Privacy policy
Controller
Qstock Oy (Tullisali)
Business ID: 2811591-8
Kansankatu 53 T 3
90100 Oulu
Contact information for matters concerning the register (data protection officer)
Binta Jabbi
binta.jabbi@qstock.fi
+358 40 456 4113
Name of the register
Qstock Oy (Tullisali) customer data register
Data subjects
The register includes visitors to the Qstock Oy (Tullisali.fi) website who have submitted their contact details. The register also includes persons who have given their authorisation for direct marketing via the Ticketmaster.fi website.
Purpose of the register
Qstock Oy (Tullisali) uses the personal data in the register for customer communication by sending a newsletter, provided that the visitor has authorised direct marketing.
Grounds for data collection and processing
The data of the data subjects are collected and processed with the consent of the data subject for the purpose of conducting prize draws and customer communications via the newsletter.
Data content of the register
Tullisali collects only the necessary contact information, i.e. the e-mail address.
Data retention period
We will only keep personal data for as long as necessary for the purpose for which it is used. After that, the data will be deleted. It is possible for a person to be removed from the direct marketing list if they so wish, and they have the right to request the deletion of their data.
Regular data sources
Data is collected using Google Analytics 4, an analytics tool.
Regular data disclosures and transfers of data outside the EU or the European Economic Area
Qstock Oy’s customer data register is stored electronically in the Creamailer system, the security-related functions of which comply with Finnish and EU legislation and official regulations. The data of the Creamailer service is located on secure servers within the EU. The server centre facilities comply with the Traficom regulation on securing communication networks and services and synchronisation of communication networks (TRAFICOM/54045/03.04.05.00/2020).
The service provider outside the Whistleblowing channel used by Qstock Oy uses subcontractors who provide technical data processing services, some of which are located outside the EU in the United States. Appropriate safeguards outside the EU or EEA have been contractually ensured. See Whistleblowing’s Privacy Policy.
Principles for the protection of the register
The register maintained by Qstock Oy on the Creamailer system is not accessible to third parties. Creamailer pays attention to data security and data protection using a lifecycle approach. Creamailer specifies that its services and the processing of personal data are taken into account in the design, implementation, development and maintenance of its services. Creamailer implements information security and data protection based on the principles of preventive risk management. Creamailer is prepared for data breaches and other risks by taking into account the nature of the data to be protected and the likelihood of risks. No data is disclosed to third parties or outside the EU or EEA.
Qstock Oy does not keep manual records of newsletter subscribers. Designated persons using the Creamailer system will maintain their user IDs and will be bound by confidentiality.
The personal data of those submitting the form will be kept confidential. The use of the register is regulated within the controller’s organisation and access to the personal register is restricted in such a way that only those employees who are entitled to access the data stored in the register by virtue of their duties and who need the data for their work are allowed to do so. Staff handling personal data are bound by a duty of confidentiality.
Right of access and rectification
Any person in the register has the right to check the data recorded in the register and to request that any inaccurate or incomplete data be corrected or completed. If a person wishes to check or request a correction of the data stored about them, the request should be sent to the controller by e-mail. The controller may, if necessary, ask the person making the request to prove their identity. The controller will reply to the customer within the time limits set by the EU General Data Protection Regulation (within one month, as a general rule).
Other rights related to the processing of personal data
A person in the register has the right to request the erasure of personal data concerning them from the register (“right to be forgotten”). Data subjects also have other rights under the EU General Data Protection Regulation, such as the restriction of the processing of personal data in certain circumstances. Requests should be sent to the controller by e-mail. The controller may, if necessary, ask the applicant to prove their identity. The controller will respond to the customer within the time limits set by the EU GDPR (within one month, as a general rule).