Elisa's data protection principles

Privacy notice

The confidentiality of personal data and communications as well as protection of customers’ privacy are important basic values in all our operations. We observe legislation, authorities’ provisions and good data processing practice in processing the data of our customers, employees and partners as well as other stakeholders.

At Elisa, we abide by a high level of data protection. We process your personal data only for appropriate purposes defined in advance and only when it is necessary.

We protect our service with technically appropriate measures and train our personnel regularly in principles related to data processing. We have compiled the most significant principles regarding data protection in this privacy notice, which we abide by in order to ensure privacy and the confidentiality of communications. This privacy notice applies to all processing of personal data related to our services. We check regularly that our data protection principles are up-to-date and update them when needed.

The confidentiality of communication and safe processing of personal data are of primary importance to us

Confidentiality of communication

We provide a vast number of different kinds of communication services for your use. In order to transmit messages, we process information about communication and maintain the confidentiality and privacy of communications in such a manner that outsiders will not know the content or existence of your messages.

Data protection

We take a high data protection level into account in all our operations: we process data in a confidential manner. We ensure this by using appropriate technology and data security solutions and ensuring the confidentiality of the data with administrative measures.

What data do we collect?

Why do we collect your personal data?

In order to agree on the delivery of services and tasks requested by you prior to agreeing, we require sufficient information about you.
We may also require your social security number in order to identify you for e.g. invoicing purposes. We need your contact information in order to communicate with you and e.g. to inform you of changes in services. In addition, some of our services require providing different kinds of data based on which we can identify you individually and improve the service to be suitable for you. In some services, legislation obligates us to collect sufficient data about you to deliver the service. Such an example is an electronic identification service. We also provide services that require providing your data in order to use them. Due to the nature of our services, the processing of personal data is an essential and inseparable part of providing certain services, even though in the service itself we will not process your name, social security number or other information that directly identifies you as a person.

Personal data to be processed

We process appropriate and necessary personal data. Such data include identification data, contact information, information related to your customer relationship and the use of services.
Examples of personal data processed in our various services:

• Contact information, such as first name and last name, address, telephone number, e-mail address, social media contact information
• Identification and personalisation information, such as social security number, date of birth, the name and address of the user of the possible service, language of communication or other preference information
• Bonus and loyalty benefit information and information about the services for which these are collected
• Direct marketing prohibitions and consents
• Payment transaction information
• Other further information provided by you
• Additional information regarding products, services and subscriptions, such as identification data for mobile phones, fixed network devices or other devices and SIM card number
• Subscription, delivery and contract information for products, services and subscriptions and start and end date for customer relationship for services
• Customer information and classifications, such as information about the customers of Elisa subsidiaries and information about the customer classification of Elisa or its subsidiaries
• Possible contact persons and user information of corporate and community customers and information about their tasks in the company
• Customer history, for example communication, service changes or social media communication
• Phone call and other recordings regarding customer service situations
• Information regarding invoicing and collection
• Information regarding guardianship of the customer
• Data generated from the use of the services, such as the technical data generated when making and receiving phone calls or sending e-mails, the start and end time of transactions, routing data and location data
• Answers to customer research questionnaires
• Electronic customer IDs, such as electronic customer identifier (SATU) or ElisaID
• Information about cookies and third-party cookies as well as other web analytics data

Customer data generated from transactions and recording of transactions

When you call our customer service, use our other interactive service channels, such as email or chat, or are in contact with us otherwise, we may record or otherwise save our conversation in order to verify the transactions. We retain these recordings only for the necessary time period and take into consideration data security factors when storing the recordings. The recordings may also be used for training our personnel and to ensure and develop the quality of our services, like training automatic customer service robots. We use recording camera surveillance in our shops and other premises to monitor the safety of our premises, employees, and people visiting our stores, as well as to investigate deviations.

Data generated from using the services

When you use our services on a browser, app or separate device (for example OmaElisa), different kinds of data regarding your visits and use are saved. Such data include e.g. the IP address you use, browsing data or cookie data. In addition, we collect your information via the online services and mobile applications you use or devices using these services. When you use our services, the use related to their content is recorded. For example, the information regarding the Elisa Viihde channels you watch is saved in your user history of the service.

