Data Protection Policy for Retail Customers K-Rauta AB
Below is a description of how we process the personal data of K-Rauta AB’s retail customers.
Table of contents
• Controller
• What personal data are we processing?
• For what purposes are we processing the personal data?
• Storage of data
• What are your rights?
• How to exercise your rights
• Information about the recipient of personal data
• Right to lodge a complaint
• Data that is necessary for our services
• Information on automated decision-making, e.g. profiling
• The use of data for other purposes
• Personal data that have been collected from sources other than you
• Data Protection Officer
1. Controller
K-Rauta AB
Corporate identity number 556511-2991
Esbogatan 11, 164 74 Kista, Sweden
For any matters related to processing, please contact us HERE
2. What personal data are we processing?
We process the following data on our customers:
Basic information:
• Name and address
• Postcode and place
• Personal identity number
• Gender
• Telephone number and email address
Customer information:
• Customer number
• Customer club membership number
• Date of joining the customer club
• Choice of home shop
• Terms of payment
• Credit amount
Marketing information and enriched information:
• Consents and choice of channels
• Points and bonus information
• Enriched information such as type of home, purchasing power, the likelihood of owning a holiday home, family status, behavioural data, areas of interest
• Segmentation and classification, such as value segment, life situation and personas
• Online identifiers
• Campaign information and response
• Information on purchases
3. For what purposes are we processing the personal data?
We collect personal data from our customers to establish and maintain customer relationships. We process personal data in connection with orders, purchases and communication. The processing is required to satisfy our obligations to the customer.
We also process our customers’ personal data to manage our customer database, manage outstanding debts, develop our choices and market our services to our customers. We process personal data in connection with customer services matters and for feedback on our customers’ matters. The processing is necessary both to satisfy our obligations to the customer and to pursue our legitimate interests for marketing purposes.
We process our customers’ personal data for the administration of their membership in the K-Rauta Plus club, for the management of points, bonus balances and bonus payments, benefits and offers and for personally adapted offers. The processing is required so that we can satisfy our obligations according to the terms and conditions of membership in K-Rauta Plus. We process our customers’ personal data so that we can carry out and manage the participation in customer activities such as customer evenings, training, competitions, surveys and other activities. The processing is required to satisfy the customers’ and our own legitimate interest of administering the participation in customer activities.
Directed communication is based on your consents regarding content and choice of channels.
We process our customers’ personal data in order to present relevant and adapted communication and offers. We base these on the customer’s previous patterns, previous purchases and use of services and other information held on the customer. The processing is necessary to meet our obligations under the terms and conditions of membership in the customer club and to pursue our legitimate interest to provide relevant and needs-based communication.
K-Rauta has a legitimate interest in providing its customers with high-quality services in all K-Rauta shops. K-Rauta AB develops it range of products and services based on analyses of customer data to ensure that its customers are offered relevant products and services.
4. Storage of data
This is how personal data are stored:
• We store transaction data from retail customers and other data related to the customer relationship for up to five years after the end of the relationship. Such data are used, for example, to handle customer complaints.
• We store data from customer services matters for six months after the matter has been resolved.
• We store data included in our accounts for seven years
• We store data on members in our member club during the term of membership.
• If a customer chooses to end their membership in K-Rauta Plus or if the customer has been inactive for at least 36 months (no purchases, no activities linked to “mina sidor/Mitt K-Rauta” (my pages/my K-Rauta) and no response to communication), the customer’s data will be deleted or anonymised within three months.
• We store data on customer consent or objections to directed communication for as long as the customer is a member.
• When a customer requests their personal data to be deleted, we do this without delay; due to the lead times in our systems, we can guarantee that our communication will cease three months after the request to delete their personal data.
5. Right to withdraw consent
Our processing of your personal data is based on the consent you provided, and you may withdraw your consent at any time.
Our processing of your personal data for the purpose of sending directed communication is based on the consent you have given us.
You may withdraw your consent at any time by logging into “Mina sidor/mitt K-Rauta” (my pages/my K-Rauta) or by contacting customer services.
6. What are your rights?
Right to information
You have the right to obtain information on how we process your personal data and an extract of the data we hold and information on how we process these. If we are not processing your personal data, you also have a right to have this confirmed.
Right to rectification
You have the right to rectify or amend personal data that are inaccurate or incomplete according to the purpose of the processing.
