DATA PROTECTION STATEMENT GENERAL DATA PROTECTION REGULATION (679/2016), ART. 12

1. Data controller

Suomen Jääkiekkoliitto ry (Finnish Ice Hockey Association, hereinafter “SJL”)

Veturitie 13 H
00240 Helsinki

+358 (0)10 2270 200

2. Contact person in matters related to the register

Finnish Ice Hockey Association / Data Protection
Veturitie 13 H
00240 Helsinki

tietosuoja@finhockey.fi

3. Name of the register

Register of ticket sales/lotteries for the 2022 IIHF Ice Hockey World Championship.

4. Purpose and legal basis of personal data processing

Personal data is processed for purposes related to ticket sales for events organised by SJL and the implementation and management of lotteries related to the 2022 IIHF Ice Hockey World Championship, the provision and delivery of services, and the development and invoicing of services. Personal data is also processed for purposes related to the investigation of possible complaints and other claims.

In addition, personal data is processed in communications addressed to data subjects, such as for information and news purposes. Personal data can be used by SJL for marketing to data subjects.

The data controller processes the data itself and utilises subcontractors acting on behalf of and for the account of the data controller in the processing of personal data.

The legal bases for the processing of personal data are the following in accordance with the General Data Protection Regulation (hereinafter also “GDPR”):

(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes (GDPR Art. 6.1.a);

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6.1.b);

(c) processing is necessary for the purposes of the legitimate interests pursued by the controller SJL or by a third party (GDPR Art. 6.1.f).

The data controller’s legitimate interest referred to above is based on a relevant and appropriate relationship between the data subject and the data controller as a result of the data subject being a customer of the data controller, and when the processing is for purposes which the data subject could reasonably have expected at the time of collecting personal data and in connection with the appropriate relationship.

5. Data contents of the register

The register may contain the following information: name, nationality, address information, telephone number, e-mail, network IP address, information about the services ordered and their changes, other information related to the customer relationship and the ordered services.

The IP addresses of website visitors and the cookies necessary for the operation of the service are processed on the basis of a legitimate interest, among other things, for data security purposes and for the collection of statistics on visitors to the website in cases where they may be considered personal data. Consent for third-party cookies will be requested separately, if necessary.

The data collected in the register shall be kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal data was collected. Personal data in accordance with this Data Protection Statement will be kept active as long as SJL uses the data for the purposes described in Section 4.

SJL, in its role as the data controller, will regularly assess the need for data retention in accordance with its internal policies. In addition, SJL will take all reasonable steps to ensure that personal data that is inaccurate, erroneous or out of date for the purposes of the processing is deleted or rectified without delay.

6. Regular data sources

Personal data to be stored in the register is obtained from messages sent by the customer through web forms.

Personal data is also collected and updated, within the limits of the applicable law, from publicly available sources related to the establishment of the relationship between the controller and the data subject and by which the controller fulfills its obligations related to the maintenance of this relationship.

7. Regular disclosure of data and transfer of data outside the EU or EEA

SJL may disclose data to the extent permitted and required by applicable law. SJL can itself inform those on the register of important matters related to ticket lotteries or ticket sales.

The data is also processed by, among others, Lippu.fi Oy, the ticket operator for the 2022 IIHF Ice Hockey World Championship, and Pähkinäsaari Software Associates Oy, which is responsible for the technical implementation.

8. Data protection principles

The register is treated with due care and the data processed by information systems are adequately protected. When register data is stored on Internet servers, the physical and digital security of the hardware is adequately addressed. The data controller ensures that the data stored, as well as the access rights to the servers and other information critical to the security of personal data, are treated confidentially and only by the employees who need the data in the performance of their duties.

9. Right to inspection and rectification

The data subject has the right to check what information about him or her is stored in the register. A request for inspection or rectification may also be made by submitting the request to the designated contact person. All requests for inspection of data and other requests and inquiries related to the data subject’s rights should be made in writing to tietosuoja@finhockey.fi.

10. Other rights related to personal data processing

Data subjects have the right to request the erasure of their personal data stored in the register. Data subjects also have other rights under the General Data Protection Regulation, such as restrictions on the processing of personal data in certain situations. Any requests should be sent in writing to tietosuoja@finhockey.fi. The data controller may ask the requester to prove his or her identity. The data controller will respond to the customer within the period specified in the General Data Protection Regulation (normally within one month of the request).

Last updated 22 August 2021.