HSL’s Helsinki and Espoo City Bike Service Customer Register Privacy Statement
1. CONTROLLER OF THE DATA FILE
HSL
PO Box 100 (Opastinsilta 6 A)
00077 HSL (00520 Helsinki)
Tel. +358 9 4766 4000
HSL’s Data Protection Officer:
Address: PO Box 100, 00077 HSL
Telephone (switchboard): +358 9 4766 4444
Email: [email protected]
2. NAME OF THE DATA FILE
HSL’s Helsinki and Espoo City Bike Service Customer Register
Personal data of representatives of companies using the city bike service is processed in HSL’s Corporate Customer Register (see the Corporate Customer Register Privacy Statement | Privacy | HSL | HSL.fi).
3. PURPOSE OF THE PROCESSING OF PERSONAL DATA
The purpose of processing personal data in the register is to manage customer relationships relating to the city bike service and to provide and develop the service.
Customers’ personal data is used to identify customers in cases of problems, to contact customers with messages related to the operation of the system, and to display user information to users themselves on the service website. Users can edit their details themselves in their account settings.
The data is also used to generate statistics on service use in a way that prevents individual users from being identified (Open data | HSL | HSL.fi).
Electronic direct marketing
We may send electronic direct marketing messages (e.g. by email, push notifications to mobile devices or SMS) as follows:
- Electronic direct marketing based on a customer relationship: We send electronic direct marketing messages to our customers based on an existing customer relationship when the customer’s contact information (for example, an email address) has been obtained in connection with the sale of a service or product (for example, when creating an HSL account or when starting to use HSL services). The messages relate to HSL’s products and services that the customer has previously used or to similar products and services. Customers can opt out of marketing messages at any time, for example through the unsubscribe link in email messages, in the settings of their HSL account or by contacting HSL’s customer service.
- Electronic direct marketing based on consent: We may send electronic direct marketing messages that are not based on an existing customer relationship on the basis of the data subject’s consent. Consent may be given, for example, in digital services, in connection with campaigns or through other channels. Consent can be withdrawn at any time using the same channels or by contacting HSL’s customer service.
Invitations to studies and surveys
HSL sends invitations to studies and surveys, for example, based on customers’ use of HSL’s services. You can manage your receipt of survey invitations in the Notifications and privacy settings of your HSL account at hsl.fi and in the HSL app under Notifications and email, where you can also manage how invitations are shown in the app. You can find the options under “Participation in the development of public transport: Invitations to surveys and questionnaires”. You can participate in studies and surveys by clicking the invitation. You will also get more information about the study or survey in question. Participating in studies and surveys is completely voluntary.
The general HSL Customer Register Privacy Statement is available on HSL’s privacy website, Privacy | HSL | HSL.fi.
4. LEGAL BASIS FOR PROCESSING
The legal bases for the processing of personal data are the following, in accordance with the EU General Data Protection Regulation (hereinafter also referred to as the “GDPR”):
Agreement: Processing of personal data is necessary for the execution of an agreement to which the data subject is a party or for the implementation of pre-contractual measures taken at the request of the data subject (GDPR Article 6(1)(b). The following are contractual:
- Provision and delivery of the city bike service to customers
- Account management
Legal obligation: Processing of personal data is necessary for the controller to comply with a legal obligation (GDPR Article 6(1)(c)). The following are based on legal obligation:
- Processing personal data for accounting purposes
Public interest: Processing of personal data is necessary for the performance of a task carried out in the public interest or for the exercise of the official authority vested in the controller (GDPR Article 6(1)(e) and Section 4(1), subsections 2 and 3 of the Data Protection Act). This concerns:
- Studies produced by HSL, customer satisfaction and feedback surveys
- Marketing, planning and measuring the effectiveness of marketing activities
- Development of HSL’s services and operations
- Processing for statistical purposes in the public interest
5. CONTENT OF THE DATA FILE (GROUPS OF PERSONAL DATA PROCESSED)
The City Bike Service Customer Register contains the following data on the users (customers) of the city bike service.
Customer information
Data provided upon registration:
- Name
- Email address
- Phone number
- Information that the customer is aged 15 years or over
- The start and end dates of the pass paid for
- User ID
- PIN code
- Language
- Status, whether the user is currently active
- HSL card number, if the user has added an HSL card as an identifier in the system
- Part of the payment card number provided by the payment service, the expiry date of the card and the name of the company that issued the card. This information is used to show the user which card is linked to the city bike system; the full payment card number is not stored in the register.
Transactions
- Actual use: start and end location, time, the city bike used and the distance cycled
- Payment transactions
- Information on possible uncharged fees.
6. REGULAR SOURCES OF INFORMATION
Personal data is collected from the data subject and from transactions generated by the city bike system.
7. PERSONAL DATA STORAGE PERIOD
Personal data will be stored for as long as necessary to fulfill contractual obligations. As a rule, customer information will be deleted three years after the most recent use of the city bike service. Payment transaction data will be stored for the period required by applicable legislation; as a rule, the storage period is determined in accordance with the Accounting Act (1336/1997).
