Ab LL International Oy
Vattuniemenkuja 4 E
Business ID: FI17900208
2. Contact person for the filing system
Salla Niskanen, Data Protection Officer
3. Names of the filing systems
- The company’s customer filing system
- The company’s marketing filing system
- The company’s surveillance camera recording filing system
4. Legal basis and purpose of processing personal data
The customer filing system is used to manage customer relationships, to implement the rights and obligations of the customer and the controller, as well as for marketing and statistics. The marketing filing system is used for marketing the company’s products and services to people who are not the company’s customers but who have given the controller their consent to use their personal data for marketing communications.
Providing personal data, which will be stored in our customer filing system, is the prerequisite for entering into a contract with us and we cannot make such a contract without this data. As regards the management of customer relationships, the basis for our data processing is the implementation of the contract between our customer and ourselves and, as regards marketing based on our customer filing system, it is the customer’s consent.
The processing of data in our marketing filing system is based on the data subject’s consent.
As regards the customer and marketing filing systems, the customer has the right to object to the use of their personal data for direct marketing.
The personal data contained in our customer and marketing filing systems may also be used for developing and targeting our services.
The company’s surveillance camera recording filing system is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (EU General Data Protection Regulation, point (f) of Article 6(1)). The legitimate interest of the controller or the third party may be legal, financial or intangible. There are compelling legitimate grounds for camera surveillance, e.g. for the establishment, exercise or defence of legal claims (EU General Data Protection Regulation, Article 21(1)). Among other things, the monitoring of the sports centre’s entrances is necessary when there is no personnel present. The personal data contained in our surveillance camera recording filing system shall not be used for developing and targeting our services.
All personal data is processed in all situations strictly according to the valid legislation. The data is not used for automated decision-making or profiling without the customer’s specific consent.
Our operations are directed by national and EU-wide legislation:
- EU General Data Protection Regulation (GDPR) starting from 25 May 2018
- Criminal Code 39/1889
- Accounting Act 1336/1997
5. Recipients of personal data
When you log in to the controller’s system, the personal data you have provided for the customer filing system is received by the controller.
Your personal data, which is in our customer filing system, may also be used by sports centres which have entered into a cooperation agreement with the controller and which follow the controller’s principles of conduct in this cooperation. The controller and these operators have entered into contracts on the processing of personal data which comply with the GDPR, and the operators have committed themselves to follow the controller’s instructions on the processing of personal data and in all matters relating to data protection.
6. Data content of the filing system
Customer filing system
Our customer filing system contains the following data:
- Personal details (name, identification number, address, phone number, email address, possible photo taken when purchasing a membership)
- Services bought and/or ordered by the customer
- Payment ledger
- Training visits
Marketing filing system
Our marketing filing system contains the above-mentioned personal data, excluding the identification number, and we also request at least some of the following identifiers:
- age or year of birth
- first language
Surveillance camera recording filing system
The sports centre is equipped with electronic surveillance. Video material collected by the surveillance cameras is recorded into the company’s surveillance camera recording filing system.
All the data in the filing system is confidential.
7. Maintenance systems for the filing system
Customer filing system
- DL Prime
- DL Business Intelligence
Marketing filing system
- DL Prime CRM
- Sports centre-specific customer relationship management system
8. Regular sources of information
Customer filing system
We obtain the personal data from the customer when they enter into a contract with us or with one of our partners.
We obtain the personal data from the sports centre’s passage control system.
Marketing filing system
A person provides us with their personal data, for example, when participating in one of our competitions, events, raffles or a corresponding interaction. In addition, we may collect and update personal data from our customer filing system.
Surveillance Camera Recording Filing System
Storage for video material collected by surveillance cameras. The location of surveillance cameras is marked by signs.
9. Duration of personal data storage
Additionally, the personal data in the customer filing system is stored for as long as required by the Accounting Act or any other legislation concerning customer relationships. The customer filing system's visitor data is anonymised 5 years after the contract of service has ended.
Personal data in the marketing filing system is stored for a maximum of 12 months from the data subject's consent, unless the data subject renews their consent or enters into a customer contract with us before that. The data subject’s personal data is erased immediately after the data subject has withdrawn their consent for receiving marketing messages.
Electronic surveillance recordings will be stored in a relevant manner and as required by privacy protection and data security and limited to what is necessary in relation to the purposes for which they are processed (EU General Data Protection Regulation, point (c) of Article 5(1)). We shall store surveillance camera recordings for the duration of four weeks, after which the recordings shall be permanently deleted from the servers. The storage of recordings secures the investigation of the events and damages of property crimes and other possible crimes.
10. Regular data disclosure and transfer of data outside the EU or EEA
We never disclose data in the customer filing system to third parties for marketing purposes.
We may use service providers for the processing of the personal data in the customer filing system. In such cases, access to the personal data is only provided to persons authorised to process the data. With such service providers we have made a contract that complies with the provisions of the GDPR.
In processing the data in the marketing filing system, we may use external service providers. The controller is responsible for making sure that that the service provider processes the personal data in the way required by data protection legislation and only in order to offer the specifically agreed-upon services to the Controller. With such service providers we have made a contract that complies with the provisions of the GDPR.
The controller does not disclose the personal data provided by data subjects to outsiders, except carefully selected service providers. However, the controller has the obligation to disclose data when required by law or government regulation.
The data contained in our filing systems can only be disclosed if it has been separately agreed upon with the data subject.
No personal data will be transferred or disclosed outside the EU or the European Economic Area.
11. Principles of filing system protection
Personal data will be kept confidential on servers protected with passwords and other necessary technical measures.
Care will always be taken when processing the personal data in our filing systems, and personal data processed using data systems will be appropriately protected. The controller makes sure that the stored personal data, the rights of use of servers and other data critical for the security of the personal data are processed confidentially and only by employees whose job description includes this task and who are committed to complying with the required secrecy orders and the data security procedures required by the controller.
Electronically processed personal data contained in the filing system is protected by firewalls, passwords and other generally accepted technical measures used in the data security sector. Manually maintained material data is stored in facilities to which unauthorised access is prevented.
12. The rights of the data subject
Everyone whose personal data is included in our filing system has the right to request access to personal data concerning themselves, check the personal data stored in the filing system about themselves and request that their personal data is erased or incorrect personal data is rectified, or that the processing of their personal data is restricted, or that their personal data is transmitted to another controller. Every data subject also has the right to withdraw their consent for the processing of their personal data. Please note that this does not alter the lawfulness of the processing performed before the withdrawal.
If a person wishes to apply any of their rights as mentioned above, the request for this must be sent in writing to the controller by filling in the form for requesting to check personal data in our filing systems or the form for requesting the erasure of personal data and by sending the form to the following address:
Ab LL International Oy/GDPR
The controller may ask the person making the request to prove their identity. The controller will reply to the customer within the time limit set in the EU General Data Protection Regulation (usually within one month).
If a data subject considers that the processing of their personal data infringes the GDPR, they have the right to lodge a complaint with a supervisory authority in the member state of their habitual residence, place of work or place of the alleged infringement. In Finland, this supervisory authority is the Data Protection Ombudsman. The Office of the Data Protection Ombudsman is located on Ratapihantie 9, 00520 Helsinki and the email address is firstname.lastname@example.org.