1. Data file maintained by:
LUT University (0245904-2)
P.O.Box 20, FI-53851 Lappeenranta
+358 29 446 2111
info(@)lut.fi
2. Contact person in matters concerning the data file
Hammaren, Terho
Yliopistonkatu 34, FI-53850 Lappeenranta
+358 40 755 7724
terho.hammaren(@)lut.fi
3. Name of data file
Ceepos online store
4. Purpose of personal data processing
Personal data is collected e.g. for delivering orders, allocating payments, identifying the customer and/or a
person named by the customer, verifying customer histories and customer rights, reporting and marketing.
Data is collected on users of the software to define user rights and control use. The software creates log
entries containing personal data to define user histories and solve problems.
5. Contents of data file
Possible personal data saved in the file may include the following:
General customer data file: customer number, first name, last name, home address, municipality, phone
number, email address, order history, username, and consent to direct advertising.
Order file: contact information, ordered products.
Customer cards and identifiers: card number and PIN code.
Registrations: person’s name, contact information, health details (allergies and other restrictions),
guardian.
Mailing lists: email address.
Personal data is stored in the files until they are removed manually. Order data is stored until manual
removal once a year (if inactive for 3 years). Electronic receipt histories are stored until manually removed,
but for at least ten years.
6. Regular data sources
Information on payment transactions is provided by external systems that are integrated with the online
store. The main source of data is customers as they place orders, submit registrations and pay online.
7. Data disclosure
No personal data is disclosed to parties beyond the organisation. Personal data may be transferred to the
data controller’s other systems, such as point-of-sale systems, accounting, invoicing, and access control.
Depending on the payment service provider, customer data may be fed to the payment system in
connection with a payment to facilitate problem-solving and refunds.
8. Data transfer beyond the EU or EEA
No personal data is transferred beyond the EU or EEA.
9. Safeguarding of the data file
The maintenance of the software is protected with usernames and passwords and user rights defined for
groups of users. Data in the data file is protected with usernames and passwords, and data processing is
limited to the online store system. Data in the online data storage is protected with assigned user rights to
the operating system. All telecommunication between the system supplier’s systems, the online store and
payment service provider is SSL protected.
Maintenance connections to the online store server are only granted to server and system suppliers. A
system supplier may view and remove collected data.
10. Consent to data processing
Making online purchases and payments is considered as consent to data processing. Consent is otherwise
not required for the use of this system. When personal data comes from an external system, consent to
data processing is confirmed beyond the online store system.
11. Right of access
Data subjects have the right to access data concerning themselves in the data file and receive copies.
Access requests must be made electronically or in writing and addressed to the contact person of the data
file.
12. Right to rectification of data
Data subjects have the right to demand the correction or removal of erroneous data from the data file.
Such requests must be made electronically or in writing to the contact person of the data file.
13. Other rights related to data processing
Data subjects have the right to prohibit the data controller to process personal data for purposes of
direct advertising, distance selling, other direct marketing, market research, opinion polls, public registers
or genealogical research.