Privacy Statement – Ceepos online shop

GDPR (2016/679)

1. Controller

Jamk University of Applied Sciences
P.O. Box 207
FI-40101 Jyväskylä, Finland

2. Contact person in matters concerning the register, contact information during office hours

Director in charge of the register: Director of Administration

Responsible for the process: Financial Manager

Main users in content: ICT-services

3. Name of the register

Ceepos-online shop

4. Purpose of the processing of personal data

Personal data is collected, among other things, for the delivery of orders, the correct allocation of payments, the identification of the customer and/or the person indicated by the customer, the customer’s transaction history and the verification of service rights, reporting and marketing.

Information about the users of the software is collected to determine access rights and to monitor use. The software creates log data containing personal data for the purpose of resolving the software’s usage history and problem cases.

The processing of personal data is based on the consent of the data subject, i.e. the service user, and the controller’s statutory obligation as an education provider (applies to tuition fees in particular).

5. Data contents of the register

Possible personal data stored in the registers include:

General customer register: customer number, first name, last name, local address, city, telephone number, email address, order history, username and direct marketing permission.

Order register: Contact information, ordered products.

Customer cards/identifiers: card number and PIN code.

Registrations: Name of the person to be reported, contact information, state of health (allergies and other restrictions), guardian information.

Mailing lists: Email address.

Personal data is stored in registers until it is deleted manually. Order information is retained until deletions are made manually or on a scheduled basis. Electronic receipt histories are retained until deletions are made manually, but for at least six years.

6. Regular information sources

Payment transactions through subscriptions are transmitted by external systems that are integrated into the online store. The main source of information is the customers of the online store when they place orders, register and make their online payments.

7. Regular information disclosure

Personal data will not be disclosed to third parties. Personal data may be transferred to the controller’s other systems, such as the cash register system, accounting, invoicing and access control. Depending on the payment service provider, the customer’s contact information is transmitted to the payment system in connection with the payment of the order to help resolve problem situations and refund payments.

8. Information transfer outside the EU or the European Economic Area

Personal data will not be transferred outside the EU or EEA.

9. Register protection principles

The maintenance of the software is protected by usernames and passwords, as well as user group-specific user rights. The information in the database is protected with usernames and passwords, and the processing of the data is restricted to the use of the online store system only. The data stored on disks is protected by operating system-level permissions. All communication between the system supplier’s systems and the online store and the payment service provider is SSL protected.

The maintenance connection of the e-commerce server is only allowed for server and system suppliers. The software vendor has full access to view and delete all the collected data.

10. Consent to the processing of personal data

Making online purchases and payments is considered acceptance of the processing of personal data; separate acceptance is not required from the consumer to use the system. When personal data comes from an external system, the approval of the processing of personal data is handled outside the online store system.

11. Rights of the Data Subject

Under the GDPR, the data subject has the right to:

– withdraw consent
– access their personal data
– have errors corrected
– prohibit direct marketing
– object to processing
– restrict processing
– data portability.

To exercise the rights of the data subject, a request must be made to Jamk’s Data Protection Officer (tietosuoja@jamk.fi). More information about Jamk’s Data Protection Officer and the rights of the data subject and their implementation can be found in Jamk’s personal data processing instructions and general privacy policy (Data protection).

12. Right to demand correction of data

The data subject has the right to request the correction or deletion of incorrect information in the personal data file. Requests must be addressed electronically or in writing to the contact person of the register.

13. Automated decision-making and profiling

The personal data in the register is not subject to automated decision-making or profiling.