8. RECIPIENTS OF PERSONAL DATA (RECIPIENT GROUPS) AND REGULAR DISCLOSURE OF DATA
As the controller of the data file, HSL processes the data itself and uses service providers that process personal data on behalf of and for the controller.
HSL may use contract partners working on its behalf for the technical, commercial or operational implementation of data-processing tasks and may disclose personal data to them within the scope of such cooperation and subject to the data protection agreement.
When required, personal data contained in the data file will be disclosed to external individuals or organizations as follows: CityBike Finland Oy (service provider and operator), Fifteen (technical provider to CityBike Finland), Stripe (payment service), and Metropolitan Area Transport Ltd and the City of Espoo (city bike service clients).
9. TRANSFER OF DATA TO OUTSIDE THE EUROPEAN UNION OR THE EUROPEAN ECONOMIC AREA
Personal data contained in the data file is not transferred to countries outside the European Union or the European Economic Area, except to a third country for which the European Commission has deemed to provide an adequate level of data protection (so-called adequacy decision) or, in the case of the United States, to a recipient certified under the EU–US Data Privacy Framework. HSL reserves the right to make other transfers in accordance with the requirements of the applicable data protection legislation, applying appropriate safeguards.
10. PRINCIPLES OF DATA SECURITY
The security of the City Bike Service Customer Register and the confidentiality of personal data are ensured through appropriate technical and administrative measures in accordance with good data processing practice.
The controller’s employees and other individuals are committed to confidentiality and to keeping any information obtained during the processing of personal data confidential. Agreements to safeguard the Customer Register have been concluded between the Controller and system suppliers. System suppliers manage the register and the related storage of data in accordance with good data processing practice and are subject to strict professional secrecy.
Only employees whose duties involve processing customer data are authorized to use the system containing the data. Every user logs into the system using personal credentials provided when access rights to the system are granted. Access rights expire when the person is no longer responsible for the tasks for which they were granted. The obligations of confidentiality and professional secrecy will continue to apply after the employee ceases to perform duties involving the processing of customer data or after the termination of employment.
The data is compiled into logically and physically secured databases. The databases and their backups are located on locked premises, and only designated personnel are permitted to access the data.
Card payments are made using a secure payment form provided by Stripe Payments Europe Ltd. Metropolitan Area Transport Ltd, HSL, the City of Espoo, Fifteen, and CityBike Finland Oy do not have access to card details, nor are payment card details stored in our systems as such. The only card details stored are the part of the payment card number provided by the payment service, the expiry date of the card and the name of the company that issued the card. This information is used to show the user which card is linked to the city bike system. We are is authorized only to charge the user the fees in accordance with the Terms of Use.
11. RIGHTS OF THE DATA SUBJECT
Data subjects have the following rights under the EU's General Data Protection Regulation (GDPR):
(a) The right to obtain from the controller confirmation as to whether or not personal data concerning them are being processed, and, where such personal data are being processed, access to the personal data and the following data: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of the processing of personal data concerning the data subject or to object to such processing; (vi) the right to file a complaint with a supervisory authority; (vii) where the personal data are not collected from the data subject, any available information as to their source; [(GDPR Art. 15)]. The basic data referred to hereinabove in (i)–(vii) are provided to the data subject with this statement; Users can also view their personal data at hsl.fi through their HSL account.
(b) The right to withdraw their consent at any time with no impact on the legality of processing performed by virtue of the consent before its withdrawal (GDPR Article 7).
(a) The right to demand the controller to correct inaccurate and incorrect personal data concerning the data subject without undue delay, and to have incomplete personal data completed, for example, by means of providing a supplementary statement, taking into account the purposes of the processing (GDPR Article 16). At HSL.fi, data subjects can edit their personal data themselves through their HSL account.
(b) The right to obtain from the controller the erasure of personal data relating to them without undue delay, provided that (i) the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed; (ii) the data subject withdraws the consent on which the processing is based and where there is no other legal basis for the processing; (iii) the data subject objects to the processing on grounds relating to their particular situation, and there are no overriding legitimate grounds for the processing, or the data subject objects to processing for direct marketing purposes; (iv) the personal data have been unlawfully processed; or (v) the personal data have to be erased for compliance with a legal obligation in the Union or Member State law to which the controller is subject; [(GDPR Art. 17)].
(c) The right to obtain from the controller the restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes to t he erasure of the personal data and requests the restriction of their use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing on grounds relating to their particular situation, pursuant to the pending verification as to whether the legitimate grounds of the controller override those of the data subject. [(GDPR Art. 18)].
(d) The right to access to personal data concerning them, which they provided to a controller in a structured, commonly used and machine-readable format and to transmit this data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent or agreement referred to by the Regulation and is carried out by automated means [(GDPR Art. 20)].
(e) The right to file a complaint with a supervisory authority (Office of the Data Protection Ombudsman, switchboard: +358 29 566 6700, email: [email protected]), if the data subject considers that the processing of his or her personal data is in violation of the EU's General Data Protection Regulation (GDPR Article 77).
Requests concerning the exercise of the rights of data subjects should be addressed to the controller in accordance with instructions provided at www.hsl.fi/privacy.
12. UPDATING THE PRIVACY STATEMENT
This privacy statement may be updated as required.