Data generated from network use and communication services and location data

When you use our communication services, such as browsing the internet, sending e-mail, calling or receiving phone calls or text messages, we process the data needed for providing these services. This data includes the data necessary for providing communications services. Traffic data is technical data that reveals e.g. the sender of the message, the recipient, the size of the message and the time it was sent. This traffic data is saved in our systems and processing it is necessary in order to implement communication.
We process traffic data in accordance with legislation as particularly confidential and only for purposes permitted by the law. The content of the message itself is not considered traffic data. The content of your phone calls, text messages and other communication is confidential. It is only processed in order to transmit the message and only for as long as necessary in order to transmit the communication.

We save and process the traffic and location data in accordance with communications legislation for the delivery, invoicing and technical development of our services. The data may also be processed for marketing purposes with the customer’s consent. We also process such information in situations of misuse and troubleshooting, in order to ensure data security, invoicing of other service providers, and to fulfil our legal obligations.

Providing communication services requires processing your location data. Your location data is processed in mobile technology with the accuracy of cell tower information and in fixed data transfer with the accuracy of the installation address. This accuracy varies from metres to several kilometres. Processing the location data for another purpose than transmitting communication requires your advance consent. If the data concern a child under 15 years old, this processing requires advance consent from a guardian. With the help of the location data, we can improve the properties of our services: for instance, when you order a taxi, the call can be connected to the nearest service provider. Location data also enables us to send targeted offers and deals. In connection with emergency calls or due to authorities’ provisions, location data may be disclosed without your consent.

We retain traffic and location data for as long as it is necessary. The data shall be processed primarily automatically and only a limited number of persons are involved in processing the data.
Some delivery data are kept for authorities’ needs in a manner required by communications legislation.

Cookies and other network tracking technologies

Modern websites and services are based on a technology known as cookies that we use on our website. Cookies are small, user-specific text files that are saved on your browser. The server may later read the cookie installed on your browser and in this manner your browser may be identified as having visited our site previously. In this manner, you will get the best possible user experience on our website.

With the help of cookies, we may collect data e.g. regarding the devices, browser and objects of interest of the users visiting our websites. The collected information can also be used for analytics, improving user experience and targeting marketing both in our own and our partners’ advertisements. We aim to provide you with targeted content so that your user experience would be as smooth as possible.

We use both our own and third-party cookies and other similar network tracking technologies. The third-party cookies we use include e.g. Facebook, Google Analytics or Marketing Platform, Salesforce, and Smartly cookies and technologies. You can obtain more information on third-party cookies and other network tracking technologies from the web pages of the third party in question.

We monitor the functionality of the e-mails we send and we wish to ensure that you only receive communication from us that interests you. We may use cookies or other tracking technologies also in emails. This means that we can follow which e-mails we have sent you and connect this data to your customer data. Therefore, when you call the customer service and ask e.g. about the offer you have received, the customer service person knows which message you have received and which offers have been sent to you.

You may disable the use of cookies in your browser settings, in which case you may lose a part of your user experience.
If you disable the use of cookies, our website may become slower and the use of some features may be prevented. In this event also our possibilities to develop our services in accordance with your user preferences are hampered, and we cannot provide you with adverts targeted for you on the website.

Corporate customer's personal data

We also offer our services to corporate customers. If you are using a subscription or service ordered by your employer or any other organisation, we will receive the personal data necessary for providing it directly from your employer or a party that has acquired our services for your use. In this context, your data may be linked with the company’s business ID or information related to your work tasks. We will protect your data as though it was provided by you, but we may not necessarily be able to verify that your data is up to date.

As we prepare contracts between companies in order to provide services or other cooperation, we process the contact information of our customer companies’ personnel in order to provide services and implement communication connected with our services. Such contact information includes e.g. information of the agreeing party, invoicing information, administrators’ information and other contact persons’ information. We process the companies’ contact person information for example to manage the customer relationship, enable communication and market our services. These personal data have been collected primarily from the trade register and other public sources based on this privacy notice. We obtain information regarding the contact persons also from the company itself. If necessary, we can connect your information with other information we have about you.

