Privacy policy
Updated on 3rd of July 2024
We collect our customers' personal data in order to provide smooth and effective transport services. Our customers include children and access to public transport is important for them. We hope that guardians will discuss the processing of personal data with their children, taking into account the child's age and level of development. We are happy to provide additional information and answer questions if something about personal data is still unclear.
For information on the collection and processing of personal data, please refer to our Customer Register Privacy Statement on this page, as well as the more detailed service-specific data protection information found in a separate section later on this page.
The privacy of our customers’ data is a top priority. We process the data carefully and securely and require the same of our subcontractors and partners.
HSL's data protection officer: tietosuojavastaava@hsl.fi
HSL Customer Register Privacy Statement
The controller of the data file is Helsinki Regional Transport Authority (hereinafter HSL).
Business ID: 22745863
Address: Opastinsilta 6 A, Helsinki, PO Box 100, 00077 HSL
Telephone: +358 9 4766 400 HSL Customer Service)
The name of the data file is the HSL Customer Register (“Customer Register”) and its data subjects consist of individuals who use HSL's services (“Customers”).
Contact person for the data file: Kristiina Bredenberg
HSL Data Protection Officer: Maria Puhtimäki (tietosuojavastaava(a)hsl.fi)
The HSL Customer Register consists of the user data from the following services:
- HSL card (travel card) and HSL card service
- Applications provided by HSL, such as the HSL app
- fi website and the services they provide
- City bikes
- HSL customer feedback through different channels
- HSL social media channels
- HSL communications
The processing of customer data requires that the customer starts using the above service(s) and that their customer data is registered when they start using the service(s). In addition, the Customer Register data is collected when a penalty fare is issued. HSL’s various services are partly based on the same technical systems and base data, and customer data is shared by different services in this respect. Other service-specific data can also be interconnected for purposes such as carrying out travel surveys and targeting communications.
HSL arranges public transport in accordance with the Act on Cooperation Between Municipalities in the Helsinki Metropolitan Area in Waste Management and Public Transport (829/2009). The purpose of processing personal data is carrying out the tasks of the joint local authority and the provision of transport services to customers. This includes the following functions where personal data is processed:
- Service provision including the sale, use and validation of tickets and inspection of the right to travel
- Account management, such as customer service, agreement management, clarifying ambiguities
- Customer communications, such as disruption alerts, information messages and newsletters and related subscriptions
- Marketing communications for those who have given consent
- Other tasks related to the provision of public transport as defined in the charter in accordance with the Local Government Act (410/2015) that require the processing of municipality of residence data, such as determining the municipal shares in ticket revenue and operating expenses, verifying the right to a tariff subsidy, and statistical purposes.
- Development of services including load studies, the analysis of total trips and trip chains, the development of the transport system, routes and route networks, and development of digital services.
Where possible, municipality of residence data and data related to the development of services will be processed in such a way that individuals cannot be identified.
The Customer Register consists of several types of personal data. Below is a list of the types of customers’ personal data that HSL mainly collects and processes. More detailed information on the data processed in individual services is available in the service-specific privacy notices and in the services.
Personal data:
- Customer’s name
- Contact details, such as postal address, email address ja phone number
- Date of birth
- Personal identity code
- Home municipality
- Information on a potential on-disclosure order
- Service language
- Identification information, such as standard data content obtained from strong electronic identification from the Digital and Population Data Services Agency or a username and password set by the customer
- Entitlement to a companion
- Authorization information
- Student enrollment information and consequent information on current student status
- Customer group and various account, transaction, subscription and service information.
- Travel card identification data such as card number.
- Purchase history by service.
- Payment data in different channels (such as the HSL app, contactless payment, resale points, ticket machines and HSL service points.
- Information on content use and communications in different channels, including information on content, identification and technical aspects regarding phone calls, cookies and other communication channels, as well as social media channels such as Facebook, Instagram, LinkedIn and Twitter.
- The route, stop, location and area selections saved by the customer
- Boarding data, i.e. information on ticket validation or getting on board a vehicle
- Location and travel data (including terminal device location), which is only collected subject to the customer’s explicit consent
- Information related to penalty fares: details of the person charged with the penalty fare, and the date, time and route on which the penalty fare was issued
- City bike use data: information that the individual is currently using a bike (collection time) and use history of the bike including the station of origin and destination, time and date, distance travelled in kilometers.
- Customer feedback information, such as texts, images and the contact details of the person providing feedback
- Information on customer communities and surveys
- Permissions, prohibitions and similar data.
HSL may use the data collected on customers for profiling purposes. Profiling is used for service development, targeting communications, and targeting marketing activities such as special offers to customers.
In this context, profiling refers to defining a customer’s customer segment based on, for example, which HSL’s products they have purchased or which surveys they have taken.
The data created by profiling is not disclosed to third parties outside the service chain without the customer's explicit consent. Direct marketing is also always based on the customer's prior consent, which can be withdrawn at any time.
The customer may request to view their information related to profiling, object to profiling, or request the removal of their customer data. Read more under “Rights of the data subject”.
HSL performs automatic decision-making when verifying the discount entitlement when issuing student-price mobile tickets. Information about student status is generated from the information retrieved from the Finnish National Agency for Education information service based on an automated reasoning that is based on predefined algorithms, and the result of this reasoning is stored in the HSL account as “student”, “not student” or “no permission granted to view this information”. Customers can manage their data transfer permissions through the service of the Finnish National Agency for Education.
The processing of personal data by HSL is always based on one of the following legal bases under Article 6 of the EU General Data Protection Regulation (GDPR, 2016/679).
Agreement: The processing of personal data is necessary for the performance of an agreement to which the data subject is party or for the implementation of pre-agreement measures at the request of the data subject (GDPR Article 6(1)(b)). The following are contractual:
- Delivery of services to the customer
- Installation and use of HSL’s applications
- Registration and use of digital services provided through a web browser (e.g. HSL account)
Consent: The data subject has given their unambiguous consent to the processing of personal data (GDPR Article 6(1)(a)). The following are based on consent:
- Direct marketing
- Processing of location and travel data
- Cookies (excluding cookies necessary for the operation of the services)
Legal obligation: The processing of personal data is necessary for the controller to comply with a legal obligation (GDPR Article 6(1)(c)). The following are based on legal obligation:
- Planning of the transport system and public transport
- Public transport penalty fares
- Processing customer data for accounting purposes
Public interest or official authority: Public interest or exercise of the official authority vested in the controller requires the processing of personal data. (GDPR Article 6(1)(e)). This concerns:
- Studies produced by HSL
- Development of HSL’s services
Legitimate interest: The processing of personal data is necessary for the legitimate interests of the controller or a third party, and the interests or rights of the data subject do not override those interests. (GDPR Article 6(1)(f)).
