HSL Corporate Customer Register Privacy Statement
Updated 13 September 2024
The name of the data file is HSL Corporate Customer Register (“Corporate Customer Register”) and its data subjects consist of contact persons of companies that use HSL's services (“Customers”). HSL processes the personal data of the employees and other beneficiaries of the corporate customer as described in HSL Customer Register Privacy Statement.
The controller of the data file is Helsinki Regional Transport Authority (hereinafter HSL), business ID 2274586-3.
Contact person for the data file:
Sales and Partnerships, B2B, Tapio Salomaa
Address: Opastinsilta 6 A, Helsinki, PO Box 100, FI-00077 HSL
Telephone (switchboard): +358 9 4766 4444
E-mail: etunimi.sukunimi@hsl.fi
HSL Data Protection Officer:
Antti-Pekka Röntynen.
Address: PO Box 100, FI-00077 HSL
Phone number (switchboard) +358 9 4766 4444
E-mail: tietosuojavastaava@hsl.fi
The purpose of processing the data in the HSL Corporate Customer Register is the provision of corporate services.
The HSL Corporate Customer Register consists of the following sub-registers for different services:
- Corporate Customer Register (CRM)
- Registered users of the Commuting Calculator
- Subscribers to the corporate newsletter and other marketing emails
- Purchase of HSL tickets for employees or other beneficiaries via the HSL online service
- Corporate customers of the city bike service
- Customers registered in corporate customer events
The purpose of processing the data in the HSL Corporate Customer Register is the provision of corporate services. This includes the following functions where personal data is processed:
- Service provision, including selling and/or use of commuter vouchers, fixed-term travel cards, multi-user travel cards, timetable displays and the Commuting Calculator, as well as the use of the HSL online service and city bikes.
- Account management such as customer service, agreement management, clearing up ambiguities and other use of personal data for administrative purposes.
- Customer communications such as newsletters and other marketing emails and related subscriptions.
The Corporate Customer Register consists of several types of personal data. More detailed information on the processing of personal data of HSL’s passenger customers is available at www.hsl.fi/en/privacy.
(a) We use the customer's base data such as the contact person’s or admin’s name, the company’s address, e-mail address, telephone number and customer identifiers such as the company’s business ID and customer number to identify customers and offer services to them through various media and modes of transport.
(b) Data related to the customer type such as customer group and category and various account, service use, order and service information.
(c) Purchase history by service.
(d) Information on content use and communications through the various channels, including the content, identification and technical data on phone calls, cookies and other communications channels.
(e) Payment data in various channels.
(f) Permissions, prohibitions and similar data.
(g) Data of employees, i.e. individual customers, of a company using the HSL online service, such as name, email address, home municipality, the date of registration for the service, date of purchase, product and zones, period of validity of the product and period of validity of the benefit.
The processing of personal data by HSL is always based on one of the following legal bases under Article 6 of the EU General Data Protection Regulation (GDPR, 2016/679).
(a) Processing is necessary for the execution of an agreement to which the data subject is party or for the implementation of preliminary measures for concluding an agreement at the request of the data subject (GDPR Art. 6.1(b):
- Service delivery to customers.
(b) The explicit consent of the data subject (that can be withdrawn at any time) ( GDPR Art. 6.1()a:
- Sending newsletters and marketing emails.
Personal data is primarily collected directly from the customer, and the collection takes place in connection with the adoption of, registration for and customer service related to the services specified in section 2.
Other regular sources of data for the HSL Corporate Customer Register include:
- Customer data updates from services that provide them: Personal data may also be collected, stored and updated from data controllers providing address, update or other such services.
HSL applies the following principles to the storage period:
(a) Base account data will be stored for the duration of the customer relationship and after that, for as long as necessary to fulfill the rights and obligations of the parties.
(b) Data specific to individual services will be stored in accordance with service-specific principles.
In addition to the principles stated above, HSL will, as a rule, store personal data for a maximum of three (3) years, unless there are justified grounds for a longer storage period.
HSL reviews the necessity of storing data on an annual basis and deletes data if there are no grounds for storing it.
In addition, HSL will implement all reasonable measures to ensure the immediate deletion or correction of data that is inaccurate, incorrect or obsolete for the purposes of the processing.
For the following services, also HSL’s subcontractor (Commuting Calculator) participates in the processing of the data
HSL can use contract partners working on behalf of HSL for the technical, commercial or operational implementation of data-processing tasks, and can disclose personal data to them within the scope of such cooperation and subject to the data protection agreement.
When required, personal data contained in the data file will be disclosed to external persons or organizations as follows:
(a) HSL may disclose personal data to its consulting partners (Commuting Calculator) for the purposes of service provision.
(b) HSL may disclose customer data to authorities as permitted and required by legislation.
No personal data is transferred from the register to outside the European Union or the European Economic Area. HSL nevertheless reserves the possibility to make such transfers to future business partners, subject to the statutory procedures applied to the countries in question.
Materials containing personal data will be stored in locked premises to which only designated and authorized persons in the performance of their duties will have access.
The database containing personal data is held on a server stored in locked premises to which only designated and authorized persons in the performance of their duties will have access. The server is protected with the appropriate firewall and technical safeguards.
The databases and systems are only accessible with individually assigned personal usernames and passwords. The controller has restricted the access rights and authorizations to data systems and other storage platforms, so that only the personnel required for the legal processing of the data is able to view and process it. In addition, all database and system transactions are registered in the controller's IT system log.
The controller's employees and other persons have undertaken to maintain professional secrecy and the confidentiality of the data they have obtained in connection with the processing of personal data.
The rights of data subjects under the EU's General Data Protection Regulation and instructions on how to exercise them are described on HSL’s website at https://www.hsl.fi/en/hsl/privacy-policy#rights-of-the-data-subject
HSL may make amendments to this Privacy Statement by announcing the changes on the HSL website and/or by email.