Collecting data on potential customers, for example in competitions, webinars and events

When you participate in competitions and sign up to e.g. our events or webinars, we may ask for your contact information or other personal data.
We will use this data in order to organise the competition or event in question and possibly in order to contact you to tell you more about our products and services. We can also combine this data with our customer data. Competitions or events may also be organised by our partners, in which case we will receive your contact information directly from them.

How and for what purposes are we using your data

Grounds for data processing

When you acquire a service from us, we make a contract with you. In order to implement the service agreed upon, we process necessary personal data, for example your invoicing data.

We process your data when we have need for it in order to implement our appropriate interests (legitimate interest). The processing of necessary information is done to ensure the functionality of the services (e.g. combining the data for cut-off calls, your location and the phone you are using) and for their improvement and statistical analysis (e.g. movements of large user groups and the implementation or analysis of the changes required by their impacts) and to develop business operations (e.g. based on your purchase history, evaluating the need of future products that will be ordered for the warehouse). In such processing, we process your data typically as a part of a larger mass and we do not aim to examine your data specifically. By evaluating the data of a large group of people we can e.g. develop our services based on accurate and up-to-date information. In addition, with our legitimate interest, we may offer you information of our services that you might be interested in. You have the right to object to data processing that is based on legitimate interest. On the other hand, Elisa can refuse this objection based on applicable legislation for example if the processing is necessary for the establishment, exercise or defence of legal claims.

We will process a part of your personal data based on the consent that you have provided.
Such processing includes cookies used online that improve the functionality of our services. When we process your data based on your consent, you can revoke your consent at any time.

In exceptional situations we may process your data in order to protect vital interests. Such situations are life-threatening situations where we can reduce the threat by processing necessary information. Protecting vital interests might include, for example, finding out buyers from our register if a device we have sold were to manifest some dangerous manufacturing fault.

In addition, we process personal data for compliance with our legal obligations. Such obligations include retaining invoicing data separately for a legislated period of time or saving information regarding communication service traffic (traffic data) for the use of authorities in order to solve serious crimes.

Processing your personal data as a part of a large group of people

When providing services, a lot of information is collected e.g. when providing websites. Utilising this data is a part of modern information society. We find out a lot of information from the average behaviour of large masses of people. Such information includes e.g. using the location data of mobile devices as well as e.g. the ways and times of watching TV. We make use of this information not only to develop our own services but also to enable the purposeful development of our partners’ and social services. Examples of processing the data of large masses of people include user data of public transport or monitoring and development of traffic conditions and statistical analysis of movements of large user groups. For such purposes, an individual person cannot be identified from the result of the processing but information connected with an individual person (e.g. mobile phone) must be processed as a part of a group of data in order to compile the information.
This kind of processing is based on Elisa's legitimate interest, and in certain cases you have the right to object to this kind of processing. You can find more information on the processing of movement data of large user groups and about the right to object from here.

Profiling

We wish to customise and develop our services, marketing and other interaction to suit you. For example, in our entertainment services we will recommend interesting films and TV series that might interest you based on your viewing history. We can target the marketing of products that may interest you in our direct marketing. In order to form a marketing target group, we can process your age, purchase and payment history, place of residence, contact information, cookie information and other information and external classifications, such as the average size of a household of the postal code area of your invoicing address. When profiling, we therefore utilise both collective information and information directly related to you.

We may use an automatic credit check in our web shop and the stores when you purchase products or services with a credit purchase. In some cases, the purchase may be prevented due to credit history issues, previous payment behaviour, payment history, or a large sum of credit debt. In this case, please contact our customer service so that we can look for an alternative solution.

Checking your own data

You can check the data concerning you in the OmaElisa service. The data generated from the use of services may also be obtained via the user interfaces of the services. If you cannot use OmaElisa or the service interfaces for some reason, you can also visit our shop with an ID to deal with the issue.

Please note that the right to inspect your own data only concerns your own personal data. Due to this, inspection rights cannot be used for inspecting the data of other family members or employees using a corporate phone subscription.
In addition, the confidentiality of the communication services we offer is legislated by communications legislation that restricts disclosing the information to other than the parties to the communication.

