Privacy Policy for Stockmann’s Customer Data

 

CONTROLLER

Stockmann plc
Aleksanterinkatu 52 B, FI-00101 Helsinki
Business ID: 0114162-2
Tel: +358 (0) 9 1211
E-mail: asiakaspalvelu@stockmann.com

 

CONTACT IN MATTERS CONCERNING THE DATA FILE

Customer Service Centre
E-mail: asiakaspalvelu@stockmann.com
Tel: +358 (0) 9 1211

 

WHAT DATA DO WE PROCESS?

We process the following personal customer data:

Basic information on customer

– name
– address
– date of birth
– personal identity number
– user and customer IDs
– gender
– language
– telephone number(s)
– e-mail address

 

Data associated with purchases made online and in stores

– Receipt data and data on use of the loyal customer card at Stockmann’s
– Data on accumulated purchases registered on loyal customer cards at Stockmann’s partners
– Data on orders, deliveries and returns
– The delivery and reception data from the survey sent following service or purchase and the customer’s responses

 

Data associated with the use of services

– Data on use and booking of services in the different online transaction channels, the mobile app and the stores
– Data associated with the use of services such as fashion services, interior services, gift services, tailor’s services, sewing services, fur storage services and cosmetics consultation services
– Data collected from the customer in order to provide services, including the measurements, sizes and colour preferences associated with the fashion consultant’s services
– Data associated with the Digital Skincare Advisor Service on the website, including the IP address and the information provided by the customer
– Depending on the services, the stored data may also include photographs
– Data related to online behaviour on the Stockmann website and online services, technical data and cookies sent to the user’s browser and associated data; you can read more about the use of cookies here.

 

Data associated with providing customer service

– Customer’s messages and their content, and data on request classification needed to provide services
– Recordings of phone calls to the customer service centre
– Data associated with customer feedback and replies to it
– Data associated with claims and damages, such as reason, sum and banking details
– The delivery and reception data from the survey sent following service or purchase and the customer’s responses.

 

Data associated with the customer loyalty programme

– Includes category data, data on accumulated purchases and the customer’s loyal customer card data
– In the case of parallel cards, data on parallel card numbers, categories and accumulated purchases are recorded with the principal card but not on individual purchases.

 

Data associated with marketing communications

– Marketing permissions by channel: e-mail, SMS, direct marketing prohibition
– Data from advance orders from the Crazy Days campaign catalogue, for example
– Data from sent messages and the opening and click data from electronic messages
– Data on mailed coupons and their use
– Data on event invitations sent and on participation
– Data on inclusion in a telemarketing campaign and on participation

 

Data associated with customer surveys

– Information on prohibition of reception of surveys
– Data associated with sending and receiving surveys and the customer’s responses.

 

Data on customer analyses and segments

– Data associated with loyal customers
– Data provided by the customer that individualises service and simplifies transactions, such as interests and birth year of minor children
– Customer segmentation data produced by Stockmann
– Data associated with the customer from external sources such as the Population Register Centre, including updates of name and address

 

Data associated with partners

– Data on the credit line of customers’ loyal customer cards
– Data on any Stockmann insurance (Chubb as partner)

 

Data associated with credit

– Customer name, address and contact details, line and sum data on purchases, returns, payment methods, credit history, any defaults and other reasons for denial of credit, payment behaviour data, bank details, data required for TUPAS authentication, billing data, service data, transaction and contact data, consents and prohibitions given by customer.

 

FOR WHAT PURPOSES IS PERSONAL DATA PROCESSED?

Personal data is processed for the following purposes:

Sales and provision of services in electronic channels and stores

– Targeting benefits correctly at time of sale with regard to loyal customers and online store product recommendations, for example
– Provision, development and monitoring of Stockmann’s services and providing customer services
– Developing Stockmann’s selection and services
– Managing customer relationships, including service communications, development of customer relationship and service individualisation
– Data associated with payments

Grounds for processing: implementation of agreements in the case of loyal customers, and legitimate interest in the case of other customers

 

Online store transactions, and reservations and orders

– Processing of orders, purchase transactions and returns
– Billing and credit
– Collection

Grounds for processing: implementation of agreements and statutory obligations

 

Processing of data associated with the customer loyalty programme

– Including registration of purchases, category calculation and mailing of loyal customer cards

