Privacy Notice
 

1. General

1.1 Edenred Finland Oy, Business ID 1057825-2 (“Delicard”) respects and cares about users’ personal integrity. We want users to feel safe when we process their personal data. By way of this privacy policy (“Privacy Policy”), we want to inform users about how we ensure that their personal data is processed in the right way.

1.2 To be able to provide user as a subscriber with our services, we must process personal data about user. This Privacy Policy applies to a user who:

  • Orders a gift card from our website,
  • Redeems an ordered gift card,
  • As a representative of a company orders gift cards over telephone or e-mail, and
  • Is acting as a contact person of a company that we consider to be a potential customer.

 

2. Data controller

Delicard is the data controller for the processing of users’ personal data and is responsible for ensuring that the processing is carried out in compliance with applicable law. Our contact details are on the last page of this Privacy Policy.

 

3. Our processing of users’ personal data

3.1 At Delicard, we process user’s personal data to provide user with the services we offer in the best way possible. We may process user’s personal data to:

  • Administer and carry out our obligations towards user and safeguard our legal interests,
  • Market our services and products, including customer adapted advertising,
  • Handle administration in connection with company takeovers, restructuring, etc. of Delicard,
  • Comply with our legal obligations and prevent and take measures against crimes, and
  • Conduct the “Passion for Customers Program” customer satisfaction survey; for more detailed information, please see the “Passion for Customers Program” Privacy Notice.

 

3.2 In the tables below, user is provided with more information regarding e.g. why we process user’s personal data, which personal data we store to achieve the purposes of the processing and for how long we store user’s personal data.

 

PURPOSE:
Administer and carry out our obligations towards user and safeguard our legal interests.

PERSONAL DATA:
Contact information such as name, address, email address and company.
Orders and payment information such as order history and payment information.
Login information such as email address and password.
Work-related information such as company name and registration number.

WHAT WE DO:
We process user’s personal data to be able to administer and provide them with our services, offer customer services and secure and facilitate delivery.
In case of a dispute regarding e.g. payment, we are entitled to process user’s personal data to establish, exercise or defend the legal claim.

LEGAL BASIS:
To execute a contract or perform any preceding tasks to execute a contract (applicable to private individuals ordering a gift card).

Legitimate interest, as we consider that our interests in managing and performing our duties and in safeguarding our legal interests override the interests related to user’s privacy. (Applicable to persons ordering a gift card as a representative of a company).

RETENTION PERIOD:
User’s personal data is kept during the entire contract period, i.e. until user’s order has been delivered and during the warranty period of 24 months and 12 months thereafter. In total user’s personal data is stored for a maximum of 36 months.

We may keep user’s personal data for a longer time period if necessary, to establish, exercise or defend a legal claim in case of a dispute regarding e.g. payment.

USER’S RIGHTS:
Users have the right to object to processing of their personal data based upon a legitimate interest as legal basis. Please see section 9 below if you want to read more about user’s rights.

PURPOSE:
Marketing of our services and products, including customer adapted advertising.

PERSONAL DATA:
Identification and contact information such as name, telephone number and email address.
Work-related professional information such as company name and role in the company.

WHAT WE DO:
We process user’s personal data within the scope of our B2B marketing. All personal data that we process is within the scope of user’s employment and key position in a company that is a present or potential customer of ours.

LEGAL BASIS:
Legitimate interest, as we assess that our interest in marketing our services and products overrides user’s interest in the protection of user’s privacy.

RETENTION PERIOD:
If user is a customer of ours: The personal data is stored and processed during the entire contract period, i.e. until user’s order has been delivered and during the warranty period of 24 months and 12 months thereafter. In total user’s personal data is stored for a maximum of 36 months.

If user is not yet a customer of ours: We have the right to store user’s personal data for the purpose of sending user marketing for a maximum of 12 months from the time we obtain user’s personal data. This is conditional upon user not having objected to our direct marketing communication. If user objects to the processing for this purpose, we will thereafter delete all of user’s personal data processed.

