PRIVACY POLICY (valid as of April 1, 2024)
General Data Protection Regulation (EU) 2016/679, Articles 12, 13, 14 and 19
1. Data controller
SOK Corporation, Postal address: PO Box 1, 00088 S-Ryhmä, Finland, S Group’s co-op member service: +358 (0)10 76 5858, Street address: Fleminginkatu 34, FI-00510 Helsinki, Finland, Business ID: 0116323-1
2. Contact information of the Data Protection Officer
3. Officer in charge of register matters
4. Name of the register
S Group’s co-op member and customer register
5. Purposes for which personal data is used
We process your personal data to manage S Group’s co-op member system and provide related services and benefits, for online store transactions, to manage co-op member relations and other customer relations, to implement direct marketing, to provide targeted and personalised content, to plan and develop S Group’s business operations, and to prepare analyses, profiling, opinion polls and market surveys for these purposes and for processing customer feedback.
In the register, we maintain the co-operatives’ membership registers in accordance with the Co-operatives Act.
We might process your personal data in organisations that belong to S Group at any given time. We might process your personal data for marketing purposes of our partners and organisations that belong to S Group at any given time. The term “S Group” refers to the cooperatives and the SOK Group together with its subsidiaries and associated companies. The term “partner” means companies that grant Bonus and/or benefits to co-op members, for example, and companies that cooperate with S Group, implement joint marketing or buy media visibility from S Group.
6. Grounds for the processing of personal data
We process your personal data under the following grounds:
Article 6.1 b) Agreement | Member administration of the cooperative Maintaining the S Group’s co-op member system and providing related services and benefits, as well as managing co-op member relations Online shopping Customer communication related to the co-op membership system as well as targeted marketing and advertising User management in online and mobile services Handling personnel discounts Implementation of the electronic receipt service and My Purchases service |
Article 6.1 a) Consent | Direct marketing using electronic means (e-mail or SMS, for example) Sending notification messages of mobile services and targeting marketing and advertising on the basis of mobile device IDs. Services associated with the location of the terminal equipment Maintaining relations with other personal customers and targeting advertising and marketing Disclosing data for partners, for example, to get Bonus or other co-op member benefits. Disclosing data to third parties outside S Group or for external purposes, such as scientific research. Processing of digital footprint data based on cookie choices Processing of survey responses that are personal data on the grounds of consent given by the respondent |
Article 6.1 c) Legal obligation | Maintaining the cooperative’s public member register on behalf of the individual co-operatives in accordance with the Co-operatives Act Submitting the necessary information to the Tax Administration in accordance with fiscal legislation. Disclosing information to authorities when responding to statutory information requests. |
Article 6.1 f) Legitimate interest | Planning and developing S Group’s business operations such as statistics, analytics, customer groupings, profiling, opinion polls and market surveys Processing of customer feedback Disclosure of data between S Group organisations Direct marketing (traditional direct marketing, targeting and personalising of content, as well as targeting advertisements in channels outside S Group) Profiling and inspections made in the pick and scan service Processing of product-level purchase data and recognising irregularities |
7. Description of the data controller’s legitimate interest
We have assessed the legitimate interest on the basis that S Group’s operations are cooperative in nature and S Group is owned by its co-op members. Co-op membership of S Group is optional and the membership system is open to anyone. The purpose of S Group's operations is to provide customer-oriented, meaningful and cost-effective services and benefits to co-op members, and thus promote financial wellbeing of co-op members. The analysing of purchasing behaviour and the calculation of customer profiles, as well as related direct marketing and content targeting, opinion polls and market surveys are key ways to achieve this goal. We ensure that the processing based on a legitimate interest is correctly proportioned to your interests and in compliance with your reasonable expectations.
You have the right to object to the processing of personal data based on a legitimate interest and deny S Group from processing purchase data (apart from the sum total of your receipts), analytics and customer grouping, opinion polls and market surveys, direct marketing and the targeting of advertising in channels outside S Group. To prohibit the processing of personal data, log in to your S User Account at https://s-kayttajatili.fi/en or contact the controller.
