Privacy policy

Controller

Qstock Oy (Tullisali)
Business ID 2811591-8
Kansankatu 53 T 3
90100 Oulu

Contact information for matters concerning the register (data protection officer)

Binta Jabbi
binta.jabbi@qstock.fi
040 456 4113

Name of the register

Qstock Oy’s (Tullisali’s) customer data register

Data subjects

The register includes visitors to the Qstock Oy (Tullisali.fi) website who have left their contact details. The register also includes persons who have given their direct marketing authorisation via the Ticketmaster.fi website.

Purpose of the register

Qstock Oy (Tullisali) uses the personal data in the register for customer communication by sending a newsletter, provided that the visitor has given permission for direct marketing.

Grounds for data collection and processing

The data of the data subjects is collected and processed with the consent of the data subject for the purpose of conducting prize draws and customer communications via the newsletter.

Data content of the register

Tullisali collects only the necessary contact information, i.e. the e-mail address.

Data retention period

We will only keep personal data for as long as necessary for the purpose for which it is used. After that, the data will be deleted. It is possible for a person to be removed from the direct marketing list if they so wish, and they have the right to request the deletion of their data.

Regular data sources

Data is collected using Google Analytics 4, an analytics tool.

Regular data disclosures and transfers of data outside the EU or the European Economic Area

Qstock Oy’s customer data register is stored electronically in the Creamailer system, whose security-related functions comply with Finnish and EU legislation and official regulations. The data of the Creamailer service is located on secure servers within the EU. The server centre facilities comply with the Traficom regulation on securing communication networks and services and synchronisation of communication networks (TRAFICOM/54045/03.04.05.00/2020).

The service provider outside the whistleblowing channel used by Qstock Oy uses subcontractors who provide technical data processing services, some of which are located outside the EU in the United States. Appropriate safeguards outside the EU or EEA have been contractually ensured. See Whistleblowing’s Privacy Policy.

Principles for the protection of the register

The register maintained by Qstock Oy on the Creamailer system is not accessible to third parties. Creamailer pays attention to data security and data protection using a lifecycle approach. Creamailer specifies that its services and the processing of personal data are taken into account in the design, implementation, development and maintenance of its services. Creamailer implements information security and data protection based on the principles of preventive risk management. Creamailer is prepared for data breaches and other risks by taking into account the nature of the data to be protected and the likelihood of risks. No data is disclosed to third parties or outside the EU or EEA.

Qstock Oy does not keep manual records of newsletter subscribers. Designated persons using the Creamailer system will maintain their user IDs and will be bound by confidentiality.

The personal data of those completing the form will be kept confidential. The use of the register is regulated within the controller’s organisation and access to the personal register is restricted in such a way that only those employees who are entitled to access the data stored in the register by virtue of their duties and who need the data for their work are allowed to do so. Staff handling personal data are bound by a duty of confidentiality.

Right of access and rectification

Any person in the register has the right to check the data recorded in the register and to request that any inaccurate or incomplete data be corrected or completed. If a person wishes to check or request a correction of the data stored about him or her, the request should be sent to the controller by e-mail. The controller may, if necessary, ask the person making the request to prove his or her identity. The controller will reply to the customer within the time limits set by the EU General Data Protection Regulation (as a general rule, within one month).

Other rights related to the processing of personal data

A person in the register has the right to request the erasure of personal data concerning him or her from the register (“right to be forgotten”). Data subjects also have other rights under the EU General Data Protection Regulation, such as the restriction of the processing of personal data in certain circumstances. Requests should be sent to the controller by e-mail. The controller may, if necessary, ask the applicant to prove his or her identity. The controller will respond to the customer within the time limits set by the EU GDPR (as a general rule, within one month).