Privacy Policy
1. Data controller
Kiinteistö Oy Jyväskylän Seppä
Business ID 2647398-1
Shopping Centre Seppä
Ahjokatu 3-5,40320 Jyväskylä
2. Contact person in matters pertaining to the register
Mikko Seppälä
Shopping Centre Manager
3. Name of register
Marketing Register
4. Legal basis for and purpose of processing personal data
The processing of personal data is based on the data controller’s legitimate interest (e.g. direct marketing) and the data subject’s consent (e.g. electronic direct marketing).
Personal data is collected, processed and used for the management of the shopping centre’s customer relations, delivery and maintenance of services, direct marketing, targeted marketing, distance selling, customer communications, opinion and market research, and monitoring and analysis of the shopping centre’s customer behaviour and experiences. Personal data is also used for statistical purposes and the development of the shopping centre’s services.
5. Data content of the register
The register may contain the following data of data subjects:
- First name
- Last name
- Telephone number
- Address
- Postal code
- Company and position
- Date of birth
- Mobile phone operator
- Mobile phone model
- Profession
- Identification data, such as password (GSM number) and user ID
- Information on the expiry of service use
- Interests and preferences for profiling
- Any direct marketing restrictions
6. Regular sources of information
Personal data is collected regularly from shopping centre customers when they register with the online service, by SMS or by other means.
Information collected directly from the data subjects function as regular sources of information. Information is collected from customers when they register with the online service and throughout the customer relationship. Personal data is collected through the shopping centre’s website, through both electronic and non-electronic forms (e.g. feedback and order forms) and by phone.
The Finnish Population Information System may be used to update collected personal data. The Population Information System is also used to generate target groups for marketing, together with the Finnish Transport and Communications Agency Traficom’s vehicle information system or other public registers.
7. Regular disclosure of data
In principle, personal data is never disclosed to third parties. However, personal data may be disclosed to third parties inside the EU, such as the shopping centre’s partners and companies providing services ordered by the data subject, unless the data subject has prohibited the disclosure of their data to such parties, and to public authorities.
Data may be disclosed for the purpose of delivering goods and services or implementing an agreement between the shopping centre and the data subjects as well as direct marketing and distance selling.
Personal data shall not be disclosed to third parties without the explicit consent of the party concerned for purposes other than those mentioned above, unless otherwise provided by law.
8. Erasure of data
Data may be erased on the data subject’s request or at the end of the customer relationship.
9. Principles of data protection
Personal data stored in the register is maintained in machine-readable format by the data controller or an entity authorised by the data controller. The information system is protected against external security breaches with appropriate technological safeguards. Only persons who are required to use the data stored in the register for work purposes have access to the register. User-specific user IDs and passwords are used to monitor the use of the register.
10. Right to object to the processing of personal data
Under the Personal Data Act, the data subject is entitled to access the data collected of them and object to the processing of their data and its disclosure for purposes of direct marketing and distance selling.
The data subject has the right to, on request, access and review the data collected of them. The data controller has the right to receive reasonable compensation to cover the direct costs of providing access to the data subject’s data if less than one (1) year has passed since the last time the data subject was given access to their data for review.
11. Google reCAPTCHA
To ensure sufficient data security, we use the reCAPTCHA service provided by Google Inc when filling out forms in certain instances.
The legal basis for using the service is the processing GDPR art. 6, due to the fact that processing is necessary for the purposes of the legitimate interest pursued by the controller. reCAPTCHA works to prevent risk of unwanted activities from bots. Its purpose is to protect websites from bot-driven abuse and fraud.
reCAPTCHA primarily serves to determine whether the submission is made by a natural person, or as a result of misuse in the form of mechanical and automated processing. For this purpose, reCAPTCHA analyses the behavior of the website visitor using various features. This analysis starts automatically as soon as the website visitor opens the website. reCAPTCHA evaluates various information for its analysis (for example IP address, device, and application data, time spent by the visitor on the website, and mouse movements by the user). The data recorded during the analysis are forwarded to Google and may also be shared with other third parties.
The service includes sending the IP address and any other data required by Google for the reCAPTCHA service to Google. The service is provided by Google Ireland and does not involve transfer of the data outside of the EEA.
The IP address transmitted from your browser in the reCAPTCHA process will not be conflated with other Google data, unless you are logged into your Google account when you use the “reCAPTCHA” plug-in. The service is subject to the separate privacy policies for Google Inc. More information about Google’s privacy policies can be found at http://www.google.de/intl/de/privacy or https://www.google.com/intl/de/policies/privacy/