Description for Fazer Web Services’ User Data File

File description in accordance with Section 10 of the Personal Data Act (523/99)

1. Controller, representative of Controller and contact information

Name: Oy Karl Fazer Ab
Contact information: visiting address: Fazerintie 6, 01230 Vantaa; post address: PL 4, 00941 HELSINKI

Representative for Controller: Sanna Vanhatalo
Tel. +358 20 555 3000

2. Name on the data file

Fazer web services’ user data file

Founded: 30 January 2017              

3. Purpose of processing personal data

Data in the data file may be used for

  • identification of the customer or participant and creating customer relation or other contractual relation
  • realisation of service, maintaining and developing customer relationship
  • provision, realisation and maintenance of Fazer’s electronic services
  • Fazer’s product and service marketing
  • development of customer service and business
  • analytical and statistical purposes
  • correspondence between the service provider and user, and
  • other similar purposes.

Personal data may be processed by entities within the same group of companies with the controller when doing so is permitted by the Personal Data Act and other laws.

Personal data may be used for direct marketing where the user has given their explicit consent thereto or where direct marketing is otherwise permitted by law.

When permitted by law, personal data may be used for profiling where the user has given their explicit consent.

4. Contents of the data file

The register may contain, for example, the following information:

  • first name and last name
  • contact information, such as email address, address and phone number
  • age or place of birth
  • underaged user’s guardian’s name and contact information
  • email address and other possible sign in or registration information, such as pseudonym or other identification information
  • information about customer relationship, such as invoicing information, product and order information, customer feedback and customer support communications, the name of the company or organisation represented by the user, the contact information of the company or organisation, the user’s title in the company or the organisation
  • possible permissions and consent
  • information on the user’s refusal to allow the marketer to use their contact information for direct marketing purposes
  • information relating to enabling communication and information relating to the use of services
  • other profiling or interesting information possibly provided by the user, and
  • other possible information collected at the user’s consent.

The register might differ between customers and users based on what and how services are used.

5. Regular sources of data

User data is regularly obtained from the customer or user when they disclose their information with the controller in conjunction with enrolling in a customer event or campaign or competition or while using services provided by the controller.

Personal data may be updated from the other data files of the entities within the same group of companies with the controller.

The visitor amounts of web pages and other anonymous information are followed through analytics, cookies and other technical tools.

6. Regular transfers of data and transfer of data outside the EU or EEA

Personal data may be transferred to entities within the same group of companies with the controller.

Personal data can be transferred for direct advertising, remote sales or other direct marketing and opinion and marketing study purposes where the user has given their explicit consent.

Third parties may be used in processing personal data wherein personal data may be assigned for processing on behalf of the controller. Other processing of personal data requires the consent of the data subject or is based on a specific provision of law.

Data can be transferred outside the European Union or the European Economic Area (EEA) if it is necessary in realising the required services for the user, or if it is otherwise necessary based on the Personal Data Act Section 23 (2–5). In addition, the data can be transferred to the United States to the controller’s service provider. The controller’s service provider will carry out the necessary data protection level demanded by the law and Privacy Shield framework.

7. Principles of protection of the data file

Only designated employees having authorisation to process user or customer data due to their work duties are entitled to use the system containing user data. Each user has a personal user name and password to the system.

Data is collected to databases protected with firewalls, passwords, and with other technical measures. Databases and their backup files are located in locked premises and the data is accessible only to designated persons. Servers are strongly protected.

8. Inspection right

According to Section 26 of the Personal Data Act, the user of a service shall have a right to inspect what personal data has been collected in the data file, or that no data has been stored.

Request for inspection may be presented as follows:

  • Written and signed request for inspection is sent to the representative of the controller to the address indicated in section 1 or sent by email to the representative of the collector.
  • Request for inspection is presented in person at the address indicated in Section 1.

If there are errors in the data stored in the data file, the registered person may present a request for correction to the person in charge of data file matters indicated
in Section 1.

9. Denial right

The registered person shall have right to deny the collector from processing personal data for the purpose of direct marketing, online selling and other personalised marketing and market research and surveys, as well as for public registers and genealogical research. In matters relating to such denial, we ask that the representative indicated in section 1 is contacted.