Privacy policy: Customer register

Privacy statement for Alko customer register.

8 May 2020

Contents:

Introduction.
1. The use and processing of personal data.
2. Sensitive data: Alko does not process any sensitive personal data relating to its customers.
3. Data disclosure and transfer.
4. Data security.
5. Access to information and exercising your rights.
6. Data retention.
7. Use of cookies.
8. Amendments to this privacy policy.
9. Controller and contact details.

Introduction

Alko Oy (Alko) is committed to protecting your privacy and processing your personal data transparently and in accordance with current legislation and best practices. This privacy policy covers the processing of personal data that Alko undertakes in order to enable commerce, provide customer service, collect customer feedback, and organise customer events. It applies to the personal details of consumers, corporate customers, and registered users of the Alko.fi website.

This privacy policy details exactly how Alko is committed to collecting, processing and protecting your personal data during and after your customer relationship with us.

Below you will find more detailed definitions of the concepts we have used in this privacy policy.

“Personal data”
Personal data means all the identified and identifiable data relating to a person. For example, name, social security number, location data, network identification information, and address details.

“Processing personal data”  
Processing personal data means all of the information processing operations that are targeted at personal data, either automatic or manual. Examples of processing personal data include collecting, saving, storing, editing, altering, removing or deleting data.

“Data subject”                   
The identified or identifiable natural person whose data is being processed. For example, a customer or employee.

“Controller” 
A natural person, legal person, authority, agency or other body that, either together or with another party, defines the purposes and methods for processing personal data.

1. The use and processing of personal data

Personal data may be processed on the basis of your personal consent, an agreement you make with Alko, our statutory obligations, or a legitimate interest associated with our operations. We collect and process personal data only to the extent that is required for you to use Alko’s services for the following purposes:

Contractual obligations

  • Placing an order in the online shop for either yourself or as a gift, either independently or assisted by an employee at an Alko store or pick-up point; and also collecting orders from a store or pick-up point
  • Processing complaints and product returns
  • Communicating with customers with regard to orders
  • Handling purchase ban agreements
  • Organising customer events

Statutory obligations

  • Fulfilling the obligations pursuant to the statutory and regulatory provisions governing Alko, as well as the fulfilment of responsibility
  • Ensuring the legitimacy of alcohol handovers, and preventing and investigating any misdemeanours and problematic situations

Data subject’s consent

  • Sending the newsletter to a subscriber

Legitimate interest*

  • Registering and creating customer accounts for the online shop or mobile app
  • Processing customer surveys and feedback, including answering customer queries, solving problems, correcting errors, and investigating disturbances and threats
  • Measuring customer satisfaction and enhancing our customer experience to develop customer service staff’s competence and guarantee high-quality service
  • Quality control and assurance for Alko products
  • Developing the online shop and mobile app
  • Analysing use of the online shop
  • Processing the contact details of the contact person for a purchase ban agreement
  • Analysing and keeping statistics on customer service events
  • Processing court-ordered distraint measures

Personal data is primarily collected directly from you. For example, when you place an order in our online shop, seek the assistance of sales staff in our stores, or contact our customer service centre. When you shop in our online shop, we will verify your identity and age using strong electronic identification.  We will check with Suomen Asiakastieto Oy to verify the signatory rights of corporate customer representatives.

The reason why we are processing personal data will define what information we collect at any given time and for what purpose. We will only process the following personal details about you on the legal grounds specified below:

  • Order information: name, telephone number and email address; order date, delivery address and delivery time; content of the order, payment method, gift recipient (if applicable), and any message relating to the order
  • Data processed when handing over orders: handover date, type of ID shown, and a record that ID has been shown
  • Data relating to online shop registration: name, telephone number and email address; reviews, lists, notes, reminders and stores; newsletter subscription (yes/no); chat conversations and order history. For corporate customers, we also collect: company name and business ID, license to dispense alcohol, and the names and roles of other users related to the corporate account.
  • Data relating to returns and complaints: Name, order number, products returned, reason for complaint, and date of return.
  • Data relating to customer service, quality assurance and service development: date of contact, content of the conversation, description of the issue (if applicable), technical details and IP address of the device used
  • Data relating to organising customer events: name, telephone number and email address; event location (municipality)
  • Analysing use of the online shop: browsing history in the online shop, purchase history, location data.
  • Data relating to sending newsletters: email address, newsletter subscription (yes/no)
  • Data relating to purchase ban agreement: customer’s name, postal and email address, telephone number, customer’s photograph provided by the customer of taken from the store’s surveillance camera, purchase ban details, name and contact information of the contact person or the legal guardian.

* “Legitimate interest” refers to data processing that forms an essential aspect of the controller’s business and that the customer can reasonably assume to be part of the controller’s operations. The controller often has to process personal data in order to carry out business-related tasks. In this context, the processing of personal data cannot necessarily be justified on the basis of a statutory obligation or contractual grounds. However, the processing of personal data can be justified on the basis of ‘legitimate interest’. Before personal data is processed on the basis of legitimate interest, the controller must always ensure that conducting business in accordance with this legitimate interest will not seriously violate the data subject’s rights and freedoms.

2. Sensitive data

Certain categories of personal data are classified as “sensitive personal data”. Sensitive personal data will reveal personal characteristics such as race or ethnic origin, political opinions, religious or philosophical beliefs, union membership, genetic or biometric data, or information about a natural person’s health, sexual behaviour or sexual orientation.

Alko does not process any sensitive personal data relating to its customers.

3. Data disclosure and transfer

Alko is committed to protecting the confidentiality of your personal data, and we will only disclose your data to specific partners when necessary, for example, in order to process payments and deliver orders.

When processing the data we have collected, we also use subcontractors and service providers to assist us in areas such as technical system maintenance and customer service. These partners have the right to process your personal data only to the extent that is necessary in order to provide the services in question. This means that they cannot use your data for their own purposes. Our contractual terms and conditions require our partners to comply with data processing legislation and ensure adequate data security.

Your personal data will not be disclosed to any parties outside the European Union and European Economic Area.

4. Data security

Alko has implemented appropriate technical and organisational data security mechanisms to prevent the deletion and misuse of your personal data, as well as any other similar unlawful access to data. These mechanisms include firewalls, encryption and machine room security.

The processing of your personal data is also restricted by access control and the management of user rights. Your personal data will only be processed by employees that have the right and need to do so in order to carry out their job.

5. Access to information and exercising your rights

You have the right to check what data we have collected about you and to say how we may use that data. You can decide whether you wish to receive email communications from us. In certain circumstances, you have the right to have your data removed or request your data to be transferred to another controller. In this section, we will detail your rights under current legislation and how to exercise them:

  • Right to withdraw consent

When your personal data is being processed on the basis of personal consent from you, you have the right to withdraw this consent at any time, For example, you may at any time end your subscription to our newsletter by withdrawing your consent.

  • Right to check and correct data

You have the right to check what data we have collected about you, or to receive assurance that no data about you is being held in our filing system. If there are any errors, inaccuracies or other deficiencies in your data, you can request us to correct or add information.

  • Restricting or objecting to data processing

If your data is incorrect in some respect (for example, it is outdated), you have the right to request a temporary restriction on the processing of your data until we have verified its accuracy. Whenever the processing of your personal data is based on the controller’s legitimate interest, you have the right to object to the processing of your personal data. We will then no longer be able to process your personal data, unless we can present a justifiable reason why this processing is so important and why it can be considered weighty enough to supersede your rights. We will also be allowed to continue processing your data if we need it to prepare, present or defend a legal claim.

