1. Registrar
Karelia University of Applied Sciences
Business ID 2544377-1
Tikkarinne 9, FI-80200 Joensuu
Tel. +358 13 260 600
info@karelia.fi
2. Contact person in matters concerning the register
Pia Hiltunen
Tikkarinne 9, FI-80200 Joensuu
+358 40 743 6165
pia.hiltunen@karelia.fi
3. Name of the register
Ceepos e-commerce
4. Purpose of the processing of personal data
Personal data is collected for reasons such as the delivery of orders, correct allocation of payments, identification of the customer and/or the person registered by the customer, verification of the customer’s transaction history and rights to use services, reporting and marketing.
Information about the users of the software is collected to determine the user rights and to monitor the use of the software. The software generates logs containing personal information for the purposes of the software’s usage history and incident resolution.
5. Data content of the register
Possible personal data stored in registers include:
General customer register: Customer number, first name, last name, street address, city, telephone number, email address, order history, username and direct marketing permit.
Order register: Contact information, ordered products.
Customer cards/IDs: Card number and PIN.
Registrations: Name of the person to be registered, contact details, state of health (allergies and other restrictions), guardian’s details.
Mailing lists: Email address.
Personal data is stored in registers until they are deleted manually. Order information is kept until depreciation is done manually or on a scheduled basis. Electronic receipt histories are kept until the depreciation is done manually, but for at least six years.
6. Regular data sources
Payment transactions via interfaces are transmitted by external systems that are integrated into the e-commerce. The main source of information is the e-commerce customers use when placing orders, registering and paying their online fees.
7. Regular disclosures of data
Personal data is not disclosed to third parties. Personal data may be transferred to other systems of the controller such as the cash register system, accounting, invoicing, access control. Depending on the payment service provider, when the order is paid, the customer’s contact information is forwarded to the payment system to facilitate problem situations and refund of payments.
8. Transfer of data outside the EU or EEA
Personal data is not transferred outside the EU or the EEA.
9. Principles for the protection of the register
Software maintenance is protected by user IDs and passwords as well as user group-specific access rights. The data in the database is protected by user IDs and passwords, and the processing of the data is limited to the use of the e-commerce system. Data stored on disks is protected by operating system level access. All communication between the system vendor’s systems and the e-commerce and the payment service provider takes place with SSL security.
The e-commerce server service connection is only allowed for server and system vendors. The software vendor has full access to view and delete all collected data.
10. Acceptance of the processing of personal data
Making online purchases and payments is considered an acceptance of the processing of personal data, and this is not separately required of the consumer to use the system. When personal data comes from an external system, the approval of the processing of personal data is handled outside the e-commerce system.
11. Right of access
The data subject has the right to check the data concerning them stored in the register and receive copies of them. The request to check data must be made electronically or in writing and addressed to the contact person in the register.
12. Right to demand rectification of information
The data subject has the right to demand that incorrect data in the personal data file be corrected or deleted. Requests must be addressed electronically or in writing to the contact person of the register.
13. Other rights related to the processing of personal data
The data subject has the right to prohibit the controller from processing data concerning them for the purposes of direct advertising, distance selling and other direct marketing, and market and opinion polling.