Data Protection Notice, K-Plussa customer register

This notice applies to personal data processing in the K-Plussa customer register

1. Controller
Kesko Corporation, Helsinki
Business ID 0109862-8
PO BOX 1, FI-00016 KESKO

With regard to this service, you can contact us

By email: tietosuoja.plussa@kesko.fi

By mail:
Data protection / K-Plussa customer register
Kesko Corporation / K-Plussa
FI-00016 KESKO

By phone:
K-Plussa customer service, tel. +358 10 19 8604
Mon-Fri 9-21, Sat 10-15
Calls in Finland are charged either the local network charge or mobile call charge

2. What data do we process?
In this register, we process personal data related to your K-Plussa customer relationship. We only collect data required at each given time. Thus the amount of data collected may vary. We process the following data:

Basic data on you and your customer relationship, including:

General information regarding your K-Plussa customer relationship, for example, data on whether you take part in K Group’s customer programmes or use K-Plussa and/or K Group apps and services.

Data on any bans you may have imposed on the processing of your data, for example:

Data related to the management of your customer relationship, for example, customer feedback, customer service phone recordings, information on marketing and customer service measures, ratings and free comments given in feedback surveys

Your consent to marketing communications sent by email or to a mobile phone

Data on marketing targeted at you

Data on your Plussa purchases, for example, data on purchases made by you with a Plussa card, at the level approved by you

Data related to your Plussa customer relationship or you as a person and your customer category or profile, for example, purchase behaviour category based on your purchases

3. For what purposes will your personal data be processed?
We process your data in order to manage the customer relationship, to calculate Plussa points and inform you of your Plussa points accrued, and to target Plussa benefits to the right person. This involves processing your basic information, customer identifiers and general information related to your customer relationship.
We also form customer categories based on your purchase data, which we use for marketing and service development purposes. The processing is required for the implementation of the Plussa agreement.

We process your data when you contact our customer service in order to ensure the quality of customer service, to respond to your feedback, for training purposes, and to ensure the legal protection of Kesko and the customer. We also collect your data in connection with various customer surveys, in order to be able to respond to you and develop our services. Your data may also be used for marketing purposes. Data related to various services such as sponsoring is processed to execute the service.
The processing is necessary on the grounds of our legitimate interests, that is, as part of our business operations, once we have determined that the processing does not infringe your personal data protection.
In our view, we have a legitimate interest in processing your personal data based on your customer relationship or customer contact, for us to be able to respond to you, offer you the services you want, develop our services, and offer you services we estimate you could likely be interested in.

You can give consent to electronic marketing in the K-Plussa customer register; we process the related personal data based on your consent.

We process data related to your purchases included in receipt materials in our accounting and bans imposed by you regarding the processing of your data in order to meet our statutory obligations.

4. Storage period
We store your personal data in our services as follows:

5. Right to withdraw consent
When the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. The processing of your personal data is based on your consent when you have given consent to electronic direct marketing. You can withdraw your consent for electronic direct marketing by using the link found at the bottom of each email marketing message.

You can also withdraw your consent at My Plussa by logging in at www.plussa.com, or by contacting the K-Plussa customer service by phone, tel. +358 10 19 8604 Mon-Fri 9-21 and Sat 10-15, (local network charge/mobile call charge in Finland), or by sending mail to the Kesko Corporation address given above.

6. What other rights do you have?

Checking the data
When you request access to your data, Kesko will inform you on whether it is processing personal data on you or not, and will provide you with a copy of the personal data being processed.

Correcting the data
You have the right to have incomplete personal data on you completed and inaccurate data corrected.

Removing the data
You have the right to request for your personal data to be removed from the register. Your data will be removed if there are no longer legal grounds for processing them.

Transferring the data
You have the right to obtain the personal data you yourself have provided to us in a machine-readable format and transmit the data from one system to another if the processing is based on consent or contract and if the processing is carried out by automated means.

Objecting the processing of the data
We may process your personal data on the basis of a legitimate interest as part of our business operations if we have determined that the processing does not infringe your personal data protection. In such cases, you have the right to object to the processing of your personal data for personal reasons.

You may also object to the processing of your personal data for direct marketing purposes at any time.

