1 Name of register:
Muumimaailma Oy’s customer register
Muumimaailma Oy (Business ID 0925595-8)
Kaivokatu 5, 21100 Naantali
(+358) 02 511 1111
Person responsible for matters relating to the register: Jarkko Kuitunen, Administrative Director, email@example.com [ ]
The Controller may employ subcontractors and service providers for the processing of personal data. The Controller shall enter into a written agreement with subcontractors and be responsible for ensuring that the subcontractors used comply with the terms and conditions described here and the Controller’s instructions.
4 Purpose of the processing of personal data and its legal basis
The register stores information on the use and involvement of the Controller’s mobile application, the online store, the cash register system, the MM 2.0 system and customer relationship management. Personal data is processed in order to deliver the communications service between the Controller and the data subject, to produce various eservices, to enable measures based on the data subject’s consent connected with the management of orders, registrations, contact requests, transactions, reports and other customer relations matters, and to plan and develop the business.
The information on use and involvement that is processed in the register as well as location data may also be used to raise profiles, improve marketing and develop customer communications to attract the interest of data subjects. Personal data is also processed when sending out newsletters and in connection with events and other marketing measures.
Processing is undertaken with the data subject’s consent in the case of direct marketing, and to guarantee the legitimate interest of the Controller.
5 Groups associated with the register, information content and personal data categories
The register is used to process the Moominworld mobile application user's name and contact information in connection with the device's unique identifier. The collection of personal data relies on the provision of information by the data subjects themselves and the process is undertaken with their consent.
Some of the data is forwarded to the cash register system and Email marketing system. The data processed includes:
• Email address
• Phone number
• Marketing authorisation
• Order data
• Purchased items and services
• Order date
Other colleted data
• Payment infomation details (Voluntary)
• Location data (Voluntary)
Location data is not automatically transmitted outside the mobile application’s management system. Location data is only collected when application is being used.
Magic bracelett system
So-called RFID-based data is used when the customer registers an identifier with an RFID chip, which is used for functions in the park and for authentication at the cash register. These functions may be effects, information boards and other functions providing personalised content. In such cases the following information on the customer is also saved:
• RFID identifier
• Bracelett user name
• Favorite character
• Favorite color
Cash register system
The register only saves details of the data subject’s purchases via the Moominworld cash register system if the data subject wants it to. Authentication relies on an individual identifier issued to the data subject when registering in the Muumimaailma Oy customer register. The cash register system only produces a purchase history, and does not automatically forward it to other systems. The cash register system receives the data subject’s details automatically from the customer relationship management system. These details are:
- Customer number
- Customer category
Email marketing system
Email marketing system is used for customer communications and marketing between Moominworld and its customers.
The collection of personal data relies on the provision of information by the data subjects themselves and the process is undertaken with their consent.
- Marketing authorisation
6 Regular sources of information
The personal data saved in the register is mainly that the users have recorded themselves. Customers are able to save data via the Moominworld application, customer portal or online store.
Some of the information is saved automatically when the user carries out various actions during a visit. Examples are the use of the application and RFID services.
The personal data is saved and combined with the information on the device’s use when the user registers the application. In addition, data is collected automatically on the device's unique identifier, the receiving times of beacon transmitter signals, the device's operating system, and beacon nudge screen and use information.
7 Regular disclosure of data
Personal data is not disclosed to outsiders without the consent of the data subject, with the exception of subcontractors connected with the Controller’s service and maintenance of the application. Furthermore, information on the winners of the draws may be disclosed to a partner of the Controller (e.g. the external organiser of the draw) for the prize to be sent. The Controller may also disclose information, where the law allows and within the legal limits, to reply to requests for information on the part of authorities.
Personal data is not disclosed to any party outside the European Union or European Economic Area. The technical management and development of the register platform can be conducted via remote connections outside the EU, while adhering to the requirements of the Personal Data Act.
8 Retention period for personal data
Personal data is kept for as long as data subjects use the mobile application, or for as long as data subjects have given their consent for their personal data to be processed, or for as long as is necessary for the Controller to manage customer relations.
9 Principles of register protection
The material is in digital format. No physical sections from the register are used. The saved data is passed from the mobile application to the register encrypted. The electronic register is kept in an environment that is protected against outside unauthorised contact.
Only the designated personnel of the Controller and its subcontractors, and where it is in their job description, have the right to process and maintain data in the register. Users are bound by an obligation of confidentiality. Data is stored in a manner that is technically secure, and physical access to it is prevented by means of access control and other security measures. The data kept in the register is backed up securely and can be retrieved when needed. The level of information security is audited at repeated intervals either by an external or internal auditor.
10 Rights of the data subject
A person recorded in the register has the right, inter alia, to:
1) ask the Controller for access to the personal data on that person, and the right to ask for it to be amended or deleted, or for its processing to be restricted, or to oppose its processing and the right to transfer the data from the system to another;
2) inspect what information is held on that person in the register and, if necessary, have it corrected. The request must be made in writing to the Controller. A person entered in the register has the right to ask for changes to be made to details on that person that have been recorded in the register wrongly.
3) where the processing of personal data is with the consent of the data subject, withdraw one’s consent at any time without this affecting the legality of the processing undertaken with consent prior to its withdrawal;
4) lodge a complaint with a supervisory authority about the processing of personal data.
Customers always have the right to refuse to allow their data to be used for direct marketing and marketing studies. This refusal can be set up when the application and service starts to be used, both in the management of one’s own data and in the Moominworld application’s settings.