Privacy Policy for Stockmann’s PR Mailing List and Stakeholders

CONTROLLER

Stockmann plc
Aleksanterinkatu 52 B, FI-00101 Helsinki
Business ID: 0114162-2
Tel: +358 (0) 9 1211
E-mail: asiakaspalvelu@stockmann.com

 

CONTACT IN MATTERS CONCERNING THE DATA FILE

Matters concerning the PR mailing list

E-mail: pr@stockmann.com
Tel: +358 (0) 9 1211

Matters concerning partners and stakeholder communications

E-mail: asiakaspalvelu@stockmann.com
Tel: +358 (0) 9 1211

 

WHAT DATA DO WE PROCESS?

Members of the PR mailing list

Name; contact details; job title and organisation; in the case of a partnership or an entrepreneur, the contact details of the partnership or the entrepreneur’s company; the details of a blog or personal website; description of the field of work; information on the person’s press card; areas of interest.

Representatives of the stakeholders

Name; contact details; job title and organisation; in the case of a partnership or an entrepreneur, the contact details of the partnership or the entrepreneur’s company.

Representatives of goods/services suppliers

Name; contact details; job title and organisation; in the case of a partnership or an entrepreneur, the contact details of the partnership or the entrepreneur’s company.

 

FOR WHAT PURPOSES IS PERSONAL DATA PROCESSED

Personal data is processed for the following purposes:

Communications with members of the PR mailing list

– Communication with members
– Informing about events and products, such as the sending of invitations to events
– Informing about partnership offers
– Planning of the arrangements for events

Interaction with stakeholders and communication with contractual partners

– Communication with contractual partners and potential contractual partners
– Interaction and communication with stakeholders
– Planning of measures related to Stockmann’s social responsibility and monitoring of their implementation

Data is processed on grounds of legitimate interest (incl. communication with partners and stakeholders, membership of the PR mailing list) and for the purpose of the performance of a contract (incl. communication with contractual partners).

Data may also be processed on grounds of consent if a partner or its representative is sent electronic direct marketing messages.

The groups of data subjects consist of the representatives of the partners and potential partners, the representatives of the goods suppliers/service providers, and persons who are stakeholders. Stockmann’s stakeholders consist of its customers, personnel, shareholders and investors, goods suppliers and service providers, the authorities and various organisations.

 

DURATION OF DATA PROCESSING

A member of the PR mailing list has the right to request that his or her membership be cancelled at any time.

Data on invitations to events and cooperation offers sent are stored for a maximum of 5 years after a message is sent.

Data processed in the course of interaction with stakeholders is erased no later than 5 years after a survey or similar poll is conducted.

Data processed on grounds of consent is erased when the consent is withdrawn.

Data based on a contractual relationship is processed, as a general rule, during the validity of the contractual relationship. For the purpose of fulfilling statutory obligations (e.g. the Accounting Act) and due to periods of statutory limitations, data may also be processed after the contractual relationship has ended.

 

RIGHT TO WITHDRAW CONSENT

When the processing of personal data is based on consent, the data subject may at any time withdraw his or her consent. The processing of personal data is based on consent when the data subject has permitted electronic direct marketing, for example. Consent may be withdrawn by contacting customer service (asiakaspalvelu@stockmann.com) or Stockmann’s PR marketing communications (pr@stockmann.com).

 

INFORMATION ON THE RIGHTS OF THE DATA SUBJECT

You are entitled to request information on whether Stockmann is processing your personal data. If we are processing your information, you are entitled to a copy of the data we are processing. If we are not processing your information, you are entitled to receive confirmation on this.

You are also entitled to rectify or supplement your personal data if it is inaccurate or incomplete.

You may be entitled to have your personal data erased in certain cases referred to in personal data legislation. We will erase the data at your request provided that statutory grounds are met.

If you think your personal data processed by us is incorrect, processed unlawfully, or you have objected to the processing of your data, you may request us to restrict the processing of your personal data. In this case, we may only process your personal data upon your consent if we need the data for establishing, exercising or defending legal claims, or if the processing is necessary for protecting another person’s rights.

In certain circumstances, you have the right to receive your personal data in our possession or to transmit it to another controller. This right concerns personal data that you have submitted to us and which we process with your consent or to perform a contract to which you are a party. This right only concerns data that is processed by automated means.

You have the right to object to the processing of your personal data on grounds of special circumstances pertaining to you.  We will cease the processing of your personal data upon your request in cases that are referred to in legislation.

 

HOW TO EXERCISE YOUR RIGHTS

Should you want to exercise your rights described above, you may submit a request to the address stated on the front page of this privacy policy. In addition, we recommend the following ways of contact.

– You may cancel your membership in the PR mailing list through the link at the bottom of each message you receive from the list.
– You may request the erasure of your personal data related to the PR mailing list by contacting pr@stockmann.com.

