SFS Finnish Standards’ Privacy Policy – Customer and Marketing Data

This Privacy Policy describes how SFS Finnish Standards (“SFS”) as the responsible data controller processes your personal data when we sell and market standards and our other services.

1. Personal Data that We Collect

SFS may collect the following personal data about you:

• Contact and customer data. SFS may collect and process the following customer and contact data about you: your name, your contact information, name of the organisation you represent, title and, where applicable, data about your purchase history and applicable terms and conditions (between SFS and you or the organisation you represent). With respect to certain identifier services you may also be requested to provide other data that is mentioned separately. Furthermore, SFS also collects and stores data related to managing the customer or marketing relationship, including your correspondence with SFS or any feedback you have given.
• Other data. SFS may also store and process data about the events or meetings arranged by SFS that you have participated in, the newsletters or marketing communications that you have subscribed to and about any prohibitions of direct marketing. To arrange events and meetings, SFS also requests you to provide information about any special diets or similar wishes (see below for more information about the limited storage of this data).
• Web analytics data. SFS also collects analytics data about how our website and online services are used. Please read more below.

SFS obtains the aforementioned contact and customer data and other data primarily from you, for example, when you register as a user in SFS’s online service or as a participant in an event. However, your data may also be obtained from a partner of SFS providing business information services or from the organisation that you represent. Web analytics data is collected by using an analytics service as described in more detail below.

2. Purpose and Legal Basis of Collecting Personal Data

SFS processes this data for the following purposes:

• Performance of a contract. SFS collects and processes the aforementioned contact and customer data about you to be able to sell standards and other publications and services to our customers and to perform sales contracts between SFS and our customers and to comply with our legal obligations relating to accounting and retention of accounting materials. In addition, SFS may process the contact and customer data of the representatives of our organisational customers to exercise our legitimate interest to offer and sell these products to the customer represented by the representative. Providing this data may be necessary so that SFS can sell the aforementioned products to you or to the customer organisation that you represent through you.
• Development of services. SFS may use all of the aforementioned data to exercise our legitimate interest to develop our products and services. This may involve collecting feedback and monitoring the sales of and interest for standards to better target the standardisation work in the future. This may also involve monitoring the use of SFS’s website and online services to improve their usability and functionalities.
• Marketing. Furthermore, SFS may use all of the aforementioned data to exercise our legitimate interest to maintain our customer relationships and to market our products and services. SFS may also monitor the use of our website and online services to target marketing. In certain situations, you have the right to object to the use of your personal data for marketing purposes as described in more detail below. However, you always have the right to object to direct marketing to you. To the extent that SFS sends electronic direct marketing that requires consent, you may withdraw your consent concerning it at any time.
• Legal claims. SFS may also process your data to execute our legitimate interest, if necessary, to defend against legal claims or to present such claims regarding, for example, unpaid invoice claims.

Your personal data is not used for automated decision making or profiling as referred to in law.

3. How We Disclose and Transfer Your Personal Data

Generally, SFS does not disclose data about you to others. There are, however, some limited exceptions to this:

• Organisational customers’ access to information. If you represent an organisational customer, SFS may provide the organisational customer in question data about which standards you have purchased on behalf of the customer and how you have used the services that are subject to a contract between the organisational customer and SFS. This may be necessary, for example, for invoicing.
• Identifier services. As regards customers that have purchased an identifier service, SFS may also provide data to organisations operating in third countries when it is necessary to implement the service, for example, to notify the organisation that SFS represents that a customer has been granted a certain identifier.
• Development of the standardisation work. If you represent an organisational customer, SFS may provide data regarding the purchase of a standard to the working group responsible for the creation of the standard. A standardisation expert in the standards writing body responsible for the standard may be also be provided with the data about the name of the customer organisation that you represent and the standard that you purchased on its behalf. The expert will not be provided data that allows you to be identified. The expert cannot disclose the data to third parties.
• Statistical data about the sales of standards. The members of the standardisation group that participated in the creation of the standard may be provided with high-level statistics on the sales of the standards that the group is responsible for in such a way that an individual person or organisation cannot be identified based on the statistics. The representatives of the working group will not be provided data that allows you to be identified.
• Technical service providers. In addition to the above, SFS may also use external service providers for collecting and processing the data set out above. These parties may include companies from which SFS buys IT services such as server space or server room services. SFS also uses an external service provider for direct market-ing. These technical service providers act as data processors on behalf of SFS. Agreements between SFS and these service providers ensure the safe processing of your personal data in these situations as well.
• Electrotechnical standardization is under the responsibility of the Finnish Electrotechnical Standards Association SESKO. If the publication you purchased is an electrotechnical standard, SFS may disclose your personal data and other customer and stakeholder data acquired at the time of purchase to SESKO for the purposes of marketing standards and committee memberships and for other communication due to a legitimate interest. However, such data will not be disclosed if the agreement between your organisation and SFS includes a confidentiality clause.

If you have any questions regarding how your data is disclosed or transferred to others, please contact SFS.

4. Cookies and Web Analytics

SFS uses cookies on its website. Cookies are small data files, that are transferred to your computer when you contact a website. Cookies are saved with the files your browser us-es. Some cookies are in used only during each browser session, while others are in use for a longer time.

Cookies may be divided into four categories: necessary, functional, analytics, and marketing cookies.

Some cookies are necessary for the technical operation of the website. These cookies do not collect information about the user that could be used for marketing or analytics. Functional cookies in turn improve the functioning of the website, e.g., by making it pos-sible for a chatbot to work.

Analytics cookies collect anonymous information and statistics for the development of the website.

