Joint register: data, legal bases and data subject rights

What is a joint register?

A joint register is a structured dataset containing personal data that multiple data controllers use for common purposes. In this case, two data controllers – SOK and S-Bank – jointly determine the purposes and means of processing. They act as joint data controllers.

The change is based on clarified GDPR interpretations by authorities. The joint register enables the provision of useful services and benefits for you:

• When S-Bank transfers information about your benefits payment account to the joint register, the co-op can pay your cashback benefits directly to your S-Bank account

• When SOK transfers your member/customer number to the joint register, S-Bank can provide you with a payment card as an S-Etukortti with the correct number for earning Bonus

Who is included in the joint register?

The joint register concerns you if you are:

• A co-op member or household member and an S-Bank customer

• An S-mobiili user (regardless of S-Bank customer status)

• Joined as a co-op member through the online service (regardless of S-Bank customer status)

S-mobiili and the Join as Co-op Member online service are services produced jointly by SOK and S-Bank.

What personal data does the joint register contain?

The joint register processes a precisely limited portion of data about SOK and S-Bank's shared customers.

Data processed in the joint register:

• Name, personal identity code and date of birth

• Language and gender information (if you have provided it)

• Contact details (address, phone number)

• Consent and restriction information (direct marketing restriction, email and mobile marketing consent, research survey restriction, telemarketing restriction)

• Household membership information and member/customer number

• Benefits payment account and S-Etukortti cards with payment features

S-mobiili usage data:

• Information about activation and devices you use the app on

• Digital footprint of service usage

• Feedback you provide in the service

The joint register does NOT contain:

• S-Bank transaction data

• S Group purchase data

The joint register data is also in S Group's co-op member and customer register and S-Bank's customer register. These registers contain much other data that is not transferred to the joint register.

More information is available in SOK's and S-Bank's privacy notices.

What changes in personal data processing?

The joint register is not directly visible to you as a change. S Group and S-Bank have previously cooperated in managing shared customer data.

Previously: S Group and S-Bank transferred information such as your contact details to each other, so you didn't have to provide them twice.

Going forward: Your contact details update directly to the jointly maintained SOK and S-Bank joint register. Data management becomes easier and development of shared services, such as S-mobiili, becomes more streamlined.

Data collected from S-mobiili usage enables better and more customer-centric service development. SOK and S-Bank can jointly analyze how different customer groups use the service.

Being included in the joint register requires no action from you.

Data subject rights

Under the GDPR, you have the right to:

• Receive information about the processing of your personal data

• Access your data (data subject's right of access)

• Rectify your data

• Object to processing in certain situations

• Request deletion of your data

However, a data subject cannot exercise all rights in all situations. The situation is affected by, for example, the legal basis on which personal data is processed.

How is personal data security ensured?

Data protection:

• SOK and S-Bank use appropriate information security and data protection mechanisms throughout the data lifecycle

• Information security management is based on proactive risk management

Staff training:

• SOK and S-Bank regularly train staff who process personal data

• Partner organization staff are also trained to understand the confidential nature of personal data

Monitoring and supervision:

• SOK and S-Bank continuously and systematically monitor and supervise their systems

• In the event of a potential data security breach, action is taken according to legal requirements and the defined process

• Relevant authorities and data subjects are notified when necessary

Legal bases and retention periods

Below are listed the shared data that S-Bank and SOK process for common purposes.

Basic personal information (name, personal identity code, date of birth, language, gender information, date of death)

• Purpose: Maintaining data to provide co-op member benefits and staff benefits

• Retention period: As long as the customer is in the joint register

• Legal basis: Contract (legitimate interest for gender information)

Contact details (postal address, phone number, email address)

• Purpose: Data maintenance and updates

• Retention period: As long as the customer is in the joint register

• Legal basis: Contract

Staff information (information about staff membership and discount entitlement)

• Purpose: Providing staff benefits

• Retention period: As long as the customer is in the joint register

• Legal basis: Legitimate interest

Co-op member household (household membership, validity period, member/customer number)

• Purpose: Providing co-op member benefits

• Retention period: As long as the customer is in the joint register

• Legal basis: Contract

Benefits payment account (account number of valid benefits payment account)

• Purpose: Providing co-op member benefits

• Retention period: As long as the customer is in the joint register

• Legal basis: Contract

S-Etukortti Visa (card type, validity period, co-op information)

• Purpose: Producing S-Etukortti Visa cards and handling disputes

• Retention period: As long as the customer is in the joint register

• Legal basis: Contract

Consent and restriction information (marketing restrictions and consents, Robinson list restrictions)

• Purpose: Data maintenance and updates

• Retention period: As long as the customer is in the joint register

• Legal basis: Legitimate interest

S-mobiili activation information (incl. guardian's consent for under 13-year-olds)

• Purpose: Providing S-mobiili service

• Retention period: Duration of S-mobiili agreement

• Legal basis: Contract

S-mobiili advertising identifier

• Purpose: Data maintenance and updates

• Retention period: Duration of consent, maximum duration of S-mobiili agreement

• Legal basis: Consent

S-mobiili consents (location, notifications)

• Purpose: Targeting marketing, improving customer experience

• Retention period: Duration of consent, maximum duration of S-mobiili agreement

• Legal basis: Legitimate interest

S-mobiili customer feedback

• Purpose: App development and responding to feedback

• Retention period: 2 years

• Legal basis: Legitimate interest

S-mobiili digital footprint

• Purpose: Improving customer experience, profiling, app development

• Retention period: 2 years, maximum duration of S-mobiili agreement

• Legal basis: Consent

S-mobiili interface choices and favourites

• Purpose: Interface personalization, content targeting

• Retention period: Duration of choice, maximum duration of S-mobiili agreement

• Legal basis: Contract

S-mobiili customer segments

• Purpose: Recommending benefits and services, personalization, development

• Retention period: 5 years, maximum duration of S-mobiili agreement

• Legal basis: Legitimate interest

Personal data is also processed independently for separate purposes as part of SOK's co-op member and customer register and S-Bank's customer register.

Where can I get more information?

• S Group's data protection website: As an S-Etukortti customer – data protection

• S-Bank's data protection website: Data protection protects your personal data

• Data Protection Officer: tietosuojavastaava@sok.fi