USER’S RIGHTS:
Users always have the right to demand that we stop using their personal data for direct marketing. Users have the right to object to processing of their personal data based upon a legitimate interest as legal basis. Please see section 9 if you want to read more about user’s rights.

PURPOSE:
Comply with our legal obligations and take measures against crimes.

PERSONAL DATA:
Invoice information such as name on invoice and transaction history.

WHAT WE DO:
We process user’s personal data to comply with our legal obligations under applicable law, e.g. legislation regarding accounting, audit and tax. We will also give out user’s information if we receive a request from a prosecutor or the police.

LEGAL BASIS:
Compliance with a legal obligation.

In case giving out user’s information is not directly based on our legal obligation, our legal basis is to fulfill our legitimate interests in order to prevent and take action against crimes.

RETENTION PERIOD:
User’s personal data is kept for as long as necessary to comply with the applicable legal obligation, e.g. 7 years according to the Accounting Act, counted from the close of the calendar year in which the financial year to which the information belongs ended.

USER’S RIGHTS:
Please see section 9 below.

 

4. Where we collect user’s personal data from

4.1 The personal data we process about user is obtained from different sources. User provides us with information such as their name, address, telephone number, email address and company name in connection with the registration of user account, when ordering our products and services and when user leaves instructions for the performance of our services. We may also acquire contact information, such as email addresses, from third parties for marketing our products and services to potential customers.

4.2 For the user (private person or a representative of a company) to be able to enter into an agreement with us and to enable us to provide user with our services, user must provide us with their personal data. If user does not provide us with their personal data, we unfortunately cannot enter into an agreement with user or provide our services.

 

5. Automated decision-making

We do not use any automated decision-making that would have any legal or otherwise similarly significant effects on user.

 

6. For how long do we keep user’s personal data?

6.1 We only keep user’s personal data for as long as necessary to achieve the purposes for which it was collected in accordance with this Privacy Policy. When we no longer need user’s personal data, we remove the data from our systems, databases and backups. In the tables above under section 3, user may read more about how long we keep user’s personal data for different purposes.

6.2 We may be required to keep user’s personal data for other reasons, such as to comply with legal obligations or to safeguard our legal interest, or for any other important public interest. The access to this personal data is restricted, so that only a limited number of persons are authorized to access the data.

 

7. With whom do we share user’s personal data?

7.1 Delicard may share user’s personal data with third parties such as our service providers and companies with which we cooperate to provide our services. We will therefore share user’s personal data with some of our service providers, such as IT vendors and the card vendor, in order to carry out our obligations to user or to assist user if user redeems a gift card. We may also in certain cases be required to share user’s personal data with public authorities or other third parties in connection with court proceedings, corporate acquisitions or similar reasons.

7.2 We never sell user’s personal data to any third party.

 

8. Where do we process your personal data?

Delicard only processes user’s personal data within the EU/EEA and does not share or facilitate access to user’s personal data with any operator outside of the EU/EEA.

 

9. Users’ rights

 

9.1 Our responsibility for user’s rights

9.1.1 Delicard is, in its capacity as data controller, responsible for ensuring that users’ personal data is processed in accordance with applicable law and that user’s rights have an impact on the processing. User may at any time contact us to exercise their rights. Our contact details are on the last page of this Privacy Policy.

9.1.2 Delicard is obliged to answer user’s request to exercise their rights within one month from our receipt of user’s request. If user’s request is complicated, or if we have received a large number of requests, we are entitled to extend our response period by two additional months. If we assess that we cannot perform the actions user has requested, we will within one month explain why and inform user about their right to lodge a complaint with the data protection authority.

9.1.3 All information and communication, and all actions we carry out, are at no cost for user. If the action user requests is manifestly unfounded or unreasonable, we are entitled either to charge user a reasonable administrative fee to provide user with the requested information or carry out the requested action, or to refuse to meet user’s request.