Transferring your own data

If you wish you can download the information that you have disclosed to us based on a contract or consent. In several services, such as saving status or e-mail services, you can download your files or address books to yourself. More information about this at OmaElisa or services.

Updating and specifying personal data

When you use our services we will ask you for your personal data. If your data has changed, we ask you to update the changed information to us. If you detect an error in your own data, you can fix this by notifying us via self-service and customer service channels.

In addition, we update and specify the personal data regarding you from other sources. We may, for example, receive your contact information from our partners for marketing purposes. We aim to keep your personal data accurate and up to date. Due to this, we check, for example, that your address information is up to date from the Population Register Centre and Finnish postal service Posti address databases or other public sources.

The retention period for personal data

We retain your personal data only for the necessary time period. The retention period for your personal data varies depending on the service and the nature of the data. When the retention period for the data has terminated, we dispose of the personal data either by removing them or making them anonymous (i.e. anonymisation of the data in question). For example, we process your customer data for the entire duration of the customer relationship and due to certain legal obligations also for a required period afterwards or, based on our legitimate interest, for direct marketing purposes.
On the other hand, the retention period of the data collected in connection with producing the services may be quite short: for example, technical data related to transmitting a phone call may be disposed of already during the call. The data may be backed up and stored to ensure information security. The backups will be erased according to the backup retention cycle.

Please note that the public comments or other content you produce on Elisa’s online discussion forums may remain visible even after your customer relationship with Elisa has ended. We regularly evaluate the need for the retention period of the data and evaluate their purposefulness as technology and use needs develop.

Marketing

We constantly develop and produce new services that correspond with our customers’ needs in a changing and developing world. To be able to tell you about such services, we use your personal data for direct marketing purposes. We may be in contact with you by letter or phone and also via e-mails, text messages, and other methods of communication. We may also be in contact with you as a potential new customer when we have received your contact information e.g. when you participate in our competition or an event we organise or in another way. If you do not wish to receive marketing communication from us, you can let us know e.g. via OmaElisa or customer service.

We may use your contact information (e.g. email address or phone number) or technical contact data (for example cookies) to generate the target group in the social media service or web services, in order to market our products. In such cases we ensure that your information is not disclosed for other parties' purposes, but is processed only for the purposes defined by Elisa. These kinds of services are provided by companies like Facebook, Google, LinkedIn, and Salesforce.

Direct marketing by third parties

If you wish, you have the possibility to receive offers and marketing from our partners.
If you have given us your consent to utilise e.g. traffic or location data in targeting marketing, you may receive relevant offers from service providers in your area. When we transmit our partners’ communication to you, we do it ourselves. We do not disclose your contact or other information to third parties for marketing purposes. In this manner, we ensure that direct marketing meets your needs and does not disturb you. If you do not wish to receive marketing communication from our partners, you can let us know for example via OmaElisa or customer service.

Personal data processors and data disclosures

Disclosing personal data

When we provide services, we may disclose your personal data also to our subcontractors or partner operators when they need to receive your data to e.g. provide a service. Such needs include e.g. transmitting a phone call abroad, also outside the EU, or to another teleoperator’s network, or renting the network to another teleoperator.

On our website, we use different kinds of techniques enabled by our partners for analysis and marketing purposes. When providing these services, we disclose personal data to the service provider. In these cases, we do not disclose personal data that identifies you, but technical data enabled by the service, for example with the help of cookies. These services are very common properties of modern websites. You can read more about our cookies in this privacy notice.

When you use identification services, such as mobile verification, we disclose the data identifying you to the party using the identification service after you verify your identity using e.g. a secret PIN number.

We produce some of our services in cooperation with our partners. To provide such services, we disclose your personal data to the service provider. In some cases, using the service requires that you approve the privacy notice or terms of the service provider before using the service.
Third parties process your data for their own purposes as independent data controllers in accordance with their privacy notice. Before disclosing the data, we ensure that the disclosure is in accordance with the law.

Assisting authorities

Some authorities, such as the Finnish Transport and Communications Agency, data protection authority, police or emergency centre authority are entitled to receive your data in order to implement their legislated duties. We can also disclose your data to other authorities or parties with the decision of a competent authority or a court of law within the limits allowed by the law.

