PERSONAL DATA FILE DESCRIPTION

Creation date 25/05/2018

  1. Controller

Owner of the filing system
Superoperator Oy (2269329-0)
Tikkurikuja 1, 00750 Helsinki
+358 040 621 3236

  1. Contact person for register-related matters

Riku Uotinen
riku.uotinen@superoperator.com
+358408641354

  1. The name of the filing system

Superoperator Oy customer register

  1. Purpose and basis of the processing of personal data

The processing of personal data is primarily based on a service use
agreement.

Personal data are collected, processed and used for managing customer relationships, communications with customers and processing purchase
agreements. Where personal data are processed to a greater extent than otherwise required by the agreement, the processing is based on the legitimate interest of the data controller in managing and developing customer relationships and advising its customers, as well as future customers preparing the agreement.

Based on a legitimate interest, data may be also used

  • for statistical and business development purposes;
  • for marketing activities; and
  • for profiling purposes. The data can be broken down by type of customer relationship (private and corporate customers) and by car wash location.

We can transfer personal data to other Superoperator group companies and service providers outside the group companies. These entities, acting as data controllers, process personal data on behalf of Superoperator CZ s.r.o and Superoperator Oy in accordance with and within the limits of data protection law.

  1. Data contained in the register

The following information of the data subject can be stored:

name, e-mail address, telephone number, type of customer relationship, any types of agreement and related information, registration numbers of the vehicles used in the service, purchases, vehicle washes and payment method.
Service use logs to be stored and automatic identifications of the registration numbers of the vehicles linked to the customer relationship. Identifications of the registration numbers of the vehicles not linked to the service are not stored.

In addition, billing addresses of billed customers.

  1. Retention time of personal data

The data controller retains the personal data for the duration of the customer relationship and for six years after it ends. The customer’s information can be deleted at the customer’s request when the customer terminates the service agreement, while any payment details will be stored for accounting purposes.

  1. Regular sources of information

Data subjects themselves and data generated through the use of the service by data subjects.

  1. Regular disclosure of data and categories of data recipients

We may disclose personal data to the competent authorities if there is a legal obligation to do so.

If the customer uses so-called manual car care services that require calendar booking, the following customer information is disclosed to the booking system for calendar booking: customer’s name, e-mail address, telephone number, registration number of the car and service purchased. The booking system is implemented and offered by Hakema Solutions Oy ( http://www.hakema.net)

If the customer adds the information of his/her payment card to the service, the following data will be sent to a payment operator (see section 9 for more details about payment operators): customer’s name, e-mail and payment card information (number, expiration date, security code). The data is sent using the payment operator’s own technical means that meet the highest security standards. The payment card information is stored in the payment operator’s register and not in Superoperator Oy’s customer register.

  1. Data transfer outside the EU or the EEA

Personal data can be transferred outside the European Union or the European Economic Area in accordance with and within the limits of data protection
law.

If the customer adds the payment card information, these data will be transferred to the United States, outside the EU. This guarantees that the payment card and payment information is processed in accordance with the best certified security practices in the industry. The data are transferred under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. The customer adds the payment card information from a mobile application, and the payment card information is sent SSL-encrypted to the payment operator directly from the (IOS or Android) mobile device using the payment operator’s own technical means without passing through Superoperator Oy’s systems. Furthermore, the payment card information is not stored in Superoperator Oy’s system.

The payment operator Stripe’s services in Europe are offered by Stripe’s subsidiary Stripe Payments Europe Limited (‘Stripe Payments Europe’), a company based in Ireland. In order to perform the service, Stripe Payments Europe discloses the user’s payment information to Stripe, Inc. in the United States. In order to guarantee the secure processing of personal data and the legality of data transfer, Stripe is certified under the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework.
Stripe’s privacy statement can be found here. Stripe’s Privacy Shield certificate is here. Stripe is certified to the highest level, or Level 1, of The Payment Card Industry Data Security Standard (PCI DSS). The service implemented by Stripe and Superoperator complies with the EU’s new Payment Services Directive (PSD2).

The payment operator Braintree’s services in Europe are offered by PayPal’s subsidiary, a Luxemburg-based company named PayPal (Europe) S.à.r.l. et Cie, S.C.A. In order to perform the service, PayPal processes payment data by servers located in the United States. Braintree’s privacy statement can be found here. Braintree is certified to the highest level, or Level 1, of the Payment Card Industry Data Security Standard (PCI DSS). The service implemented by Stripe and Superoperator complies with the EU’s new Payment Services Directive (PSD2).

  1. Principles of register protection

Manual material

Any manual material is stored in locked facilities that are only accessible by specifically authorised persons.

Electronically processed data

The information provided is protected in the network: the connection is SSL-protected. Register protection: The register is located in the EU area on a SSL-protected server. The register may be accessed only by those working for the data controller and by other specified persons who need the data to perform their duties. They can use an encrypted VPN connection, user names and passwords. The data is protected by firewall and anti-malware technology.

The aim of the above measures is to ensure the confidentiality of personal data, the availability and integrity of data and the fulfilment of the rights of data subjects.

  1. Automated decision-making

Personal data are not used for automated decision making that would have legal or similar effects on data subjects.

  1. Right of the data subject to object to processing of personal data

The data subject has the right, based on his/her particular situation, to object to those profiling and other processing measures concerning him/her that the data controller directs at the personal data of the data subject to the extent that the processing of the data is based on the legitimate interest of the data controller.

The data subject may make a claim regarding the objection in accordance with section 15 of this privacy statement. In connection with the claim, the data subject must specify the particular situation based on which he/she objects to the processing. The data controller may refuse to fulfil the request regarding the objection on grounds stipulated by law.

  1. Right of the data subject to object to direct marketing

The data subject may give or refuse consent to channel-specific direct marketing from the Controller, including profiling used in direct marketing.

  1. Other data subject’s rights related to the processing of personal data


Right of access by the data subject (right to inspect)

The data subject has the right to inspect what data related to him/her is stored in the register. The inspection request must be made in accordance with the instructions in this privacy statement. The right to inspect may be denied on grounds stipulated by law. The exercise of the right to inspect is normally free of charge.

Right of the data subject to request rectification or erasure of data or restriction of processing

Where the data subject may act on his/her own, he/she, on being informed or becoming aware of the error, shall without undue delay rectify, erase or supplement data in the register that are contrary to the purpose of the register, incorrect, unnecessary, insufficient or outdated.

Where the data subject is unable to rectify the data on his/her own, a request for rectification shall be made in accordance with section 15 of this privacy statement.

The data subject is also entitled to request that the data controller restrict the processing of the personal data, for example in a situation in which the data subject is waiting for the data controller’s response to his/her request to rectify or erase the data.

Data subject’s right to data portability

To the extent that the data subject himself/herself has submitted data to the register, which are processed based on his/her consent or in order to execute an agreement to which the data subject is a party, the data subject has the right to obtain such data in a commonly used and machine-readable format and transmit such data to another data controller.

Right to lodge a complaint with the supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the data controller has not complied in its operations with applicable data protection regulation.

  1. Other rights

If personal data are processed on the basis of the data subject’s consent, the data subject has the right to withdraw his/her consent by notifying the data controller in accordance with section 5 of this privacy statement.

  1. Contacts

The data subject should contact the data controller on all matters relating to personal data processing and on situations involving rights of the data subject. The data subject may exercise his/her rights by telephone, e-mail or at the data controller’s address.