File description for Fazer's campaign “A small piece of Finland”

File description pertaining to section 10 of the Personal Data Act (523/99)

1. Controller and the name and contact details of its representative

Name: Fazer Confectionery Ltd
Contact details: visiting address: Fazerintie 6, 01230 Vantaa; mailing address: P.O. Box 4, 00941 HELSINKI
Representative of the controller: Matti Markkola

2. Name of the file

File description for Fazer's campaign “A small piece of Finland”

3. Purpose of handling personal data

The information included in the register may be used:

  • to carry out the campaign and to send campaign-related chocolate to recipients
  • to send confirmation messages to participants' email addresses, to exchange other messages between the controller and participants, and to serve customers
  • for analysis and statistics, and to develop business operation, and
  • for other similar uses.

Personal information may also be handled in other companies within the Fazer Group in accordance with and within the scope of the Personal Data Act and other applicable legislation.

4. Data content of the file

The file may include the following information:

  • the first name, last name and address details of recipients
  • email addresses of participants
  • information related to communications and the use of the service
  • any accepted or rejected direct marketing requests
  • IP address

5. Regular data sources

Information about participants is obtained from the participants as they take part in the campaign. Information about recipients of chocolate is obtained from participants. The number of visitors to websites and other general anonymous data are monitored using analytics and cookies or other similar technologies.

6. Regular disclosure of information and the transfer of information outside the EU or EEA

As a rule, no personal data will be disclosed. Third parties may be used to handle personal data, and these may handle data in the name of the controller. Data will be transferred to the service provider of the controller's subcontractor located in the United States. The controller's service provider meets the data protection requirements stipulated by the Privacy Shield Framework. Information may also otherwise be transferred outside the EU or EEA if it is necessary for the technical implementation of the service required by the user or it is otherwise necessary under section 23, paragraphs 2–5 of the Personal Data Act.

7. Principles of file protection

The system containing personal data may only be accessed by employees who have a work-related right to handle this data. Each user has a username and password for the system. Information is collected in databases that are protected using firewalls, passwords and other technical means. The databases and their backup copies are located in a locked space where information may only be accessed by specific persons appointed in advance. The servers have strong security. Written agreements have been signed with any external service providers governing the confidential handling and protection of information.

8. Right of inspection

According to section 26 of the Personal Data Act, service users have the right to verify which information about them has been saved in the register or that the register does not include any information about them. A verification request can be presented as follows:

  • A written and undersigned verification request is sent to the controller to the address stated in Section 1 or to the controller's representative via email.
  • The verification request is presented personally at the address stated in Section 1.

If there are errors in the registered information, the registered person may present a request to the person responsible for the register stated in Section 1 to correct the error.

9. Right of refusal

Registered persons have the right to refuse to allow the controller to handle their information for direct advertising, remote sales and other direct marketing, opinion polls and market surveys, as well as a personal register or genealogy. In matters concerning the right of refusal, please contact the controller's representative stated in Section 1.