S Group’s co-op member and customer register

PRIVACY POLICY STATEMENT (as of 25 May 2018)
General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19

1. Data controller

SOK Corporation
Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland
S Group’s co-op member service: +358 (0)10 76 5858
Street address: Fleminginkatu 34, 00510 Helsinki, Finland
Business ID 0116323-1

2. Contact information of the data protection officer

tietosuojavastaava@sok.fi

3. Keeper of the register

Leena Tikkanen, tietosuoja.asiakkuus@sok.fi

4. Name of the register

S Group’s co-op member and customer register

5. Purpose of processing personal data

The register is used to maintain the co-op stores’ member registers in accordance with the Finnish Cooperatives Act. Additionally, the purpose of processing personal data in this register is maintaining the S Group co-op membership system and offering services and benefits connected to the system, maintaining relations with co-op members and other private customers, marketing, and planning and developing S Group's business operations. S Group means the cooperative stores and the SOK Group together with its subsidiary and holding companies. The information in the register may be used in accordance with the General Data Protection Regulation for marketing purposes by and in the organisations and partners belonging to S Group, as well as by partners that belong to the co-op member system.

6. Basis for processing personal data

Personal data is processed on the following basis:

Article 6.1 b) Agreement
- Member control of the cooperative
- Maintaining S Group’s co-op membership system and offering services and benefits connected to it as well as maintaining relations with co-op members
- Customer communication related to the co-op membership system and targeted marketing and advertising
- Carrying out personnel discounts

Article 6.1 a) Consent
- Direct marketing using electronic means
- Maintaining relations with other personal customers and focusing advertising and marketing

Article 6.1 c) Legal obligation
- Maintaining the cooperative store’s public member register in accordance with the Finnish Cooperatives Act.
- Submitting the necessary information to the tax authorities in accordance with fiscal legislation.

Article 6.1 f) Legitimate interest
- Planning and developing S Group’s business operations, e.g. analytics and attitude and market surveys
- Transfer of data between S Group organisations
- Direct marketing (for example profiling and targeted advertising online)

7. Description of the data controller’s legitimate interest

Usually, the data controller’s legitimate interest is based on the customer relationship or other equivalent relationship between the data controller and the customer. The data controller ensures that the data subject’s rights and interests are carefully assessed.

8. Processed personal data

In the register, data on the following customers is processed:

- Co-op members: persons who are or have been members of a cooperative store
- Those who are a part of a co-op household: persons who belong to or have belonged to a co-op member household but are not members of the cooperative themselves
- Other customers: persons who do not belong to a co-op member household but have subscribed to some of the services produced using the S Group’s co-op member and customer register, such as the S-code or electronic newsletters.

9. The processed personal data groups

In the register, the following types of current or expired personal data regarding the customers can be processed. The types are specified further after the table below.

Co-op member / Member of a co-op member household / Other customer
Personal data: x x x
Contact information: x x x
Personnel information: x x
Cooperative stores’ member information: x
Invoicing Bonus partners: x x
Information of the co-op member household: x x
Payment account for benefits: x
S-Etukortti card: x x
User identification: x x x
Customer groups: x x x
Subscriptions, services used and data concerning the use of services: x x x
Service limitations: x x
Purchase information, information of paid Bonus, Tankkausbonus refuelling bonus and payment method benefit: x x
Customer’s digital footprint: x x x
Online shopping information: x x x

Personal information:
- First and last name, personal identity code, date of birth, sex, language, prohibitions on the disclosure of information on basis of personal safety, marketing prohibitions
- Customer identification number, starting date and validity period of customer relationship
- Information of prohibitions and updates received from the Population Information System and service providers

Contact information:
- Permanent mailing address, temporary mailing address, place of domicile, country code, mobile phone, marketing permission for mobile phone, additional phone number, email address, marketing permission for email

Personnel information:
- Information on belonging to the personnel, information of right to discount

Cooperative stores’ member information:
- Cooperative store of membership, member identification number, member status, starting and termination date of membership, place of affiliation
- Status of cooperative membership fee, paid membership fee, date of completing membership fee and payment transactions
- Information of paid interest, information of paid return of surplus

Invoicing Bonus partners:
- Registrations at Bonus partner companies, period of validity

Information of the co-op member household:
- Main member of the co-op member household, persons belonging to the same co-op member household as the main member

Payment account for benefits:
- Account number and account type for the payment account for benefits

S-Etukortti cards:
- Card number, card type, period of validity, reason of cancellation
- Information of what co-op member household the Bonus purchases are connected to
- Information of which cooperative store membership the card subscription is based on

User identification:
- S-code, customer identification

Customer groups:
- Customer groups of the customer (e.g. those connected to use of digital services, main Sokos and Emotion purchase locations and customer classifications)
- Information of the customer's participation in support groups of associations or other groups

Subscriptions, services in use and information concerning the use of services:
- Information of services that have been subscribed or are in use (e.g. newsletters, Ässäraati, S mobiili mobile app, online receipt).
- Information of identified use of digital services (e.g. web and mobile services) in use
- Information entered by the customer, data produced by use of service
- Information of data collector’s customer communication aimed at maintaining the customer relationship