Right to erasure You have the right to request the erasure of your personal data from our register. Your data will be erased if we no longer have any legal ground to retain them.
Right to object
When we process personal data, we balance our legitimate interests to ensure that the processing is of importance to our business and does not breach the protection of your privacy.
In such situations, you have the right object to the processing. You may also at any time object to the processing of data for the purposes of directed communication.
Right to restriction of processing
You may have a right to restrict the processing of your personal data. When the processing has been restricted, the controller will only process your data by storing them. You may exercise this right e.g. when you contest the accuracy of your personal data, if the processing is unlawful or if you have objected to the processing and your matter is pending.
7. How to exercise your rights You may request to exercise your rights by contacting customer services, which can be reached here . When you make such a request, we will need to verify your identity.
8. Information about the recipients of personal data
As the controller, K-Rauta processes the personal data inhouse, but K-Rauta also cooperates with various service providers. K-Rauta strives to only cooperate with the best partners and is responsible for its service providers’ activities related to the processing of the personal data. Such service providers may vary but include:
• Providers of IT services
• Providers of payment services
• Providers of logistics services
• Providers of customer services or marketing services
Data are also transferred to Kesko-Group, which processes personal data as the owner of K-Rauta AB. These personal data are processed to establish, maintain and develop customer relationships. Personal data are further processed for analyses, statistics, marketing, customer services and market research. Personal data are considered to be transferred outside of the EU and EES via our IT services partner, as the personal data may be accessed from India. We have entered into an agreement with our service provider regarding the transfer of personal data. This agreement is consistent with the European Commission’s approved standard contractual clauses. These standard contractual clauses are available here.
Certain authorities, such as the police, also have a statutory right to obtain personal data.
9. Right to lodge a complaint
If you consider that we are not processing your personal data in accordance with the EU’s General Data Protection Regulation (GDPR), you may lodge a complaint with the supervisory authority. In Sweden, the supervisory authority is the Swedish Authority for Privacy Protection.
10. Data that is necessary for our services
To administer your membership in our member’s club and meet our obligations regarding bonuses and bonus payments according to the terms and conditions of the Plus club, we collect and process the requisite personal data, such as basic information, customer information, information on purchases and marketing data. If these data are not provided, we cannot meet our obligations and may be forced to deny you the payment of bonuses and membership of the club.
To meet our obligations related to benefits and offers in the Plus club according to the terms and conditions of membership, we collect and process the requisite personal data, such as basic information, customer information, information on purchases and marketing data. If this information is not provided, then we cannot meet our obligations related to benefits and offers. To meet our obligations related to personal offers in the in club according to the terms and conditions of membership, we collect and process the requisite personal data, such as basic information, customer information, information on purchases and marketing data. The personal data are required if we are to meet our obligations related to personal offers.
Your consent to directed communication is not required, but without it, we cannot send you bonus payments and personal offers.
If we are to offer our services to project customers, we must process the requisite personal data, such as information requested by us in our customer forms and project information. The personal data are required if we are to meet our obligations to project customers.
11. Information on automated decision-making, such as profiling
Based on the personal data we collect, we make analyses on group and individual levels. Insights from these analyses may form the basis for how we sort customers into different customer groups and how we choose to communicate with them, both on group and individual levels. These analyses may be based on the personal data we hold on a customer, such as purchase history, member behaviour, age, gender, place of residence, stated preferences (preferred shop, communication choices) and the result from customer satisfaction surveys. Consequently, the communication to Plus members may differ and include different offers, invitations to events, information in “Mina sidor” (my pages), etc.
12. The use of data for other purposes
We do not process your personal data for any other purposes than those provided in this document. If any new processing purposes arise at a later stage, we will inform you of this and of the legal basis for the processing or, if required, we will obtain your consent to the processing of your personal data for this new purpose.
13. Personal data that have been collected from sources other than you
If you are a member of our customer club, we will keep your information up to date using Bisnode and Spar (the Swedish state personal address register), such as your address according to the Swedish population register and your type of home.
14. Data Protection Officer
K-Rauta AB is a part of Kesko Group. Contact Kesko Oyj’s data protection officer if you have any questions regarding the processing of your personal data or want to exercise your rights under the GDPR in relation to the Kesko Group.
The data protection officer's contact details:
[email protected]
Or by letter to:
Tietosuojavastaava/DPO Kesko Oyj
PL 1 00016 Kesko
Finland