Data Controllers
This statement describes the processing of personal data by companies belonging to the City Digital Group. The following listed companies are data controllers. The services to which this statement applies can be found at https://www.citydigital.fi/en/brands/.
City Digital Oy (Business ID: 2110789-4)
Online Technology Group Oy (Business ID: 3104918-1)
TableOnline Finland Oy (Business ID: 2349007-3)
EatAndTheCity Oy (Business ID: 2716427-5)
Ratkojat Oy (Business ID: 2685586-7)
Address: Kuortaneenkatu 1, 00520 Helsinki
Person responsible for data protection and the register: Niko Jokinen, [email protected]
What do we mean by different terms?
In this statement, we use terms: personal data, registered, customer, potential customer, and stakeholder.
By “personal data” we mean all information related to an identified or identifiable natural person (hereinafter “registered”), such as name, address, and phone number. An identifiable natural person is one who can be directly or indirectly identified based on various information about them.
“Registered” refers to the person whose personal data we process.
By “customer” we mean those consumers and the contact persons of companies and other organizations (hereinafter “company”) with whom we have a customer relationship.
“Potential customers” refer to those consumers and contact persons of companies with whom we aim to establish a customer relationship.
“Data Controller” refers to the companies identified at the beginning of this privacy statement.
“Stakeholders” refer to those consumers and contact persons of companies with whom we have a collaboration relationship (for example, representatives of companies providing services to us) or other connection (social decision-makers related to public relations).
For what purposes is my personal data processed?
We process personal data for the delivery of products and services, customer communication, management, development, and analysis of customer and stakeholder relationships, sales and marketing (both our own and in some cases third-party products and services), and the development of products and services.
We process the personal data of registered individuals for the following purposes (one or more simultaneously):
Delivery of Products and Services
We may process your personal data to deliver products and services if you or your represented company, for example, have purchased a product or service from us, registered to use our digital services, subscribed to our content via email, or participated in our events.
Personal data is used for the implementation of rights and obligations based on a contract or other commitment.
Customer Communication
We may use your personal data in our customer communication, for example, to send you notifications related to products and services, change notifications, and ask for feedback.
Management, Development, and Analysis of Customer and Stakeholder Relationships
We may use your personal data to manage, develop, and analyze the customer or stakeholder relationship established with you.
Marketing
We may contact you to inform you about new products, services, or benefits. We may also share your contact information for marketing purposes with our partners. Further information on sharing is provided in the section “Who can my personal data be shared with?” of this privacy statement.
We may use your personal data to provide relevant content and tailor offerings. For example, we may give recommendations or show tailored content and advertisements in our own and third-party services.
Development of Products and Services
We may use your personal data to develop our products and services, such as improving our product range and content.
Other Implementation of Rights and Obligations
We may use your information for purposes such as fulfilling accounting obligations, collecting receivables, or presenting or defending legal claims.
On what basis is my personal data processed?
We process personal data based on consent, for the execution of a contract or legal obligation, or based on legitimate interest.
The legal basis for the processing of personal data is Article 6 of the EU General Data Protection Regulation (GDPR) as follows:
- you have given your consent for the processing of your personal data for one or more specific purposes;
- processing is necessary for the performance of a contract in which you are a party, or to take pre-contractual measures at your request;
- processing is necessary for compliance with a legal obligation of the Data Controller; and
- processing is necessary for the legitimate interests of the Data Controller or a third party, unless your interests or fundamental rights and freedoms requiring the protection of personal data outweigh such interests.
For example, when you start using our digital service, we process your personal data to execute the contract. We cannot offer our services as requested, process orders, enable logging into a digital account, verify customer transactions, maintain contact on contractual matters, provide technical support, or bill for our services without processing personal data.
