Privacy Policy


Controller

Jääkiekon SM-liiga Oy [hereafter "Controller"]

Business ID: 0218194-1

Address: Konepajankuja 1, FI-00510 HELSINKI

Phone: +358 9 7206 000

E-mail: tietosuoja@liiga.fi

Contact person for data protection issues: Antti-Jussi Aro


1. Definitions

Personal data shall mean any information relating to an identified or identifiable natural person (hereafter “data subject”). An identifiable person is a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

A customer shall mean, in terms of data subjects, the consumers and the contact persons of the companies and other entities (hereafter “company”) with whom the Controller is in a customer relationship.

Potential customers shall mean, in terms of data subjects, consumers and contact persons of companies with whom the Controller strives to establish a customer relationship.

Members shall mean consumers who are members of the Controller's business activities, such as members in a fan club managed by the Controller or players in non-professional teams.

Stakeholders shall mean consumers and contact persons of companies with whom the Controller has a cooperative relationship (such as the representatives of companies producing services for the Controller) or other connection (such as media representatives as parties in communication activities and social decision-makers in social relationship activities).


2. What are our purposes for processing your personal data?

The Controller shall process the personal data of data subjects for the following purposes (one or more simultaneously):

• Management, analysis and development of the customer, member and stakeholder relationship

The Controller may use your personal data to manage, analyse and develop a customer, member or stakeholder relationship established directly with you or with a company that you represent.

• Providing products and services

The Controller may use your personal data to provide products and services if you or the company that you represent has e.g. purchased a product or service from us, used our digital services, subscribed to our newsletter or taken part in our training or other events. Personal data is used to exercise the rights and fulfil the responsibilities based on an agreement or other commitment between the Controller and the customer.

• Customer and member communication

The Controller may use your personal data in its customer and member communication, e.g. to send you notices related to products and services, to notify you of changes made to services and to request feedback on products and services.

• Marketing

The Controller may contact you to inform you of new products, services or benefits. The Controller may use personal data to customise its supply and to offer relevant content. This means e.g. that we may provide recommendations or show customised content and customised advertisements in our own or third-party services.

• Product and service development

The Controller may use your personal data to develop its products and services.

The legal basis for processing personal data is provided by the following subparagraphs of Article 6 of the EU Data Protection Regulation:

a. you have given consent to the processing of your personal data for one or more specific purposes;

b. processing is necessary for the performance of a contract to which you are party or in order to take steps at your request prior to entering into a contract;

c. processing is necessary for compliance with a legal obligation to which the Controller is subject; and

f. processing is necessary for the purposes of the legitimate interests pursued by the Controller or by a third party, except for where such interests are overridden by your interests or fundamental rights and freedoms which require protection of personal data.

The Controller processes your data for the performance of a contract with you or with a company that you represent (e.g. organising a game related to a purchased ticket, executing a player contract related to non-professional playing, realising an e-commerce purchase, providing a digital service or engaging in sponsorship cooperation).

The Controller has legitimate interests related to the practising of business, such as the right to promote the sales of its products and services through marketing and sales, and the Controller may, on the basis of the legitimate interest, practise direct marketing and sales using your contact information, including the processing of personal data for profiling. Other legitimate interests of the Controller on the basis of which your personal data may be processed include advice and other customer service for non-customers, further business development and the investigation of possible misconduct.

If the processing of data is not based on a contractual need or a legitimate interest, the Controller may request your consent for other types of processing of personal data.

The Controller may also process your personal data when required to do so by law, such as on the basis of the requirement to retain data under the Accounting Act.


3. What types of data may we process?

The personal data collected by the Controller may contain e.g. the following types of data and the changes made therein:

3.1. Basic information on all data subjects

3.2. Additional information in terms of under-age data subjects

3.3. Additional information on company representatives

3.4. Information of data subjects who have purchased the Controller's products or services, provided feedback and/or submitted complaints on them

3.5. Information of data subjects who have taken part in the Controller's events

3.6. Information of customers using the Controller's online services


4. What are our sources for collecting your personal data?

The majority of the information is received from you or, in terms of a minor, from a guardian at the start and during a customer, member and stakeholder relationship, as well as from the software with which you use our products and services.

The Controller also receives personal data and their updates from the authorities, organisations and companies that provide credit and personal data acquisition and updating services, as well as public directories and other public sources of data, such as company websites and social media channels. The Controller receives personal data relating to company representatives also from their colleagues, i.e. the main contact person of a company or other entity may provide personal data to the Controller also in terms of other individuals related to the use of the Controller's products and services.


5. Do we carry out profiling with your personal data?

Profiling, as referred to in the EU Data Protection Regulation, means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.

We do not carry out profiling as described above for the time being. Instead, we may otherwise analyse and utilise the personal data in our data files as well as combine them with data received from third parties.


6. Who may we share your personal data with?

The Controller shall not give, sell or otherwise disclose your personal data to external third parties, unless otherwise indicated below.

The Controller may share your personal data with third parties who carry out services for the Controller. Such services may include e.g. customer service, software services, research activities, marketing and event production. The Controller may share your personal data in order to collect payments for products and services and it may e.g. transfer or sell unpaid invoices to third parties who provide debt collection services.

The protection of your personal data is important to the Controller, which is why it does not allow these parties to use the data for any other purpose except the provision of the services in question, and it requires the parties to protect the user's personal data in compliance with this privacy policy and the applicable legislation.

The Controller shall share your personal data with partners with whom the Controller coordinates and carries out projects together.

