Privacy statement - Combined privacy policy and information document

Privacy statement for Alko customer register.

20 March 2019

Contact information of controller

Alko Oy
Arkadiankatu 2
P.O. Box 99, 00101 HELSINKI
Tel. +358 20 711 11
Fax +358 20 711 5386
Business ID: 1505551-4
Domicile: Helsinki

Contact person in matters related to the register

Alko Customer Service
Arkadiankatu 2
P.O. Box 99, 00101 HELSINKI
020 692 771 (local network rate)

Name of register

Alko customer register

Purposes for which personal data in the register is processed

The register is maintained on the basis of the customer relationship, the consent given by the Customer, the assignment the Customer has given to Alko, as well as the fulfilment of Alko's legal obligations.

Alko collects personal data in its customer register in accordance with legislation that binds Alko for the following purposes:

  • Identification of the Customer's identity and access management
  • Verification of the signing authority of business customers
  • Processing, delivery and archiving of orders and returns through the online shop and mobile app
  • Communication related to online store and mobile app orders, deliveries and returns, such as order and delivery confirmations
  • Ensuring the legitimacy of handovers
  • Customer relationship management and development
  • Measurement of customer satisfaction Customer satisfaction is measured to develop Alko’s customer experience and to ensure service quality.
  • Carrying out customer service tasks, processing customer feedback and developing customer service activities.
  • Hosting customer events organised by Alko
  • Fulfilling the obligations pursuant to the statutory and regulatory provisions concerning Alko, as well as the fulfilment of responsibility
  • Legitimacy of alcohol handovers, prevention and solving of misdemeanours, as well as ensuring the information security of the register
  • For use in the quality control and development of the online store,
    mobile app and Alko products
  • Statistical purposes
  • Communication with stakeholders

Data content of the register

Alko’s customer register contains the following information:

Customer information:

  • First and last name
  • Date of birth
  • Street address
  • Postcode
  • City
  • Email address
  • Telephone

Identification unique to the registered Customer:

  • Business ID (business customers)
  • Customer ID
  • Password

Order and payment transaction information:

  • Information regarding the Customer's orders and returns
  • Information on payment transactions performed by the Customer

Data collected when delivering orders:

  • First and last name
  • Business ID (business customers)
  • Information on the legitimacy of alcohol handover
  • Information related to alcohol sales supervision

Customership information:

  • Information necessary for implementing customer service
  • Customer product reviews and favourite products
  • Information provided by the Customer for measuring customer satisfaction
  • Personalising information provided by the Customer
  • Customer’s location data during online shop and mobile app orders, if consented to by the Customer
  • Customer’s location data during use of the mobile app, if consented to by the Customer
  • Purchasing restrictions set by the Customer
  • Customer feedback
  • Customer service contact history
  • Customer service chats
  • Customer service phone conversations

Regular sources of personal data

The Customer's personal data will mainly be collected from the Customer him- or herself when he or she is registered for the online store and mobile app or when using them. Private customers can order products from the online store without registering.

When ordering from the online store and mobile app, the identity and date of birth of a private customer are verified from the customer's bank through online bank credentials. For business customers, online bank credentials are used to verify, in addition to the information above, the business ID and signing authority from Suomen Asiakastieto Oy.

Personal data is also collected when the Customer conducts ordering and payment activities in the online shop and mobile app, as well as from the Customer him/herself when he/she collects or returns an order at an Alko store. If the order is made and collected by a different person, the personal data of the recipient will also be processed and stored, so that Alko can verify that the collection is legitimate. If the order is intended as a gift or is to be delivered by a different person, the contact information of said person will be stored upon order.

Personal data is obtained upon registration and payment transactions in customer events from customers and on participants entered by the customer upon registration.

Personal data is collected in connection with customer service communications.

Personal data is also collected from Posti, the Finnish national postal service. Business customers can choose business delivery as the delivery method, in which case Posti will collect personal data when delivering orders. Alko may request Posti to disclose such data.

Determination of the period of storage of personal data

The storage period is determined by the duration of the customer relationship or pending violations. The Customer's personal data will be stored until the Customer requests its removal from the register, unless legislation prevents the removal of such data.

Disclosure and transfer of personal data to third parties

The Customer's personal data may be transferred to third parties associated with the provision of the Alko online shop in conjunction with technical implementation, data processing, maintenance, customer service and the packaging and delivery of orders.

The Customer's personal data will not be disclosed for direct marketing purposes.

Transfer of personal data outside the EU or the European Economic Area

Alko will not transfer personal data outside the EU or European Economic Area. However, some of Alko’s partners who process personal data on behalf of Alko have stated that in certain situations they may transfer such data outside the EU or EEA. We have ensured that the level of information security is also protected in such situations by standard contractual clauses drafted by the EU or under data protection legislation. Our website and mobile app utilise tools whose service providers may be located outside the EU or EEA. An example of such a service provider is Google Analytics. If such tools are used, a sufficient level of protection will be ensured by securing data transfer with protective measures in accordance with data protection legislation.

Use of cookies

Under the Information Society Code (917/2014), the cookie files used on Alko Oy’s website are used in a manner that does not infringe the privacy of website users. Cookies are used, for example, for measurement and research purposes to determine the type and volume of use of the service and to develop websites. Cookies are also used for targeted communications. Website users may block the acceptance of cookies using their own internet browser settings, but this may cause reduced site functionality. Alko cannot guarantee the functionality of the site if cookies are disabled.

Register information security

All personal data is collected in online shop and mobile app databases that are secured by firewalls, passwords and other technical means. The physical databases are located in locked and controlled facilities. Access to personal data in the register is restricted within Alko's organisation to those who require access and to third parties who are involved in the provision of services as Alko's subcontractors. Login requires a personal username and password, which are granted and administered by Alko. Personal data will be transferred in encrypted form over the public network in the background systems of the online shop and mobile app. Persons processing personal data in the register are bound by a nondisclosure agreement.

Right to access data 

Data subjects have the right to access and review their personal data stored in the customer register. Requests for access must be made in writing, signed and delivered either via email to or in person at an Alko store. Proof of identity must be shown if delivered at an Alko store. The access request must include the data subject’s first and last name, personal identification number, address information and phone number. A reply to the request for access will be sent via email or mail.

Right to rectify inaccurate or outdated information

A registered Customer can edit his/her customer information by logging in to the online shop. Rectification of other personal data can also be requested by contacting In addition, data subjects have the right to request the erasure or partial erasure of their personal data, unless storage is required under legal obligations. Requests for the erasure of data may be addressed to

Right to transfer data between controllers

Insofar as data subjects have provided and consented to the processing of their personal data by Alko, they have the right to receive a copy of such data primarily in a machine-readable format and the right to transfer said data to another controller.

Right to file a complaint to supervisory authorities

Data subjects have the right to file a complaint to the competent supervisory authority if they find Alko to have acted in violation of the applicable legislation on data protection.