- Customer communications
- Profiling
- Cookies necessary for the operation of the service)
Personal data is primarily collected directly from the customer in connection with the adoption and use of services referred to in section 2, as well as in connection with customer service and issuing a penalty fare.
Other regular sources of data for the HSL Customer Register include:
- Identification and authentication services provided by third parties, such as the Digital and Population Services Agency’s identification service via Suomi.fi, and the study and degree information disclosure service maintained by the Finnish National Agency for Education.
- Customer data updates from services that provide them: Personal data may also be collected, stored and updated from data controllers providing address, update or other such services, as well as from services providing information on residential areas and customer accounts.
- The services themselves that have collected information on actual use.
- Telephone operators regarding tickets ordered with mobile devices, e.g. telephones
- MaaS operators that provide mobility services in connection with ticket purchases and acting on behalf of other persons
The data collected in the data file will be stored for only as long and only to the extent necessary in relation to the original purposes for which the personal data was collected, as described in Section 3. Personal data stored in the register will be deleted when there are no longer legal grounds for their processing. In addition, HSL will implement all reasonable measures to ensure the immediate deletion or correction of data that is inaccurate, incorrect or obsolete for the purposes of the processing.
Customer data will be stored for the duration of the customer relationship and thereafter for as long as is necessary to fulfill the rights and obligations of the parties. As a rule, this means the data is stored for three (3) years after the end of the customer relationship. The storage period is based on the Consumer Protection Act (38/1978) and the Act on the Statute of Limitations on Debt (728/2003).
Order, delivery, purchase and payment information will be stored for the period required by applicable legislation, i.e. as a rule, the storage period is in accordance with the Accounting Act (1336/1997).
Boarding data is identified by travel card number, which will be stored in the boarding data for the time required for ticket validation and other measures essential to the public transport system. During the storage period, individual HSL employees cannot view both the customer’s boarding data and customer data. After the storage period, the boarding data is pseudonymized by replacing the travel card number with a random identifier and making the data on age, customer group and municipality of residence more general. Pseudonymized boarding data is needed for determining the municipal contributions of the joint local authority, as well as for transport planning and research.
The penalty fare data is stored in the data file for the period required by the Accounting Act (1336/1997) and the regulations and recommendations of the Association of Finnish Local and Regional Authorities, i.e. the current calendar year and the following six (6) calendar years. At the end of the storage period, the data is destroyed.
Requests relating to the exercise of the rights of data subjects shall be kept for two years. If strong authentication is not completed or the request has not been completed, the pending request will be removed after 30 days.
More detailed information on the data processed in individual services and their storage periods is available in the service-specific privacy notices.
When required, personal data contained in the data file will be disclosed to external persons or organizations as follows:
- To payment service partners to deliver the service
- For city bikes, to Helsinki City Transport and the cities of Espoo and Vantaa, which are joint controllers of the city bike register
- Information required for an authorization to act on another person’s behalf for the authorized party
- The feedback received by HSL will be forwarded to the parties responsible for making corrections related to the feedback. Depending on the feedback, such a party may be, for example, a contract operator, a service provider for city bikes, the service provider for the HSL app, some resale points, or a contract partner for lost property services.
- Within the limits allowed and obligated by the current legislation
- For the purpose of conducting surveys or studies on behalf of HSL
Personal data contained in the data file will not be transferred to countries outside the European Union or the European Economic Area. HSL reserves the right to such transfers in accordance with the requirements of the data protection legislation in force at the time, for the transfer of data under appropriate safeguards.
The information security of the HSL Customer Register and confidentiality of personal data will be ensured by appropriate technical and administrative measures in accordance with good data processing practice.
Databases and their backups are located on locked premises. The data in the register is protected against unauthorized viewing, modification and destruction. Security is based on physical access control, personal user IDs, and limiting access rights. Only those employees whose duties involve processing customer data are authorized to use the system containing customer data. The systems also collect log information about user actions.
HSL's system suppliers are obliged, through contracts and the information security and data protection requirements contained therein, to implement adequate safeguards to protect customers' personal data. HSL’s employees, contractors’ employees and system suppliers have undertaken to maintain absolute professional secrecy and the confidentiality of the data they obtain in connection with the processing of personal data.
HSL regularly audits the functional capabilities of systems and performs data security risk assessments.
Data subjects have rights to their personal data, which are determined by the legal basis for processing the data. More information on data subjects’ rights and their implementation is available on our website.
The rights of the data subject are based on the EU General Data Protection Regulation (2016/679).
HSL's privacy policy is part of the services provided by HSL and of the terms of agreement between the customer and HSL. HSL may make amendments to this Privacy Statement by announcing the changes through application notifications, announcements published on websites, by e-mail or by notifications provided at service points or in connection with updates.
Service-specific privacy notices
Service-specific information supplementing the HSL Customer Register Privacy Statement.
Updated on 3 July 2024
Recording of customer calls
1 What data is processed and why?
The main purposes of the use of customer’s data are described in the HSL Customer Register Privacy Statement.
Your phone calls to out customer services will be automatically recorded. Your phone number is also automatically stored, unless it is ex-directory.
The recordings of customer calls are used for verifying service transactions, improving service quality, HSL’s internal training purposes as well as for ensuring your and HSL’s legal protection.
In order to assess the quality of the service, we will send a survey to a selected group of customers via SMS. The customers’ phone numbers used in connection with the surveys will not be stored for future purposes.
Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement.
Only designated persons, whose task is to maintain the system used to manage customer calls, have access to the recordings of customer calls.
All your data is processed as confidential and your data is only disclosed to persons who need the data to perform their duties and who are bound by professional secrecy and confidentiality.
2 How long is my data stored?
The recordings are stored for six months, after which they are automatically destroyed.
Authentication
1. What data is processed in the service and why?
Our customer service can send the customer a link by SMS in order to transfer the customer’s strong authentication data (name and ID number) to customer service. Strong authentication enables customer service situations in our telephone service in which the identity of the customer must be verified.
2. How long is my data stored?
Data delivered by means of strong authentication will not be stored. Such data is destroyed automatically and can only be viewed temporarily by our customer advisor during the customer service situation in question.
Updated 3 July 2024
You will receive communications from us if you have provided your email address in one of our services (e.g. hsl.fi, HSL app or HSL card service) or if you use the HSL app and have enabled notifications.
