HSL Corporate Customer Register Privacy Statement

The name of the data file is HSL Corporate Customer Register (“Corporate Customer Register”) and its data subjects consist of contact persons, employees and other beneficiaries of companies that use HSL's services (“Customers”). More detailed information on the processing of personal data of users of HSL’s services, as well as on the storage of identification data for corporate user accounts is available at www.hsl.fi/en/privacy.

The controller of the data file is Helsinki Regional Transport Authority (hereinafter HSL), business ID 2274586-3.

Adress: Opastinsilta 6 A, Helsinki, PO Box 100, 00077 HSL 
Telephone: +358 9 4766 400 (HSL Customer Service)

HSL Data Protection Officer
Address: PO Box 100, 00077 HSL
Telephone (switchboard) +358 9 4766 4444
E-mail: [email protected]

The purpose of processing personal data in the HSL Corporate Customer Register is the provision of corporate services.

The HSL Corporate Customer Register consists of the following sub-registers for different services:

• Corporate Customer Register (CRM)
• Subscribers to the corporate newsletter and other marketing emails
• Purchase of HSL tickets or issuing benefits to employees or other beneficiaries via the HSL online service
• Corporate customers of the city bike service
• Customers registered in corporate customer events

The purpose of processing the data in the HSL Corporate Customer Register is the provision of corporate services. This includes the following functions for which personal data is processed:

• Service provision, including travel cards and timetable displays, at the use of the HSL online service and city bikes.
• Account management, including customer service, contract management, resolving ambiguities, and other use of personal data for administrative purposes, as well as customer communications, such as communications necessary for the delivery of the service or related to the contract (for example, notifications about major service disruptions, order confirmations, and communications concerning changes to contract and service terms or privacy statements).
• Sales and direct-marketing, including defining target groups, planning and measuring marketing activities, sales and direct‑marketing contacts, permissions and opt‑outs related to direct marketing and newsletters, and arranging sales meetings.

The Corporate Customer Register consists of several types of personal data. More detailed information on the processing of personal data of HSL’s passenger customers and the storage of identification information for corporate user accounts is available at www.hsl.fi/en/privacy.

(a) Customer’s or potential customer’s basic data, such as the contact person’s or admin’s name, the company’s address, e-mail address, phone number, position in the organization, LinkedIn profile address and customer identifiers such as the company’s business ID and customer number to identify customers and offer services to them through various modes and media.

(b) Data related to the customer type, such as customer group and category and various account, service use, order and service information.

customer group and various account, transaction, subscription and service information

(c) Service-specific purchase history

(d) Information on content use and communications through the various channels, including the content, identification and technical data on phone calls, cookies and other communications channels.

information on content use and communications through the various channels, including the content, identification and technical data on phone calls, cookies and other communications channels.

(e) Payment data in various channels.

(f) Permissions, prohibitions and similar data

(g) Data of employees, i.e. individual customers, of a company using the HSL online service, such as name, email address, home municipality, the date of registration for the service, date of purchase, product and zones, period of validity of the product and period of validity of the benefit. The details of the beneficiary, i.e. the recipient of a school pass (individual customer) of a company/organization using the HSL online service to issue school passes: name, personal identity code/date of birth, school information, guardian’s email address, date of joining the service, product and zones, and the validity period of the benefit.

The processing of personal data by HSL is always based on one of the following legal bases under Article 6 of the EU General Data Protection Regulation (GDPR, 2016/679).

(a) Processing is necessary for the execution of an agreementto which the data subject is a party or for the implementation of preliminary measures for concluding an agreement at the request of the data subject (GDPR Art. 6.1(b):

• Service delivery to customers
• Account management

(b) Processing is necessary to perform a task in the public interest or for the exercise of official authority (GDPR Article 6/1e):

• Issuing, managing and delivering school passes to customers
• Sales and direct marketing (additionally based on Section 4(1) of the Data Protection Act)
• Where the data subject is not themselves a party to the contract but acts as a contact person or other representative of a party:
  • Service delivery
  • Administrative tasks related to contract corporate customer account management, as well as related communications and customer service

Electronic direct marketing

We send electronic direct marketing messages (e.g., by email, push notifications to mobile devices or SMS) to representatives of companies or other organizations about products and services related to their work duties or position within the organization. It is possible to opt out of marketing communications at any time, for example via the unsubscribe link included in marketing emails or by contacting HSL’s corporate customer service.

Personal data is primarily collected directly from the customer, and the collection takes place in connection with the adoption of, registration for and customer service related to the services specified in section 2.

Other regular sources of data for the HSL Corporate Customer Register include:

• Customer data updates from services that provide them: Personal data may also be collected, stored and updated from data controllers providing address, update or other such services.
• For school passes, the municipality or school issuing the passes discloses the personal data to HSL.

HSL applies the following principles to the storage period:

(a) Base account data will be stored for the duration of the customer relationship and after that, for as long as necessary to fulfill the rights and obligations of the parties.

(b) Service-specific data will be stored in accordance with service-specific principles.

In addition to the principles stated above, HSL will, as a rule, store personal data for a maximum of three (3) years, unless there are justified grounds for a longer storage period. The data on the recipients of school passes will be stored in the HSL Business Portal for a maximum of one (1) year.

Order, delivery, purchase and payment data will be stored for the period required by applicable legislation, i.e., as a rule, the storage period is in accordance with the Accounting Act (1336/1997).

Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.

HSL reviews the necessity of storing data annually and deletes data if there are no grounds for storing it. Additionally, HSL will take all reasonable measures to ensure that any data that is inaccurate, incorrect, or outdated for the purposes of processing, are promptly deleted or corrected.

HSL can use contract partners working on behalf of HSL for the technical, commercial or operational implementation of data-processing tasks, and can disclose personal data to them within the scope of such cooperation and subject to the data protection agreement.

When required, personal data contained in the data file will be disclosed to external persons or organizations as follows:

HSL may disclose customer data to authorities as permitted and required by legislation.

No personal data is transferred from the register to outside the European Union or the European Economic Area. HSL nevertheless reserves the opportunity to make such transfers to future business partners, subject to the statutory procedures applied to the countries in question.

Materials containing personal data are stored in locked premises, accessible only to designated individuals authorized due to their job responsibilities.

The database containing personal data is held on a server stored in locked premises, accessible only to designated individuals authorized due to their job responsibilities.  The server is protected by appropriate firewalls and technical safeguards.

The databases and systems are only accessible with individually assigned personal usernames and passwords. The controller has restricted access rights and authorizations to data systems and other storage platforms, so that only personnel required for the legal processing of the data can view and process it. In addition, all database and system transactions are registered in the controller's IT system log.

The controller's employees and other individuals are committed to confidentiality and to keeping any information obtained during the processing of personal data confidential.

The rights of data subjects under the EU's General Data Protection Regulation and instructions on how to exercise them are described on HSL’s website at https://www.hsl.fi/en/hsl/privacy-policy#rights-of-the-data-subject

HSL may make amendments to this Privacy Statement by announcing the changes on its website and/or by email.