Restricting the processing of the data
You may have the right to restrict the processing of your personal data. Once the processing has been restricted, the controller as a rule will not process your data in any other way except for storing the data. This right exists, for example, if you contest the accuracy of your personal data, if the processing is unlawful, or if you have objected to the processing of your personal data and are waiting for a response to your request.

7. How do you exercise your rights?
Kesko has a data protection portal at www.kesko.fi/tietosuoja. In the portal, you can submit a request by strong identification using your online banking codes. We will primarily use the portal to answer requests received through the portal, unless you specifically request a different delivery method.

If you do not want to or cannot use the portal's services, you can also send a request to us with a personally signed letter to the above address. Mark the envelope with "data protection". We will respond to this type of request by letter. If the response contains your personal data, we will deliver the letter by personal registered post. Only the person marked as the recipient can acknowledge receipt of the letter. This allows us to ensure the correct recipient of the letter and the confidentiality of the data.

You may also be in contact via email or phone; the contact details can be found above under section ‘1. Controller’.

8. Information on recipients of personal data
Kesko as the controller will process personal data itself, but will also use various service providers. Kesko strives to use the best, reliable partners and is responsible for the actions of the service providers it has selected with regard to the processing of personal data. Such service providers may vary, but include:

Personal data is deemed to be transferred outside the EU/EEC in connection with the provision of information technology services when the information can be accessed from India. An agreement based on EU standard contractual clauses has been made with the service provider regarding the transfer. The standard contractual clauses can be viewed at http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=en.

Data from the register will be disclosed for marketing purposes to companies belonging to the Plussa programme, in accordance with the rules of the Plussa system.

The personal data of the card holder may also be disclosed from the register to the customer registers of companies belonging to the Plussa programme for register updates, unless the person has prohibited such disclosure.

If a person permits the disclosure of data in connection with adopting a service, data may be disclosed to the service provider in question (e.g. MobilePay).

Some authorities also have a legal right of access to the data, for example, the police, customs, border guard and tax authorities.

9. Appeal directions
If you consider that we do not process your personal data in accordance with the EU General Data Protection Regulation, you can file a complaint with the supervisory authority. In Finland, this authority is the Data Protection Ombudsman.

10. Necessary data for our services
For us to be able to offer you services under the K-Plussa customer programme, we must process necessary personal data, including information such as your name, contact details and year of birth.

You may choose yourself the level at which we record your purchase data. If you ban the collection of your purchase data completely, we cannot grant you points benefits based on your purchases, and you will only receive other benefits based on showing your card at checkout.

Electronic marketing consent is also not essential, but without your consent we cannot provide electronic, usually targeted direct marketing.

You may also impose a ban on profiling, in which case we cannot target the marketing communications sent to you. You will only receive general marketing communications, not information on products we deem you could be interested in based on profiling.

11. Information on automated decision-making, including profiling
Profiling means any form of processing of personal data consisting of the use of the data to evaluate certain aspects relating to your person. We profile customers e.g. for the purposes of marketing and the development of our services. However, in our view, this type of profiling does not produce legal effects as referred to in the regulation or other notable effects for the target of the profiling.

For example, based on purchase data, we categorise customers into different customer segments considered to be interested in certain types of products or services. 

12. Use of data for other purposes
We do not use data for purposes other than those stated in this document. If other needs arise later, we will inform you of those needs and of the grounds for processing. If necessary, we will request consent from you to process personal data for other purposes.

13. Data obtained from other sources than you
We update information regarding addresses and name changes and the death of customers from Posti Ltd’s address information system unless you have set a disclosure ban on the information. We also update statistical data regarding your area of residence in our register. We update information on bans on direct marketing from the Data & Marketing Association of Finland.

If you have chosen to add the K-Plussa feature to your bank card, we will obtain data on you from our partner bank and record that data. The banks and financial institutions that are Plussa partners will provide information on the fact that the K-Plussa feature has been added to payment card issued by them, the related Plussa card number, and any marketing permissions and contact details potentially related to your customer relationship.

14. Data protection officer
You can contact Kesko's data protection officer if your request concerns personal data processing or the exercise of your rights under the EU General Data Protection Regulation in the operations of Kesko or its subsidiaries.

You can contact Kesko Corporation's data protection officer by email at tietosuojavastaava@kesko.fi.