Grounds for processing: implementation of agreements

 

Customer service

– Processing of customer feedback and service requests and replying to them (legitimate interest)
– Processing and replying to refund requests and claims for damages and paying them (statutory obligation)
– Recording phone calls to verify service transactions, ensure legal safeguards and safety, and to train customer service personnel (legitimate interest)

Grounds for processing: legitimate interest and statutory obligations

 

Customer communications and marketing

– Implementing customer communications and marketing
– Carrying out competitions and raffles
– Analysis and classification of customer database for targeted communications

Grounds for processing: in the case of loyal customers, implementing agreements, and in the case of other customers, legitimate interest; in the case of newsletters and SMS messages, customer consent

 

Customer surveys and analyses

– Targeting questionnaires following sales and services events, for example
– Gathering customer opinions and views for development purposes
– Customer data is also used in analyses, reporting and system development to improve Stockmann’s business operations

Grounds for processing: legitimate interest

 

Statutory obligations and administrative measures

– Accounting
– Crime prevention and investigation
– Drafting and defending legal claims and responding to them in criminal cases and cases concerning damages and in relation to consumer rights
– Seller’s liability for defects concerning consumer sales, product liability
– Recall of hazardous products

Grounds for processing: statutory obligation or protection of vital interests

 

DATA STORAGE PERIOD

Data storage periods have been planned so that processing is limited to data needed for the relevant purpose. Storage periods and their criteria are explained below.

When your data is processed on the basis of your consent, we will discontinue the processing immediately when you withdraw your consent. This applies to newsletter subscription data, which we will remove immediately when you notify us that you are cancelling the subscription.

Loyal customers’ data is generally stored as long as the loyal customer status exists. Customers’ purchase data is generally stored for five years. Data on attendance at events, including loyal customer events, will be stored no longer than five years after the event.

Data associated with purchases, returns and invoicing is processed as part of Stockmann’s accounting material for the period laid down in the Accounting Act, which is six years from the end of the calendar year during which the relevant financial period ends. Data associated with collection will be stored on average for four years after the conclusion of collection. Data needed to process feedback and claim matters or associated with legal claims will be stored as required by the processing of the case, which typically does not exceed five years. To protect vital interests, data associated with product recalls will be removed immediately after the conclusion of the recall as instructed by the authorities. Data on sending customer surveys, responding to surveys and the responses given by the customer will be stored in customer data for a maximum period of five years. Data associated with the Digital Skincare Advisor Service on the website will be removed when the customer leaves the website. Lists of participants in competitions and raffles will be removed when the winner is chosen in a competition and/or drawn in a raffle and the prize, if any, has been given to the winner. Customer service phone recordings will be stored for a maximum of one year. Data on data subjects’ exercise of their rights and related responses will be kept for one year as of responding to a request; responses to data inspection requests will be kept for three months as of sending the response.

 

RIGHT TO WITHDRAW YOUR CONSENT

When the processing of your personal data is based on your consent, you can at any time withdraw your consent. The processing of your personal data is based on your consent when you have permitted electronic direct marketing, for example. You can withdraw your consent by contacting our customer service or cancelling electronic direct marketing on our website.

You can consent to electronic direct marketing separately for each channel (messages to mobile phone, e-mail). You may prohibit direct marketing and customer surveys.

If you do not consent to electronic direct marketing and prohibit direct marketing via mail and telephone, we will only send you customer relationship messages needed to provide services ordered by or intended for you and needed to manage the customer relationship.

 

INFORMATION ON YOUR OTHER RIGHTS

You are entitled to request information on whether Stockmann is processing your personal data. If we are processing your information, you are entitled to a copy of the data we are processing. If we are not processing your information, you are entitled to a confirmation of this.

You are also entitled to rectify or supplement your personal data if it is inaccurate or incomplete.

You may have the right to have your personal data erased in certain cases referred to in the regulation. We will erase the data at your request provided that statutory grounds are met.
More information: see Additional information 1 below.

You are entitled to restrict the processing of your personal data. We will restrict processing on your request in cases that are referred to in law.
More information: see Additional information 2 below.

In certain circumstances you have the right to move your personal data in our possession to yourself or to another controller. This right concerns personal data that you have submitted to us and which we process with your consent or to perform a contract to which you are a party. This right only concerns data that is processed by automated means. Some of this data is stored on paper and is not subject to this right.

