Controller
City of Lahti
PO Box 202
15101 Lahti
Business ID 0149669-3
Name and purpose of the data file
City of Lahti’s online store and online payments
Contact person
Pasi Halme, Head of Planning
Telephone: +358 50 398 5992
Email: firstname.lastname@lahti.fi
For which purposes is personal data processed?
The City of Lahti’s online store enables customers to buy products or services and pay for them via online payments. Online payment interfaces transfer payments to the online payment service from different systems.
The City of Lahti’s online store collects personal data for the purposes of identifying the customer and/or the customer’s designated person, processing orders, delivering products, allocating payments, and reporting.
The data may be used for the purposes of developing the functionality of the online store, testing, statistics, and marketing. Personal data is processed in accordance with the EU General Data Protection Regulation, the Finnish Data Protection Act, and other applicable legislation and official guidelines. The data in the file may be used in the online store’s registers for targeting advertising without disclosing personal data to third parties.
What is the legal basis for processing personal data?
The performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (EU General Data Protection Regulation, Article 6(1)(b)). The contract concerns purchases and payments in the City of Lahti’s online store.
What personal data is collected and processed?
The personal data that may be saved in the file includes:
General customer register: first name, last name, phone number, postal address, email address, username, order history, permission to send direct marketing
Order register: contact details, ordered products
Registrations: the participant’s first and last names, phone number, postal address, sex, date of birth, additional details (such as allergies, medication, illnesses, and other messages to the organisers). The first and last names, phone number, and email address of a guardian of an underage participant.
Swimming pool customer cards: customer card number and PIN code
Reservations: contact person’s name, company/association, phone number, email address
Where is the data obtained from?
The data is obtained from customers of the online store when they register, place an order, or make an online payment. Data is also obtained from third-party systems that are integrated into the online store and that send payment transactions via online payment interfaces.
Where is the data stored and for how long?
Personal and order data is stored in the system until it is deleted at the customer’s request. Personal data is automatically deleted six years after the last order. Electronic receipts are stored in the system for ten years and deleted manually.
How is the data protected?
The administration of the software is protected by usernames and passwords, and access rights are only granted to specific groups of users. The data in the database is protected by usernames and passwords. The processing of the data is restricted so that only the online store system can use it. The data stored on hard drives is protected by user rights imposed by the operating system. All data communications between the system supplier’s systems and the online store and payment service provider are encrypted with SSL.
Only the server and system suppliers are permitted to establish administration connections to the online store server. The software supplier has access to view and erase data.
Is data disclosed to third parties?
Personal data is not disclosed to third parties. When a customer pays for an order, the customer’s contact details are sent to the payment service provider.
In deviation from this, the contact details of reservation contact persons for guide reservation products at Lahti museums are transferred to the guide of the relevant group.
Personal data may be transferred to the controller’s other systems, such as the Ceepos point-of-sale system.
Is any data transferred outside the EU/EEA?
No
City of Lahti’s information system
Ceepos online store
Data subject’s rights
If a data subject wishes to check, rectify or restrict the use of their data or erase their personal data from the City of Lahti’s files, they should contact the data protection officer or use the City of Lahti’s data request channels related to data protection.
Tiina Häyrinen, Data Protection Officer, tietosuoja@lahti.fi, tel. +358 40 1834 334
Right to file a complaint with the supervisory authority
Data subjects are entitled to file a complaint with the supervisory authority concerning the processing of personal data.
Statement date 22.4.2022