24 May 2018
What are our purposes for processing your personal data?
Competitions on social media
What types of data may we process?
What are our sources for collecting your personal data?
Do we carry out profiling with your personal data?
Who may we share your personal data with?
Do we transfer your personal data outside the EU territory?
For how long do we process your personal data?
Are you required to give your personal data to us?
How can you exercise your rights relating to your personal data?
Which country’s legislation shall be applied to the processing of your data?
Business ID: 1604871–1
Address: Kissanmaankatu 5, FI-33520 Tampere, Finland
Telephone: +358 3 225 9400
Contact person for privacy matters: firstname.lastname@example.org
“Personal data” shall mean any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one of more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Customers” shall mean, in terms of data subjects, the consumers and the contact persons of the companies and other entities (hereinafter “company”) with whom the Controller is in a customer relationship.
“Potential customers” shall mean, in terms of data subjects, consumers and contact persons of companies with whom the Controller strives to establish a customer relationship.
“Members” shall mean consumers who are members of the Controller’s business activities, such as members in a fan club managed by the Controller or players in non-professional teams.
“Stakeholders” shall mean consumers and contact persons of companies with whom the Controller has a cooperative relationship (such as the representatives of companies producing services for the Controller) or other connection (such as media representatives as parties in communication activities and social decision-makers in social relationship activities).
The Controller shall process the personal data of data subjects for the following purposes (one or more simultaneously):
• Management, analysis and development of the customer, member and stakeholder relationship
The Controller may use your personal data to manage, analyse and develop a customer, member or stakeholder relationship established directly with you or with a company that you represent.
• Providing products and services
The Controller may use your personal data to provide products and services if you or the company that you represent has, for example, purchased a product or service from us, used our digital services, subscribed to our newsletter or taken part in our training or other events. Personal data is used to exercise the rights and fulfil the responsibilities based on an agreement or other commitment between the Controller and the customer.
• Customer and member communication
The Controller may use your personal data in its customer and member communication, for example, to send you notices related to products and services, to notify you of changes made to services and to request for feedback on products and services.
The Controller may contact you to inform you of new products, services or benefits. The Controller may use personal data to customise its supply and to offer relevant content. This means, for example, that we may provide recommendations or show customised content and customised advertisements in our own or third-party services.
• Product and service development
The Controller may use your personal data to develop its products and services.
The legal basis for processing personal data is provided by the following subparagraphs of Article 6 of the EU General Data Protection Regulation:
you have given consent to the processing of your personal data for one or more specific purposes;
processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;
processing is necessary for compliance with a legal obligation to which the controller is subject; and
processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except for where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.
The Controller processes your data for the performance of a contract with you or with a company that you represent (e.g. organising a game related to a purchased ticket, executing a player contract related to non-professional playing, realising an e-commerce purchase, providing a digital service or engaging in sponsorship cooperation).
The Controller has legitimate interests related to the practising of business, such as the right to promote the sales of its products and services through marketing and sales, and
the Controller may, on the basis of the legitimate interest, practice direct marketing and sales using your contact information, including the processing of personal data for profiling. Other
legitimate interests of the Controller on the basis of which your personal data may be processed include advice and other customer service for non-customers, further business development and the investigation of possible misconduct.
If the processing of data is not based on a contractual need or a legitimate interest, the Controller may request your consent for other type of processing of personal data.
The Controller may also process your personal data when required to do so by law, such as on the basis of the requirement to retain data under the Accounting Act.
With regard to competitions on social media, we shall inform you, as necessary, of the rules and the processing of personal data separately on a competition-specific basis on the campaign page in question. In general, the rules for competitions and the processing of personal data are as follows, if there are no separate competition-specific instructions:
Any competitions are not endorsed or managed by the social media platform in question (for example, Facebook).
The personal data collected by the Controller may contain e.g. the following types of data and the changes made therein:
Basic information on all data subjects
First name and last name
Contact information (postal address, e-mail address, phone numbers)
Data concerning the use of the Controller’s digital services
Technical data sent by the Controller to the user’s digital devices (such as computers and mobile devices) as well as data concerning cookies and other similar technologies
Communication targeted to the data subject and related activities
Direct marketing preferences
Recordings of customer service phone calls and e-mail and online correspondence related to customer service, for example, in social media channels
Personal identity codes of persons who we will invoice for some of the services. For example, season ticket holders.
Additional information in terms of under-age data subjects
Guardians’ names and contact information and invoicing information provided to the Controller
Additional information on company representatives
Sanna-Sofia Rinne. The person responsible for Ilves-Hockey Oy’s financial administration. After the managing director and sales director, she has the highest responsibility for the company’s office services, such as invoicing and HR administration.
Information of data subjects who have purchased the Controller’s products or services, provided feedback and/or submitted complaints on them
Start and end time and manner of the customer relationship or a similar relationship
Campaigns and offers targeted to the customer and their use
Areas of interest and other information provided by the customer
Contents of feedback and complaints, the related correspondence and follow-up measures
Information of data subjects who have taken part in the Controller’s events
Dietary information (specific information that the user has provided voluntarily)
Date of birth related to events for which e.g. a shipping company requires it
Names and dates of birth of travelling companions when e.g. a shipping company requires them
Information of customers using the Controller’s online services
Login details of the data subject
Behaviour in the online service after login
The majority of the information is received from you or, in terms of a minor, from a guardian at the start of and during a customer, member and stakeholder relationship, as well as from the software with which you use our products and services.