We communicate to our customers via email and notifications on the HSL app. We provide customers with information about HSL area public transport, transport plans, changes to services and other topical issues. In addition, we may send invitations to customer surveys and interviews conducted to improve our services.
You can choose what information you receive from us and how. You can edit your selections in the setting of the HSL app or in the My information section at hsl.fi. You need to log in using your HSL account to edit your settings. In addition, all email messages we send you include a link which you can use to unsubscribe from email messages.
Some information is considered essential for the benefit of customers and critical communications related to HSL’s duty to provide public transport services cannot be prohibited. This includes email notices about significant changes to HSL’s services (pricing, terms and conditions, etc.) as well as major disruptions to public transport such as strikes.
In addition to general customer communications, we send service-specific messages via email as well as notifications via the HSL app. These include, for example, reminders of the expiry of tickets as well as HSL card value balance reminders. You can manage the settings for service-specific messages in the settings of each service.
1 What data is processed in the service and why?
We process your email address and/or your phone number for the purposes of identifying and reaching you. Our right to process customer data as well as our right or obligation to send customer communications are based on customer relationship. If you have also given your consent to direct marketing, our right to process your customer data for marketing purposes and to send you marketing messages is based on your consent.
We will process other customer data than your email address and phone number to send you customized messages.
The data we process includes:
- First and last name
- Email address
- Phone number
- Postcode (retrieved from the population information system or provided by you)
- A specified character string that acts as an identifier in different systems
- Language for emails
- Language used in the HSL app
- HSL app technical identifier
- Consent to direct marketing from customers aged over 15 years
- Email and app notifications settings
- Favorite routes and stops stored in HSL’s services
- HSL app ticket purchases
- Reception and opening of emails and HSL appnotifications and of the links included
2 How long is my data stored?
The data storage time is in accordance with the storage times set out in our Privacy Statement. Read more in HSL’s Privacy Statement and service-specific privacy notices.
3 Who processes the data?
The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data processing tasks, and can disclose personal data to them where necessary to perform the tasks. All persons processing personal data are bound by professional secrecy and confidentiality.
4 How can I access my data?
You can check and manage your data as well as your communications settings in the HSL app settings as well as in the My information section at hsl.fi when you log in using your HSL account.
For more information about the exercise of the rights of data subjects, see Privacy > Rights of data subjects.
Updated 2 March 2022
1 What data is processed in the service and why?
The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.
If you would like a response to your feedback or you are logged in with your HSL account when submitting feedback, we will process your name and contact details. If you are logged in when submitting your feedback, we will process: your name, email, phone number and HSL account. If you are not logged in and would like a response to your feedback, we will process: your name, email address and phone number, if provided. You can provide additional information in the free text field.
In case of refund requests, you are also asked to provide, for example, your HSL card number, mobile ticket phone number, street address or PO Box, postcode, personal identity code and bank account number. Refund request forms are filled in at a service point or by HSL’s telephone customer service. In case of a strike, a printable refund request form will be available online at hsl.fi.
Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement.
2 How long is my data stored?
Data included in feedback will be stored for three years. In the case of refunds, personal data will be stored for the the current calendar year and the following six (6) calendar years.
3 Who processes the data?
The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. All persons processing personal data are bound by professional secrecy and confidentiality. Feedback is passed on as relevant. For example, feedback on driver performance is passed on the the relevant bus operator.
4 How can I access my data?
For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.
Updated 3 July 2024
1 What data is processed in the service and why?
The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.
When you start using the app, you are asked to provide the following information:
- Are you over 15 years of age.
- If you are over 15, we ask for your place of residence (postcode, postcode district, or you can tick the option “I live abroad”). The information is used to provide you with more detailed up-to-date information about the use of public transport. The domicile information derived from the place of residence is also needed for the purposes of dividing public transport costs between HSL’s member municipalities.
- If you are under 15, you will be asked your date of birth.
- All customers are asked for location and notification permission. Location permission enables better user experience, for example, by facilitating the use of the Journey Planner. The notification permission allows us to send you reminders about the approaching expiry of your tickets and to provide you with information about extensive disruptions affecting your travel.
- If you are aged 15 or over, we will ask for your consent to collect and use travel data. You can read more about the collection and use of travel data below in section 1.2 “Collection of travel data in the HSL app” and in section 1.3 “Connecting travel data to your HSL account”, as well as in the questions and answers section of this privacy page under “How is the travel data collected via the HSL app stored”.
When buying a ticket, you are asked to provide the following information:
- Your name. The information is used, for example, for communications.
- Phone number. Your phone number is processed for ordering and delivering the ticket and for checking the validity of your ticket.
- If you are aged 15 or over, we will ask for your email address. The information is used, for example for communications.
- If you are aged 15 or over, we will ask for your consent to send you direct marketing by email or SMS.
- If you buy a season ticket, you will be asked to enter a password to create an HSL account. An HSL account provides you easy access to your tickets and your payment card details even if you lose or change your phone.
- If you buy single and day tickets, you can create an HSL account if you want by entering a password. An HSL account provides you easy access to your receipts and your payment card details even if you lose or change your phone. If you are under 15, you will also be asked for your email address.
- If you already have an HSL account, you can log in with your HSL account and we won’t ask your phone number, email address or consent for direct marketing.
- If you are buying a season ticket, you need to strongly authenticate for the purposes of establishing the price subsidy based on the municipality of residence. If you have already authenticated for another service and you log in using your HSL account, you will not need to strongly authenticate again.
- If you choose card payment, your card details, i.e. card number and expiry date, will be transmitted over a secure encrypted connection and stored in a secure PCI DSS compliant environment in the card payment service provider’s database. Only the four last digits of the card number will be stored in HSL’s data systems. You can remove the card details at any time in the application settings.
- Other payment methods: we use third parties to process payments and they may ask additional information when processing information related to the payment method. The payment information is only processed by the third party and HSL will not store the information.
In addition, in connection with ticket purchase:
- The data stored for you includes data about the tickets you order, the application version and potential discount entitlement.
- When you buy a student season ticket, we save your student discount entitlement.
Other:
Information about the services you use via your HSL account is connected to your data. These services include, for example, the HSL.fi service.
If you log in using your HSL account and authenticate strongly, your personal identity code, name, address information and potential non-disclosure order will be saved and automatically updated from the population information system of the Digital and Population Data Services Agency.
Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement. HSL also processes the data to perform its basic tasks. Direct marketing, use of location information, notifications and collection and use of travel data are based on your consent.
