Data protection

Privacy Statement

Companies in Oy Suomen Tietotoimisto – Finska Notisbyrån Ab (“STT”) group of undertakings are committed to protecting the privacy of the users of their services in compliance with the personal data legislation in force at any given time and other applicable legislation.
STT is a news agency that creates, refines and transmits information and sells, markets and develops communication services. To provide these services and deliver orders, we primarily process personal data provided by our Clients themselves.
This privacy statement explains in further detail the following:

We recommend that users familiarise themselves with the content of the Privacy Statement. By using our services, the user accepts the terms and conditions in this Privacy Statement. If you, as a user, do not agree to these terms and conditions, you have no right to use our services.

General Terms of Use for the Finnish News Agency STT’s web services

1. What personal data is collected about me and for what purpose?

We only collect personal data about users as necessary for pre-defined purposes. The purpose specifies what data is collected about the user in each situation. When collecting data, we specify the data that is a prerequisite for using the services and what data users can provide, should they wish to do so.

We classify the data we process into data provided by the user or personally identifying data, data based on service usage, derived data and data obtained from other sources as follows:

1) Data provided by the user or personally identifying data:

We collect data provided by the user for example for delivering the service and invoicing purposes, for managing and developing the customer relationship, and for marketing purposes and opinion polls. We cannot deliver the service ordered by the user unless we have contact and invoicing details. We can also collect other data provided by the user to target contents and marketing to better meet the user’s preferences. Data processing for delivering the service may include authentication of logon, (technical) customer service, customising the service and contents, updating customer information, delivering messages about the service, and meeting statutory obligations.

This data includes:

• contact details, including name, address, phone number and email address
• registration data required for the digital account, including user ID, screen name, password and any other identifying code
• demographic data, including title or profession and native language
• information about the customer relationship, including invoicing and payment information, product and order information, customer feedback and contacts, and cancellation data
• profiling and interest information provided by the user
• permissions and consents
• information about blocking of offers
• information provided for questionnaires and surveys
• other information collected on the basis of the user’s consent

2) Data based on service usage:

We use cookies and other similar technologies for the automated collection of data to help us understand how many users our services have, what kind of contents are popular, and for how long users view the contents. This data enables us to develop our services and business, tailor contents to meet the user’s likely subjects of interest, target advertising and prevent and investigate cases of misuse. This data includes:

• information about the use and browsing of service features
• the page from which the user moved to our website
• model of the device
• individual device and/or cookie identifier
• browser and browser version
• IP address
• time and duration of the session and
• screen resolution and operating system
• other information collected on the basis of the user’s consent

3) Data derived from service usage:

Using analytics, we can make conclusions based on detected service usage and/or information provided by the clients themselves, for example about the user’s potential subjects of interest, or segmentation into a certain group of users. We use the data for statistical purposes and analytics, service and business development and tailoring of contents, advertising and marketing messages.

4) Data obtained from other sources:

We may use third party sources of data to update and enhance the data. We may also receive the information required for activating a user account from the user’s employer or another organisation which has obtained the right of use for the user. For journalistic purposes, we may obtain personal data from several different sources.

If we process data for purposes other than the abovementioned, we ensure that the processing complies with the purpose for which the data was originally collected.

2. What is the basis for collecting my personal data?

We process data on the following grounds, based on data protection legislation:

Agreement: We process the data provided by the client to fulfill the agreement on the service or product ordered by our client. Since personalisation of contents is a feature characteristic of some services, we consider it to be integral to fulfilling the agreement.
Consent: We can process the data provided by the user or detected data based on the user’s consent or the legitimate interest mentioned below, among others for marketing purposes. We can also request the user’s consent in case the purposes of the processing change.
Legitimate interest: We process data for the purposes of managing and developing customer service, authentication of customer transactions, implementation of services, development of business and customer service, prevention and investigation of misuse, and marketing. We process the data within the STT Group. We consider these purposes to be necessary for our business and thus to constitute a legitimate interest for us. Users have the right to object, on grounds relating to their particular situation, to processing of data.
Legal obligation: We may be obligated to store some of the client’s personal data to comply with accounting legislation or other mandatory legislation even after the termination of a customer relationship or for another reason for processing of personal data. In such cases, the processing is based on compliance with a legal obligation.
Journalistic purposes: We process personal data, including people’s names or photographs, which may allow their personal identification, for journalistic purposes.