The Controller may share your personal data with carefully selected third parties for the purposes of joint or independent direct marketing. Data may be shared for these purposes only when the purpose intended by the third party is not inconsistent with the purposes set out herein in the Controller's privacy policy.

The Controller may share the personal data of the participants in the Controller's events at its discretion with other participants at the event in question, if it is appropriate due to the nature of the event (such as a game event organised for company representatives).

The Controller may share your personal data in connection with a corporate acquisition or other corporate transaction or when a service is transferred to another service provider. The Controller may share your personal data by order of a court or similar.


7. Do we transfer your personal data outside the EU territory?

When providing services, the Controller may use resources and servers located in different parts of the world. Therefore, the Controller may transfer your personal data outside the country where the services are used and possibly also to countries outside the EU territory which have different data protection laws.

In such cases, the Controller shall make sure that there is a legal basis for the data transfer and that the user's personal data are protected using e.g. (when necessary) standard agreements approved by the appropriate authorities and by requiring compliance with the appropriate technical and other measures of data protection.


8. How long do we process your personal data?

The Controller shall process your personal data in this data file for as long as the Controller has a valid basis for processing the data, as described in clause 2 of this privacy policy, and for a reasonable time after this.

The processing time of the personal data of different groups of people is determined on the following basis:

The Controller may process your personal data during your customer relationship and until the end of the third year following the year of termination.

After this, the Controller may transfer your necessary personal data into a marketing register and process you as a potential customer once more.

The Controller may process your personal data for as long as you represent the Controller's corporate customer and until the end of the third year following the year of termination.

After this, the Controller may transfer your necessary personal data into a marketing register and process you as a representative of a potential corporate customer once more.

The Controller may process your personal data during your member relationship and until the end of the third year following the year of termination.

The Controller may process your personal data for the time being until you become a customer or until you demand that your data is removed from the Controller's marketing register.

The Controller may process your personal data for as long as you are a member of a stakeholder group, e.g. you represent the Controller's partner or the media.


9. Are you required to give your personal data to us?

In order for the Controller to fulfil its contractual obligations relating to your mutual relationship, the Controller must obtain and process personal data relating to you. Without the necessary personal data, we cannot offer you the products and services for which it is necessary to process personal data.


10. How can you exercise your rights relating to your personal data?

As a data subject, you have various ways to influence how your personal data is processed. As a rule, we will fulfil your request within one month. We ask you to please contact the contact person stated in clause 1 of this privacy policy in matters relating to the exercising of your rights. You have the following rights:


a) Right of access to personal data that has been collected concerning you. In practice, this is done by sending you a report of the personal data that has been collected concerning you in the personal data file, based on your appropriate and identified request.


b) Right to rectification or erasure of personal data collected concerning you. If you notice any errors or omissions in your data, you may submit a request for rectification to us.


c) Right to erasure of personal data collected concerning you. We have the obligation to erase personal data from our personal data file upon your request if one of the following grounds applies, and an obligation to retain data does not result from other legislation or an official regulation:

    1. the personal data is no longer necessary in relation to the purposes for which they were processed;
    2. you withdraw consent and there is no other legal ground for the processing;
    3. you object to the processing relating to your particular situation and there are no overriding legitimate grounds for the processing, or you object to the processing of your personal data for direct marketing;
    4. your personal data have been unlawfully processed;
    5. your personal data have to be erased for compliance with a legal obligation in European Union or Finnish law to which the Controller is subject; or
    6. your personal data have been collected in relation to the offer of information society services, such as in connection with an order for the Controller's digital information services.

d) Right to restriction of processing personal data collected concerning you. You may request the Controller to restrict the processing of your personal data if:

    1. you contest the accuracy of your personal data that the Controller has;
    2. the processing is unlawful and you request the restriction of their use instead of erasure;
    3. the Controller no longer needs the personal data for the purposes of processing, but you require them for the establishment, exercise or defence of legal claims;
    4. you have objected to processing pending the verification whether the legitimate grounds of the Controller override your grounds.

e) Right to object to the processing of personal data concerning you. If the Controller processes your data on the basis of a legitimate interest, you shall have the right to object, on grounds relating to your particular situation, to processing of personal data concerning you. All those included in the data files covered by this privacy policy shall have the right to object to processing of their personal data for direct marketing.

f) Right to data portability. If the automatic processing of your personal data is based on consent or an agreement, you shall have the right to receive the personal data, which you have provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller.

g) Right to withdraw consent. If all or part of your personal data is processed in this data file on the basis of consent given by you, you shall have the right to withdraw your consent.

h) Right to lodge a complaint with a supervisory authority. If any dispute relating to the processing of your personal data cannot be settled in an amicable way between you and the Controller, you shall have the right to bring the case before a data protection authority.


11. Which country's legislation shall be applied to the processing of your data?

We are a Finnish entity operating in Finland. This personal data file and the processing of personal data included therein shall be governed by Finnish law and the EU legislation directly applicable in Finland, such as the EU Data Protection Regulation.


12. How may we update this privacy policy?

We are constantly developing our business activities and this may also result in changes related to the processing of personal data. If necessary, we shall update the privacy policy to correspond to changed practices. The changes may also be based on changes to the legislation. We recommend that you regularly browse the contents of the privacy policy.

If we start to process your personal data for a purpose other than the one for which your personal data were collected, we will inform you of this and the updated privacy policy before such further processing. In terms of other changes, we will announce updates to the privacy policy on our website.