1.1 Surveys conducted via the HSL app
HSL conducts various surveys and questionnaires based on your use of HSL’s services. If you have enabled invitations to surveys and questionnaires in the notification settings of the app, we will send you invitations to participate in online surveys and questionnaires, as appropriate. You can participate in surveys and questionnaires by clicking on the invitation to participate. The invitations also provide you with more detailed information about the survey or questionnaire in question and the type of study.
Completing questionnaires and surveys is completely voluntary. You can turn invitations to surveys and questionnaires on or off at any time by changing the notification setting available in the HSL app settings under “Notifications and email”.
If you have both enabled the abovementioned notifications and given your consent to the collection of your travel data (see section 1.2 “Collection of travel data in the HSL app” below), you may receive invitations to surveys and questionnaires when travelling in areas relevant to them.
In addition to the actual survey data and potential travel data, we also ask for and store, as appropriate, background information needed for grouping*. We will use this data both for the survey in question and for any subsequent surveys and studies and their analysis.
We will store the data from surveys and questionnaires in the HSL data warehouse for a period specified in the plan of each survey (see section 2 “How long is my data stored” below).
*Background information include aspects affecting mobility such as gender, area of residence, ticket type and validity area, possession of a driver’s license and ownership of a car.
1.2 Collection of travel data in the HSL app
The following description applies to the HSL app from version 4.9.0 onwards. The description applying to the previous app version is available here.
We collect travel data via the HSL app to develop public transport and the transport system comprising all modes of transport as well as the related services within the 15 Helsinki region municipalities*.
The collection of travel data is based on your consent, which you can give and withdraw at any time by changing the settings in the HSL app under Travel data. When you give your consent to the collection of your travel data on the HSL app, the HSL app starts tracking your activity and saving data on your travel chains in the HSL data warehouse. If you withdraw your consent to the collection of travel data, the collection will be terminated and the data on your phone that has not yet been sent to HSL’s data warehouse will be deleted. The travel data stored in the HSL data warehouse will be stored until the end of the specified storage period (see section 2 “How long is my data stored” below).
Collection of travel data is completely voluntary. We will not ask for or try to find out your identity when collecting travel data. We will not link the travel data with your customer profile unless you have given your consent to connecting your travel data to your HSL account on the HSL app (see section 1.3 “Connecting travel data to your HSL account” below).
We will also combine travel data with other spatial data available to us, as appropriate. We process all accumulated individual-level data in accordance with our Privacy Policy**.
For more information about the travel data collected, see the Questions & Answers on this page.
*Helsinki, Espoo, Vantaa, Kauniainen, Kirkkonummi, Siuntio, Vihti, Nurmijärvi, Kerava, Tuusula, Järvenpää, Hyvinkää, Mäntsälä, Sipoo and Pornainen.
**see HSL’s Data Protection Policy
1.3 Connecting travel data to your HSL account
Connecting travel data to your HSL account requires your explicit consent in addition to the consent to the collection of travel data. You can give and withdraw your consent at any time by changing the settings in the HSL app under Travel data. We will not connect the travel data and data collected in the surveys and questionnaires to your customer profile unless you have given your consent to connecting your travel to your HSL account on the HSL app.
From the moment the connection to your HSL account is established, the travel data collected by the HSL app is your personal travel data. This allows you to request access to your travel data and allows your data to be deleted from HSL’s data warehouse, which cannot otherwise be done.
When you connect your travel data to your HSL account on the HSL app, you can use in-app services based on your travel data. If, in addition to connecting your travel data to your HSL account, you also use one or more travel data-based services via the HSL app, HSL may use your travel data together with other information about you not only to improve your mobility options, but also for more targeted research and development of the entire transport system and its services.
If you withdraw your consent to connect your travel data to your HSL account, the connection will be disconnected for all devices on which you are logged in to the same HSL account. After this, requests to access travel data and requests to erase travel data can no longer be executed, and the connection to the previously collected travel data cannot be restored. If you give a new consent, the connection of data only applies to the data collected after the consent has been given.
2 How long is my data stored?
Customer data will be stored for the duration of the customer relationship and thereafter for as long as is necessary to fulfill the rights and obligations of the parties. You are deemed to have terminated the use of the app and your service-specific information will be removed if you have not updated your information for several years, have not logged in using your HSL account and you have not had a valid mobile ticket purchased using the app for several years.
Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.
We will store the data received through survey invitations in the HSL data warehouse for a period specified in the plan of each survey. The storage periods vary from a few months to several years depending on whether the survey in question is a small-scale, individual study or a longer-term pre–post study or a follow-up study. We will keep the responses to the surveys linked to the related travel data as long as the travel data is stored in the data warehouse. After this, only information on the situation to which the survey related will be retained in the survey data.
The travel data is stored in the HSL data warehouse for 28 calendar months. If you have given your explicit consent to connecting your travel data to your HSL account, you can withdraw your consent at any time, after which your travel and survey data can no longer be linked back to you. At the end of this period, the data for the earliest month stored in the data warehouse will be merged into a larger data package.
We store both the travel data and survey and research data in a decentralized way in a data system managed by HSL, which is located on Microsoft servers in the Netherlands. We manage access rights to the data through HSL access control.
Removing the app from your device will not remove the data stored in HSL’s background systems.
3 Who processes the data?
The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. Processors of personal data are bound by professional secrecy and confidentiality.
Payment service partners, including phone operators, are responsible for ticket invoicing.
If necessary, survey, research and travel data sets collected through the app may be disclosed to service providers acting on behalf of HSL, such as IT companies involved in the processing of data. In individual cases, we may disclose data to the Helsinki region and HSL area municipalities, State transport authorities, research institutions and universities as well as to operators in the transport sector for the purposes of statistical, scientific or historic studies relating to traffic and Helsinki region residents’ travel habits, as well as for planning and studies by authorities.
In such cases, appropriate agreements will be entered into between HSL and the recipient of the data to ensure data protection requirements and appropriate processing of the data.
4 How can I access my data?
You can access and update your information in the HSL app settings. You can update your location and notification permissions in the application settings as well as on your device settings.
For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.
Date of compilation 25 May 2018, updated 3 July 2024
1 What data is processed in the service and why?
The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.
When you create an HSL account in the HSL.fi service, you are asked to provide the following information:
- Your name. The information is used, for example, for communications.
- Phone number. The information is used, for example, for communications.
- Email address. The information is used, for example, for communications.
- Your age: are you over 15 years of age
- If you are aged 15 or over, we will ask for your consent to send you direct marketing by email or SMS.
- If you are under 15, you will be asked your date of birth.
- Password. The information is used for logging in to services.
When you log in to HSL.fi using your HSL account, you can update your information and settings in the My information section.