 

9.2 User’s right to access, rectification and erasure of personal data and restriction of processing

9.2.1 User has the right to request:

a) Access to their personal data. This means that user has the right to request an abstract from our data record regarding our use of user’s personal data. User also has the right to request a copy of the personal information being processed at no cost. However, we may charge user a reasonable administrative fee to provide user with additional copies of the personal data. If user makes their access request by electronic means such as email, we will provide user with the information in a commonly used electronic format.

b) Rectification of user’s personal data. We will at user’s request, or at our own initiative, rectify, anonymize, erase or complement personal data that user or we discover is inaccurate, incomplete or misleading. User also has the right to complement the personal data with additional data if relevant information is missing.

c) Erasure of user’s personal data. User has the right to request that we erase their personal data if we no longer have an acceptable reason for processing the data. Given this, erasure shall be made by us if:

  1. the personal data is no longer necessary for the purposes for which it was collected,
  2. user objects to the processing of their personal data based on their legitimate interest and there is no overriding legitimate ground for the processing,
  3. the personal data has not been lawfully processed,
  4. we are required to erase the personal data due to a legal obligation.

However, there might be requirements under applicable law, or other weighty reasons, which mean that we cannot immediately erase user’s personal data. In such a case, we will stop using user’s personal data for any reason other than to comply with the applicable law, or the relevant weighty reason.

d) Right to restrict processing: This means that we temporarily restrict the processing of user’s personal data. User has (from the 25th of May 2018) the right to request restriction of the processing when:

  1. user has requested rectification of their personal data in accordance with section 9.2.1 b) above during the time period we are verifying the accuracy of the data,
  2. the processing is unlawful, and user does not want the personal data to be erased,
  3. Delicard, in its capacity as data controller, no longer needs the personal data for the purposes for which it was processed, but user requires us to retain the information for the establishment, exercise or defense of legal claims, or
  4. user has objected to our legitimate interest for the processing in accordance with section 9.3 below during the time period we determine whether the legitimate interest overrides user’s privacy rights.

9.2.2 At Delicard, we will (from the 25th of May 2018) take all reasonable and possible actions to notify any recipients of user’s personal data as set out in section 7 above regarding any rectification, erasure or restrictions carried out by us. At user’s request, we will also inform them of which third parties we have shared user’s personal data with.

 

9.3 User’s right to object to the processing

9.3.1 User has the right to object to such processing of their personal data based upon our legitimate interest (please see section 3 above). If user objects to such processing, we will only continue with the processing if we have a compelling legitimate reason for the processing that outweighs user’s interest, rights or freedoms, or unless continued processing is necessary for the establishment, exercise or defense of a legal claim.

9.3.2 If user does not want Delicard to process their personal data for direct marketing, user always has the right to object to such processing by getting in touch with us. When we have received user’s objection, we will cease to process user’s personal data for this marketing purpose.

 

9.4 Your right to portability

User has the right to portability. This means that user has the right to receive certain of their personal data in a structured, commonly used and machine-readable format and has the right to transmit those data to another controller. User only has this right when their personal data is processed by automated means and our legal basis for the processing is performance of a contract between user and Delicard. This means e.g. that user has the right to receive and transfer all of the personal data that they have provided us with to create a user account at our web page.

 

9.5 User’s right to lodge a complaint with the data protection authority

User has the right to lodge complaints regarding our processing of their personal data with the data protection authority. The competent data protection authority in Finland is the Office of the Data Protection Ombudsman.

 

10. We protect user’s personal data

User shall always feel safe when providing us with their personal data. Therefore, Delicard has implemented appropriate security measures to protect user’s personal data against unauthorized access, alteration and erasure. In the case of a security breach that may significantly affect user or user’s personal data, e.g. when there is a risk of fraud or identity theft, we will contact user and inform them of what user can do to reduce this risk.

 

11. Amendments to this privacy policy

Delicard has the right to amend this Privacy Policy at any time. When we make any amendments that are not only linguistic or editorial, user will be provided with clear information about the amendments and what impact they will have on user before the amendments take effect.

 

12. Contact information

For any request relating to personal data, and in particular to exercise the rights referred to in art. 9 above, you may contact

Edenred Finland Oy Data Protection

Elimäenkatu 15

00510 Helsinki

dpo.finland@edenred.com

+358 (0)9 7594 2848.