Privacy policy—Kitchen online store

Description of personal data file pursuant to section 10 of the Personal Data Act (523/1999)

1. Controller and the name and contact details of its representative

Name: Fazer Food Services Oy
Contact details: Laulukuja 6, 00420 Helsinki

Representative of the controller Fazer Ravintolatuki
tel. +358 20 729 6343

2. Name of data file

Kitchen customer register

3. Purpose of handling personal data

The data file is used to manage customer relationships, customer contacts, marketing, and the provision of products and services, as well as to organise research, campaigns and competitions. The data file's information is also used for the purposes of direct marketing, provided that the customer has consented to such use. This and any other information generated during the customer relationship are used for the planning of products and services as well as for targeting such products and services.

4. Data content of the file

The file's data content may vary user-specifically, based on the nature of the services used by the customer.
The file may contain the following details about the service's users: First and last name, title or occupation, age, gender, native language, contact information, company or association, information related to the customer account, the customer's interests (such as food preferences) and any information concerning a user's preferences with regard to direct marketing, i.e. consent or refusal with regard to the disclosure and use of the Customer's details for the purposes of direct marketing. The file may also contain the following information: nationality, date of birth, customer or user ID or other equivalent identifying detail, country of residence, the name of the company or association the service's user represents, the contact information of the company or association, the user's position in the company or association, and any other profiling details the service's user has chosen to provide.
In addition, the file may contain the identifying details (user ID) of a registered customer and information about the customer's orders, deliveries and returns.

5. Regular data sources

The file's contact and customer account information is collected when the customer relationship is created and from any notifications the customer sends to the controller during the existence of the relationship. Contact and customer information can also be collected by way of various competitions and marketing campaigns. In accordance with the Personal Data Act, customers will receive a separate request for consent with regard to digital direct marketing (email and/or mobile).
In addition, personal data can be obtained through the Population Register Centre and both collected and updated with the help of any other personal data files of the controller and its group companies, the registers maintained by Posti Group, the direct marketing restrictions list maintained by ASML (Suomen Asiakkuusmarkkinointiliitto) and other equivalent registers.

6. Regular disclosure of information and the transfer of information outside the EU or EEA

The information in the file may be disclosed to parties that belong to the same group of companies as the controller or some other financial joint venture of the controller in the manner and to the extent permitted by law. Personal data may also be disclosed for the purpose of implementing direct marketing, distance selling and other direct marketing and opinion polls and marketing research, unless the service user has separately opted out of such use.
The servers and other technology used to process the data may be owned and controlled by an external service provider employed by the controller. The controller may procure the services required for their use from an external service provider.
The data may be transferred outside the European Union and the European Economic Area, provided that this is necessary for the technical implementation of the service employed by the user or if it is otherwise necessary under the Personal Data Act.

7. Principles of file protection

The manual material is stored in secure premises that can be accessed only by authorised personnel. Digital material: only separately designated employees of the controller and employees of companies that work on the assignment and on behalf of the controller have access to the system containing customer information and the authority to change or edit such information. Each user has a username and password for the system. Access has been restricted solely to the information necessary for each user to take care of their job by way of personal access rights and different access levels to the database. Employees who process customer data have an obligation of confidentiality. The customer file and the hardware required for its processing are located in secure data centres. To prepare for failures, the data is backed up regularly. A firewall protects the system against any external intrusion attempts. The data is disclosed to outsiders only on the basis of a statutory duty of notification, such as at the customer's own request or at the lawful request of an authority.

8. Right of inspection

According to section 26 of the Personal Data Act, service users have the right to verify which information about them has been saved in the register or that the register does not include any information about them. At the same time, the controller must inform the data subject of any regular information sources and what the file's information is used for and to whom it is regularly disclosed.
The inspection request may be submitted in the following ways:
– A written and signed inspection request is addressed to the controller's representative and sent to the address given under section 1 or via email.
– An inspection request is presented in person at the address given under section 1.
Service users may opt to be removed from the register without any consequences.