Information about the services you use via your HSL account is connected to your data. These services include, for example, the HSL app and city bikes.
If you log in using your HSL account and authenticate strongly, your personal identity code, name, address information and potential non-disclosure order will be saved and automatically updated from the population information system of the Digital and Population Data Services Agency.
Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement. Direct marketing is based on your consent.
2 How long is my data stored?
Customer data will be stored for the duration of the customer relationship and thereafter for as long as is necessary to fulfill the rights and obligations of the parties. Your service-specific information will be removed if you have not logged in to a service using your HSL account for several years.
You can submit a request for erasure of data at our service point. You need to present an identification document. The contact details of our customer service points are available on our website. Your account will be erased from the system after three years.
Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.
3 Who processes the data?
The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. All persons processing personal data are bound by professional secrecy and confidentiality.
4 How can I access my data?
You can review and update your information in the My information section of the HSL.fi service by logging in using your HSL account.
For more information about the exercise of the rights of data subjects, see Privacy > Rights of data subjects.
Date of compilation 24 May 2018, updated 3 July 2024
1 What data is processed in the services and why?
The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.
Customer data is collected on individual customers and corporate customers to manage customer relations and to perform the service.
The data includes:
- first name, last name and address (street address, postcode, town/city, home municipality) obtained from the population information system,
- customer’s other address information (street address, postcode, city/town, country),
- invoicing address (street address, postcode, city/town, country),
- phone number,
- email address,
- personal identity code,
- potential non-disclosure order, and
- customer group,
- language,
- consent to direct marketing,
- authorization information,
- “Entitled to a companion” data item,
- refund information, and
- date of death.
The name and address information is automatically updated with information obtained from the population information system of the Digital and Population Data Services Agency.
Personal identity code is used to verify the right to buy a personal HSL card, to store personal data on a multi-user HSL card, as well as to verify the customer’s identity.
In case of corporate customers, business ID serves as identifying information.
Basic HSL card data includes:
- HSL card number,
- card type (personal or multi-user),
- issue time of the card,
- HSL card pricing factors (customer group and home municipality),
- language,
- HSL card status information, e.g. card cancellation information or information about a lost and found card; and
- value and season ticket information.
HSL card transaction data includes:
- value and season ticket purchases,
- loading transactions, and
- value transactions.
HSL card activity data includes:
- validation data from onboard card readers (boarding data).
HSL card history data is collected in the backend system to safeguard your rights as well as for the purposes of reconciliation and reporting of sales data and for verifying the accuracy and integrity of transactions on the system level as well as for each individual HSL card. In addition, the data is needed to determine the municipal contributions of HSL’s member municipalities and for public transport planning.
The following data is processed in the HSL card service:
- Your HSL account which you use to log in to the service
- Your email address for the purposes of sending email reminders and receipts
- The card numbers of HSL cards that you have added in the service as well as their names
- In connection with strong authentication (optional), identifier retrieved from HSL’s ticketing and information system as well as the card numbers of personal HSL cards and their names
- Notification settings you have added in the services (season ticket and value reminder on / off)
- Value and season ticket purchases made via the service
- Information about email reminders that the service has sent you
The data is processed on the basis of an agreement between the customer and HSL. Your use of HSL’s services constitutes your acceptance of this agreement. HSL also processes the data to perform its basic tasks. Direct marketing is based on your consent.
2 How long is my data stored?
Customer data will be stored for the duration of the customer relationship and thereafter for as long as is necessary to fulfill the rights and obligations of the parties.
Service-specific data about your HSL card will be deleted when the HSL card service in its current form has terminated. HSL will notify customers of the change, of switching to an account-based ticketing system and of the deletion of the data in good time before the changes take effect.
The HSL card number will be stored in the boarding data for the time required to validate tickets and perform other functions essential to the public transport system. Boarding data will be stored in pseudonymized form without the card number for as long as is necessary for the purposes of public transport cost allocation between municipalities, transport planning and research.
Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.
3 Who processes the data?
The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. The persons processing the data are bound by professional secrecy and confidentiality.
HSL can disclose customer data to authorities as permitted and required by legislation.
4 How can I access my data?
You can review your HSL card information by logging in to the HSL card service.
You can also use the My Travel Card app available for Android and Windows phones.
You can check the information of tickets on your HSL card as well as your value balance on a card reader, at a ticket machine or at HSL card sales and service points.
HSL card customer information and card information related to purchase and sales transactions are available as printouts from HSL service points. Please bring with you a valid ID document. You do not need to have your HSL card with you.
For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.
Updated 3 July 2024
1 What data is processed in the service and why?
The purpose of the processing of personal data is the management of penalty fare notices and collection of payments as well as the development of the controller’s operations.
Under Section 8 of the Act on Penalty Fares in Public Transport (469/1979, a passenger who fails to produce an appropriate ticket must, at an inspector’s request, provide the following personal details to the inspector: their name, personal identity code and address.
The data file contains the following personal data of data subjects:
- The name, personal identity code and address of the person charged with the penalty fare
- Date, time and route on which the penalty fare was issued
- Reason for the penalty fare
- Method of verifying the personal data (driver’s license, passport, etc.)
- First and last name of the ticket inspector who issued the penalty fare
- Incident report
- Information about the payment of the penalty fare (original amount, cancelled/paid/unpaid)
- Number of unpaid penalty fares
- Information about penalty fare enforcement
- Settlements received through enforcement (money/impediment), transfer notices and notices of filing
- Date of the District Court decision on the commencement of debt settlement
- Information about a rectification claim made against the penalty fare and information about the decision concerning the claim
- Information about an appeal lodged in the Administrative Court of Helsinki: (date of the request for information by the Administrative Court and date of the court ruling, retention/repeal of the penalty fare)
- Information about interfering with the inspector
- Information about ticket abuse
- Date of criminal complaint and compensation paid
According to the HSL Public Transport Conditions of Carriage and Ticket Terms and Conditions, a holder of a personal season ticket must, if asked by an inspector, show a reliable proof of their identity. If the passenger does not have an identity document in the event of a ticket inspection, they will be asked to enter their personal identity code, name and address on a personal data form in order to avoid ambiguity and protect the customer’s privacy. The ticket inspector will then check the personal data in the Population Information System.
The personal data forms are intended for HSL’s internal use and are not, in principle, given to passengers. If a penalty fare is issued, the data will be registered in the penalty fare system and the form is archived. The form will be stored until the penalty fare process is completed. If a penalty fare is not issued, the data will not be registered anywhere; the ticket inspector will securely destroy the personal data form immediately upon arrival at HSL’s premises.