You are entitled to object to the processing of your personal data. We will discontinue processing your personal data on your request in cases that are referred to in law.
More information: see Additional information 3 below.

 

HOW TO EXERCISE YOUR RIGHTS

Should you want to exercise your rights described above, you can submit a request to the Customer Service Centre, the contact details of which can be found on the front page of this privacy policy.

If our response contains your personal data, we will send it either encrypted in electronic format or by registered letter, depending on the case. The letter cannot be signed for by anyone other than the person indicated as the recipient. This is to ensure the confidentiality of the data of the actual recipient.

 

INFORMATION ON RECIPIENTS OF PERSONAL DATA

Personal data is processed by employees of Stockmann or its partners whose duties require them to process such data. They are bound by a secrecy obligation.

Customer register data will not be disclosed to any party outside the Stockmann Group, except in cases described below, unless so required by law or in matters concerning acquisitions, restructuring or debt collection.

The holder of the principal card of a loyal customer account is entitled to view the final sums of purchases registered on parallel cards. The holder of the principal card is not entitled to product-level information on purchases registered on parallel cards. The holder of a parallel card is not entitled to information on purchases registered on the principal card or on other parallel cards of the same account.

 

Customer data may be disclosed to partners in the following situations:

– In the case of Stockmann MasterCard holders, Stockmann will disclose to the Nordea Group the customer’s contact information and data on their loyal customer category and validity.

– Customer data can be disclosed to providers of payment services such as banks, credit institutions and other payment service providers such as ePassi Payments Oy when necessary to provide a service.

– Data included in customer feedback may be disclosed to tenants operating in Stockmann’s department stores and real estate when the feedback concerns the tenant in question.

– When the customer purchases a gift card (for instance, for Haikko Manor, Royal Restaurants, Långvik or Naantali Spa) from a service desk in a department store, the customer’s data is registered in the gift voucher sales system (the service provider is PK Verkkotaito Oy), through which the data will be passed to the target company.

– The customer’s name and contact details and the information associated with a service order may be disclosed to the service company in conjunction with the servicing of an electrical appliance or other product. The service company is only entitled to use the data for providing repair service to the customer.

In order to offer services, Stockmann operates as the processor of personal data on behalf of many partners that operate as controllers. Such partners include the Finnish National Opera and Ballet, Posti, Lippupiste, Ticketmaster, Tiketti, Global Blue Finland, Premier e Tax Free Oy, Helsinki Regional Transport Authority, Tampere Regional Transport and Turku Region Traffic Föli.

In addition to Stockmann, customers’ personal data is processed by Stockmann’s service providers and partners on behalf of and in accordance with Stockmann’s instructions. These subcontractors include providers of IT services responsible for the technical maintenance of systems and partners that participate in the delivery process of Stockmann’s products and services. Stockmann’s partners include transport companies, suppliers of security services, tenants in the sales departments of the department stores, and online store and campaign suppliers who deliver products and services directly to customers. When personal data is processed on behalf of Stockmann, the partner is bound by a secrecy obligation imposed by Stockmann and the partner is not entitled to disclose the data to a third party or use it for any other purpose than to carry out an order from Stockmann.

The key recipients and/or processors of Stockmann’s personal data are:

– Partners, e.g. Finnair
– Chubb European Group Limited, Finnish branch; service provider for Stockmann insurance
– Collector Bank AB (one-time credit and billing services provider)
– Payment transaction handlers in stores and the online store; Nets Denmark A/S Finnish Branch and Verifone Finland Oy
– IT service providers, including Salesforce.com EMEA Limited, Oracle, Microsoft, Amazon Web Services Oy, Google LLC (Analytics) and Tech Mahindra Limited
– Providers of marketing services
– Providers of transport and postal services
– Fonecta Oy (updating of address data)

 

Whenever possible, Stockmann will process personal data primarily within the EU and the EEA. Personal data is considered to have been transmitted outside the EU and EEA in the provision of IT services when the personal data can be accessed from a country outside the EU or the EEA. For this kind of data transfer, an agreement is concluded with the service providers in compliance with the standard contractual clauses confirmed by the European Commission, or the receiving country has an adequate level of data protection in accordance with a decision of the European Commission, or the company processing the data has implemented Binding Corporate Rules, or there exist lawful grounds for transferring the data, such as the Privacy Shield framework between the EU and the United States. Servers containing customers’ personal data can be accessed from outside the EEA from the United States (Salesforce Marketing Cloud) and from India (Tech Mahindra). Oracle processes data globally.