  • Right to have data removed (Right to be forgotten)

In certain circumstances, you have the right to be forgotten. In that case, we will remove all the data we have collected about you, unless this data is still required for the purposes it was originally collected for (such as to investigate a misdemeanour). Unless there are other justifiable grounds for processing your data, we will also remove your data if you object to the processing of your personal data, or if the processing of your personal data is based on your personal consent and you withdraw this consent. However, please note that we may have statutory legal obligations to retain your personal data for a certain period of time.

  • Right to transfer data from one system to another

You may request your personal data to be transferred, in which case we will send your personal data to you in machine-readable format, so you can either retain it yourself or transfer it to another controller. If it is technically possible, we will also transfer your data directly to another controller at your request. This is only possible in situations in which we are processing your personal data on the basis of your personal consent or contractual grounds, and only covers data that you have provided us with yourself.

  • Right to appeal

In addition to the aforementioned rights, you also have the right to appeal to the supervisory authorities with regard to the processing of your personal data.

How can I submit a request to check personal data?

You can submit a request to check your personal data at an Alko store or by emailing us at tietosuoja@alko.fi. If you have created an account in our online shop, you can also send a request to check personal data via your Profile page. 

Before disclosing personal details, we will need to verify your identity, so that we do not disclose your data to the wrong person. You can prove your identity either at an Alko store when submitting your request, or by logging into the online shop with your access codes.

6. Data retention

We will retain your personal data for the period required in order to carry out the purpose for processing your data, for as long as we are required to do so by law, or until you request us to remove your data.

We will only retain your data for as long as required in order to carry out the purposes specified in Section 1, and always within the current boundaries of the law.

After this, your data will either be deleted or made unidentifiable, by irreversibly converting it into a format in which individual persons can no longer be identified.

The retention period is determined by the duration of your customer relationship or while any action relating to misdemeanours is still pending. A customer’s personal data will be stored until the customer requests its removal from the register, unless legislation prevents the removal of such data.

Registered customers can edit their customer information by logging in to the Alko.fi online shop. You can also request corrections to your data by contacting tietosuoja@alko.fi.

7. Use of cookies and social plugins

A cookie is a tiny text file that your browser stores on your computer. Cookies contain a unique identifier, and we use them to identify and count visitors to our website. Cookies can be used for measurement and research purposes, for example, to develop websites or to determine how and how much a service is used.

However, some of the cookies used by Alko’s e-services are so-called functional cookies. These cookies are necessary for the service to function properly, as they perform tasks such as transferring products to your shopping basket. We also use cookies that help us to target our communications about the responsible consumption of alcohol or job opportunities to suitable target groups. We do not use cookies to market or promote the sale of Alko products.

You have the right to block the use of cookies, but this may affect the functionality of our services. We cannot guarantee the functionality of the Alko website if cookies are disabled. You can use your browser settings to clear cookies or block their use. Using your browser in “incognito” mode will also prevent cookies from being collected. 

Alko's websites also have so called social media plugins to third party websites (e.g. Facebook's and Twitter's Share buttons). These social plugins are uploaded on these third-party service providers' servers. Social media service providers process data as controllers and as joint controllers with Alko when applicable.

The platform providers collect via social media plugins information regarding users' visited sites.

Data relating to a data subject is disclosed only when data subject actively shares material through social media plugins, e.g. Share button.

8. Amendments to this privacy policy

We will regularly update this privacy policy, both as we develop our data protection practices and as a consequence of legislative amendments. We recommend that you check for changes in our privacy policy from time to time.

A summary of the latest changes to our privacy policy has been placed at the beginning of this document, to make it as easy as possible for you to monitor the processing of your personal data.

9. Controller and contact details

Controller

Alko Inc
Arkadiankatu 2
P.O. Box 99, 00101 HELSINKI
Tel. +358 20 711 11
Fax +358 20 711 5386
Business ID: 1505551-4
Domicile: Helsinki

Contact person in matters related to the register

Alko Customer Service
Arkadiankatu 2
P.O. Box 99, 00101 HELSINKI
tietosuoja@alko.fi
+358 (0)20 692 771 (local network rate)