Semma Privacy Statement
Privacy Statement in brief:
- Our key values include customer focus and quality: we process your data responsibly, and we want to be worthy of your trust.
- In this Privacy Statement, we describe how your personal data is collected, processed and protected at Semma Oy. This Privacy Statement is applied whenever you use our services described in the Privacy Statement.
- Your data will be stored when you do business with us, for instance, when you register as a user of our service, subscribe to a newsletter, purchase products from an online store, use web or mobile services, participate in a marketing campaign or survey, provide feedback or contact our consumer service.
- The data we collect may include data that we receive from you, for instance, when you sign in to a service or participate in a campaign, or data that is recorded when you use the services.
- We process your data in the course of implementing our services, in our marketing and customer communication, as well as in our customer services. In addition, we use the data to target our marketing and communication so that it fits your interests. In the future, we want to create ever better taste sensations, and the data we collect will help us understand our customers better.
- You can affect the way your data is processed. This Privacy Statement tells you about your rights and how you can exercise them.
This Privacy Statement discusses the following matters:
- From where do we collect data?
- What kind of data do we collect?
- What is the data used for?
- How long do we store your data?
- Who can process your data and do we disclose it to third parties?
- Do we transfer your data beyond the borders of the EU or EEA (“third countries”)?
- How can you influence the processing of your personal data?
- How do we protect your personal data?
- Can we make changes to our Privacy Statement and how do we notify you of changes?
- Who can you turn to if you have questions concerning the processing of your data?
Semma is committed to protecting your privacy and processing your personal data in accordance with valid legislation and good data protection practices.
In this Privacy Statement, we describe how your personal data is collected, processed and protected at Semma Oy.
If you do not approve of our practices as described in the Privacy Statement, we recommend that you do not provide your data to Semma. Please note that you cannot use all of our services, such as making purchases in our online store, without providing us with your data.
2. From where do we collect data?
We collect data about you, among other occasions, when you:
- Register as a user of our services
- Subscribe to a newsletter
- Make purchases at our online store or use our other web or mobile services
- Take part in one of our marketing campaigns or a marketing survey or opinion poll we organise
- Send us your feedback or leave a contact request
3. What kind of data do we collect?
The data we process may vary depending on which of our services you use and how you use them. You can affect the type of data we collect. We get some of the data directly from you, for instance, when you do business in our online store or participate in one of our campaigns. We get some of the data through cookies and other similar technologies. This way we learn, for instance, how you use our services, and we can offer you the best service experience possible.
Depending on which services you use, we collect the following data concerning you, among other things:
Name and contact details: We collect your first and last name, address, email address, telephone number and other similar contact details.
Demographic data: We collect other descriptive data, such as age and/or date of birth, language and country.
Identification data: We collect registration information for online services, such as user ID and password and other similar security information.
Customer relationship data: We collect, among other things, information on newsletter subscriptions, and purchases and reservations made in online stores or other services. We also collect information on customer feedback and other customer contacts.
Payment data: To be able to process your payments, we collect the necessary information for the payment of your purchases. Among other things, we collect the number of the means of payment (such as credit card number) and the security code of the means of payment. If you order our products and select invoice as the means of payment, we collect the invoicing information.
Data on representation: We collect a service user’s position in the company or other community they represent, and the name and contact details of the community in question.
Campaign data: When you participate in one of our marketing campaigns, such as a prize draw or competition, we collect the data provided in this connection, as well as the data on participation in the campaign.
Market surveys and opinion polls: When we carry out market surveys and opinion polls, we collect data through which we can learn to develop our services and products.
Data on interests and profiling data: We collect data on your interests. In addition to clearly provided data, your interests can be deduced or derived from other data we collect.
Marketing permissions and prohibitions: We collect data on marketing permissions and prohibitions issued.
Visual recordings: We may take photos or record video at Semma events, and your picture may be recorded by our security cameras when you visit Semma facilities.
You can affect the type of data we collect. You can use most of our services without giving us the above information. However, the use of certain services, such as participation in a campaign or purchasing products or services through an online service, requires that you submit your personal data. If you decide not to submit your personal data to us, we may be unable to provide all the offers or content to you, or provide as targeted and personal a service as we could if we had access to your data.
In addition to the above data, in some services we collect data describing their use, such as visitor counts for our web services and browsing data when you use our web or mobile services or receive communication from us. Such data includes:
- data related to the implementation and reception of communication, such as data on which links in email messages have been followed
- data on the terminal device, such as IP address, operating system, browser version and terminal device model
- the webpage that referred the visitor to the Semma online service
- the time when the service was accessed and exited, and the duration of the use of the online service
- data collected by online service analytics systems
- other information that has been recorded concerning the use of our services
4. What is the data used for?
We process your data for business needs, for instance, to deliver the products you order or to fulfil another agreement, or when the data is needed to realize Semma’s legitimate interests. In some cases, we may ask you for your consent for the processing of your data. We combine the data we collect to be able to offer you as good a service as possible.