3. How long will my data be stored?

We will only store users’ data as long as necessary for the abovementioned purposes, in compliance with legislation in force at any given time. The user can also personally influence the period for which the personal data will be stored in ways listed in section 5 below.

If the user has not logged into a digital account within the last, typically, eighteen (18) months, the user will be requested to renew the user rights. If the user does not renew the user rights or the user’s customer relationship, or other reason for processing of personal data has ended, the user’s personal data will be erased or partially transferred to the marketing register or converted into a format in which the data subject can no longer be identified.

The data will typically be stored in the marketing register for as long as the person works in a position to which the marketed product or service is relevant, and has not refused to accept marketing communications. If the person refuses marketing, we will retain information about the ban and contact information in order to ensure that the ban is observed.

We may be obligated to store some of the user’s personal data to comply with accounting legislation or other mandatory legislation even after the termination of a customer relationship, or other reason for processing of personal data. Invoicing information will typically be stored for seven years.

4. Are cookies used on the website and what are they?

We may collect data concerning the user’s terminal device by way of cookies and other similar techniques. Cookies are small text files stored by the browser on the user’s terminal device. Cookies often include an anonymous, individual identifier to enable us to identify and calculate the browsers visiting our website.

Cookies do not move on their own in the web, but they are placed on the user’s device only alongside the website viewed by the user. Only the server which sent the cookie can read and use the cookie later. Cookies or other techniques do not damage the user’s terminal device or files, and cookies cannot be used for operating software or spreading malware.

We use cookies and other similar techniques to collect information about how and when our services are used: for example, from which page did the user come to the service, when and which of our web pages the user has browsed, which browser does the user use, what is the user’s screen resolution, the operating system and its version on the device, and IP address.

We use both session-specific cookies which become outdated when the user shuts down the web browser, and permanent cookies, which remain on the user’s device for a certain period or until the user erases them. The period for which permanent cookies remain valid varies from some months to some years. The user can also personally influence the period for which the personal data will be stored in ways listed in section 5 below.

Cookies and other similar techniques are used for the purpose of analysing and developing our services further to provide better services for users. For example, thanks to these techniques, the user will not have to re-enter the user ID, password and personal preferences each time the service is used, should the user so wish.

We utilise cookies and other similar techniques for statistical monitoring of visitor numbers in our services. To improve the usability of our websites, we may conduct short-term surveys in which we save data on the movements and clicks of the user’s mouse on a certain page.

Users cannot be identified on the basis of cookies only. In compliance with privacy legislation, information collected by way of cookies and other similar techniques may possibly be linked with information received from the user in other contexts, in order to develop our services to meet the user’s preferences even better and to customise contents, marketing communications and advertising. In cases like this, we will inform the user separately.

Our services may also include so-called third party cookies. Third parties refer to parties outside STT, including providers of measurement and monitoring services. These so-called third parties can place cookies on the user’s device when the user visits our services, for example to compile statistics of visitor numbers on various websites. Through contractual arrangements, we aim to ensure that these third parties comply with the legislation in force at any given time and the self-regulation guidelines of the industry.

Our services may use so-called community plug-ins, such as the Like button for Facebook. These community plug-in buttons, of Facebook for example, may be visible in some of our services, but their content comes directly from Facebook. When a visitor visits our service, the Facebook community plug-in identifies the user as logged in to Facebook, and the page shows custom content on the plug-in, as if the user were on the Facebook.com site. If the user is not logged in on Facebook, the community plug-ins will not show custom content. Facebook can collect data on the user’s visit in compliance with their privacy policy. Facebook does not cede the collected data to STT, unless the user has given explicit consent to do so.