Marketing cookies may be used to target advertising to users of the website. The website may also include social media plugins that you may use if you are signed-in to your social media account.

With respect to cookies that are not technically essential cookies, SFS requests your consent to the use of cookies. You may withdraw your consent at any time, but this does not affect the lawfulness of measures already taken.

Currently, SFS uses the following analytics services:

• Google Analytics. SFS uses the Google Analytics service for the aforementioned purposes. Further information on personal data that the service collects is available here: https://policies.google.com/technologies/partner-sites.
• Askem. SFS also uses Askem, a service provided by the Finnish company React & Share. For details on how Askem handles personal data, see https://www.askem.com/privacy-policy.
• Matomo. SFS uses the cookie-free Matomo service in the webstore (sales.sfs.fi). The service does not use tracking cookies. The collected information is used for analytics purposes by SFS only, and it is not shared or combined with any other information. Visitors are not tracked across different websites or identified. For further information on the privacy practices of the service, see https://matomo.org/privacy/

You can find more information about the cookies used on the SFS.FI website from here: https://sfs.fi/en/finnish-standards-association/cookie-policy/

5. International Disclosures or Transfers of Personal Data

As a general rule, SFS does not disclose or transfer your personal data outside of the EU/EEA. In some limited situations, SFS may, however, disclose or transfer your personal data to a recipient located in a third country outside of the EU/EEA where the local law does not ensure a similar level of data protection as EU regulations:

• Identifier services. As described above, it may be necessary for SFS to notify an organisation operating in a third country that it has granted the identifier you have purchased and to disclose related data in order to provide the service and perform the contract.
• Foreign organisational customers. As described above, an organisational customer may have the right to receive data about how the representatives of the customer have used SFS’s services, for example, for invoicing. If an organisational customer is located abroad, this may require transferring data to a third country.
• Service providers. Some of the aforementioned technical service providers and web analytics services used by SFS may also store or process your personal data in such a third country.

In these situations, SFS has generally entered into an agreement with the party in accordance with EU Commission’s model contract clauses that ensure safe data processing in third countries as well. However, if it is necessary to disclose or transfer data to perform an agreement that SFS has entered into with you or in your favour or if some other legal ground for exemption is applicable, SFS may not use the model contract clauses.

SFS ensures safe and lawful data processing abroad by other means as well. If necessary, SFS can give you more detailed information on international data transfers.

6. Storage Period of Your Personal Data

SFS stores your personal data in accordance with the storage periods described below:

• User ID. If you have a user ID for SFS’s service, your data may be stored in an identifiable form as long as your customer relationship lasts, i.e. until the user ID is removed. You may at any time request that your user ID be removed, but this may mean that you no longer can use SFS’s services, for example, to purchase standards. See below for more information on how you can object to the processing of your personal data, for example, for direct marketing.
• Other purchase data. If you have purchased a standard without creating a user ID, for example, by contacting SFS’s customer service, your purchase data may be stored in an identifiable form until three years have passed from your last purchase. If you have requested that SFS notifies you of updates in a standard that you have purchased, the data may be stored longer in accordance with your request.
• Newsletter subscriptions. Information on you being sent a certain newsletter or marketing communications is stored as long as your subscription is active. You may opt out of this kind of communications at any time. If you have opted out of direct marketing, SFS may store the data relating to the prohibition until you cancel it.
• Other marketing data. Other marketing data, such as information on you participating in a certain event or meeting, will not be stored in an identifiable form more than 3 years. Information on any special diet will, however, be removed immediately after the event or meeting, unless otherwise agreed.
• Web analytics data. User-specific web analytics data will not be stored more than 38 months from the collection.
• Accounting records. Without prejudice to the foregoing, accounting materials referred to in the Accounting Act, such as accounting records and correspondence regarding transactions, may be stored in the manner allowed or required by the provisions on accounting, i.e. normally at least six years.
• Materials relating to legal claims. The data may also be stored, as applicable, longer than the period mentioned above if SFS has a reasonable doubt that it will be needed in a possible legal dispute in the future.

When the mentioned storage period ends, your personal data will either be deleted or anonymised in such a way that it is no longer possible to identify an individual based on the data.

7. Your Rights Pursuant to Data Protection Law

Pursuant to applicable data protection regulation, you have the following rights as regards your personal data set out above:

(a) to check the personal data about you stored by SFS and, in certain cases, the right to demand a copy of your data or its transfer to another data system;
(b) to demand the correction of incorrect or incomplete data;
(c) to demand the deletion of outdated or unnecessary data from SFS’s filing system;
(d) to demand a temporary limitation on data processing until another demand related to your data has been solved;
(e) to object to using your data for direct marketing or, when your particular situation so requires, for safeguarding SFS’s legitimate interests.

In situations where SFS processes your personal data based on your consent, you have the right to withdraw your consent at any time. However, this will not affect the lawfulness of actions carried out before you withdrew your consent.

If you are dissatisfied with how SFS has processed your personal data, you can also lodge a complaint to competent data protection authorities. In Finland this means the Office of the Data Protection Ombudsman (see tietosuoja.fi/en).

8. Contacts

In matters related to this privacy policy or your personal data you can contact SFS with the following contact details:

SFS Finnish Standards
Malminkatu 34, 00100 Helsinki, Finland
PO Box 130, 00101 Helsinki, Finland
Tel. +358 9 149 9331
E-mail: standardeista@sfs.fi

9. Changes

SFS may update this policy from time to time. If necessary, we will announce material changes separately.

The effective date of this privacy policy version is 7 April 2024.