Skip to main content


Date of drafting: 24 May 2018

1 Data Controller

Finnish Standards Association SFS
Business ID: 0202290-8
Visiting address: Malminkatu 34, 00100 Helsinki, Finland
Postal address: PO Box 130, 00101 Helsinki, Finland
Telephone: +358 9 149 9331
Contact person: Pirjetta Laine

2 Name of the Register

Finnish Standards Association SFS’ customer register

3 Grounds for and Purpose of Processing of Personal Data

The processing of personal data is primarily based on the performance of an agreement between the customer and the Finnish Standards Association SFS. To the extent that personal data are processed more extensively than what the performance of the agreement requires, the grounds for the processing is the legitimate interest of the Finnish Standards Association SFS to maintain and develop customer relationships and its services and to provide advice to customers and future customers preparing an agreement. Marketing and communication activities carried out on the basis of the data in the customer register are also considered processing based on the legitimate interest.

The Finnish Standards Association SFS processes the personal data of customers in accordance with applicable data protection regulation for the following purposes:

  • management and development of customer relationships
  • offering and delivery of products and services
  • sending newsletters
  • payments, tracking and collection of payments
  • marketing and distance selling of the data controller’s products and services
  • development of the data controller’s business operations and the customer service related thereto
  • defence against legal claims
  • accounting and other obligations based on legislative requirements

4 Data Content of the Register and Required Data

In general, the data that are collected for the customer register are the name and the address and contact information of a customer’s contact person or a private customer. In addition, data related to the management of the customer relationship, such as notes related to customer meetings, are entered into the customer register.

In addition, the register contains information on the customer’s consent for the receipt of newsletters and on possible participation in the events arranged by SFS.

If the customer refuses to disclose the basic data required for the performance of the agreement to the Finnish Standards Association SFS, the products or services requested by the customer cannot necessarily be offered to the customer.

5 Regular Sources of Data

As a general rule, personal data are obtained from customers themselves (e.g. in conjunction with orders, agreements and other contacts).

Personal data can also be collected and updated from business information services as well as from other reliable parties, such as authorities and companies providing marketing-related services.

6 Regular Transfers and Disclosures of Data

The Finnish Standards Association SFS does not generally disclose customer register data to third parties. However, the payment intermediary (bank, credit card company) used by the customer will receive information on the customer’s purchase transaction when the purchase is made.

In addition, SFS can technically transfer data to such ordinary IT service providers that act on SFS’ behalf and responsibility (e.g. server hotel, data centre service and corresponding service providers). With agreements, the Finnish Standards Association SFS ensures that these parties do not process personal data in any other ways than those permitted by law in compliance with instructions issued by the Finnish Standards Association SFS and this privacy policy.

In addition, SFS uses in the online store ( and in the SFS Online service ( external analytics services, such as Google Analytics, which can also place cookies on the website user’s device. Further information is provided by Google Analytics at

7 Storage of Personal Data

The Finnish Standards Association SFS will store the personal data for the duration of the customer relationship. After the end of the customer relationship, customer data can be stored in the register passively for accounting purposes, for defending possible claims or for any other reason attributable to a legislative requirement.

Upon the end of the customer relationship, the customer’s basic data and information on previous agreements can be transferred to the Finnish Standards Association SFS’ marketing register. Further information on the processing of personal data according to the marketing register is available in the privacy policy of the marketing register.

8 Transfer of Data outside the EU or EEA

The data will not be transferred outside EU or EEA. Depending on the payment service used by the customer, it is, however, possible that the data concerning the payment transaction will also be processed abroad. The customer must ensure this from the own payment intermediary service.

However, some of SFS’ technical service providers mentioned in section 6 above can also process personal data outside EU/EEA. SFS has ensured the secure processing of these data also outside EU/EEA with various protection mechanisms, generally by incorporating the ‘model contract clauses’ approved by the EU Commission into an agreement that will be concluded with a service provider. Some of the service providers can also be subject to the scope of the ‘Privacy Shield programme’: Under the EU Commission’s decision, the US service providers committed to the Privacy Shield programme are considered to provide an adequate level of data protection for the personal data, even though US law does not, as such, correspond to the level of the European data protection legislation. At the request of the data subject, SFS delivers the data subject copies of the additional mechanisms used by it for ensuring data protection.

9 Security Principles for the Register

The data in the customer register will be collected into databases which are protected with firewalls and passwords. The rights of use will be determined by the person responsible for register matters.

The server devices are placed in locked premises which may only be accessed by SFS’ or business partners’ personnel. Only the persons employed by the Finnish Standards Association SFS or its authorised operators that need the data in their work have the right to use the data.

The Finnish Standards Association SFS requires that its personnel and business partners have undertaken to comply with confidentiality. The access to the information systems is possible only by using a username and password. Data set in a physical form is stored in the business premises that are used by the Finnish Standards Association SFS and that are monitored from external persons. The customer data may only be processed by the Finnish Standards Association SFS’ or the service provider’s the employees who need them to fulfil the purposes described in section 4 in conjunction with their duties.

10 Rights of the Data Subject

The data subject has the right to access his or her personal data included in the register and obtain a copy of the personal data being processed.

The data subject has also the right to demand the correction or erasure of the personal data, if the data are incorrect, unnecessary, inadequate or outdated.

In relation to his or her particular situation, the data subject is entitled to object to processing activities that the Finnish Standards Association SFS carries out on the data subject’s personal data to the extent that the processing is based on the data controller’s legitimate interest.

The data subject has the right to demand the Finnish Standards Association SFS to restrict the processing of the personal data, for example, in a situation where the data subject is waiting for the Finnish Standards Association SFS’ response to the request concerning the rectification or erasure of the data.

To the extent that the data subject has provided data to the register or data have been generated in the register directly as a result of the data subject’s activities and the data are processed in order to perform an agreement between the customer and the Finnish Standards Association SFS or based on a consent given by the data subject, the data subject has the right to receive such data in a structured, commonly used and machine-readable format and has the right to transmit these data to another data controller, if this is technically feasible.

If personal data are processed based on the data subject’s consent, the data subject has the right to withdraw his/her consent by notifying the data controller of this. The contact information can be found in section 1 of this privacy policy. The withdrawal of the consent does not affect the legality of the processing carried out based on the consent and before the withdrawal.

The requests related to the data subject’s rights above are generally free of charge and they must be sent to the data controller by using the contact information referred to in section 1 of the policy.

We response to data subjects’ requests without undue delay. If we do not fulfil the request, we will notify the data subject of the reasons for this (e.g. reasons based on legislation).

The data subject has the right to lodge a complaint with the competent supervisory authority, if the data subject deems that the Finnish Standards Association SFS has not complied with applicable data protection regulation in its operations.

11 Changes to the Privacy Policy

The Finnish Standards Association SFS can make changes to this privacy policy, if the methods or purposes of the processing of personal data change. Information on material changes can be published on a case-by-case basis, for example, on the Finnish Standards Association SFS’ website or such changes can be communicated directly to the data subject, if applicable legislation requires this. However, the content of the privacy policy should be checked on a regular basis.