The user can view the community services’ policies in the community service in question. Privacy policy for e.g. Facebook is available here, for Instagram, here and for Twitter, here.

Our services may also include links to websites other than the ones mentioned above, but we accept no liability for the privacy policies or contents of these third party sites. We recommend that users view the privacy policy of each site separately.

5. How can I influence?

We are committed to offering our users choices and administrative options when it comes to privacy. The various ways in which our users can influence the collection and processing of data are listed below.

Right to access and verify, rectify, transfer or delete data: Users have the right to access and verify the personal data stored about them. At the user’s request, we will rectify, erase or complete personal data which is inaccurate, unnecessary, incomplete or outdated in view of the purpose of processing. Should users so wish, they also have the right to have the personal data transferred. Users can update and/or access their personal data by contacting our customer service.
How to refuse cookies: Users have the possibility to prevent the use of cookies by modifying the settings in the browser they use. Preventing the use of cookies may affect the functioning of our services.
How to erase cookies: Users can erase cookies in the browser settings. When the user erases cookies at regular intervals, the identifier, on the basis of which the user’s profile is created, changes. Erasing cookies will not, however, stop the collection of data completely. Instead, the profile based on previous user behaviour data will be reset.
Right to refuse direct marketing and the related profiling: Our clients can prohibit disclosure of their personal data and processing for direct marketing purposes at any time by clicking on the link at the end of the message, or by contacting our customer service.
Right to object and withdrawal of consent: Users have the right to object to the processing of data, based on legitimate interest, on grounds relating to their particular situation. Users may also withdraw their consent at any time.
Right to appeal: Users have the right to lodge a complaint with the competent public authority, if they consider their personal data to have been processed contrary to this privacy statement and legislation in force at any given time. The Data Protection Ombudsman’s contact information is available at the end of this privacy statement.

6. Will my personal data be disclosed or transferred to third parties?

We do not sell, lease, transfer or disclose identified users’ personal data to any third parties except in the cases listed below:

STT Group: We may process users’ personal data within STT Group. An up-to-date list of STT Group companies is available here.
Consent: We may only disclose the user’s data to third parties if the user has given consent to do so.
Journalism: We may disclose the user’s personal data, including the person’s photograph, for journalistic or artistic purposes, or the purposes of literary expression.
Public authorities: We may disclose the user’s personal data as required by competent public authorities or other parties, based on legislation in force at any given time.
Research: We may disclose data for scientific or historical research purposes, provided that, as a rule, the data is converted into a format in which the data subject is no longer identifiable.
Corporate transactions: In case of mergers, acquisitions or other corporate transactions, the users’ personal data can be disclosed to the buyers and their advisers.
Direct marketing, opinion and market surveys: We may disclose a client’s personal data for direct marketing purposes and opinion and market surveys, unless the client has prohibited it.
Social media: Our services may use so-called community plug-ins, such as the Like button for Facebook. The content of community plug-in buttons comes directly from the social media service which is the button’s source, and in such cases, the social media services can collect data on the user’s visit in compliance with their privacy policy.
Legitimate interest or legal obligation: We may disclose personal data to third party enterprises, organisations or individuals, if we believe that the use, storage or disclosure of such data is necessary to fulfil an agreement, to investigate possible offences, to protect other users of our services or our legal rights.
Aggregate data: We may use and disclose aggregate data for reporting and product development purposes. Such data is modified so that individual users cannot be identified in it.

We use subcontractors’ services for processing the data and in such cases, we ensure, through contractual arrangements, that the data is processed in compliance with legislation in force at any given time, and this privacy statement.

As a rule, we do not transfer data outside the European Union or European Economic Area. If we transfer data outside the European Union or European Economic Area, we ensure a sufficient level of protection of personal data through various measures, including agreeing on matters relating to the confidentiality and processing of personal data as required by law, for example using the standard contractual clauses approved by the European Commission, and otherwise so that the processing of personal data complies with this privacy statement. The transfer of data outside the European Union or European Economic Area may also be based on the user’s consent.