2 How long is my data stored?
The data shall be stored for the current calendar year and the following six (6) calendar years. The retention period is based on Chapter 2, Section 10(2) of the Accounting Act (1336/1997), as the data in question is included ihe subledger subject to the said Act and the storage period provided for therein. Therefore, the data may not be removed from the register before the expiry of the retention period.
3 Who processes the data?
The data is processed by persons who have access to the data to perform their work tasks. Processors of personal data are bound by professional secrecy and confidentiality.
4 How can I access my data?
For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.
Updated 3 July 2024
1 What data is processed in the service and why?
The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.
The data is used to improve HSL’s services and to provide better customer service, for example, by guiding customers to the right product. Bots may be used to gauge awareness of a product or service in order to better design marketing. In addition, personal data is collected for the purposes of prize draws, prize delivery and targeted marketing.
If you provide your contact details to participate in a prize draw or competition, or if you indicate on the form that you wish to be contacted, your responses can be linked to you. Your personal data is processed based on your consent. If you give your consent to direct marketing via a bot, we may target advertising to you.
The data stored includes data collected via the bot such as
• First name, last name, email address, phone number
• Address
• Date of birth or age category (e.g. 31–40 years)
• Profile (e.g. how you perceive yourself as a public transport user)
• Opinions and data related to user experiences (e.g. experiences of using the website; on what topics would you have liked to have more information; or, e.g. “In my opinion, route number 500 would have been better for the light rail line”)
• Quiz answers (e.g. How many metro stations are there along the light rail line)
• Other open-ended responses and feedback
2 How long is my data stored?
All data collected via a bot will be stored for 13 months.
3 Who processes the data?
The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data processing tasks, and can disclose personal data to them where necessary to perform the tasks. Processors of personal data are bound by professional secrecy and confidentiality.
General analyses of the responses may be made to create proposals of measures to improve services.
4 Rights of the data subject
Withdrawal of consent
You can withdraw any consent to receive marketing communications you have given when taking a quiz or in other similar situations directly on each marketing platform, for example, by blocking advertisements in Meta (Facebook, Instagram), or via the link at the bottom of the marketing email.
For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.
HSL Mobile ticket app
Date of compilation: 24 May 2018, updated 3 July 2024
1 What data is processed in the service and why?
Asiakkaan tietojen yleisiä käyttötarkoituksia on kuvattu HSL:n asiakasrekisterin tietosuojaselosteessa.
Sovelluksen käyttöönoton yhteydessä sinulta kysytään:
- Puhelinnumero ja kotikunta. Puhelinnumeroa käsitellään lipun tilausta ja toimittamista sekä lipun voimassaolon tarkastamista varten. Kotikuntatieto tarvitaan joukkoliikenteen kulujen kuntajakoa varten HSL-kuntayhtymän jäsenkuntien välillä.
- Oletko alle 18-vuotias ja onko sinulla huoltajan suostumus käyttää palvelua.
- Jos olet yli 18-vuotias, sinulta kysytään nimi- ja yhteystiedot (etunimi, sukunimi, postinumero ja sähköpostiosoite). Tietoja hyödynnetään esimerkiksi asiointi- ja viestintätilanteissa.
- Jos olet yli 18-vuotias, voit antaa suoramarkkinointiluvan.
- Maksutapa (korttimaksu tai mobiilimaksu). Mikäli valitset maksutavaksesi korttimaksun, maksupalveluun tallennettavia tietoja ovat maksukortin numero ja viimeinen voimassaolopäivä. Korttitiedot siirretään salatun verkkoyhteyden avulla ja tallennetaan suojatussa PCI DSS –sertifioidussa ympäristössä. Mobiilimaksun osalta operaattori veloittaa liput puhelinlaskulla.
Tietojesi yhteyteen tallentuu tietoja mm. tilatuista lipuista ja sovellusversiosta.
Tietoja käsitellään HSL:n ja sinun välisen sopimuksen perusteella. Sopimus syntyy, kun käytät HSL:n palveluita. HSL käsittelee tietoja myös perustehtäviensä toteuttamiseksi. Suoramarkkinointilupa perustuu antamaasi suostumukseen.
2. Kuinka kauan tietoja säilytetään?
Kirjanpidon kannalta tarpeellisia osto-, myynti-, tilaus-, laskutus- ja maksutietoja säilytetään enintään 10 vuoden ajan.
3. Ketkä käsittelevät tietoja?
Tietoja käsittelevät henkilöt, jotka työtehtäviensä takia tarvitsevat pääsyn tietoihin. HSL käyttää tietojen käsittelyssä sopimuskumppaneita, joille siirretään tehtävien kannalta tarpeellisia tietoja. Henkilötietojen käsittelijät ovat salassapito- ja vaitiolovelvollisia.
Maksupalvelukumppanit ml. puhelinoperaattorit vastaavat lipun laskutuksesta.
4. Miten voin tarkastaa tietoni?
Lisätietoa rekisteröidyn oikeuksien toteuttamisesta HSL:n verkkosivuilla kohdassa Tietosuoja > Rekisteröidyn oikeudet
HSL Mobile ticket
Date of compilation: 24 May 2018
1 What data is processed in the service and why?
The main purposes of the use of customer’s data are described in the HSL Customer Register Privacy Statement.
Your phone number is processed for ordering and delivering tickets and for checking the validity of your ticket. Your phone operator is responsible for ticket invoicing.
Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement.
2 How long is my data stored?
Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.
3 Who processes the data?
The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data processing tasks, and can disclose personal data to them where necessary to perform the tasks. The persons processing personal data are bound by professional secrecy and confidentiality.
Your phone operator is responsible for ticket invoicing.
4 How can I access my data?
You get information about the SMS tickets invoiced from your phone operator.
Verkkokauppa
Laatimispäivä 26.11.2018
1. Mitä tietojani palvelussa käsitellään ja miksi?
Asiakkaan tietojen yleisiä käyttötarkoituksia on kuvattu HSL:n asiakasrekisterin tietosuojaselosteessa.
Verkkokaupassa tietojasi käsitellään tilauksen käsittelemistä ja toimittamista varten. Toimitusehtojen mukaisesti verkkokaupasta voivat tehdä ostoksia vain 15 vuotta täyttäneet henkilöt.
Verkkokaupassa annat tilaajan nimen ja yhteystiedot (etunimi, sukunimi, osoite, postinumero, kaupunki, puhelin, sähköpostiosoite). Tarvittaessa voit antaa toimitustiedot erikseen (etunimi, sukunimi, osoite, postinumero, kaupunki, puhelin).
