Privacy policy

This privacy statement/notice is available on the HAMK Online Shop website and has also
been submitted to the data protection officer.

Purpose of processing personal data

Personal data is collected for purposes such as the delivery of orders, correct allocation of
charges, identification of the customer and/or the person designated by the customer, verification of the customer’s service history and service rights, reporting and marketing.


Data on software users is collected for the purposes of defining access rights and monitoring
access. The software generates logs containing personal data for the purpose of potential need
to review software usage history or resolve problem cases.


Personal data can be transferred to other HAMK systems, such as the cash register system, accounting and invoicing.

Contact person for matters related to the register

Johanna Närhi
johanna.narhi@hamk.fi
+358 40 738 2136
Häme University of Applied Sciences Ltd
PO Box 230 (Visamäentie 35A)
FI-13101 Hämeenlinna, Finland

Legal basis for processing

As regards consumer customers, the processing of personal data is based on the implementation of the agreement and, as regards business customers, the legitimate interests of the controller (customer relationship).

Personal data content and retention periods

Personal data that may be stored in the registers include:


General customer register: customer number, first name, last name, date of birth, street address, zip code and city, telephone number, e-mail address, order history, user ID.
Order register: Contact details, products ordered.


Registrations: name of the person being registered, contact details, special diets, details of the
guardian of a minor. Find the General Privacy Notice for Events here.


Electronic receipt histories, as well as the registered customer’s data, are stored in the online
shop for a maximum of six years from the most recent purchase. The customer may request
the register data to be deleted earlier than that.

In accordance with the Accounting Act, personal data transferred to the accounts related to
purchases are stored for ten years.

Data subjects

Data subjects are the customers of the online shop.

Data sources

The primary source of data are the online shop customers when they place orders, register for
something or pay e-invoices.


Data related to payment transactions is obtained from Paytrail.

Recipients of personal data

The e-commerce platform is provided by Computer Program Unit Oy (CPU). The payment
transactions are processed by Paytrail Oyj. Communications-related product orders are processed by the student union of Häme University of Applied Sciences (HAMKO).

Principles of protection

Software maintenance is protected by user IDs, passwords and user group-specific access
rights. The data stored in the database is protected by user IDs and passwords, and the processing of data is restricted for the use of the online shop system. Data stored on disks is protected by operating system level access rights. All communication taking place between the
system provider’s systems, the online shop and the payment service provider is SSL protected.
The maintenance connection to the online shop server is only allowed for server and system
suppliers. The software supplier has full access to view and delete all collected data.


The lawful processing of personal data is ensured by categorisation of data and with operating
methods that are in compliance with the data handling rules concerning data set.

Controller

Häme University of Applied Sciences (business ID: 2617489-3)
PO Box 230
(03) 6461
hamk@hamk.fi

Data protection officer

Kari Kataja
tietosuojavastaava@hamk.fi
Häme University of Applied Sciences Ltd
Data protection officer
PO Box 230
FI-13101 Hämeenlinna, Finland

Automated decision-making

No automated decision-making is performed on the recorded data.

Transfer of data outside the EU or EEA

No data is transferred outside the EU or EEA.

Data subject’s rights and restriction of these rights

The EU General Data Protection Regulation (2016/679) provides the data subject with the following rights:

Right to withdraw consent

The data subject shall have the right to withdraw his or her consent at any time (Article 7).

Right of access by the data subject

The data subject shall have the right to obtain from the controller confirmation as to whether
or not personal data concerning him or her are being processed. The data subject shall have
the right to access to the personal data concerning him or her. Where requests are manifestly
unfounded or excessive, in particular because of their repetitive character, the data controller
may charge a fee or refuse to act on the request. (Article 12 and Article 15).

Right to rectification

e data subject shall have the right to obtain from the data controller the rectification of inaccurate personal data concerning him or her contained in the register (Article 16).

A request for rectification shall be submitted in writing. In some information systems, the data subject is
also able to rectify his or her own data.

Right to erasure

The data subject shall have the right to request the erasure of personal data concerning him or
her where one of the following grounds applies (Article 17):

  • the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
  • the data subject withdraws consent on which the processing is based and there is no other
    legal ground for the processing;
  • the data subject objects to the processing, and there are no overriding legitimate grounds
    for the processing (Article 21);
  • the personal data have been unlawfully processed;
  • the personal data have to be erased for compliance with a legal obligation in Union or
    Member State law to which the controller is subject.

Right to restriction of processing

he data subject shall have the right to obtain restriction of processing where one of the following applies (Article 18):

  • the accuracy of the personal data is contested by the data subject, for a period enabling the
    controller to verify the accuracy of the personal data;
  • the processing is unlawful and the data subject opposes the erasure of the personal data
    and requests the restriction of their use instead;
  • the controller no longer needs the personal data for the purposes of the processing, but
    they are required by the data subject for the establishment, exercise or defence of legal
    claims;
  • the data subject has objected to processing pursuant to Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

Right to data portability

here the processing is based on consent and carried out by automated means, the data subject shall have the right to receive the personal data concerning him or her, which he or she
has provided to a data controller, in a machine-readable format (Article 20).

Requests to exercise these rights are to be submitted:

Kari Kataja
tietosuojavastaava@hamk.fi
Häme University of Applied Sciences Ltd
Data protection officer
PO Box 230
FI-13101 Hämeenlinna, Finland

Right to lodge a complaint

The data subject shall have the right to lodge a complaint with the Office of the Data Protection Ombudsman. For more information, visit https://tietosuoja.fi/en/home.