Skip to content

redi’s Privacy Notice for the Customer Register

Updated on: 19.9.2023

Kiinteistö Oy Kauppakeskus REDI (“REDI” or ”controller”)
Business ID 2630492-6
Hermannin rantatie 5
00580 Helsinki

Contact person for register matters
Tanja Linsiö
Hermannin rantatie 3 B, P.O. box 200
00580 Helsinki

Name of register

Shopping centre Redi’s customer register

Legal basis for and purpose of processing personal data

The legal basis for processing personal data is Redi’s legitimate interest (based on customer relationship and direct marketing) and fulfillment of requests for information and feedback of the data subjects and newsletter subscriptions. The legal basis for processing personal data is consent of the data subject when it is necessary for sending electronic direct marketing.

The purposes of processing personal data are:
Data subjects and categories of personal data

We process the following personal data of our customers:

Regular sources of information

Personal data are collected directly from the data subject when the data subject is using a web site or other services, sending request for contact or feedback, visiting shopping centre or participating to events.

Disclosure and transfer of data outside the EU or the EEA

Personal data will not be disclosed to external parties except when it is necessary to comply with the legal or contractual obligations of the controller.

Personal data may be shared with third parties only if we have your consent to do so, e.g. disclose name and email address to Aimo Park Finland Oy (Taskuparkki app) with your consent in order to get parking benefit.

The controller outsources some functions of the service to third party vendors or other sub-contractors, such as ICT, marketing and communication service providers. In such case personal data will be transferred to these sub-contractors to the extent necessary for the provision of their services. These sub-contractors will process personal data on behalf of the controller and must comply with controller´s instructions. The controller will ensure through contractual measures that the personal data is processed in compliance with the legislation.

We transfer personal data outside the EU/EEA. When personal data is processed outside the EU/EEA, we make sure that the subcontractor has committed to use the EU Commission’s standard contractual clauses and/or is covered by the Privacy Shield -system.

Data protection and retention

Only those of our employees, who on behalf of their work are entitled to process customer data, are entitled to use the system containing personal data. Each user has a personal username and password to the system. The data is collected into databases that are protected by firewalls, passwords and other technical measures. The databases and their backup copies are in locked premises and can be accessed only by certain pre-designated persons.

Personal data will be retained as long as it is necessary for the purposes and will be deleted one years after the customer relationship has ended.

After the customer relationship has ended the controller may keep anonymized data as well as the above described basic information of the data subject for direct marketing purposes, taking into account the applicable legislation. The controller will estimate the need for data storage regularly and take care of such reasonable actions that ensure no incompatible, outdated or inaccurate personal data is stored in the register taking into account the purpose of the processing.

Rights of the data subject

Data subject has the right to know what kind of personal data has been collected and processed and right to request rectification and removal of any incorrect, unnecessary, incomplete or outdated personal data. The requests can be submitted in person or in writing to the contact persons defined in section 2 above.

Data subject is entitled to prohibit the use of the data for direct marketing, distant selling and profiling, as well as use in questionnaires and market research. This prohibition can be submitted anytime to the contact persons or exit from the email list as stated in the marketing message.

Data subjects may withdraw consents they have given, object to or restrict processing of their data in cases defined by law, and the right to complain to the supervisory authority.

The requests can be submitted to contact persons defined in section 2 above. The controller may need to ask additional information to confirm the identity of the data subject.