Henkilökohtaisen HSL-kortin tilauksen yhteydessä tunnistaudut vahvasti verkkopankkitunnuksilla, mobiilivarmenteella tai varmennekortilla. Väestörekisterikeskuksesta saatavan henkilötunnuksen avulla tarkistetaan tietosi, koska sinulla voi olla vain yksi henkilökohtainen HSL-kortti.
Tietoja käsitellään HSL:n ja sinun välisen sopimuksen perusteella. Sopimus syntyy, kun käytät HSL:n palveluita.
2. Kuinka kauan tietoja säilytetään?
Kirjanpidon kannalta tarpeellisia osto-, myynti-, tilaus-, laskutus- ja maksutietoja säilytetään enintään 10 vuoden ajan. Henkilötunnusta säilytetään enintään 2 viikkoa.
3. Ketkä käsittelevät tietoja?
Tietoja käsittelevät henkilöt, jotka työtehtäviensä takia tarvitsevat pääsyn tietoihin. HSL käyttää tietojen käsittelyssä sopimuskumppaneita, joille siirretään tehtävien kannalta tarpeellisia tietoja. Henkilötietojen käsittelijät ovat salassapito- ja vaitiolovelvollisia. Maksamisen osalta tietoja välitetään maksupalvelukumppanille ja tilausten toimituksen osalta varastointi- ja logistiikkakumppanille.
4. Miten voin tarkastaa tietoni?
Lisätietoa rekisteröidyn oikeuksien toteuttamisesta HSL:n verkkosivuilla kohdassa Tietosuoja > Rekisteröidyn oikeudet.
Corporate Customer Register Privacy Statement
Functional cookies
Functional cookies improve the usability of the website by remembering choices the user makes in relation to the layout and functionality of the site. However, functional cookies are not necessary for the website to function.
Rights of the data subject
Updated 3 July 2024
The HSL Customer Register Privacy Statement and service-specific privacy notices describe what data is processed in different services and for what purposes as well as outline the data storage principles.
HSL’s customers have the right to know what personal data about them is collected.
You can view and update your service-specific data in the following HSL’s mobile and online services:
- HSL app (settings)
- fi (HSL account) (My information)
- City bike service (front page, HSL account users)
- HSL card service (HSL card information, hsl.fi/kortti) and My Travel Card app for Android and Windows devices
HSL card customer information and card information related to purchase and sales transactions are available as printouts from HSL service points by presenting a valid identification document. You do not need to have your HSL card with you.
You can read more about the data provided on request below in “Submitting a request to exercise data subject rights to us”.
You can submit a request for erasure of data at our service point. You need to present an identification document. The contact details of our customer service points are available on our website.
You can make a request to delete your personal data to us also by filling out and sending an electronic form.
If you do not have the opportunity to make a strong electronic authentication, you can direct the request to the address tietosuojavastaava@hsl.fi
Please note that as long as you use our services, we cannot remove your data from our travel-related system. Our system obtains up-to-date home municipality and address information from the Digital and Population Data Services Agency. Address information is checked when a ticket is loaded so that we can sell you or a MaaS operator a discount-rate ticket, as residents of HSL member municipalities get tickets at a different price than non-residents. Residency is verified on the basis of home municipality and address information. However, if you are no longer using our services, we will remove your data as per your request.
We cannot remove your data from our Penalty Fare Register because the register is part of our accounting.
We will inform the recipients to whom personal data has been disclosed about any rectification, erasure or restriction of the processing of personal data, unless this proves to be impossible or involves a disproportionate effort.
You can edit your HSL account personal data by logging in to the service. In addition, you have the right to demand HSL to correct inaccurate and incorrect personal data about you without undue delay. You have the right to have incomplete personal data completed by providing a supplementary statement to HSL.
You have the right to restrict the processing of your personal data if you contest the accuracy of your personal data. In such cases, the processing shall be restricted for a period enabling us to verify the accuracy of the personal data. The restriction of the processing of personal data means, for example, restricting the personnel’s right to process your personal data. HSL has the right to store the data whose processing has been restricted by the customer.
You have the right to object to the processing of your personal data and not to be subject to a decision based solely on automated processing, such as profiling, and which produces legal effects concerning you or similarly significantly affects you. The right to object to the processing of personal data shall not apply to data files of public bodies maintained on legal basis.
You have the right to object to the processing of your personal data for profiling.
You have the right to receive the personal data about you, which you have provided to us in a structured, commonly used and machine-readable format and to transmit this data to another data controller, where the processing is based on consent or an agreement and the data is stored electronically.
Where a personal data breach is likely to result in a high risk to the rights and freedoms of customers, we must notify customers of the data breach without undue delay.
The notification shall contain:
- A description of the data breach
- The name and contact details of HSL’s Data Protection Officer from whom more information can be obtained
- A description of the likely consequences to the customer
- A description of the measures we propose to take or have already taken to mitigate the possible adverse effects.
You have the right to file a complaint with a supervisory authority if you consider there has been a breach in the processing of your personal data.
Supervisory authority: Office of the Data Protection Ombudsman, switchboard: +358 29 566 6700, email: tietosuoja@om.fi
You can submit a request to review you data using this form or at our service point. If you use the online form, you must authenticate strongly. The person who authenticates must be the same person whose data you request to be reviewed. If you submit the request to review your data at our service point, you need to present an official identification document. The contact details of service points are available on our website at https://www.hsl.fi/en/customer-service.
If you do not have the opportunity to make a strong electronic authentication, you can direct the request to the address tietosuojavastaava@hsl.fi
We will process your request as soon as possible and respond within 30 days of receiving the request. The time may be extended by a maximum of two months where necessary, taking into account the complexity and number of the requests. We will inform you of any delay in the delivery of the data and the reasons for it within one month of receiving the request.
The implementation of the access/erasure request must not have a detrimental effect on the rights and freedoms of other customers or data subjects. Consequently, we cannot, on a customer’s or data subject’s request, provide or erase data where we cannot fully ensure that the person who has provided the data and the person making the request are the same.
You have the right to obtain a copy of the personal data being processed free of charge. If you request more than one copy, we will charge a reasonable fee corresponding to the administrative costs of fulfilling the request. We can provide data from the following services:
- HSL card (personal travel cards)
- HSL app (buyers of mobile season tickets, purchases made through strong authentication)
- fi (HSL account) (strongly authenticated)
In addition, we can provide data subjects with data from the penalty fare register.
Requests relating to the exercise of the rights of data subjects shall be kept for two years. If strong authentication is not completed or the request has not been completed, the pending request will be removed after 30 days.