8. Processed personal data
We process your personal data if your belong to any of the following customer groups:
Co-op members: persons who are or have been members of a cooperative
Members of a co-op member household: persons who belong to or have belonged to a co-op member household but are not members of the cooperative themselves
Other customers: persons who do not belong to a co-op member household but have subscribed to some of the services provided on the basis of S Group’s co-op member and customer register, such as the S User Account or electronic newsletters or have performed transactions in the online store.
We process the types of currently valid and/or expired personal data listed in the table below. The types are specified in more detail below the table.
Co-op member | Member of a co-op member household | Other customer | |
Basic personal data | X | X | X |
Contact us | X | X | X |
Employee information | X | X | |
Cooperatives’ membership information | X | ||
Invoicing Bonus partners | X | X | |
Information about the co-op member household | X | X | |
Payment account for benefits | X | ||
S-Etukortti card | X | X | |
Credentials | X | X | X |
Customer groups | X | X | X |
Subscriptions, services used and data concerning the use of services | X | X | X |
Authorizations and prohibitions, i.e., your consents and objections to personal data processing | X | X | X |
Purchase data, data on paid benefits and data on received discounts | X | X | |
Customer’s digital footprint | X | X | X |
Online shopping information | X | X | X |
Customer feedback | X | X | X |
Survey responses based on consent | X | X | X |
Basic personal data:
First and last name, social security code, date of birth, gender, language, order of non-disclosure of information for personal safety reasons
Starting date and validity period of customer relationship
Information of prohibitions and updates from the Population Information System and service providers
Contact details:
Permanent postal address, temporary postal address, domicile, mobile phone, other phone number, email
Employee information:
Information about S Group employee discount
Cooperatives’ membership information:
Membership cooperative, member identification number, member status, starting and ending date of membership, place of affiliation
Status of co-op contribution, paid co-op contribution, date of completing co-op contribution and payment transactions
Information on interest paid on the contribution, information on the return of the surplus paid
Invoicing Bonus partners
Registrations at Bonus partner companies, validity periods
Information about the co-op member household
Main member of the co-op member household, persons belonging to the same co-op member household as the main member
Payment account for benefits:
Account number, validity period and account type for the payment account for benefits
S-Etukortti cards, S-Bank Private Visa cards:
Card number, card type, validity period, reason for cancellation
Information on to which co-op member household the Bonus purchases are connected
Information on the membership of which cooperative the card subscription is based
User identification:
S user account, customer identification
Customer groups:
Customer groupings of the customer (such as groupings connected to the use of digital services, main Sokos store and customer class, grocery store and ABC store segment)
Information about the customer’s participation in support groups of associations or other groups
Subscriptions, services in use and information concerning the use of services:
information on services subscribed to / in use (e.g. S User Account, S-mobiilimobile app)
Information entered by the customer, data produced by the use of services
Information on the data controller’s communication with the customer aimed at maintaining the customer relationship
Authorizations and prohibitions, i.e., your consents and objections to personal data processing:
Email marketing permit, mobile device marketing permit (a mobile phone)
For example, authorisations and prohibitions, such as notification permits, administered in S-mobiili and ABC-mobiili mobile apps.
cookie choices
direct marketing ban, phone marketing ban, Puhelin-Robinson phone ban, Posti-Robinson mail ban, prohibition of surveys
Prohibition on separate direct mail, prohibition to send notifications
Prohibition of processing purchase data in more detail than the total sum of the receipt, prohibition of analytics and customer grouping, prohibition of targeted advertising on channels outside S Group
Purchase data, data on paid benefits and data on received discounts:
Number of the S-Etukortti card used for purchases entitling one to co-op member benefits or the member/customer number, date of purchase, time, place of purchase, manner in which the card was used, purchase data in the receipt total and/or product level
Paid Bonus, Tankkausbonus refuelling bonus and payment method benefits
Co-op price benefits received, personnel discounts received
Online warranty receipts and online receipts
Customer’s digital footprint
website user data and mobile service user data
Information of the identified use of digital services (e.g., online and mobile services)
Online shopping information
Data concerning a saved shopping basket as well as order and delivery data, such as order number, payment information, delivery method and destination; however, more detailed information on deliveries from online grocery stores, such as additional delivery information, is only information from the order and delivery register of the co-operative that delivers the order.
