1. Data controller
Veikkaus Oy (hereinafter Veikkaus)
Business ID: 2765220–1
P.O. Box 1, 01009 Veikkaus
Tel: exchange (09) 43701
2. Contact person in register matters
Legal Affairs and Sustainability, Corporate Security
P.O. Box 1, 01009 Veikkaus
Tel: exchange (09) 43701
More information on the processing of personal data at Veikkaus:
Data Protection Officer
P.O. Box 1, 01009 Veikkaus
Tel: exchange (09) 43701
2. Purposes and legal basis of processing personal data
Processing personal data in the register is based on Veikkaus duty to fulfil its statutory obligations, such as those laid down by the Act on Preventing Money Laundering and Terrorist Financing 444/2017, including the decrees based on the said act and any binding guidelines issued by authorities. Furthermore, the processing of personal data in the register is based on legislation on sanctions, which is binding on Veikkaus, referring to, e.g., sanctions belonging under the United Nations (UN) and the European Union (EU), as well as certain national sanctions. The legislation on sanctions, which is binding on Veikkaus, includes the Act on the Fulfilment of Certain Obligations of Finland as a Member of the United Nations and of the European Union (659/1967) and the Act on the Freezing of Funds with a View to Combating Terrorism (325/2013).
The purposes of processing personal data in the register include the prevention, exposure, and investigation of money laundering and terrorist financing and making the criminal activity by which the property or criminal proceeds which are the target of money laundering have been gained, subject to investigation. For these purposes, Veikkaus is subject to, e.g., the obligation to identify and know its customers and to obtain information and to report on the customers. Moreover, personal data are processed in order to carry out inspections and actions related to the sanctions which are binding on the company.
Whilst carrying out its afore-mentioned statutory duties, Veikkaus may also make automatic decisions based on personal data and profiles derived from personal data, and based on the decisions, Veikkaus can take the required measures.
Personal data that are only acquired for the prevention of money laundering or terrorist financing, or for compliance with the sanction obligations, are not used for purposes incompatible with the purposes cited in this privacy policy statement.
3. Personal data in the register
Veikkaus must acquire data on the actions of its customers or their actual beneficiary, the quality and scope of their business, as well as the grounds for using the products or services.
The Act on Preventing Money Laundering and Terrorist Financing requires, inter alia, the retention and processing of the following data associated with customer due diligence:
- The name, date of birth, personal ID number, and address of the customer
- The name, date of birth, and personal ID number of the customer’s representative
- The name of the document used for authenticating the customer’s or the customer’s representative’s identity, the number or other credentials of the document, and the entity having issued the document, or a copy of the document
- Time of authentication of the customer’s identity
- If the customer has been subject to remote identification, data on the procedure or sources used for authenticating the customer
- If the customer does not have a Finnish personal ID number, data on their nationality and details of their travel document-data on the nationality of a foreign customer who does not have a Finnish ID number, and details of their travel document
- The full name of a legal person, their register number, date of registration, the registrar, and the articles of association
- The full names, dates of birth, and nationalities of the members of the board or a respective decision-making body of a legal person
- Data on the customer’s activities, the nature and scope of their business, their financial position, grounds for using the business operations or service, and information on the source of the funds, as well as other necessary data obtained for identifying and knowing a customer in accordance with the Act on Preventing Money Laundering and Terrorist Financing
- The necessary data acquired for fulfilling the customer due diligence obligation laid down in the Act on Preventing Money Laundering and Terrorist Financing, as well as for fulfilling the enhanced customer due diligence obligation concerning politically exposed persons
- The customer’s bank or payment account number, the name of the holder of the account or the holder of an authorization to use the account, the opening and termination date of the account, and other credentials related to the account, to the extent to which it is necessary to retain the data in view of the business of the operator subject to the reporting obligation and the obtaining of which is not impeded by other legislation
- Data acquired by electronic identification, and by related trust services or other identification processes implemented remotely or electronically and regulated, acknowledged, or approved by competent national authorities.
4. Sources of data
Personal data are collected from the customers while they are using Veikkaus’ services or engaging in service encounters with Veikkaus. Furthermore, Veikkaus collects data from its own registers of personal data, including Veikkaus’ consumer customer register, as well as from reliable external sources, such as the Population Information System, the Trade Register, services used for the analysis of a customer’s political exposure or corporate connections, as well as from authorities.
5. Recipients of personal data
In its operations, Veikkaus uses subcontractors who process personal data on its behalf for the purposes described in this privacy policy statement. In such cases, Veikkaus ensures, by way of agreements and other administrative measures, that the transfer and processing of the personal data take place legally and in compliance with data security and sufficient data protection even when carried out by these processors.
Veikkaus only discloses personal data in the register to other data controllers in cases permitted by law, e.g., to authorities. In the case of suspicious business transactions, the Financial Intelligence Unit of the National Bureau of Investigation is such an authority.
6. Transfer of personal data to third countries and protection of transfers
When the recipient of a transfer or disclosure of personal data is located outside the EU / EEA, Veikkaus shall take adequate contractual, technological, and administrative protective measures to ensure the legality of the transfer or disclosure.
7. Retention period of personal data
Veikkaus only retains such data that are necessary for its operations and for the purposes of use of personal data, and for which there is a legal basis. Personal data are retained for at least five years from the termination of the customer relation. The retention period of personal data is based on the retention periods laid down by law and the necessity provision laid down by the General Data Protection Regulation of the EU (GDPR; EU 2016/679).
Any data that have become useless in view of their purpose, any outdated data, or data for the processing of which there are not any grounds otherwise anymore, are rendered anonymous or destroyed in a secure manner.
8. Principles of protection of the register
Veikkaus processes personal data in a secure manner in compliance with legislation. The data security and confidentiality; the integrity, usability, and accessibility of Veikkaus’ customer data are ensured by appropriate technological and administrative means. Such means may include the pseudonymisation and encryption of personal data, protection of devices and data files, user recognition, access rights, registering of user transactions, passage control, as well as instructing and supervising the processing.
Veikkaus also requires all its subcontractors to commit to secrecy and appropriate protection of personal data.
9. Customer’s rights
According to the General Data Protection Regulation of the EU, customers are entitled to access, rectify, transfer, erase, and restrict their personal data. As regards the prevention of money laundering and terrorist financing, the customers’ rights are, however, primarily determined on the basis of the Act on Preventing Money Laundering and Terrorist Financing, and Veikkaus may refuse to carry out a request case by case, in compliance with the legislation. Thus, customers are not, for example, entitled to access personal data that have been obtained in order to fulfil Veikkaus’ obligations of customer due diligence or reporting. In such cases, the Data Protection Ombudsman may verify the legality of the processing of these data on the customer’s request.
Any written requests concerning personal data can be made by submitting a signed request to following address: Veikkaus Oy, Kasinot/Henkilötietopyyntö, P.O. Box 1, 01009 Veikkaus. An electronic request for personal data can be made via email tietosuoja (at) veikkaus.fi. The request must include the customer’s name, date of birth, mailing address, telephone number, as well as the information about the data the customer wants to receive and the time period for which the information is needed.
10. Right to file a complaint with supervisory authority
If a customer deems that the personal data concerning them are processed in a manner that breaches the law, they have the right to file a complaint with the supervisory authority. In Finland, the supervisory authority is the Data Protection Ombudsman. For updated instructions on filing a complaint, please see the website of the Data Protection Ombudsman, www.tietosuoja.fi.
