Personal Data Act (523/99), Section 10 and 24
1. Register controller
Name (Business ID): City of Rauma (0138780-9)
Address: Kanalinranta 3, FI-26100 Rauma
Telephone: +358 (0) 283 411
2. Contact person in matters concerning the register
Name: Tarja Helminen
Address: City of Rauma/talousohjaus, Kanalinranta 3, FI-26100 Rauma
Telephone: +358 (0) 283 411
3. Name of the register
Ceepos online shop
4. The purpose of processing personal data
Personal data is collected for the following purposes: order delivery, payment allocation, identification of customers and/or persons specified by them, verification of customers’ transaction history and access rights, and reporting and marketing.
Information on the users of the software is collected to determine user rights and to monitor the use of the software. The software generates logs that contain personal data for the purposes of storing data on access and use, and for problem resolution.
5. Data content of the register
Personal data that may be stored in the registers include the following:
General customer register: customer number, first name, last name, street address, city, telephone number, e-mail address, order history, username and direct marketing permission.
Order register: contact information, ordered products.
Customer cards/identifiers: card number and PIN code.
Enrollments: enrollee’s name, contact information, health (allergies and other limitations), guardian’s information.
Mailing lists: e-mail address.
Personal data will be stored in the registers until manually removed. Order information will be stored until manual or timed removal. Electronic receipt histories will be stored until manually removed, but for at least six years.
6. Regular sources of data
External systems that transmit payment transactions through interfaces and that are integrated into the online shop. The primary source of information are online store customers making orders, registrations and online payments.
7. Regular disclosure of data
Personal data will not be disclosed to external parties. Personal data can be transferred to the controller’s other systems, such as the cash management system, accounting, invoicing and access control. Depending on the payment service provider, the customer’s contact information is transferred to the payment system to facilitate problem resolution and the processing of refunds.
8. Transfer of data outside of the EU or EEA
Personal data will not be transferred outside the EU or EEA.
9. Principles of data protection
The administration and maintenance functionalities of the software are protected by usernames and passwords as well as group-specific user rights. The information in the database is protected by usernames and passwords, and the processing of data is restricted to the online shop system only. The information stored on drives is protected by operating system level access rights. All data traffic between the system supplier’s systems and the online shop and payment service provider is SSL-secured.
Only the server and system suppliers are permitted to establish a maintenance connection to the online shop server. The software supplier has full access to view and delete any collected data.
10. Approval for processing personal data
Making purchases in and payments to the online shop is regarded as approval for processing personal data, which means that consumers are not required to provide separate approval to use the system. In cases where personal data is received from an external system, the approval for processing the data is handled outside the online shop system.
11. Right to inspect
Data subjects have the right to inspect any data concerning them that is stored in the register and to receive copies of this data. The inspection request must be issued electronically or in writing and addressed to the contact person for the register.
12. Right to request the correction of data
Data subjects have the right to request the correction or erasure of any inaccurate data that the register may contain about them. The requests must be sent either electronically or in writing to the contact person for the register.
13. Other rights related to the processing of personal data
Data subjects have the right to prohibit the register controller from processing any personal data about them for the purposes of direct advertising, distance selling, other direct marketing, market research and opinion polls.