Privacy policy: Customer register of the online shop of the Hakku service

Updated 23 May 2018

Controller Geological Survey of Finland
P.O. Box 96, FI-02151 Espoo, Finland
Tel. +358 29 503 0000, gtk@gtk.fi
Contact person for register matters Eero Lampio
Contact details of the data protection officer tietosuojavastaava@gtk.fi
Register name Customer register of the online shop of the Hakku service
Purpose of and legal grounds for processing personal data The purposes of use are to carry out activities related to the processing and monitoring of orders placed by customers of GTK’s Hakku service, maintain customer contact and customer queries, develop services, compile reports and carry out other actions related to customer management. Personal data is processed within the limits permitted and required by the Personal Data Act.
Data content of the register and groups of personal data Customers’ first and last name, organisation, postal address, optional delivery address, email address, telephone number, customer type, order information and password (customers registered in the online shop only).
Storage period for personal data or, if this is not possible, criteria for defining the storage period Personal data about registered customers is erased from the system when data subjects request it to be erased or when five years have elapsed from the previous login. Personal data about unregistered customers is erased from the system three months after placing an order.
Regular sources of data Personal data about online shop customers is only obtained when customers register in the online shop or place orders from the online shop.
Recipients of personal data or groups of recipients Processors of orders in the online shop, the administrator of the online shop, the administrator of the system from Iwalabs Oy, the administrator of the server (Valtori). Paytrail Oyj processes payment transaction data in conjunction with payment transactions in the online shop.
Information about the transfer of data to third countries and protection used (including information about the existence or non-existence of the Commission’s decision on the sufficiency of data protection), and opportunities to obtain a copy or information about content. No data is transferred to third countries.
Principles of register protection (manual material and electronic processing) The customer register is processed confidentially. The use of registered data requires administrator credentials for GTK’s online shop.

Processors of orders in the online shop also process email messages related to orders. Email messages are erased no later than two years after the delivery of specific orders.

All data transferred between the users’ browsers and the system is encrypted. The server on which the register is stored is protected by means of firewalls, and information security is monitored regularly.

Rights of data subjects

  • Right to access personal data
  • Right to have data rectified
  • Right to have data erased
  • Right to restrict processing
  • Right to object
  • Right to transfer data from one system to another
Data subjects can view their personal data and correct it, or request the administrator of the online shop to make corrections or erase their data.

Productions cannot be ordered from the online shop without providing the personal data required.

If processing is based on consent (article 6.1a) or explicit consent (article 9.2a), information about the right to withdraw consent at any time Data subjects can, at any time, withdraw their consent to using their personal data and request to have their personal data erased.
Right to file a complaint with the supervisory authority Data subjects have the right to file a complaint with the supervisory authority of the member state in which their permanent place of residence or business is or in which the suspected breach of the GDPR has taken place.

If the data controller has refused your right to view your personal data or to correct your data, you can file a complaint with the Finnish Data Protection Ombudsman.

Is the provision of personal data a statutory or contractual requirement or a requirement needed to enter into an agreement? Do data subjects need to provide personal data? What are the consequences of any non-provision of personal data? Providing contact information is a requirement for the delivery of publications, reports and maps by post and the delivery of encrypted download links.
Information about the existence of automated decision-making, including profiling, and significant information about the processing-related logic, at least in these cases, and the significance of specific processing and any consequences for data subjects No automated decision-making or profiling is used.