, subscriptions and co-op member households is deleted after two years. Information about co-op membership and information about co-op contribution transactions is deleted when six years have passed from the end of the accounting period during which the most recent transaction was carried out. Customer grouping and profiling data is deleted after eight years.
13. Rights of the data subject
The customer has the following rights:
- Right to request access to personal data
- Right to rectification of data
- Right to erasure of data (when processing is based on consent or there is no legal obligation to retain the data)
- Right to restrict processing (denying the authenticity of data or illegitimate processing)
- Right of objection (direct marketing or other processing based on legitimate interest)
- Right to withdraw consent
- Right to transfer data to another system (in case of automatic processing)
- Right to be informed of personal data breaches
If a data subject wishes to exercise their rights or to obtain further information about the processing of their personal data, they may contact the data controller named in this data protection policy. Data subjects also have the right to lodge a complaint with the supervisory authority if they are of the opinion that the processing of their personal data violates the applicable data protection regulations.
14. Effects of not providing personal data on an agreement
In order to become a co-op member and to join the S Group co-op member system, the customer must provide the necessary information so that the agreement can be concluded (name, address, social security code given by the Finnish civil registrant). If the necessary personal data is not provided, the agreement cannot be concluded.
In order to become a member of a co-op member household and to join the S Group co-op member system, the customer must provide the necessary information so that the agreement can be concluded (name, address, social security code given by the Finnish civil registrant or date of birth).
Providing the information required for concluding the relevant service agreement is a prerequisite for the provision of the services based on the register data. The information required for concluding a service agreement varies depending on the service.
15. Important information on automated decision-making or profiling
The data in the register is not used for any profiling or automatic decision-making that would result in legal effects concerning the data subject. If the customer uses the Collect and Scan service, automatic decision-making is performed in the service on the basis of the use of the service and the scanner. The results of such analyses may lead to the customer being directed to have their products verified at the cash counter.
16. Impact of personal data processing and general description of technical and organisational security measures
We diligently protect personal data throughout its lifecycle by employing the appropriate data protection and information security measures. System providers process personal data at secure server facilities. Access to personal data is restricted and the personnel are subject to a confidentiality obligation.
The S Group protects personal data by means of, for example, preventive risk management and security planning, protection measures for data communications and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of user rights is a well-managed process. We regularly provide training to our personnel who participate in the processing of personal data and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We choose our subcontractors with care. We continuously update our internal practices and guidelines.
If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the identity will be stolen or that the personal data will be otherwise misused. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.