7. How is my personal data protected?

We use the necessary technical and organisational data security methods to ensure the protection of personal data from unauthorised access, disclosure, destruction, loss or other unlawful processing. Such methods include the use of firewalls, encryption technologies, safe IT areas, appropriate access control, controlled granting of user rights and supervision of their use, guidelines for staff members participating in the processing of personal data, and the careful selection of subcontractors.

8. Is children’s personal data processed in the services?

Our services are not intended for children, as only persons of legal age can register in our services. However, for example our picture archive may include photographs of children. If we specifically photograph a certain child or children for marketing purposes, we will request consent from the child’s parent or other guardian.

9. Can this privacy statement be amended?

We develop our services continually and reserve the right to amend this privacy statement by notifying about it in our services. Amendments can also be based on changes in legislation. We recommend that you review the contents of the privacy statement on a regular basis.

10. Whom can I contact?

The primary point of contact is the customer service specific for each service. Links to our services are available here.

Users may also send enquiries about this Privacy Statement to:
Oy Suomen Tietotoimisto – Finska Notisbyrån Ab
Data protection
P.O.Box 660, 00181 Helsinki, Finland
email: tietosuoja(at)stt.fi

Supervisory authority contact details:
Office of the Data Protection Ombudsman
Visiting address: Ratapihantie 9, 6th floor. 00520 Helsinki
Postal address: P.O.Box 800, 00521 Helsinki, Finland
Switchboard: +358 29 56 66700
Email: tietosuoja(at)om.fi

Updated 31 January 2019.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by the Google recaptcha service to identify bots to protect the website against malicious spam attacks.
cookielawinfo-checkbox-functional	1 year	The GDPR Cookie Consent plugin sets the cookie to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-liikenteen-analysointievasteet	1 year	No description
cookielawinfo-checkbox-markkinointievasteet	1 year	No description
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non Necessary".
cookielawinfo-checkbox-others	1 year	Set by the GDPR Cookie Consent plugin, this cookie stores user consent for cookies in the category "Others".
cookielawinfo-checkbox-valttamattomat-evasteet	1 year	No description
cookielawinfo-checkbox-vapaaehtoiset-evasteet	1 year	No description
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
datadome	session	This is a security cookie set by Force24 to detect BOTS and malicious traffic.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, camapign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assigns a randoly generated number to identify unique visitors.
_ga_*	1 year 1 month 4 days	Google Analytics sets this cookie to store and count page views.
_ga_1SQKZPKC4M	2 years	This cookie is installed by Google Analytics.
_gat	1 minute	This cookies is installed by Google Universal Analytics to throttle the request rate to limit the colllection of data on high traffic sites.
_gat_gtag_UA_*	1 minute	Google Analytics sets this cookie to store a unique user ID.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the wbsite is doing. The data collected including the number visitors, the source where they have come from, and the pages viisted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjIncludedInSessionSample_129002	2 minutes	Description is currently not available.
_hjRecordingEnabled	never	Hotjar sets this cookie when a Recording starts and is read when the recording module is initialized, to see if the user is already in a recording in a particular session.
_hjRecordingLastActivity	never	Hotjar sets this cookie when a user recording starts and when data is sent through the WebSocket.
_hjSession_129002	30 minutes	No description
_hjSessionUser_129002	1 year	No description
_pk_id.*	1 year 27 days	Matamo set this cookie to store a unique user ID.
_pk_id.2499.4930	1 year 27 days	Matamo set this cookie to store a unique user ID.
_pk_ses.*	30 minutes	Matomo set this cookie to store a unique session ID for gathering information on how the users use the website.
_pk_ses.2499.4930	30 minutes	This cookie is used to store a unique session ID for gathering information on how the users use the website.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
GPS	30 minutes	This cookie is set by Youtube and registers a unique ID for tracking users based on their geographical location
vuid	2 years	These cookies are used by the Vimeo video player on websites.
YSC		This cookies is set by Youtube and is used to track the views of embedded videos.