We and our partners have legitimate business interests, such as the right to promote the sale of products and services through marketing and sales means. Based on legitimate interest, we can engage in direct marketing and sales using your contact details, including the processing of personal data for profiling. Other legitimate interests for which your personal data can be processed include, for example, advice and other customer service to non-customers, further business development, and the prevention and investigation of potential abuses. We consider these purposes necessary and justified for our business based on the reasonable connection between you and the Data Controller and thus in line with our legitimate interests. Considering the nature of the processed data, purposes of use, and the relationship between you and the Data Controller, we believe that the processing does not conflict with the fundamental rights and freedoms of the registered individual. You can object to processing based on legitimate interest at any time.
If processing is not based on a contract or legitimate interest, we may ask for your consent to other types of personal data processing. For example, direct marketing using electronic channels requires your consent in certain situations. Please note that not all direct marketing measures require consent. You can also object to direct marketing or withdraw related consent according to the instructions we provide. Additionally, the processing of sensitive personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, and/or data concerning sexual behavior or orientation, for example, in the E-kontakti service, is based on your consent.
We may also process your personal data as required by legislation, such as accounting laws.
What types of data about me are processed?
We process basic information such as name, contact details, and direct marketing choices, order information such as order history, customer communication, and the use of digital services. Additionally, we process additional information about company representatives and data related to participation in our events.
The personal data we collect may include, among other things, the following types of information and changes made to them:
- Basic Information
- first and last name
- contact details (postal address, email address, phone numbers)
- gender
- date of birth
- language (Finnish, Swedish, other)
- direct marketing choices
- communication targeted at the registered individual and related activities
- recordings of customer service calls and email and online chats related to customer service, such as on social media channels
- Additional Information of Individuals who have Purchased Products or Services from the Data Controller or Registered as Users
- start and end date and manner of the customer relationship or similar relationship
- campaigns targeted at the customer and their use
- information about which email addresses receive messages, which emails are opened, and which links in the email are clicked
- information related to purchasing and payment
- interests and other information reported by the customer
- content of feedback and complaints, related correspondence, and follow-up actions
- usernames for digital services
- Sure, here is the translation of the provided text into English:
- Privacy Policy
- Data Controllers
- This statement describes the processing of personal data by companies belonging to the City Digital Group. The following listed companies are data controllers. The services to which this statement applies can be found at https://www.citydigital.fi/palvelut/
- City Digital Oy, Business ID: 2110789-4 Address: Kuortaneenkatu 1, 00520 Helsinki Email: [email protected]
- Person responsible for data protection and the register: Niko Jokinen, [email protected]
- What do we mean by different terms?
- In this statement, we use terms: personal data, registered, customer, potential customer, and stakeholder.
- By “personal data” we mean all information related to an identified or identifiable natural person (hereinafter “registered”), such as name, address, and phone number. An identifiable natural person is one who can be directly or indirectly identified based on various information about them.
- “Registered” refers to the person whose personal data we process.
- By “customer” we mean those consumers and the contact persons of companies and other organizations (hereinafter “company”) with whom we have a customer relationship.
- “Potential customers” refer to those consumers and contact persons of companies with whom we aim to establish a customer relationship.
- “Data Controller” refers to the companies identified at the beginning of this privacy statement.
- “Stakeholders” refer to those consumers and contact persons of companies with whom we have a collaboration relationship (for example, representatives of companies providing services to us) or other connection (social decision-makers related to public relations).
- For what purposes is my personal data processed?
- We process personal data for the delivery of products and services, customer communication, management, development, and analysis of customer and stakeholder relationships, sales and marketing (both our own and in some cases third-party products and services), and the development of products and services.
- We process the personal data of registered individuals for the following purposes (one or more simultaneously):
- Delivery of Products and Services
- We may process your personal data to deliver products and services if you or your represented company, for example, have purchased a product or service from us, registered to use our digital services, subscribed to our content via email, or participated in our events.
- Personal data is used for the implementation of rights and obligations based on a contract or other commitment.