Commission decisions concerning standard contractual clauses are available here.

Certain authorities also have a statutory right to receive data. Such authorities include the police, the customs authorities, the border control authorities and the tax administration.

 

RIGHT TO LODGE A COMPLAINT WITH A SUPERVISORY AUTHORITY

If in your opinion we are not processing your personal data in accordance with the EU’s General Data Protection Regulation, you are entitled to lodge a complaint with a supervisory authority in the EU Member State in which you have permanent residence or employment or where you consider the violation to have occurred. In Finland, complaints are lodged with the Data Protection Ombudsman.

 

Office of the Data Protection Ombudsman
Visiting address: Ratapihantie 9, 6th floor
FI-00520 Helsinki

Postal address: PO Box 800
FI-00521 Helsinki

Tel. (switchboard): +358 29 56 66700
Fax: +358 9 56 66735
E-mail: tietosuoja@om.fi

 

DATA THAT IS NECESSARY FOR SERVICES ASSOCIATED WITH THE CUSTOMER RELATIONSHIP 

In order to offer you loyal customer and delivery benefits and services, or benefits and services referred to in another agreement, we must process personal data that is necessary to implement the relevant agreements.

Necessary data associated with loyal customers are name, contact information, date of birth, gender, purchase data, transaction language and, when registering as a customer in the online store, telephone number and e-mail address. We need this data to be able to accumulate your purchases, to ensure that you stay abreast of the benefits that you are entitled to and of the changes to the loyal customer programme, and to adapt our selection for our customers. You can read the terms and conditions of the loyal customer programme here.

To deliver orders made in the online store, we need the customer’s name, address, telephone number, date of birth and data on the payment transaction.

If you want to have your loyal customer data in your Stockmann mobile app, you must enter your loyal customer number in the application.

To offer Stockmann’s services, including the fashion, interior, gift, tailoring and sewing services and cosmetics consultation, we need your contact information and the information required by each service, such as measurements and gift wishes.

Consent to electronic marketing is not necessary data but without it we cannot send you the newsletter that is part of electronic direct marketing.

Stockmann is entitled to interrupt the provision of services or offering of products, or to prevent access to services, for customers who do not provide information essential to a service or who demand its erasure.

 

INFORMATION ON AUTOMATED DECISION-MAKING AND PROFILING

Profiling means the processing of personal data where the data is used to evaluate some of your personal aspects. We profile customers to target marketing and invitations to events. In our opinion the profiling conducted by Stockmann does not have the legal effects referred to in the regulation or other material effects on the target of the profiling.

In addition, we profile online store customers who prefer to pay by invoice or using commodity-specific one-time credit. Such profiling constitutes assessment of the credit applicant’s creditworthiness as required by law and necessary under law for the purpose of an agreement between the credit applicant and provider or for its implementation. In such an event the controller must take action warranted to protect the rights and freedoms and legitimate interests of the data subject; at minimum, this applies to the right to demand that the data is processed by a natural person on behalf of the controller and to express an opinion and to dispute a decision.

Stockmann’s partner and service provider in invoicing and installment payment services is Collector Bank AB in the Stockmann.com web store, and Collector Payments Finland Oy in the Crazy Days (Hullut Päivät) web store. Collector Bank AB and Collector Payments Finland Oy are independent data controllers and consumer creditors for customers who choose to pay by invoice or by installments on Stockmann.com and Crazydays.com.

As a data subject you are entitled to object to profiling that is based on the controller’s legitimate interest on the grounds of a particular personal reason. You can also at any time object to profiling that is carried out to target direct marketing.

 

YOUR DATA IS NOT USED FOR OTHER PURPOSES WITHOUT YOUR KNOWLEDGE

We will not use your data for other purposes than those declared in this document. Should new uses later emerge that are compatible with the uses for which the data was originally collected, we will inform you of the new uses and associated legal grounds for processing. If needed, we will request your consent to process your personal data for new purposes.

 

DATA OBTAINED FROM SOURCES OTHER THAN YOU

We update address and change of name data and prohibitions of addressed direct marketing (Posti-Robinson) based on data from our partners such as the Population Register Centre if the data subject has not prohibited the disclosure of the data.