“Legitimate interest” refers to Semma's right to process personal data in situations where a significant and pertinent relationship exists between the user of the service, i.e. the data subject, and Semma. When assessing legitimate interest, the interests of the data subject and Semma are evaluated, including the realization of fundamental rights, the nature and purpose of use of the data collected, and data security. In Semma services, the term “legitimate interest” refers to one or more of the following purposes of use.
- Web and mobile services: You can purchase, order or reserve products or services through our online services, subscribe to our newsletters and use our mobile apps. You can also provide your feedback to us or leave a contact request through certain of our services. In such cases, we process your data to identify you in order to establish a customer relationship or some other contractual relationship, to offer our online services and to fulfil a contract, such as to deliver a product or service that you have purchased to you, to send you a newsletter you have subscribed to, to respond to your feedback, or to implement some other request from you. We may also target the content of our web and mobile services as described below.
- Customer service and communication: We use your data in our customer services and their development, as well as in customer communication, such as to send you notices about activities you have completed in our online services (e.g. order confirmations for any purchases you have made). We also use your data to resolve disputes.
- Direct marketing as well as marketing surveys and opinion polls: We use your data in marketing our products and services. Our online direct marketing is always based on your consent given in advance, which you can withdraw at any time. We may also use your data for marketing surveys and opinion polls to increase our understanding of our customers and serve you better.
- Targeting communication, marketing and services: The targeting of content is based on interests the customer has indicated or information we have learned about the customer with the help of recorded data. Based on the interests customers have indicated, we form groups to which we target our marketing. We also form target groups based on participation in campaigns and doing business in our online services. We do not target marketing at individual people, but at specific groups. In addition, we may personalize our web and mobile services or other communication, such as the content of newsletters and marketing, to make them more interesting to you. Through our web and mobile services, we may also recommend certain products or services that we believe may interest you based on your purchasing history or other information.
- Analysis, compilation of statistics, and the development of business, products and services: We use the data for analysis, for compiling statistics and reporting, as well as for developing our business, products and services, and improving the user experience. The data is used in a format where individual people cannot be identified.
5. How long do we store your data?
We do not store your data for any longer than is necessary for the purposes described in this Privacy Statement and to comply with any mandatory legislation, such as accounting laws. The retention period of your data is also affected by the connection in which and the purpose for which your data has been collected. You can read more on how the retention periods are determined below.
The retention period of your data is determined based on the following criteria:
- If you have given us marketing permission, we will process your data for as long as the permission remains in force, and for a reasonable period of time after that. Please note that even if you end your subscription to a particular newsletter, your general marketing permission may still be in force if you have not separately withdrawn it. (For more information, see the section “How can you influence the processing of your personal data?”.)
- If you have participated in a campaign, we will erase your data a reasonable period of time after the campaign has ended.
- We will erase your data after a reasonable period of time after all obligations related to the purchase, such as delivery and payment, have been fulfilled and we have no reason to believe that you would get back to us, for instance, due to a product defect or some other similar reason related to the purchase.
Please note that regardless of the above criteria, we may have an obligation due to compelling legislation to process certain data concerning you (such as transaction data for the online store in order to comply with accounting legislation) for a longer time, in which case we will only process the data for the purpose of complying with the legislation in question.
In addition, regardless of what is stated above, we may process the data in an anonymised format, among other things, for analysis and statistical purposes and to improve our business, products and services.
6. Who can process your data and do we disclose it to third parties?
Your data is processed within Semma. We may disclose your data to the authorities, for example, if the law requires us to do so. In addition, we may disclose your data in the context of any disposal of business or some other corporate transaction to the buyer of the business or another relevant party related to the corporate transaction.
We use services provided by third parties in the processing of personal data, but we do not disclose your data to them in such a manner that they would be able to use it for other purposes than those defined by Semma.
We use subcontractors and service providers for processing your data, such as for technical maintenance or the implementation of campaigns and direct marketing. In such cases, we obligate our subcontractors and service providers with appropriate contractual means to maintain a level of information security that is adequate to protect your data and to comply with the valid personal data legislation. The subcontractors and service providers we use only use your data for the purposes defined by Semma, described above. We do not disclose your data to them in a format that would allow them to use it for other purposes.
7. Do we transfer your data beyond the borders of the EU or EEA (“third countries”)?
If we use your data for electronic direct marketing, your data may be transferred to our service provider in the United States in this context. The service provider we use follows rules based on the Privacy Shield agreement between the EU and the United States.
We use the digital tool offered by our service provider located in the United States to implement electronic direct marketing. Our service provider has undertaken to abide by rules based on the Privacy Shield agreement between the EU and the United States, which ensure an adequate level of data protection. The rules in question guarantee strict conditions and liability provisions if our service provider uses third parties in the processing of the data. You can read more about the Privacy Shield agreement between the EU and the United States on the website of the European Commission.
We can also transfer your data outside the EU in cases other than those mentioned above if this is necessary for the purposes of use stated above or the technical maintenance of the data, provided that the requirements set in the EU’s General Data Protection Regulation are met (i.e. the transfer agreement employs model clauses approved by the European Commission).
