Personal Data Act (523/1999), sections 10 and 24

1. Controller

University of Helsinki
Business Identity Code: 0313471-7  

PO Box 53 (Fabianinkatu 32)
Phone: +358 2941 911

2. Contact person

Jere Reinikainen / Elina Ekholm
Email: firstname.lastname​

3. Name of register

Customer register of the University of Helsinki’s online payment service

4. Purpose of processing personal data

To process and invoice orders as well as manage customer relationships; use of the online payment service does not require registration.

5. Data content of the register

The register includes information that has been saved to manage customer relationships and process orders, such as the Customer’s name and email as well as information on products ordered.

6. Regular sources of data

As a rule, disclosed by the Customer

7. Regular disclosure of data and the transfer of data outside the EU or the European Economic Area

No data will be disclosed or transferred outside the EU or the European Economic Area unless it is necessary for the provision of the service.

8. Principles for protecting the register

The register will not be disclosed to third parties. The right to use the register requires user rights determined by the University of Helsinki, and the register is located on a University of Helsinki server protected by a firewall and user authorisation.
Information will be distributed both internally and externally to the following groups:

•    University of Helsinki staff who need the information to perform their work tasks
•    Authorities as required by law (e.g., social services and tax authorities)
•    Partners and subcontractors (e.g., parties related to payment and delivery) necessary to process orders and manage customer relationships

Access to the information in the register can only be granted to pre-determined members of the register controller’s staff whose job description includes processing the information.  These staff members are bound by confidentiality.

9. Right of access and its exercise

Those registered can access the information about them in the register. Signed access requests must be submitted in writing to the controller’s contact person.

10. Data rectification and its implementation

Those registered can request the rectification of erroneous information in the register. Written rectification requests must be sufficiently detailed.
Rectification requests must be addressed to the controller’s contact person.