Service limitations:
- Prohibition to send the Yhteishyvä magazine, prohibition of independent direct mailings, prohibition of telemarketing, warranty receipt prohibition, product-level purchase information prohibition, email announcement prohibition

Purchase information, information of paid Bonus, Tankkausbonus refuelling bonus and payment method benefit:
- The number of the S-Etukortti card used for purchases entitling to co-op member benefits or the member/customer number, date of purchase, time, place of purchase, information of purchases on a receipt total, product and/or product group level
- Bonus paid, Tankkausbonus refuelling bonus and payment method benefit
- Received personnel discounts
- Online warranty receipts, online receipts

Customer's digital footprint:
- Web and mobile service user information of logged-on customer
- Web and mobile service user information collected using cookies

Online shopping information:
- Information of saved shopping baskets, order and delivery information
- Online store customer segment

10. Data source and description of data sources, if data is collected from public sources

The data is received from the co-op member agreement made by the customer and from the customer personally during the customer relationship by phone, via the internet, email or other equivalent method, and through the use of services. Updates to name, address, mobile phone and information of death can also be received from the public authorities or companies providing the updating services. Information of employment in S Group as well as information of right to personnel discount are received from the S Group employee registers. Basic customer information, such as name and address, electronic contact information and information of permissions and prohibitions, is updated in the register when the customer informs a company belonging to S Group or S-Bank of the update. Information concerning the use of the S-Etukortti card is received from point of sale systems of S Group partners and organisations that belong to the co-op membership system. Information can also be received from organisations that belong to S Group and partners that belong to the co-op membership system that utilise the S-Etukortti card or other credentials given to customers for identification in their services.

11. Recipients of personal data

SOK Corporation gives the tax authorities information about any interest paid to co-op members on their membership fee and about capital distribution to resigning co-op members. SOK Corporation may disclose information within the limits allowed and required by existing legislation, for example, in order to answer authorities’ requests for information. SOK Corporation transfers to S-Bank any updated basic customer information if the customer is also S-Bank’s customer. By the customer’s order, SOK Corporation will disclose information about the customer’s co-op membership to S Group’s bonus partner.

12. Transfer of personal data to third countries or international organisations and the used guarantees of protection

We use subcontractors for processing of personal data, and the data is transferred outside the European Union (EU) or European Economic Area (EEA) in a limited capacity. The technical maintenance of customer information systems can, in accordance with the requirements of the Data Protection Regulation, also be performed from outside the EU or EEA via remote access. Customer data is transferred outside the EU and the EEA when necessary for the technical implementation of the personal data processing. Our partners in maintenance or technical support have committed to the Privacy Shield programme or model agreements of the European Union with the appropriate contracts. Personal data is not transferred to international organisations.

13. Duration of storing personal data

Personal data is only used for as long as necessary. The personal data in the register is stored at least for the duration of the customer relationship or contractual relation. Outdated information is regularly removed from the register. Purchase information and information of paid Bonus and payment method benefits, as well as information of previous basic customer information, permissions, prohibitions and subscriptions and co-op member households, is removed after 2 years. Information connected to the cooperative store membership and information of cooperative membership fee transactions are removed after 6 years have passed from the end of the accounting period during which the latest financial transaction was carried out. Profiling information is removed after 2 years.

14. Rights of the data subject

The customer has the following rights:
- Right to access personal data
- Right to correction of data
- Right to erasure of data (when processing is based on consent or there is no legal obligation to store the data)
- Right to restriction of processing (denying the authenticity of data or illegitimate processing)
- Right of objection (direct marketing or other processing based on legitimate interest)
- Right to withdraw consent
- Right to transfer the information from one system to another (for the part of automatic processing)
- Right to be informed of personal data breaches

If a data subject wishes to exercise their rights or to obtain further information about the processing of their personal data, they may contact the data controller mentioned in this privacy policy.

Data subjects also have the right to lodge a complaint with the supervisory authority if they consider the processing of their personal data to violate the applicable data protection provisions.

15. Effects of not providing personal data on an agreement

In order to become a co-op member and to join the S Group co-op member system, the customer must provide the necessary information so that the agreement can be concluded (name, address, personal identity code given by the Finnish civil registrant). If the necessary personal data is not provided, the agreement cannot be concluded.

In order to become a member of a co-op member household and to join the S Group co-op member system, the customer must provide the necessary information so that the agreement can be concluded (name, address, personal identity code given by the Finnish civil registrant or date of birth). If the personal data is not provided, the agreement cannot be concluded.

Providing the information required for concluding the relevant service agreement is a prerequisite for the services produced based on the register data. The information required for concluding a service agreement varies depending on the service in question. If the personal data is not provided, the agreement cannot be concluded.

16. Important information on automated decision-making or profiling

Based on the data in the register, no profiling or automatic decision-making that would result in legal effects concerning the data subject is performed.

17. Effects of the processing of personal data and a general description of the technical and organised safety measures

We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. The system providers process personal data in data secure server spaces. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation. S Group protects personal data, for example, by preventive risk management and safety planning, protection measures for data communication and by using secure equipment facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of user rights is a well-managed process. We regularly train those of our personnel who participate in the processing of personal data, and work to ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We choose our subcontractors carefully. We continuously update our internal practices and guidelines.

If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the data subject's identity will be stolen or that the personal data will be otherwise misused. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.