The Controller also receives personal data and its updates from the authorities, organisations and companies that provide credit and personal data acquisition and updating services, as well as public directories and other public sources of data, such as company websites and social media channels. The Controller receives personal data relating to company representatives also from their colleagues, i.e. the main contact person of a company or other entity may provide personal data to the Controller also in terms of other individuals related to the use of the Controller’s products and services.
Profiling, as referred to in the EU General Data Protection Regulation, means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
We do not carry out profiling as described above for the time being. Instead, we may otherwise analyse and utilise the personal data in our data files as well as combine it with data received from third parties.
The Controller shall not give, sell or otherwise disclose your personal data with external third parties, unless otherwise indicated below.
The Controller may share your personal data with third parties who carry out services for the Controller. Such services may include, for example, customer service, software services, research activities, marketing and event production. The Controller may share your personal data in order to collect payments for products and services and it may, for example, transfer or sell unpaid invoices to third parties who provide debt collection services.
The Controller shall share your personal data with partners with whom the Controller coordinates and carries out projects together.
The Controller may share the personal data of the participants in the Controller’s events at its discretion with other participants at the event in question, if it is appropriate due to the nature of the event (such as a game event organised for company representatives).
The Controller may share your personal data in connection with a corporate acquisition or other corporate transaction or when a service is transferred to another service provider. The Controller may share your personal data by order of a court or similar.
When providing services, the Controller may use resources and servers located in different parts of the world. Therefore, the Controller may transfer your personal data outside the country where the services are used and possibly also to countries outside the EU territory which have different data protection laws.
In such cases, the Controller shall make sure that there is a legal basis for the data transfer and that the user’s personal data is protected using, for example (when necessary), standard agreements approved by the appropriate authorities and by requiring compliance with the appropriate technical and other measures of data protection.
The processing time of the personal data of different groups of people is determined on the following basis:
The Controller may process your personal data during your customer relationship and until the end of the third year following the year of termination.
After this, the Controller may transfer your necessary personal data into a marketing register and process you as a potential customer once more.
Representatives of corporate customers
The Controller may process your personal data for as long as you represent the Controller’s corporate customer and until the end of the third year following the year of termination.
After this, the Controller may transfer your necessary personal data into a marketing register and process you as a representative of a potential corporate customer once more.
The Controller may process your personal data during your member relationship and until the end of the third year following the year of termination.
Potential consumer customers and representatives of potential corporate customers
The Controller may process your personal data for the time being until you become a customer or until you demand that your data is removed from the Controller’s marketing register.
Members of stakeholder groups
The Controller may process your personal data for as long as you are a member of a stakeholder group, e.g. you represent the Controller’s partner or the media.
Are you required to give your personal data to us?
In order for the Controller to fulfil its contractual obligations relating to your mutual relationship, the Controller must obtain and process personal data relating to you. Without the necessary personal data, we cannot offer you the products and services for which it is necessary to process personal data.
Right of access to personal data that has been collected concerning you. In practice, this is done by sending you a report of the personal data that has been collected concerning you in the personal data file, based on your appropriate and identified request.
Right to rectification or erasure of personal data collected concerning you. If you notice any errors or omissions in your data, you may submit a request for rectification to us.
Right to erasure of personal data collected concerning you. We have the obligation to erase personal data from our personal data file upon your request if one of the following grounds applies, and an obligation to retain data does not result from other legislation or an official regulation:
the personal data is no longer necessary in relation to the purposes for which it was processed;
you withdraw consent and there is no other legal ground for the processing;
you object to the processing relating to your particular situation and there are no overriding legitimate grounds for the processing, or you object to the processing of your personal data for direct marketing;
your personal data has been unlawfully processed;
your personal data has to be erased for compliance with a legal obligation in European Union or Finnish law to which the Controller is subject; or
your personal data has been collected in relation to the offer of information society services, such as in connection with an order for the Controller’s digital information services.
Right to restriction of processing personal data collected concerning you. You may request the Controller to restrict the processing of your personal data if:
you contest the accuracy of your personal data that the Controller has;
the processing is unlawful and you request the restriction of its use instead of erasure;
the Controller no longer needs the personal data for the purposes of processing, but you require it for the establishment, exercise or defence of legal claims;
you have objected to processing pending the verification whether the legitimate grounds of the Controller override your grounds.
Right to data portability. If the automatic processing of your personal data is based on consent or an agreement, you shall have the right to receive the personal data, which you have provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit that data to another controller.
Right to withdraw consent. If all or part of your personal data is processed in this data file on the basis of consent given by you, you shall have the right to withdraw your consent.
Right to lodge a complaint with a supervisory authority. If any dispute relating to the processing of your personal data cannot be settled in an amicable way between you and the Controller, you shall have the right to bring the case before a data protection authority.
We are a Finnish entity operating in Finland. This personal data file and the processing of personal data included therein shall be governed by the Finnish law and the EU legislation directly applicable in Finland, such as the EU General Data Protection Regulation.