Privacy Policy (combined privacy policy and information document for customer relations and marketing)
1. The controller
Ab LL International Oy
Nihtisillantie 3
02630 Espoo
Business ID: 1790020-8
2. Contact person responsible for the register
Salla Niskanen, Data Protection Officer
gdpr@lli.fi
3. Name of the registers
- Company customer register
- Company marketing register
- Company CCTV recording register
4. Purpose and legal basis for processing personal data
The customer register is used to manage customer relations, to implement the rights and obligations of the customer and the controller, and for marketing and statistical purposes. The marketing register is used to market the company's products and services to persons who are not customers of the company but who have given their consent to the use of their personal data for the controller's marketing communications.
The provision of the personal data processed in the customer register is a condition of a contract with us and we cannot enter into a contract without this information. Our legal basis for managing the customer relationship is the performance of the contract between the customer and us; for marketing based on the customer register, the basis is the customer's consent.
The processing of data entered in the marketing register is based on the consent of the data subject.
With regard to customer and marketing registers, the customer has the right to object to the use of their personal data for direct marketing.
The personal data processed in our customer and marketing registers may also be used to develop and target services.
The business CCTV register is necessary for the purposes of the legitimate interests pursued by the controller or a third party (Article 6(1)(f) of the EU GDPR). The legitimate interest of the controller or third party may be legal, economic or non-material. There is a substantial and legitimate reason for the camera surveillance, for example to establish, exercise or defend legal claims (Article 21(1) of the EU GDPR). For example, it is necessary to monitor the entrances to a sports centre when staff are not present. The personal data processed in the CCTV register will not be used for the development or targeting of services.
In all situations, personal data will only be processed in the manner permitted by applicable law. The data will not be used for automated decision-making or profiling without the customer's explicit consent.
The main legislation governing our activities:
- EU General Data Protection Regulation and Data Protection Act as of 25.5.2018
- Penal Code 39/1889
- Accounting Act 1336/1997
5. Recipients of personal data
The personal data you provide to the customer register is received by the controller when you log in to the controller's system.
Your personal data contained in the customer register may also be used by sports centres that have concluded a cooperation agreement with the controller and operate in accordance with the controller's concept. These operators have concluded agreements on the processing of personal data in accordance with the GDPR and have undertaken to comply with the controller's instructions on the processing of personal data and data protection.
6. Data content of the register
Customer register
Our customer register contains the following information:
- Personal data (name, personal identification number, address, telephone number, e-mail address)
- Services purchased and/or ordered by the customer
- Tax account
- Training visits
Marketing register
In our marketing register, we process the above personal data, excluding your personal identification number, and we also ask you to provide at least one of the following identifiers:
- age or year of birth
- sex
- mother tongue
Surveillance camera register
The sports centre has camera surveillance. Video footage from the surveillance cameras is stored in the company's CCTV recorder.
The information in the register is confidential.
7. Systems for maintaining the register
Customer register
- DL Prime
- DL Business Intelligence
Marketing register
- DL Prime CRM
- Customer management system per sports centre
8. Regular sources of information
Customer register
- The customer when entering into a contract with us or our partners
- Access control system for the sports centre
Marketing register
A person who discloses his or her information, for example, when participating in contests, events, lotteries or similar interactions organised by the company. In addition, personal data may be collected and updated from customer records.
Surveillance camera register
We store video footage recorded through CCTV in the surveillance camera's recording register. The location of the surveillance cameras is marked on separate signs.
9. Retention period of personal data
Personal data will only be kept for as long as necessary to fulfil the purposes of the processing of personal data as defined in this Privacy Policy. Obsolete and redundant data will be destroyed without undue delay in an appropriate manner.
In addition, the information in the customer register is kept for as long as required by the Accounting Act or other applicable law. The visit data in the customer register will be anonymised after 5 years from the end of the service contract.
The data in the marketing register will be stored for a maximum of 12 months after the data subject has given his or her consent, unless the data subject renews his or her consent or enters into a customer agreement with us before then. The data subject's personal data will also be deleted without delay after the data subject has withdrawn his or her consent to receive marketing communications.
Surveillance camera footage is stored in an appropriate manner in accordance with data protection and security requirements and is limited to what is necessary in relation to the purposes for which it is processed (Article 5(1)(c) of the EU General Data Protection Regulation). We will keep the CCTV recordings for four weeks, after which we will permanently delete the recordings from the server. Retention of the recordings will safeguard the investigation of property or other potential criminal incidents and damages.
10. Regular disclosures and transfers of data outside the EU or EEA
The information in the customer register will not be disclosed to third parties for marketing purposes.
We may use service providers who may have access to your personal data in order to perform their tasks in the processing of personal data in the customer register. With these service providers we have concluded a contract in accordance with the requirements of the GDPR.
We may use external service providers to process the data in the marketing register. The controller is responsible for ensuring that the service provider processes the personal data provided in accordance with data protection legislation and only to provide the separately agreed services to the controller. With these service providers we have concluded a contract in accordance with the requirements of the GDPR.
The controller will not otherwise disclose the personal data provided to third parties. However, the controller has the right to disclose the data if required to do so by law or regulation.
Data processed in our registers can only be published if this has been specifically agreed with the data subject.
The data will not be transferred or disclosed outside the EU or the European Economic Area.
11. Principles of register protection
Personal data is kept confidential, on servers protected by passwords and appropriate technical measures.
The register is processed with due care and the data processed by the information systems are adequately protected. The controller shall ensure that stored data, server access rights and other information critical to the security of personal data are treated confidentially and only by employees whose job description includes this and who have undertaken to comply with confidentiality provisions and data protection procedures required by the controller.
The electronically processed data contained in the register is protected by firewalls, passwords and other generally accepted technical means used by the security industry. Manually maintained records are kept in premises to which unauthorised access is denied.
12. Rights of the data subject
Every person in the register has the right to request access to data relating to him or her, to check the data stored in the register, to request their rectification or erasure or the restriction of processing, and the right to data portability. Each data subject also has the right to withdraw his or her consent to the processing of personal data, without prejudice to the lawfulness of the processing carried out prior to the withdrawal.
If a person wishes to exercise any of the above rights, the request should be sent in writing to the controller by filling in the request for inspection form or the form for deletion of data contained in the customer file and sending the form to the following address:
Ab LL International Oy/GDPR
Nihtisillantie 3
02630 Espoo
or by email to gdpr@lli.fi.
Request form for inspection of customer register data (pdf)
Request for deletion of customer data (pdf)
The controller may, if necessary, ask the applicant to prove his or her identity. The controller will respond to the customer within the time limit set by the EU General Data Protection Regulation (usually within one month).
Anyone who is dissatisfied with the processing of their personal data also has the right to lodge a complaint with the supervisory authority concerned in the Member State where they have their habitual residence or place of work or where the alleged infringement has taken place. In Finland, the supervisory authority is the Data Protection Ombudsman. The Data Protection Ombudsman's office is located at Ratapihantie 9, 00520 Helsinki, Finland, and the e-mail address is tietosuoja@om.fi.