1. Data controller
Metropolia Ammattikorkeakoulu Oy (Business ID: 2094551-1)
Mailing address: PL 4000, 00079 Metropolia
Street address: Myllypurontie 1, 00920 Helsinki
Phone (switchboard): 09 7424 5000
2. Person responsible for the filing system
Metropolia’s data protection officer
- email: firstname.lastname@example.org
3. Name of the filing system
Ceepos – online payment solution
4. Purpose and legal basis for processing personal data
Personal data are collected for the following purposes, among others: delivering orders, allocating payments correctly, identifying customers and/or persons indicated by customers, verifying customers’ order histories and rights to use the service, reporting and marketing.
Data on the users of the software are collected for the purpose of defining access rights and monitoring the use of the software. The software generates log data that contain personal data for the purpose of facilitating the investigation of its usage history and troubleshooting
5. Data included in the filing system
General customer filing system: customer number, first name, last name, street address, town or city, phone number, email address, order history, online payment user name.
Order filing system: Payment number, contact information, ordered products.
Registrations: Registered person’s name, contact information, health (allergies and other restrictions), guardian’s information.
Mailing lists: Email address.
Personal data are stored in the filing system until they are deleted manually. Order data are stored until they are deleted manually or on a scheduled basis. Electronic receipt histories are stored until they are deleted manually and in any case for a minimum of six years.
6. Regular sources of data
External systems integrated into the webshop that relay transactions via APIs. The main source of data is webshop customers who place orders, register participation in events and make online payments.
7. Regular data transfers
Personal data are not disclosed to third parties. Personal data may be transferred to the controller’s other systems, such as a point-of-sale system, accounting, invoicing, access control, appointment booking. Depending on the payment service provider, personal data on customers may be relayed to the payment system in connection with the payment of orders to facilitate troubleshooting and refunds.
8. Data transfers outside the EU or EEA
Data will not be transferred outside the EU or EEA.
9. Principles of data protection
The maintenance of the software is protected with user IDs and passwords and user group-specific access rights. The information in the database is protected with user IDs and passwords, and data processing is limited to use only by the e-commerce system. The data stored on the disks is protected by operating system-level access rights. All data communication between the systems of the system provider and the online store and the payment service provider is SSL protected.
Maintenance access to the e-commerce server is only allowed for server and system suppliers. The supplier of the software has full access to review and delete all collected data.
10. Accepting the processing of personal data
When personal data comes from an external system, approval for the processing of personal data is handled outside the online shopping system.
11. Right of access
The data subject has the right to receive information about the processing of their personal data and to inspect their own personal data. Requests must be submitted via email, see section 2.
12. Right to rectification
The data subject has the right to request the rectification or erasure of incorrect data in the filing system. Requests must be submitted via email, see section 2.
13. Other rights of the data subject concerning the processing of personal data
Making purchases and payments on the webshop is considered acceptance of the processing of personal data, and the consumer is not required to provide their consent for this separately in order to use the webshop. When personal data originates from an external system, consent for the processing of the personal data is obtained outside of the webshop system.