- Customer Communication
- We may use your personal data in our customer communication, for example, to send you notifications related to products and services, change notifications, and ask for feedback.
- Management, Development, and Analysis of Customer and Stakeholder Relationships
- We may use your personal data to manage, develop, and analyze the customer or stakeholder relationship established with you.
- Marketing
- We may contact you to inform you about new products, services, or benefits. We may also share your contact information for marketing purposes with our partners. Further information on sharing is provided in the section “Who can my personal data be shared with?” of this privacy statement.
- We may use your personal data to provide relevant content and tailor offerings. For example, we may give recommendations or show tailored content and advertisements in our own and third-party services.
- Development of Products and Services
- We may use your personal data to develop our products and services, such as improving our product range and content.
- Other Implementation of Rights and Obligations
- We may use your information for purposes such as fulfilling accounting obligations, collecting receivables, or presenting or defending legal claims.
- On what basis is my personal data processed?
- We process personal data based on consent, for the execution of a contract or legal obligation, or based on legitimate interest.
- The legal basis for the processing of personal data is Article 6 of the EU General Data Protection Regulation (GDPR) as follows:
- you have given your consent for the processing of your personal data for one or more specific purposes;
- processing is necessary for the performance of a contract in which you are a party, or to take pre-contractual measures at your request;
- processing is necessary for compliance with a legal obligation of the Data Controller; and
- processing is necessary for the legitimate interests of the Data Controller or a third party, unless your interests or fundamental rights and freedoms requiring the protection of personal data outweigh such interests.
- For example, when you start using our digital service, we process your personal data to execute the contract. We cannot offer our services as requested, process orders, enable logging into a digital account, verify customer transactions, maintain contact on contractual matters, provide technical support, or bill for our services without processing personal data.
- We and our partners have legitimate business interests, such as the right to promote the sale of products and services through marketing and sales means. Based on legitimate interest, we can engage in direct marketing and sales using your contact details, including the processing of personal data for profiling. Other legitimate interests for which your personal data can be processed include, for example, advice and other customer service to non-customers, further business development, and the prevention and investigation of potential abuses. We consider these purposes necessary and justified for our business based on the reasonable connection between you and the Data Controller and thus in line with our legitimate interests. Considering the nature of the processed data, purposes of use, and the relationship between you and the Data Controller, we believe that the processing does not conflict with the fundamental rights and freedoms of the registered individual. You can object to processing based on legitimate interest at any time.
- If processing is not based on a contract or legitimate interest, we may ask for your consent to other types of personal data processing. For example, direct marketing using electronic channels requires your consent in certain situations. Please note that not all direct marketing measures require consent. You can also object to direct marketing or withdraw related consent according to the instructions we provide. Additionally, the processing of sensitive personal data, such as racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, and/or data concerning sexual behavior or orientation, for example, in the E-kontakti service, is based on your consent.
- We may also process your personal data as required by legislation, such as accounting laws.
- What types of data about me are processed?
- We process basic information such as name, contact details, and direct marketing choices, order information such as order history, customer communication, and the use of digital services. Additionally, we process additional information about company representatives and data related to participation in our events.