Information provided by the user about their preferences
Products marked as favourites by the customer
Contact history and phone call recordings concerning online store service, orders and deliveries
Customer feedback
Feedback provided on a feedback form and the feedback functionality in the S-mobiili app.
Survey responses based on consent
Responses given in a survey when the respondent has given their explicit consent to the processing of responses as personal data
9. Data source and description of data sources if data is collected from public sources
We obtain data from the agreement you signed when joining S Group’s co-op membership system and from your personally during the customer relationship by phone, online, email or other similar method, and based on your use of the services.
Updates of name, address and mobile phone data, as well as information about death, can also be received from authorities or companies providing updating services. Information on Robinson marketing prohibitions for telemarketing/direct marketing by post comes from Suomen Asiakkuusmarkkinointiliitto ry. Information of employment in the S Group and information of the right to receive the personnel discount come from the S Group’s employee registers.
We obtain data on your use of the S-Etukortti card and any transactions you perform when identified online from those organisations that belong to S Group's co-op member system and from partners that grant the S Group Bonus. In addition, we might obtain information from organisations belonging to S Group and partners belonging to the co-op membership system that utilise the S-Etukortti card or other credentials to verify your identity in their services.
We obtain limited personal data also on customers shared by SOK and S-Bank from their joint register. For more information, see section 17 of this policy.
10. Recipients of personal data
We disclose information to the Tax Administration about any interest paid to co-op members on their co-op contribution and return on capital paid to resigned members. We can also disclose information within the limits allowed and required by valid legislation, such as when answering authorities’ requests for information.
We disclose information about your online groceries purchases to a co-operative in order for them to deliver your order.
We disclose the delivery information of your order to Posti or other similar operators such as PostNord to deliver products you have purchased. The disclosure of the information is based on the agreement concluded as part of the product purchase.
With your consent, we disclose information about your co-op membership to a partner that grants S Group Bonus.
With your consent, we may disclose your data to third parties outside S Group or for external purposes, such as scientific research.
Your personal data associated with customer feedback is received by S Group’s internal customer service teams, as well as product specialists participating in the processing of your feedback.
Your demographic data and data about you belonging to a customer group can also be processed with other data in SOK’s customer registers in order to develop business operations in analytics and reporting for each customer group. This data can also be used for improving the quality and targeting of customer service, for example, when you book a room in one of S Group's Sokos Hotels.
We disclose limited personal data also on customers shared by SOK and S-Bank to their joint register. For more information, see section 17 of this policy.
11. Transfer of personal data to third countries or international organisations and data protection safeguards used
We use subcontractors to process personal data and the data is transferred in a limited way outside the European Union (EU) or the European Economic Area (EEA) for the purposes of service provision, technical administration and support. We can perform these types of transfers if the European Commission has decided that the target country or organisation has a sufficient level of data protection or we can otherwise ensure a sufficient level of protection of the personal data in accordance with applicable legislation, such as by using standard contractual clauses approved by the European Commission. You can read more about the standard contractual clauses approved by the European Commission here [link: Publications Office (europa.eu)].
We require our subcontractors to agree to follow the data protection and information security requirements of legislation and SOK.
12. Personal data retention period
Your personal data is only retained for as long as necessary, but always for at least as long as your customer and contractual relationship with us is in force. In deviation from the above, we delete all data related to expired basic customer data, contact information (excluding postal code), permission and prohibition data, and orders and service activations after two years from the expiry of the data. Digital footprint data from giving customer feedback or using online and mobile services is deleted after two years from its creation. We regularly delete expired data and data that has become unnecessary from the register in accordance with the lifecycles defined for personal data.
A customer may have an existing customer relationship through an S User Account or co-op membership, either simultaneously or at different times.
Co-op membership begins when a person joins as a co-op member or joins a co-op member household and ends when the co-op membership agreement ends when the person resigns from their co-op membership or leaves the co-op member household, at which time their right to use an S-Etukortti card also ends.
