1. Register controller
Town board of Kristinestad (0216509-5)
Address: P.O. Box 13, 64101 Kristinestad
Phone: +358 6 2216 200
Email: kristinestad@krs.fi
2. Contact person in matters concerning the register
Maarit Mäkelä
Address: PB 13, 64101 Kristinestad
Phone: 040 542 2217
Email: maarit.makela@krs.fi
3. Name of register
Ceepos web shop
4. Purpose of processing personal data
Personal data is collected for the following purposes: order delivery, payment allocation, identification of the customers and/or a person specified by the customer, verification of customers´ transaction history and access rights, reporting and marketing.
Information about the users of the software is collected to determine user rights and to monitor the use of the software. The software generates logs that contain personal data for the purposes that can be used to investigate the earlier use of the program and for problem resolution.
5. Data content of the register
Personal data that may be are stored in the registers include the following:
General customer register: customer number, first name, last name, street address, city, telephone number, email address, order history, username and direct marketing permission.
Order register: contact information, ordered products.
Customer card/-identifiers: card number and PIN code.
Notifications: Name, contact information, health (allergies and other limitations) of the person who signs up, guardian´s information.
Mailing lists: Email address.
Personal data will be stored in the registers until they manually removed. Order information will be stored until manually removed or timed deleted removal. Electronic receipt histories will be until manually removed, but for at least six years.
6. Regular sources of data
External systems that transmit payment transactions through interfaces and that are integrated into the web shop. The primary source of information are web shop customers making orders, registrations and online payments.
7. Regular disclosure of data
Personal data will not be disclosed to external parties. Personal data can be transferred to the register controller´s other systems, such as the cash management system, accounting, invoicing, access control. Depending on the payment service provider, the customer´s contact information is transferred to the payment system in to facilitate problem resolution and the processing of refunds.
8. Transfer of data outside the EU or EEA
Personal data will not be transferred outside the EU or the EEA.
9. Principles of protection of the register
The maintenance of the software is protected by usernames and passwords as well as by user group-specific user rights. The information in the database is protected by usernames and passwords and the processing of data is restricted to the web shop system only. Information stored on drives is protected by operating system level access rights. All data traffic between the system supplier´s systems and the web shop and payment service provider are SSL-secured.
Only the server and system supplier are permitted to establish a maintenance connection to the web shop server. The software supplier has full access to view and delete any collected data.
10. Approval for processing personal data
Making purchases and payments to the web shop is regarded as approval for processing personal data, which means that consumers are not required to provide separate approval to use the system. In cases where personal data is received from an external system, the approval for processing the data is handled outside the web shop system.
11. Right to inspect
Data subjects have the right to inspect any data concerning them that is stored in the register and to receive copies of this data. The inspection request must be issued electronically or in writing and addressed to the contact person for the register.
12. Right to request correction of data
Data subjects have the right to request correction or erasure of any inaccurate data that the person register may contain about them. The request must be sent either electronically or in writing to the contact person for the register.
13. Other rights related to the processing of personal data
Data subjects have the right to prohibit the register controller from processing any personal data about them for the purposes of direct advertising, distance selling another direct marketing, market research and opinion polls.