- The personal data we collect may include, among other things, the following types of information and changes made to them:
- Basic Information
- first and last name
- contact details (postal address, email address, phone numbers)
- gender
- date of birth
- language (Finnish, Swedish, other)
- direct marketing choices
- communication targeted at the registered individual and related activities
- recordings of customer service calls and email and online chats related to customer service, such as on social media channels
- Additional Information of Individuals who have Purchased Products or Services from the Data Controller or Registered as Users
- start and end date and manner of the customer relationship or similar relationship
- campaigns targeted at the customer and their use
- information about which email addresses receive messages, which emails are opened, and which links in the email are clicked
- information related to purchasing and payment
- interests and other information reported by the customer
- content of feedback and complaints, related correspondence, and follow-up actions
- usernames for digital services
- information on the use of digital services
- information about cookies and other similar functions sent to the registered individual’s devices (such as computers and mobile devices) and data collected through them, if the person is identifiable based on these data (for example, information on how ads displayed on our sites are clicked)
- Additional Information of Treffit24 and E-kontakti Dating Service Users
- interest and description information provided in your dating profile, as well as photos
- sensitive information, if you choose to provide it (racial or ethnic origin, political opinions, religious or philosophical beliefs, health data, and/or data concerning sexual behavior or orientation)
- Additional Information of TableOnline Service Users
- your favorite restaurants selected in the profile
- reservations and their history made through the service
- reviews you have made of restaurants
- Additional Information of Company Representatives
- title and/or job description in current and past work tasks related to the activities of the Data Controller
- Information of Registered Individuals who Participated in the Data Controller’s Events
- dietary information (specific information voluntarily provided by the user)
- date of birth for events that, for example, shipping companies require
- names and dates of birth of travel companions when, for example, shipping companies require it
- Information Collected with Cookies and Similar Technologies in the Services as Described Below
From what sources is my personal data collected?
We collect data, for example, when you start using our digital services or participate in competitions or raffles. Additionally, we may collect personal data from external sources.
Most of the data is obtained from you at the beginning and during the customer and stakeholder relationship when you use our products and services.
We also receive personal data and updates from authorities and organizations that provide personal and credit information acquisition and updating services, as well as from public directories and other public sources of information, such as company websites and social media channels.
We also receive personal data about company representatives from their colleagues, meaning the company’s main contact person can also provide us with personal data about other colleagues.
Who can my personal data be shared with?
We do not give, sell, or otherwise disclose your personal data to external parties, unless otherwise mentioned below.
We share personal data such as name, email address, phone number, demographic information, and online behavior data within the City Digital Group. We process data centrally for the creation and modeling of target groups, as described in more detail below.
We may share your personal data with third parties who perform services for us, known as data processors. These services may include customer service, marketing, software services, research activities, and event production.
We may share your personal data in relation to the collection of open invoices, and we may transfer or sell unpaid invoices to third-party collection services.
We do not allow these parties to use the data for any purpose other than providing services to us, in accordance with this privacy statement and applicable legislation. We share your personal data with partners with whom we implement projects, such as events.
We may share your personal data with partners for joint or their independent direct marketing purposes and for updating contact information. If you have given consent to electronic direct marketing by our service partners, your information can also be shared with partners for electronic direct marketing purposes. Information can be shared for these purposes only when the partner’s intended use does not conflict with the purposes of use defined in this privacy statement, and we only share the minimum necessary information about you (mainly just your contact details) with the partner. You have the right to object to the processing of your personal data for direct marketing purposes, and instructions for objection are given in the section “How can I exercise my rights related to my personal data?” of this privacy statement.
We may share your personal data in connection with a business transaction or other business arrangement or when our business is transferred to another company, as well as by order of a court or authority or a justified, legally based request.
We may share the personal data of participants in our events at our discretion with other participants of the event, if it is appropriate due to the nature of the event (for example, an event organized for stakeholders).
Is my personal data transferred outside the EU area?
We may transfer data outside the service country. In that case, we ensure that the transfer can be done legally, the data is protected, and our contractual partner complies with the EU’s General Data Protection Regulation (GDPR).
We may use resources and servers located around the world in conducting our business. Therefore, we may transfer your personal data outside the service country and potentially to countries outside the EU area, where data protection legislation differs.
In these cases, we ensure that there is a legal basis for the transfer of data and that your personal data is protected, for example, by using (if necessary) standard contractual clauses and processor agreements approved by the authorities, and by requiring the observance of appropriate technical and other data protection measures.
Is profiling done with my personal data?
We may utilize analytics and modeling, resulting in profiling, which enables us to produce personalized content or target marketing communication. For this profiling, we combine personal data collected from different services, such as the personal data you provide and usage data from the services.