Publishing your contact information in directories or directory services

We have a legal obligation to disclose the information that is free to publish in a telephone catalogue to directory and directory service providers. Due to this, we will disclose your name, address and phone number to a national database that discloses the information to the providers of directories or directory service providers. The publishers of the directories are themselves responsible for the information they publish. You have the right to forbid the publication of your data in the directory services completely or partially in OmaElisa or by contacting our customer service. You can also forbid the disclosure of your data completely. In addition, due to the transferability of your mobile phone number, we disclose your data to our partner that enables the transfer.

Forwarding data that identify the interface in voice and communication services

When you make a phone call with a mobile phone or landline, your phone number will usually be transmitted to the recipient. Your phone number will also be transmitted when sending text and picture messages. Identification prevention is available for our telephone interfaces that provide additional data regarding the user instructions of your interface and phone, electronic channels, our customer service or our shops.
The preventions concern only the voice transfer services. In other services, you cannot prevent displaying your number. When calling emergency numbers, the visibility of the phone number cannot be prevented and the prevention does not affect the traffic data that gets collected in our systems when you make a call.

When using online communication services, your data is transmitted to the other party of the communication (e.g. a website service provider). This is necessary in order to provide the service, such as to transmit your communications or for a website to load. Typically, the transmitted data is your IP address data and data about the device that you use. As a communications service provider, we do not disclose your identi to the other party. Please note that based on which you can implement the communication you wish or download the website of your choice. In some cases, the other party offering your communication may identify you from this data. You can prevent your data being visible to the other party of the communication by changing the privacy settings on your computer or browser or by using software or forwarding servers that increase privacy.

Subcontractors and processing data outside Finland

The production of our services is primarily local. For example, when you make a phone call it is usually connected within Finland. Maintenance of the IT systems related to the call or the services related to invoicing that follow may be located outside of Finland and the EU and EEA.

We use subcontractors when producing our services as well as related support services. When using subcontractors, we ensure that they abide by our privacy notice and process the data with care and confidentiality. We ensure this with contracts as well as by conducting inspections of the subcontractors’ operations and by providing secure tools for their use.

Some of the personal data is processed outside of Finland and outside of the EU area.
This is necessary in order to produce the services, improve quality, provide expertise or enhance operations. Some of the processing work consists of maintaining the data located in Finland and processing them with remote management, but in some cases we transfer the personal data to be processed by our subcontractors for example in South Africa, India, Israel and the United States. In these cases we ensure that the processing party operates in accordance with our privacy notice, appropriately and with care, and that the justification of the processing is ensured according to the applicable data protection legislation, e.g. by using model contract clauses approved by the EU Commission.

We process your personal data when needed between Elisa Oyj and its subsidiaries. Regardless of the data processor or the location of the data, the protection of your service and personal data works equally through the services we provide.

Special notices about some of our services

Service-specific data protection principles

We produce numerous different services for our customers. Some of our services have separate privacy notices where we describe the data processing in connection with the service in question. In some of our services that we produce ourselves or in our subsidiaries’ services we have to process data in a manner that has not been mentioned in this privacy notice. Therefore, please remember to check the possible special terms in them and their changes in connection with starting to use the service and continuing the use. Separate privacy practices are applied for example in the following services: Elisa Viihde Viaplay, Epic TV, and Elisa Videra service.

Elisa Tunnus

We provide the free Elisa Tunnus service, which enables you to use the same user identification in different services. As the identification combines the data from different services, it enables the storage of the information from the services after the discontinuation of a discrete service for your use.
Additionally, we may send direct marketing to you about the services which you might be interested in, even if you do not use any other services from us. You can terminate Elisa Tunnus in accordance with its terms and conditions by informing us when terminating other services.

Identification and verification services

When we grant you electronic identification and verification services, such as Mobile Verification, we identify you from a document granted by an authority that shows your identity. In connection with this, we save your name, social security number, electronic identifier, the identifying information in the identification document used in the identification process and the copy of the identification document. In addition, we save your SIM card serial number, the period of validity of the digital certificates, public key seals and indisputability, identification and encryption certificates and other information required by the Act on Strong Electronic Identification in order to implement the service.