8. How can you influence the processing of your personal data?
Your rights are important to us. You can control how Semma collects and uses your data. Below, you can read about your rights and the methods you can use to exercise them.
You are entitled to influence the processing of your data in the following ways:
- You have the right to forbid the processing of your personal data for the purposes of direct marketing at any time (right to object). If you do not want to receive direct marketing from us, we will also not process your data for profiling. Please note that even if you forbid direct marketing, you may still see our advertisements in online services external to Semma and receive customer communication from us, such as confirmation of an order you made through our online store.
- In some situations, you may have the right, for reasons related to special personal circumstances, to forbid the processing of your personal data beyond the purposes of direct marketing. In such cases, your right only pertains to your data that we process by virtue of Semma’s legitimate interests. When you ask us to stop processing your personal data on these grounds, you must tell us what the special personal reason is due to which the processing of your data should be stopped.
- You have the right to request access to the data concerning you or to receive confirmation that we do not process data concerning you (right of access). You can request access by sending a written and signed request to us using the controller’s address mentioned below or by requesting access in person at the visiting addresses mentioned in section 11. In certain situations, you also have the right to receive the personal data you provided to us in digital format so that you can transfer it to another controller (right to data portability).
- You have the right to have data rectified (right to rectification). This means that if your data is incorrect, inaccurate or deficient, you are entitled to ask us to rectify or complete the data. In certain situations, you may have the right to restrict the processing (right to restriction of processing). This means that if you dispute the accuracy of your data, you have the right to restrict its processing for a period of time that allows us to ensure that your data is accurate.
- You have the right to have your data erased in certain situations, including situations where the processing of your personal data is no longer necessary for the purposes for which it was collected, or if the processing of your personal data was based on your consent and you wish to withdraw your consent, and there are no other grounds for processing your personal data (right to be forgotten). Please note that if the processing of your personal data is necessary for the purpose of, for instance, delivering an online store order you have made or complying with your desire to opt out of direct marketing, we cannot erase your data.
9. How do we protect your personal data?
Your personal data is only processed by those Semma employees who need to process the data due to their work tasks. Each user has their own username and password for systems containing personal data. Semma has appropriate technical and organizational security practices and processes in place to safeguard personal data from being lost, from misuse or from other illegal access.
The data is collected in databases that are protected by firewalls, passwords and other technical means. The databases and their backup copies are located in secured premises where the data can only be accessed by specific persons designated in advance. The servers have strong security.
Written agreements that require the confidential processing and protection of data have been signed with external service providers.
10. Can we make changes to our Privacy Statement and how do we notify you of changes?
We continuously develop our practices and services related to the protection of privacy, so we reserve the right to change this Privacy Statement as necessary. Changes in applicable legislation or interpretations thereof may also result in changes to our Privacy Statement.
The up-to-date Privacy Statement can always be found in our online services. We recommend that you regularly review the content of our Privacy Statement. You can review the changes using the link at the top of our Privacy Statement: “See here which changes have been made”. If necessary, we may also notify you directly of changes using the contact details you have provided.
11. Who can you turn to if you have questions concerning the processing of your data?
In any questions concerning the processing of your data, you can turn to the representative of the controller.
Representative of the controller: Sirpa Vilppunen
Tel. +358 40 805 4006
Controller’s visiting address: Mattilanniemi 2 E, Spinaakkeri, Jyväskylä
If you think that we have, despite the principles mentioned in this Privacy Statement, infringed upon your rights based on personal data legislation, you can also file a complaint with your local data protection ombudsman. We nevertheless recommend that you first get in touch with a representative of the data controller to clear up the matter.
Semma has served its customers since 1997 on the University of Jyväskylä campus. Semma is a joint venture of the University of Jyväskylä, the Student Union of the University of Jyväskylä and Compass Group FS Finland Ltd. We offer high-standard settings for meetings with quality food and a cosy atmosphere – from student and staff meals to meeting and catering services.
Postal Address: Keskussairaalantie 4, 40600 Jyväskylä
See here what has changed
Semma Privacy Statement change history: February 2018
Semma is preparing for the EU’s General Data Protection Regulation that will enter into force in May 2018. We have harmonised and centralised the processing of personal data to be able to protect your personal data in the best way possible. The most significant change is that in the future, Semma will be the controller of personal data. In the updated Privacy Statement, we will describe in more detail how your personal data is processed in Semma and how you can exercise your rights as easily and effectively as possible.
The central changes are the following:
We have refined the From where do we collect data? section.
In the What kind of data do we collect? section, we have refined the examples of the types of personal data we collect about you. Our goal is that in the future, you will be more aware of what kinds of data we record concerning you.
We have refined the description of what your data is used for. Our goal has been to be increasingly clear on the basis for using your data.
We have added details to the description of how long we store your data.
We have refined the description of who can process your data.
We have included a section where we describe how you can exercise your rights and affect the processing of your personal data.
We have also included a section where we describe how you can follow the changes in our Privacy Statement.