Questions and answers
Updated 3 July 2024
We collect basic information about our customers including, for example, name and address, as well as information needed to provide and develop services.
The HSL Customer Register Privacy Statement and service-specific privacy notices describe what data is processed in different services.
We primarily collect information directly from customers when they register for or use a service. We also collet information from other sources such as the population information system of the Digital and Population Data Services Agency.
We collect personal data about our customers to provide our customers with transport services.
The storage period depends on the service used, and it is always based on the legal basis for processing.
Your personal data is processed by HSL’ employees whose duties involve processing of such data, as well as by service providers who provide services for HSL.
We will only disclose personal data to third parties when obliged by law or if explicit consent has been given to do so.
Personal data is protected by technical (e.g. storage in locked premises, use of firewalls) and organizational (e.g. restricted access and non-disclosure agreements) measures.
We will ensure that any data that is subject to a non-disclosure order obtained from the population information system is not disclosed or made available to any third party unless otherwise provided by law. The data may only be processed by designated persons whose duties directly involve processing of such data.
Our websites use cookies. Cookies are small text files, which are stored on a user’s computer. They enable the user to save their service login information, for example. The cookies enhance the user experience and help us to improve our services. You can change your browser settings to enable or disable cookies or block them altogether. However, disabling cookies may affect your ability to access and use certain features of the services.
We use the common target groups provided by advertisement media (such as news sites, social media and Google services) to target ads. The target groups are based on information provided by the users or on classifications made based on browser use. The information used include, for example, age, gender, areas of interest and location. In addition, we use cookies to target ads to web browsers used to visit our services.
On Meta's, Google's, Alma Media's and Sanoma’s ad networks, we use customized target groups created by identifying those customers who also use Meta's services or have a Google, Alma or Sanoma Account. We do not receive any information on what identifiers are included in the final target group, and Meta, Google, Alma Media and Sanoma, on the other hand, are not aware of the identity behind the identifier or why HSL wants to target advertising to them. Meta, Google, Alma Media and Sanoma are committed to using the target group only for HSL’s marketing.
As to fan and community pages on Facebook and Instagram, Meta Platforms Ireland Limited and HSL are join controllers, where applicable.
The HSL Customer Register Privacy Statement and terms governing the processing of personal data specified in each service are applied when you use HSL’s mobile services. These terms are stated and you must agree to them when signing in to a service.
We use your device location information if you are using HSL’s mobile services, have agreed to the use of location information and if you have enabled location services in your device settings.
Before the first ticket purchase, you log in using your strongly authenticated HSL account and give your authorization. If you do not have a strongly authenticated HSL account, you can create an account and/or perform strong authentication of your HSL account and then give your authorization. Your authorization allows the MaaS operator to buy personal HSL mobile tickets on your behalf.
The authorization is valid for 12 months from the latest ticket purchase requiring the operator to act on your behalf, unless you withdraw it. HSL will forward your authorization and the data required for purchasing tickets, in encrypted form, to the Maas operator authorized to act on your behalf. In addition to your authorization, your home municipality will be stored in HSL’s customer register for the purposes of public transport cost allocation between municipalities.
In order to authorize a MaaS operator to buy personal tickets on your behalf, you need to have a strongly authenticated HSL account. You can also set up the account when making the authorization. Ending the use of the MaaS service will not terminate your customer relationship with HSL. You can read more about the HSL account and terminating your account under the service-specific privacy notices (HSL account) at hsl.fi/privacy.
We use your phone number for the purposes of processing your order, delivering your ticket, checking the validity of your ticket and for solving any problems you may experience.
We collect and save
- travel routes,
- times of the different parts of your journey,
- modes of transport used on different parts of the journey, and
- any HSL Bluetooth beacons detected.
We interpret the information using the location data of your smartphone or smart device and the data collected by motion detectors. In addition, we use data from Bluetooth beacons located in public transport vehicles and at stations and stops, as well as information about the location of HSL’s public transport vehicles along their routes.
We store the travel data and data from surveys and questionnaires in the following way:
- For the time being, we only save and use travel data for journeys made within the 15 municipalities* of the Helsinki region.
- Once you have enabled the collection of your travel and location data on the HSL app, we will collect your travel data regardless of whether you use public transport for your journey or not.
- We use random identifiers generated by smartphones or devices and the back-end system as identifiers. We will link data obtained from the same HSL app using these identifiers.
- When you travel by public transport services or in their immediate vicinity, we save your route in detail. For the other parts of the journey, only information about the areas where you travel is saved. The start and end times of the journey are rounded to the nearest 15 minutes, but the times of any changes in the mode of transport observed during the journey are not rounded.
- We use the 250-meter YKR grid** to indicate the locations. If the journey starts or ends in a grid cell with only a small number of residents, the first or last cells of the travel chain are not saved to ensure that the journeys of individuals residing in the areas covered by individual cells would not stand out among other journeys.
- After the storage period, we will merge the travel data into larger sets, for example, by deleting the random identifiers, combining the journey observations in the data set and by averaging them, and by using larger grid cells in sparsely populated areas. After the merging of data, we will destroy the individual-level data for the month in question and store the merged data in the HSL data warehouse for long-term reviews and studies.
- We do not intend to collect travel data of children aged under 15. Children aged under 15 are excluded from the data collection based on the age customers have provided on the HSL app.
*Helsinki, Espoo, Vantaa, Kauniainen, Kirkkonummi, Siuntio, Vihti, Nurmijärvi, Kerava, Tuusula, Järvenpää, Hyvinkää, Mäntsälä, Sipoo and Pornainen.
**YKR = Yhdyskuntarakenteen seurantajärjestelmä (Monitoring System of Spatial Structure and Urban Form; the website is in Finnish)
We may change our privacy policy information if need be. We will inform our customers of any changes on our website.
We process personal data in compliance with the EU's General Data Protection Regulation (2016/679), national legislation on personal data protection and other applicable special provisions and applicable general legislation such as the Local Government Act, Administrative Procedure Act and Act on the Openness of Government Activities.
You can contact HSL customer service on +358 9 4766 4000 (Mon-Fri 7am-7pm, Sat-Sun 9am-5pm).
In addition, HSL has a Data Protection Officer whom you can contact at tietosuojavastaava@hsl.fi.
Need more information?
You can contact HSL customer service on +358 9 4766 4000 (Mon-Fri 7am-7pm, Sat-Sun 9am-5pm). In addition, HSL has a Data Protection Officer whom you can contact at tietosuojavastaava@hsl.fi.