If our response contains your personal data, we will either send it encrypted in electronic format or by registered letter, depending on the case. The letter cannot be signed for by anyone other than the person indicated as the recipient. This is to ensure the confidentiality of the data of the actual recipient.

 

INFORMATION ON RECIPIENTS OF PERSONAL DATA

Personal data is processed by employees of Stockmann or its partners whose duties require them to process such data. They are bound by a secrecy obligation.

Personal data will not be disclosed to any party outside the Stockmann Group, except in cases described below, unless so required by law or in matters concerning corporate acquisitions or restructuring.

In addition to Stockmann, Stockmann’s service providers and partners process personal data on behalf of Stockmann and in accordance with Stockmann’s instructions. These subcontractors include providers of IT services responsible, for example, for the technical maintenance of systems.. When personal data is processed on behalf of Stockmann, the partner is bound by a secrecy obligation imposed by Stockmann and the partner is generally not entitled to disclose the data to a third party or use it for any purpose other than to carry out an assignment from Stockmann.

The key recipients and/or processors of the personal data of Stockmann’s partners and stakeholders are:

– Tech Mahindra Limited
– com EMEA Limited
– Companies participating in the conducting of surveys and polls

Whenever possible, Stockmann will process personal data primarily within the EU and the EEA. Personal data is considered to have been transmitted outside the EU and EEA in the provision of IT services when the personal data can be accessed from a country outside the EU or the EEA. For this kind of data transfer, an agreement is concluded with the service providers in compliance with the standard contractual clauses confirmed by the European Commission, or the receiving country has an adequate level of data protection in accordance with a decision of the European Commission, or the company processing the data has implemented Binding Corporate Rules, or there exist lawful grounds for transferring the data, such as the Privacy Shield framework between the EU and the United States. Servers containing personal data can be accessed from outside the EEA from the United States (Salesforce Marketing Cloud) and from India (Tech Mahindra). The Commission’s decisions concerning standard contractual clauses can be found here: https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_fi.

Certain authorities also have a statutory right to receive data. Such authorities include the police, the customs authorities, the border control authorities and the tax administration.

 

RIGHT TO FILE A COMPLAINT WITH A SUPERVISORY AUTHORITY

If you believe we are not processing your personal data in accordance with the EU’s General Data Protection Regulation, you are entitled to file a complaint with a supervisory authority in the EU Member State in which you have permanent residence or employment or where you consider the violation to have occurred. In Finland, complaints are filed with the Data Protection Ombudsman: Office of the Data Protection Ombudsman, PO Box 800, FI-00521 Helsinki, tel. (switchboard): +358 29 56 66700, e-mail: tietosuoja@om.fi.

 

PROFILING

We profile our partners and the representatives of our stakeholders for the purpose of targeting surveys and invitations to events, among other things. Profiling is not based on automated decision making. In our opinion the profiling conducted by Stockmann does not have the legal effects referred to in the regulation or other material effects on the target of the profiling.

As a data subject you are entitled to object to profiling that is based on the controller’s legitimate interest on the grounds of a particular personal reason. You can also at any time object to profiling that is carried out to target direct marketing.

 

WHAT SOURCES IS DATA COLLECTED FROM

Personal data is primarily collected from the data subjects themselves, for example, at events, meetings or seminars, or through blogs or websites using requests for contact.

Personal data is also collected in connection with contract negotiations and notifications by our partner organisations.

Data on stakeholders is obtained from Stockmann’s shareholder register and employee register, as well as from requests for contact, through partners and from data sources where companies and persons have made their data accessible for purposes related to their profession or field of business.

 

EFFECTS OF THE PROCESSING OF PERSONAL DATA

Stockmann is committed to ensuring safe processing of personal data in accordance with the requirements of the EU’s General Data Protection Regulation and other applicable laws.

We protect our business locations, IT systems and the data on the users of the services provided by us with appropriate technical and administrative information security solutions and we develop our protection methods continuously. User and access rights related to the processing of personal data are personal and their scope is determined on the basis of the user’s job duties.

We develop our personnel’s competence in matters related to data protection. We also strive to make sure that the personnel of our partners understand the importance of confidentiality and safety when processing personal data.

We monitor transactions involving processing of personal data, react to deviations detected and strive to prevent any damage caused by such deviations. If, despite all our protection efforts, your personal data falls into the wrong hands, it is possible that, as with other services involving the processing of personal data, a third party may misuse your personal data. We will inform the appropriate authorities and the data subjects of data protection breaches in the manner required by law.

We assess data protection risks regularly as part of Stockmann’s risk management process.

 

DATA PROTECTION OFFICER

In matters concerning the processing of personal data or the exercising of rights based on the EU’s General Data Protection Regulation in relation to Stockmann’s functions, please contact Stockmann’s data protection officer. You may contact the data protection officer by e-mail at tietosuoja@stockmann.com or telephone by calling +358 (0)9 1211 and asking for the data protection officer. The call charge will be based on the standard local network charge/mobile call charge.