Data on loyal customers’ accumulated purchases is collected from the following sources: Nordea provides data on the total sum of purchases registered on Stockmann MasterCards outside of Stockmann; the insurance company Chubb provides information on Stockmann insurance taken out by the customer and on the amount of paid insurance premiums.

If you register your loyal customer card when you make purchases, Stockmann’s partners will provide Stockmann with data on the purchase (date, sum and place of purchase).

In addition, we collect data from the following sources: Suomen Asiakastieto Oy credit data register; feedback systems of shopping centres and feedback received by partners and tenants insofar as they concern Stockmann; data from Lindorff Oy on the termination of collection in the case of invoices that Lindorff has been assigned to collect.

 

EFFECTS OF THE PROCESSING OF PERSONAL DATA

Stockmann is committed to protecting its customers’ privacy and ensuring safe processing of personal data in accordance with the requirements of the EU’s General Data Protection Regulation and other applicable laws.

We protect our business locations, IT systems and the data on the users of the services we provide with appropriate technical and administrative information security solutions and we develop our protection methods continuously. User and access rights related to the processing of personal data are personal and their scope is determined on the basis of the user’s job duties.

We develop our personnel’s competence in matters related to data protection. We also strive to make sure that the personnel of our partners understand the importance of confidentiality and safety when processing personal data.

We monitor transactions involving processing of personal data, react to any deviations detected and strive to prevent any damage caused by such deviations. If, despite all our protection efforts, your personal data falls into the wrong hands, it is possible that, as with other services involving the processing of personal data, a third party may misuse your personal data. We will inform the appropriate authorities and the data subjects of any data protection breaches in the manner required by law.

We assess data protection risks regularly as part of Stockmann’s risk management process.

 

DATA PROTECTION OFFICER

In matters concerning the processing of personal data or the exercising of rights based on the EU’s General Data Protection Regulation in relation to Stockmann’s functions, please contact Stockmann’s data protection officer. You can contact the data protection officer by e-mail at tietosuoja@stockmann.com or by telephone by calling +358 (0)9 1211 and asking for the data protection officer. The call charge will be based on the standard local network charge/mobile call charge.

 

Additional information 1

  • In accordance with the regulation you are entitled to have your personal data erased from our system, if
    1. the personal data is no longer needed for the purposes for which it was collected or otherwise processed, or
    2. you have withdrawn your consent on which the processing is based and there is no other legal basis for the processing, or
    3. you object, referring to personal reasons, to processing that is necessary for implementing the legitimate interests of the controller or a third party, such as profiling;
      1. In this case the controller may no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or if it is necessary for the establishment, exercise or defence of a legal claim.
    4. the personal data has been processed unlawfully;
    5. the personal data has to be erased to meet a statutory obligation arising from EU or Member State law to which the controller is subject;
    6. the personal data has been collected from a child in relation to the offer of information society services.


Additional information 2

  • You can restrict the processing of your personal data if
    1. you contest the accuracy of your personal data, in which case the processing is restricted for the period during which we are able to verify the accuracy of the personal data;
    2. the processing is unlawful and you oppose the erasure of your personal data and request the restriction of its use instead;
    3. as the controller we no longer need the personal data for the purposes of the processing, but you need it for the establishment, exercise or defence of a legal claim;
    4. you have objected on grounds relating to personal reasons, to processing that is necessary for either the performance of a task concerning the public interest or in the exercise of official authority vested in the controller or in implementing the legitimate interests of the controller or a third party pending the verification whether the legitimate grounds of the controller override your legitimate grounds.
  • If the processing of your personal data is restricted, the personal data shall, with the exception of storage, only be processed with your consent; or to establish, exercise or defend a legal claim; or protect the rights of another natural or legal person; or for reasons of important public interest of the EU or of a Member State.


Additional information 3

  • You can object to the processing of your personal data
    1. that is necessary for implementing the legitimate interest of the controller or a third party, such as profiling, referring to personal reasons;
      1. In this case the controller may no longer process the personal data unless the controller can demonstrate compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or if it is necessary for the establishment, exercise or defence of a legal claim.
    2. at any time if your personal data are processed for direct marketing purposes, which includes profiling to the extent that it is related to such direct marketing.