We may use your personal data for profiling, i.e., automatically process your personal data and assess certain personal characteristics, especially by analyzing or predicting aspects related to your personal preferences, interests, and behavior.
By doing so, we can better serve our customers, further develop our products and services to better meet our customers’ wishes, and target content and marketing as appropriately as possible.
We do not make automated individual decisions that have legal or similarly significant consequences. The consequences of the profiling we practice are mainly reflected in the personalization of content and targeted advertising for a selected target group.
How long is my personal data processed?
The processing times for personal data of different groups are determined based on various criteria, depending on the basis for processing and legislation.
We process your personal data for as long as we have a basis for processing described in this privacy information in effect, and for a reasonable time thereafter.
The processing time for personal data of different groups is determined as follows:
Users of Services and Consumer Customers
We may process your personal data as long as you are our customer or use our services, and until the end of the fifth year following the decision year.
After this, we may transfer necessary personal data to our marketing registry and process you again as a potential customer.
Representatives of Business Customers
We may process your personal data as long as you represent our business customer, and until the end of the fifth year following the decision year.
After this, we may transfer necessary personal data to our marketing registry and process you again as a representative of a potential business customer.
Potential Consumer Customers and Representatives of Potential Business Customers
We may process your personal data indefinitely until you request the removal of your data from our marketing registry.
Members of Stakeholder Groups
We may process your personal data as long as you are a member of a stakeholder group, such as representing our partner, and until the end of the current calendar year at the time of termination.
How can I exercise my rights related to my personal data?
You can exercise your rights using the forms provided or by specifying your request and sending it to one of the addresses listed below, depending on the group you belong to.
As a registered person, you have different types of possibilities to influence the processing of your personal data. We generally fulfill your request within one month.
You can exercise your rights by sending a request to our customer service using the forms provided, when you want to check your data, request the deletion of your data, or object to their processing. For other requests, specify your request freely.
Please note that we must always be able to identify the requester of the information / processing.
- Data Inspection Form: Inspection Request Form
- Data Deletion Request Form (incl. opposition to processing): Deletion Request Form
- Other requests freely, specify what your request concerns
Send the form or a specified request either to the address City Digital Oy, Kuortaneenkatu 1, 00520 Helsinki, or by email: [email protected]
- Business Customer: the address mentioned above or email address
- Employee, Former Employee or Job Applicant: the address mentioned above or email address
- Registered users of Suomi24, Treffit24, and E-kontakti services: You can check and delete your profile using your own credentials in the service. Inquiries: [email protected]
Your rights include (the extent of the rights depends on the basis on which the processing of your personal data is based, so not all the rights below are available in all situations):
- The right to access personal data collected about you. In practice, this means that based on your appropriate and identified request, we will provide you with a report of the personal data collected about you in the personal register.
- The right to request the correction or deletion of personal data collected about you. If you notice errors or deficiencies in your information, you can make a correction request to us. We will process the request and, if necessary, correct or supplement the data.
- The right to request the deletion of personal data collected about you. We are obliged to delete the personal data you request from our personal register if one of the following reasons is met, and there is no obligation to retain the data due to other legislation or an authority’s order:
- personal data is no longer needed for the purposes for which they were processed;
- you withdraw your consent and there is no other legal basis for processing;
- you object to processing related to your particular situation and there is no justified reason for processing, or you object to the processing of your personal data for direct marketing;
- your personal data has been processed unlawfully;
- your personal data must be deleted to comply with a legal obligation applicable to the Data Controller under European Union law or Finnish legislation; or
- your personal data has been collected in connection with the provision of information society services, such as when subscribing to the Data Controller’s digital information services.
- The right to request the restriction of processing of personal data collected about you. You can ask us to restrict the processing of your personal data if:
- you dispute the accuracy of the personal data we have;
- processing is unlawful, and you request the restriction of use instead of deletion;
- we no longer need the personal data for the purposes of processing, but you need them for the preparation, presentation, or defense of a legal claim;
- you have objected to the processing of personal data pending the verification of whether our legitimate grounds override your reasons.
