Declaration of data security principles for Tammer Brands consumer campaigns
This document defines the principles for processing customer data in competitions, drawings and other time-limited campaigns.
Document version, validity and author information
version 2017061300, valid from June 27th, 2017
Created by: Kyuu Eturautti
Verified by: Timo Siren
Information of data controller
Tammer Brands oy
33800 Tampere, Finland
Phone +358 3 2521 111
Data protection matters are handled primarily by CISO Kyuu Eturautti
Details of data files
Tammer Brands (company) consumer campaign data store. The system is used to store information of individual time-limited consumer campaigns for the company and the brands it represents, as well as in whole for product development and quality control.
Processing of the data files is not handled by a third party, but by the company itself.
The data files are not used for long-term marketing uses, but only for the length required to facilitate the processing of the individual campaign in question.
The campaign length and other case-specific details are described in the rules of each campaign.
Source and type of personal data
The data consists of information provided by consumers via online form, electronic mail or letter. The information consists of two primary data types. Personal information contains data such as name, phone number, email and postal address. Other information contains campaign specific data, such as answers to questions, free text or rich media such as photos or videos.
Methods of data processing and securing
The data is handled in whole within the company’s own systems, which are located at company premises. The logical data storage areas are secured properly with user validation and access control methods. The physical data storage areas are secured with methods such as physical access control and anti-theft solutions.
The data files are available only to the people directly involved with the campaign in question. Personal data is handled confidentially and may only be used for communication required by the campaign in question, such as for delivering prizes or informing consumers of the campaign’s progress.
As per campaign specific rules, partial personal information, which at most contains name and place of residence, can be published as part of the campaign. These rules are always defined specifically for each campaign.
Non-personal information, such as text and rich media files provided by consumers as part of the campaign, is handled separately from personal information. This information can be published and used for marketing purposes, in ways defined in the campaign specific rules. The consumer retains copyrights for any creative works provided as part of the campaign. The company is granted non-exclusive, limited publishing rights for the creative work. The consumers will be compensated for any use of the creative material by the company which does not relate to the campaign, or which is kept visible for over six months after the campaign has ended. The compensation may be included in the prize for the campaign, or it can be agreed upon separately.
Data retention time and data transfer policies
Personal information is stored only for the duration of the campaign, plus a reasonable time needed to verify delivery of prizes and other details. This time is defined as a maximum of six months after the campaign has ended. After this time all detailed personal information is erased. Non-identifying parts of personal information can be retained for statistical purposes, such as postal code or other details that cannot be used to identify an individual person. This statistical data can be combined in part or full with other non-identifying information as part of the company’s quality control and product development.
Necessary contact information can be transferred to a third party (partner) to facilitate group communications, such as sending emails, letters or packages, should the campaign require group communication to consumers. Only the necessary amount of information is sent to the partner. Additionally, partners are required to delete the information when it is no longer required. Partners must adhere to the same limits of data transfer policies as the company, as defined in the next paragraph.
Personal information is not moved outside Finland or to data storage facilities within Finland which are operated by companies residing outside the European Union. Personal data is not disclosed to third parties, with the exception of legally binding requests from public officials.
Changes to this document
Any changes to this document that affect handling of personal information of the consumer will only affect campaigns started after the changes have been published. The changes do not take effect retroactively.
Changes that do not affect the handling of personal data or the position of the consumer can also be made retroactively. An example of such a change is a change to the company’s contact information.
Any other retroactively forced changes to this document or the data handling principles listed herein are possible only if binding legal changes in Finland so require.
Feedback and conflict resolution
We welcome any feedback and suggestions for our consumer campaigns, our data security principles or this document.
Any conflicts will be handled within the Tampere district court.