We process product-level purchase data accumulated from the customer relationship throughout the co-op membership. The processing of customer data based on legitimate interest for the purposes of analytics ends when the customer is no longer part of a co-op member household, meaning their co-op membership agreement has ended. We delete product-level purchase data processed based on legitimate interest and data on paid Bonuses and payment method benefits, data on former co-op member households and postal codes, as well as customer groupings six months after the end of the co-op membership. We delete other data related to the co-op membership agreement (Bonus purchase data no more than five years old (total sum accumulating purchase Bonuses) and co-op member household data) no later than five years after the end of the co-op membership.
We will delete information about co-op membership and information about co-op contribution transactions when six years have passed from the end of the accounting period during which the most recent transaction was carried out.
An S User Account customer relationship is formed when the user accepts S Group’s terms of use for its digital services, meaning when they conclude an S User Account agreement. We process product-level purchase data for purchases made while logged in to the S User Account throughout the S User Account customer relationship. The customer relationship based on the S User Account ends when it is requested that the account be deleted, or the customer has not used the account in two years. The S User Account’s product-level purchase data is deleted when the customer relationship ends. Please note that for technical reasons, we are currently unable to delete S User account data that has expired due to user inactivity. The customer can request the deletion of their account and S User account data.
13. Right of the data subject
You have the following rights:
You can withdraw your consent and object to data processing and direct marketing based on a legitimate interest and thereby control how we use your personal data. To do this, you can grant and withdraw authorisations and prohibitions by logging in to your S User Account at https://s-kayttajatili.fi/en, in the S-mobiili mobile app or by clicking the link in the email message you received.
To exercise your rights or get more information on how your personal data is processed, you can also contact the controller by sending an email to tietosuoja.asiakkuus@sok.fi. You also have the right to file a complaint with a supervisory authority if you are of the opinion that we are in breach of the applicable data protection legislation when we process your personal data.
.
14. Effects of not providing personal data on an agreement
In order to become a co-op member and to join the S Group co-op member system, the customer must provide the necessary information so that the agreement can be concluded (name, address, social security code given by the Finnish civil registrant). If the necessary personal data is not provided, the agreement cannot be concluded.
In order to become a member of a co-op member household and to join the S Group co-op member system, the customer must provide the necessary information so that the agreement can be concluded (name, address, social security code given by the Finnish civil registrant or date of birth).
Providing the information required for concluding the relevant service agreement is a prerequisite for the provision of the services based on the register data. The information required for concluding a service agreement varies depending on the service.
15. Significant information related to automated decision-making or profiling
We do not perform automatic profiling or automatic decision-making on the basis of the data in the register that would result in legal effects concerning the data subject. If you have adopted the Collect and Scan service, automatic decision-making is performed in the service on the basis of the use of the service and the scanner. The results of such analyses may lead to you being directed to have your products verified at the cash counter.
16. Impact of personal data processing and general description of technical and organisational security measures
We diligently protect your personal data throughout its lifecycle by employing the appropriate data protection and information security measures. Our system providers process your personal data at secure server facilities. Access to personal data is restricted, and the personnel are subject to a confidentiality obligation.
S Group protects your personal data by means of, for example, preventive risk management and security planning, protection measures for data communications, and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of user rights is a well-managed process. We regularly provide training for our personnel who participate in the processing of personal data and ensure that our partners’ personnel also understand the confidential nature of personal data and the importance of secure processing. We select our subcontractors with care. We continuously update our internal practices and guidelines.
If, despite all of our safeguards, your personal data falls into the wrong hands, it is possible that your identity will be stolen or that your personal data will be otherwise misused. If we notice that such an event has happened, we will immediately begin an investigation and will make efforts to prevent any damage from occurring as a result. We will inform the relevant authorities and you of the data security breach in accordance with legislative requirements.
17. Data protection concerning the joint data register and controller role for shared customer data of SOK and S-Bank
17.1. Purpose and data subjects of the joint register
Suomen Osuuskauppojen Keskuskunta (SOK) as a data controller and S-Bank Plc as a data controller are the joint controllers of data described in this policy. In this description, we will define the data subjects and what kind of information is processed in the register. We will also explain how the roles of joint data controllers have been determined in relation to the data subjects. This section supplements the privacy policies of the SOK and S-Bank customer registers.