- The right to object to the processing of personal data concerning you. If we process your data based on legitimate interest, you have the right to object to the processing of personal data concerning you on the basis of a particular situation related to you. You always have the right to object to the processing of your personal data for direct marketing purposes.
- The right to transfer the data you provided from one system to another. If the automatic processing of your personal data is based on consent or a contract, you have the right to receive the personal data you have provided to us in a structured, commonly used, and machine-readable format, and the right to transfer this data to another data controller.
- The right to withdraw consent. If all or part of your personal data is processed based on your consent, you have the right to withdraw your consent at any time.
- The right to file a complaint with the supervisory authority. If a possible disagreement regarding the processing of your personal data cannot be amicably resolved between us, you have the right to bring the matter before the data protection authority for resolution.
How and when do we act as joint controllers?
The companies mentioned in the first section of this privacy statement process personal data independently on their own behalf. Additionally, these companies act as joint data controllers when they combine and model personal data from different registers, such as names, email addresses, phone numbers, demographic information, and behavior data collected with cookies and similar technologies. This means that the companies jointly determine the purposes and means of using personal data and process the data centrally to offer services and display advertisements that correspond as closely as possible to your interests. To the extent that sensitive data is collected in the services, for example, in Treffit24 and E-kontakti dating services, such data is used only for the implementation of these services and is not shared outside the service or used for profiling.
We also act as joint data controllers with Facebook when we have a page on Facebook (e.g., facebook.com/Suomi24fi/). Regarding the visitor data of these Facebook pages, we are joint data controllers, and you can find more information about how Facebook processes personal data in Facebook’s privacy description at www.facebook.com/privacy. Together with Facebook, we collect information such as likes and visits, comments on our posts, inbox messages, and the visibility of our posts.
How can this privacy information be updated?
We update our privacy information as needed, for example, as we develop our services or processing methods, and as legislation changes.
We are continuously developing our business, which may also involve changes in the processing of personal data. We will update our privacy statement as necessary to reflect changed practices. Changes may also be based on changes in legislation. We recommend regularly reviewing the content of the privacy statement.
If we start processing your personal data for a purpose other than for which they were collected, we will inform you about this and the updated privacy statement before such further processing. For other changes, we will inform on our website about the updating of the privacy statement.
Other Conditions
The registers covered by this privacy statement and the processing of personal data therein are subject to Finnish legislation and the EU General Data Protection Regulation, among other laws.
To fulfill our contractual obligations in our relationship with you, we need to process your personal data.
Without the necessary personal data, we cannot offer you those products and services that require the processing of personal data, such as our digital services that require registration.
The registers covered by this privacy statement and the processing of personal data therein are subject to Finnish legislation and directly applicable EU legislation in Finland, such as the EU General Data Protection Regulation.
Are cookies set in my browser?
We use cookies and other technologies to produce, develop, and target advertising for digital services. For example, we collect information about how you use our services, which browser you use, and which sections of the service you have browsed. We cannot personally identify you based solely on cookies. If you are logged into our services and have given consent to cookies, we can create a customer profile for you and combine web behavior data collected through cookies with your other data.
Most of the technologies we use are prerequisites for delivering and developing the service. We need cookies to ensure that our service works, to develop it further, and to offer you interesting content.
For non-essential cookies, such as those used for targeted advertising, we ask for your permission. We believe these cookies are beneficial to you, so you receive advertising that interests you.
We have tools that allow you to manage settings for cookies related to targeted advertising and, if you wish, disable them in our services. Cookie settings are made separately on each website. You can access the tool via the cookie banner and links found at the bottom of the site. More information about our use of cookies is available in our cookie information at https://www.citydigital.fi/en/city-digital-groups-cookie-information/.