When providing identification services, such as Elisa Tunnistus service, we save your name and social security number and forward them to the party to whose service you have identified yourself.

We keep the verification data for individual identification transactions for five years from the moment of the transaction. The data regarding the first identification, the data content of the digital certificate and the data regarding the blocks in the certificate use are kept for five years from the termination of the customer relationship, after which the data will be disposed of.

Protecting copyright content

When providing material under copyright, such as book or video content for your use, we may protect the material with copy protection technology or a watermark in a manner that it can only be used by you or connected with you via your user or customer ID. In this manner, we aim to prevent possible abuse.

Data security

Data security

We ensure data security when processing your personal data.
Typically your data will be processed in our own server rooms. We control the security of the server rooms by using appropriate measures to protect the data. The servers always use appropriate protective measures, such as access control based on passwords and other protective methods as well as technical encryption of the data. Our technical operating environment has been secured with firewalls and appropriate anti-virus software. We primarily process your data in a form where an outsider cannot identify you as an individual. For example, when we transmit network traffic, your identity cannot be directly recognised from the traffic unless you disclose it to the party in question. With these measures, we protect the confidentiality of your communications and prevent connecting your data to your identity when not necessary. Everyone is responsible for looking after data security. In order to ensure the protection of your data, we ask you to look after the data security of your own devices as appropriately as possible. You can read more about this at e.g. www.elisa.fi/tietoturva (in Finnish only).

Preventing data security breaches and malfunctions
In order to prevent data security breaches and to remove data security malfunctions, we take the necessary measures, e.g. by preventing reception of e-mails, removing viruses and other malware from the messages and implementing other comparable necessary technical procedures within the limits and obligations imposed by legislation. Sending or receiving such messages may be prevented.

The scope of our privacy notice, our contact information and other information

The scope of our privacy notice
This privacy notice concerns the processing of personal data in Elisa Oyj and our subsidiaries. Our affiliates may also have privacy policies that complement this privacy notice or that are parallel to this privacy notice.
Our contact information
OmaElisa (service point for processing personal data): https://oma.elisa.fi/
Customer Service: 010 190 240
Our contact information: https://corporate.elisa.fi/tietoa-elisasta/yhteystiedot/

Data Protection Officer
Data Protection Officer / Elisa Oyj
P.O. Box 1
00061 Elisa Oyj
E-mail: tietosuojavastaava@elisa.fi

Your rights regarding the processing of your data
You have the right to influence the processing of your own data. You have a right to check what data we process about you. You can access your own data in the OmaElisa service. If you notice incorrect or outdated data in the personal data we process, we ask you to correct the data either via self-service forms or our customer service. With your up-to-date information, we can provide you the best possible service. In OmaElisa, you can cancel the consents that you have given, such as marketing consents. If the consent is related to using a particular service, you can cancel the consent in the manner described in the service in question. You have the right to request us to remove the data that are no longer necessary for their purpose of use. We do our best to remove such data automatically, but if you, for one reason or another, notice outdated or unnecessary information in our processing, you can contact us with an OmaElisa form. You have the right to receive the data you have provided yourself if processing them is based on a contact between us or a consent you have provided. Services related to this are available as built-in features, but you can be in contact with us via OmaElisa. In addition, you can ask us to restrict the data processing in certain situations or object to their processing. We have aimed to describe all our processing in an open and comprehensible manner in this privacy notice.

Cancellation of consent
When we process your data exclusively based on the consent you have given, you have the possibility to cancel it if you change your mind.
This can be done easily in the service you use or via OmaElisa. Please note, however, that this does not affect the data processing that was done before the cancellation of consent.

Right to appeal
Please contact us if you wish to make an appeal or present development suggestions about our processing of personal data. You can find the contact information on this page in the Contact Information section. You can make an appeal concerning data protection or processing of personal data to a supervising authority, such as the Finnish Transport and Communications Agency in matters related to communications or to the Data Protection Ombudsman in matters concerning other processing of personal data.

Elisa Oyj 17.6.2021