1. Data controller

Veikkaus Oy (hereinafter Veikkaus)

Business ID: 2765220–1
P.O. Box 1, 01009 Veikkaus
Tel: exchange (09) 43701

2. Contact person in register matters

Legal Affairs and Sustainability, Corporate Security

P.O. Box 1, 01009 Veikkaus

Tel: exchange (09) 43701

More information on the processing of personal data at Veikkaus:

Data Protection Officer

P.O. Box 1, 01009 Veikkaus

Tel: exchange (09) 43701

tietosuoja@veikkaus.fi

2. Purposes and legal basis of processing personal data

Processing personal data in the register is based on Veikkaus duty to fulfil its statutory obligations, such as those laid down by the Act on Preventing Money Laundering and Terrorist Financing 444/2017, including the decrees based on the said act and any binding guidelines issued by authorities. Furthermore, the processing of personal data in the register is based on legislation on sanctions, which is binding on Veikkaus, referring to, e.g., sanctions belonging under the United Nations (UN) and the European Union (EU), as well as certain national sanctions. The legislation on sanctions, which is binding on Veikkaus, includes the Act on the Fulfilment of Certain Obligations of Finland as a Member of the United Nations and of the European Union (659/1967) and the Act on the Freezing of Funds with a View to Combating Terrorism (325/2013).

The purposes of processing personal data in the register include the prevention, exposure, and investigation of money laundering and terrorist financing and making the criminal activity by which the property or criminal proceeds which are the target of money laundering have been gained, subject to investigation. For these purposes, Veikkaus is subject to, e.g., the obligation to identify and know its customers and to obtain information and to report on the customers. Moreover, personal data are processed in order to carry out inspections and actions related to the sanctions which are binding on the company.

Whilst carrying out its afore-mentioned statutory duties, Veikkaus may also make automatic decisions based on personal data and profiles derived from personal data, and based on the decisions, Veikkaus can take the required measures.

Personal data that are only acquired for the prevention of money laundering or terrorist financing, or for compliance with the sanction obligations, are not used for purposes incompatible with the purposes cited in this privacy policy statement.

3. Personal data in the register

Veikkaus must acquire data on the actions of its customers or their actual beneficiary, the quality and scope of their business, as well as the grounds for using the products or services.    

The Act on Preventing Money Laundering and Terrorist Financing requires, inter alia, the retention and processing of the following data associated with customer due diligence:

4. Sources of data

Personal data are collected from the customers while they are using Veikkaus’ services or engaging in service encounters with Veikkaus. Furthermore, Veikkaus collects data from its own registers of personal data, including Veikkaus’ consumer customer register, as well as from reliable external sources, such as the Population Information System, the Trade Register, services used for the analysis of a customer’s political exposure or corporate connections, as well as from authorities.

5. Recipients of personal data

In its operations, Veikkaus uses subcontractors who process personal data on its behalf for the purposes described in this privacy policy statement. In such cases, Veikkaus ensures, by way of agreements and other administrative measures, that the transfer and processing of the personal data take place legally and in compliance with data security and sufficient data protection even when carried out by these processors.

Veikkaus only discloses personal data in the register to other data controllers in cases permitted by law, e.g., to authorities. In the case of suspicious business transactions, the Financial Intelligence Unit of the National Bureau of Investigation is such an authority.

6. Transfer of personal data to third countries and protection of transfers

When the recipient of a transfer or disclosure of personal data is located outside the EU / EEA, Veikkaus shall take adequate contractual, technological, and administrative protective measures to ensure the legality of the transfer or disclosure. 

7. Retention period of personal data  

Veikkaus only retains such data that are necessary for its operations and for the purposes of use of personal data, and for which there is a legal basis. Personal data are retained for at least five years from the termination of the customer relation. The retention period of personal data is based on the retention periods laid down by law and the necessity provision laid down by the General Data Protection Regulation of the EU (GDPR; EU 2016/679).

Any data that have become useless in view of their purpose, any outdated data, or data for the processing of which there are not any grounds otherwise anymore, are rendered anonymous or destroyed in a secure manner.

8. Principles of protection of the register

Veikkaus processes personal data in a secure manner in compliance with legislation. The data security and confidentiality; the integrity, usability, and accessibility of Veikkaus’ customer data are ensured by appropriate technological and administrative means. Such means may include the pseudonymisation and encryption of personal data, protection of devices and data files, user recognition, access rights, registering of user transactions, passage control, as well as instructing and supervising the processing.

Veikkaus also requires all its subcontractors to commit to secrecy and appropriate protection of personal data.

9. Customer’s rights

According to the General Data Protection Regulation of the EU, customers are entitled to access, rectify, transfer, erase, and restrict their personal data. As regards the prevention of money laundering and terrorist financing, the customers’ rights are, however, primarily determined on the basis of the Act on Preventing Money Laundering and Terrorist Financing, and Veikkaus may refuse to carry out a request case by case, in compliance with the legislation. Thus, customers are not, for example, entitled to access personal data that have been obtained in order to fulfil Veikkaus’ obligations of customer due diligence or reporting. In such cases, the Data Protection Ombudsman may verify the legality of the processing of these data on the customer’s request.

Any written requests concerning the use of the afore-cited rights are made by submitting a signed request to: Veikkaus Oy, Laki- ja vastuullisuus, Yritysturvallisuus, P.O. Box 1, 01009 Veikkaus. The request shall include the customer’s name, date of birth, mailing address, email address, and telephone number. 

10. Right to file a complaint with supervisory authority

If a customer deems that the personal data concerning them are processed in a manner that breaches the law, they have the right to file a complaint with the supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. For updated instructions on filing a complaint, please see the website of the Data Protection Ombudsman, www.tietosuoja.fi.