Combined Register Description and Information Document in accordance with Sections 10 and 24 of the Personal Data Act (523/1999) and Articles 12 and 13 of the EU General Data Protection Regulation (679/2016).
This privacy statement describes Book Salon Oy's processing of personal data. The subject of the processing is our clients' information in the Book Salon applications and on the booksalon.fi website.
The statement reviews:
- Contact details of the controller and contact details of the data protection officer
- What information do we collect and for what purpose?
- What rights does the data subject have and how can they be exercised?
- For what purpose do we use the data and on what basis do we process it?
- How long do we keep the information?
- Recipients of data and transfers of data to third countries
- What are the risks associated with data processing and how do we protect the data?
Contact details of the controller and the data protection officer
Book Salon Oy
Business ID 2786121-4
Data Protection Officer: Jonne Castrén
Book Salon Oy
℅ Data Protection Officer
What information do we collect and for what purpose?
We only collect information from our users that is necessary for the operation and development of the service:
- Information related to identification and authentication, communication and implementation of the service: name and e-mail address. Under no circumstances do we store passwords in a readable form.
- Facebook information accepted by the user in connection with Facebook authentication.
- In connection with Google authentication, an identifier that connects the client to their Google Account.
- Purchase history of registered users (receipts). We retain receipts as required by the Accounting Act and use the information anonymously to profile purchasing behavior.
- Information related to email and chat customer service that we retain to improve customer service.
Personal information we collect directly from the data subject
We mainly collect the above information directly from the registrant themselves when registering, logging in, using the service, adding a payment card, making a purchase or requesting customer service. This information is used either to communicate with the customer or to provide or produce services for the customer.
Personal information we collect from third parties
We only collect information from third parties in connection with Facebook authentication. In this context, we store the user's email address and Facebook ID.
What rights does the data subject have and how can they be exercised?
The data subject has rights regarding the personal data held by Book Salon Oy. The data subject’s rights are as follows:
Right of access to personal data
The data subject has the right to access the personal data we hold. However, access to information may need to be restricted for reasons of law and the protection of the privacy of others.
Right to rectify data
The data subject has the right to request the correction of incorrect or incomplete information.
Right to delete data
The data subject has the right to request the deletion of their data. Data can be deleted, for example, in the following cases:
- The data subject withdraws their consent and there are no other grounds for processing
- The data subject objects to the processing of the data and there are no other grounds for continuing the processing
Right to restrict processing
The data subject has the right to restrict the processing of their personal data.
Right of objection
The data subject has the right to object to the processing of their data.
Right to data portability
The data subject has the right to receive the personal data provided in a machine-readable form. The right applies to personal data that have been processed automatically on the basis of a contract or consent.
Right to withdraw consent
The data subject has the right to withdraw their consent at any time without prejudice to the lawfulness of the processing carried out before the withdrawal, if the processing is based on consent. Withdrawal of consent may affect our ability to provide services.
Right to lodge a complaint with the supervisory authority
The data subject also has the right to lodge a complaint with the supervisory authority if they suspect that their personal data is being used improperly or unlawfully.
Exercising these rights
To exercise the data subject's rights, please contact Book Salon Oy's data protection officer. Access to stored personal information is also possible through our website and our iOS and Android applications.
Data Protection Officer:
Book Salon Oy
℅ Data Protection Officer
For what purpose do we use the data and on what basis do we process it?
Book Salon Oy processes personal data in order to fulfill its legal and contractual obligations. The legal bases for our processing are:
Implementation of the agreement
In addition to the agreements, our operations are subject to legal obligations under which we process personal information. Examples of these are accounting legislation and legislation on payment intermediation.
In order to develop our website, we collect analytical information about the use of the website based on consent. You give your consent by accepting cookies when you visit the site.
How long do we keep the information?
Personal information is retained only for the duration of the contractual relationship, unless otherwise required by law, such as the Accounting Act. For example, purchase transactions are retained for the period required by the Accounting Act, but the information is anonymized at the end of the contractual relationship.
We retain anonymous visitor analytics information for the website only for as long as it is necessary for monitoring and developing marketing and customer service.
Recipients of data and transfers of data to third countries
The data is processed by Book Salon Oy's employees in accordance with the valid Personal Data Act. Book Salon Oy reserves the right to partially outsource the processing of personal data to a third party, such as service providers, in which case we guarantee through contractual arrangements that personal data will be processed in accordance with the Personal Data Act and otherwise properly.
Purchase transaction data may be transferred to our payment service providers' systems for billing purposes. In other respects, the information will not be combined with other registers and will not be disclosed to third parties unless required by law (including the Accounting Act).
What are the risks associated with data processing and how do we protect the data?
The biggest risk associated with user data in connection with the system is that the personal data and purchase history accumulated in the system fall into the wrong hands, for example in connection with a data breach. If this unlikely risk materializes, the data can be used to determine a user's buying behavior, infer their location on the days of the transaction, and send spam.
Large-scale data leaks will always be reported to the contractor (contact person), regardless of whether the matter is subject to notification or not.
The goal of Book Salon Oy's security measures is to secure the availability of information and information systems, ensure their confidentiality, ensure the integrity of information and minimize the damage caused by possible deviations. Protective measures are based on a risk assessment of the operation and are proportionate to the management of the protected object and the risks to it.
Measures to ensure information security and data protection are:
Measures to increase the availability and usability of information aim to ensure that relevant information is available when needed. Such measures include ensuring the functioning of the systems, backups, deputy staff schemes and the proper archiving of information.
The integrity of the data is ensured through system audits and controls. The purpose of security measures and guidelines is to prevent errors and negligence in the processing of data.
The confidentiality of the information is ensured by organizational and technical means. Organizational means include, for example, non-disclosure agreements, defined business processes, guidelines and staff training. Technical means include, for example, virus and malware filtering, encryption of communications, strong identification, security and encryption of the data network and terminals, locking and surveillance of premises, and the use of a specialized partner for the destruction of paper material.
Last updated: 1.10.2021