Natural persons covered by the joint register:
S Group and S-Bank have a shared task of providing their customers with benefits and services. The purpose of the joint register is to enable the production and development of these benefits and services so that you as a data subject can get the most out of both your shopping and banking memberships. With the joint register, we can also develop S Group’s and S-Bank’s shared mobile app (S-mobiili) and provide an even better service.
We also use the joint register to ensure that you can maintain your customer information as easily as possible and manage consent matters included in the joint register.
As the data controller, we will use the data included in the joint register for the shared purposes described below. The data will also be used for purposes determined separately in the privacy policies of S Group’s co-op member and customer register and S-Bank’s customer register.
17.2. Data areas included in the joint register
These are the shared data that S-Bank and SOK process for joint purposes.
Data: | Purpose of use: | Storage period in the joint register *) | Legal grounds: |
Basic personal data (name, social security number, date of birth, language, gender, date of death) | Maintaining and updating data for the provision of co-op member and employee benefits. | For as long as the customer is included in the joint register, as described in section 1. | Contract, legitimate interest in relation to gender data |
Contact information (permanent and temporary postal address, mobile phone number, other phone number, email address) | Maintaining and updating data for the provision of co-op member and employee benefits. | For as long as the customer is included in the joint register. | Agreement |
Employee information (information on belonging to the personnel, information of right to employee discounts) | Maintaining and updating data for the provision of employee benefits. | For as long as the customer is included in the joint register. | Legitimate interest |
Co-op member’s household (information about a person belonging to a co-op member’s household, validity period, member/customer number) | Maintaining and updating data for the provision of co-op member and employee benefits. | For as long as the customer is included in the joint register. | Agreement |
Payment account for benefits (valid account number for the payment of benefits) | Maintaining and updating data for the provision of co-op member and employee benefits. | For as long as the customer is included in the joint register. | Agreement |
S-Etukortti Visa (card type, card validity, information on which cooperative’s membership was used to order the card) | Creation of an S-Etukortti Visa card with the customer’s details. Managing settlements on matters related to the production of co-op member benefits. | For as long as the customer is included in the joint register. | Agreement |
Consent and prohibitions (direct marketing prohibition, email marketing permission, mobile marketing permission, telemarketing prohibition, survey prohibition and prohibition information of the Robinson prohibition service offered by Suomen Asiakkuusmarkkinointiliitto ry) | Maintaining and updating data. | For as long as the customer is included in the joint register. | Legitimate interest |
* Personal data will be processed also as part of SOK’s co-op member and customer register and S-Bank’s customer register independently for their own purposes.
17.3. Recipients and recipient groups of personal data
We disclose personal data from the joint register to S Group’s co-op member and customer register and S-Bank’s customer register in accordance with the table above. The purpose of use of these data is to maintain basic information, develop S-mobiili and customer analytics. We may disclose register data to third parties in accordance with the privacy policies of the registers.
We ensure that the transfer of data is lawful if transferring customer data to countries outside the EU/EEA is necessary for technical aspects related to the processing of personal data.
17.4. Data subject’s rights in the joint register
As a data subject, you can approach either data controller to enforce your rights related to the joint register data. We recommend contacting the data controller that is relevant to the rights you wish to enforce. In store customer matters, you can turn to SOK, and in banking matters, to S-Bank.
If you think the processing of personal data is unlawful, you have the right to lodge a complaint or contact the Office of the Data Protection Ombudsman acting as the supervisory authority.
You can prohibit the processing of personal data for advertising and analytics by using your right to opt out or by revoking your previously given consent. As a result, the contents of S-mobiili may be less personalised and we will not be able to provide you with targeted announcements or advertising in the best way possible.
17.5. Contact details of the parties to the joint register
Contact details of the joint data controllers of the register:
Contact details of the SOK data protection officer: tietosuojavastaava@sok.fi
Contact details of the S-Bank data protection officer: tietosuojavastaava@s-pankki.fi