Privacy Notice

The below terms are used in the Privacy Notice as follows:

Anonymized data refers to data that can no longer be associated with you as a person, as all identifiable elements have been removed.

Customer is a subscriber, buyer or user of our Services. The customer that has a contractual relationship with Telia is responsible for ensuring that all the users (for example family members using the same subscription) are aware of and understand the contents of the Privacy Notice.

Personal data refers to data that can be associated with you either directly or indirectly. The types of personal data we process are described below in the Privacy Notice.

Services refers to all products and services provided by Telia.

Telia companies means companies that belong to Telia Company. More information about Telia companies is available here.

Traffic data refers to such data on calls, messages and e-mail messages generated in connection with the use of a communications service that is processed in the communications network in order to transmit a message, to invoice for a communications service, or for other purposes permitted or required by law. Data generated in connection with the use of communications services includes information about the parties of communications and the terminal device, the start and end time and duration of communications, the routing of the message, the data transmission protocol, the volume of data transmitted, the location of a subscription or terminal device in a specific base stationarea, or other location data, or other similar data processed in the communications network in order to transmit, distribute or forward messages. If the traffic data can be associated with you as a person either directly or indirectly, it is also considered to be personal data.

Telia provides a wide range of services. What personal data we collect depends on the Services you use, subscribe to or buy, and on what data you submit to us or we collect in this connection or otherwise when you log in to our Service.

We can collect personal data from the following sources:

Directly from you yourself for instance when you do business with us, buy or subscribe to our Services and products, or when you register with or log in to our Services, visit our website, subscribe to our newsletter, reply to our customer satisfaction survey or contact us.

From other sources

Detected data generated in connection with the Service use are processed by us to the extent permitted by law for instance when you use our communications network, online services, TV and entertainment services, mobile apps and other Services (for example in connection with phone calls and sending of email or website visits).

Derived data we have created on the basis of your personal data, such as conclusions about your possible interests or service consumption habits, made by means of analytics in order to target direct marketing or services.

Data obtained specifically from other sources, such as other service providers or publicly available registers, such as the Population Register Centre, Posti’s registers, the Robinson register of the Data & Marketing Association of Finland (ASML), Suomen Asiakastieto, Fonecta, Aller and Futusome. We may also process personal data received from other Telia companies in accordance with this Privacy Notice under the conditions laid down by law.

Disclosure of personal data to Telia is not compulsory, but if you choose not to disclose your personal data, we will not necessarily be able to provide you with our Services.

We may process the following types of personal and traffic data:

• Basic details, such as name and contact details, alias, the desired communications channel, title or profession, for corporate contact persons also the area of responsibility / position, and social media identification data.
• Demographic data, such as age, date of birth, gender and mother tongue.
• Personal identity number, if necessary in order to identify the customer for invoicing purposes or if otherwise permitted or required by law, an electronic unique identification number (SATU).
• Data collected in connection with the registration with, identification in and login to Telia’s services and portals, such as usernames and passwords and transaction data concerning the login (for example Omat Sivut, Minun Telia, Corporate Portal, Telia Yhteisö).
• Data on customership and contractual relationship, such as data on the Service, purchases, products, orders and guarantee times and the data associated with them or necessary to provide them, subscriber and user information, bans and restrictions connected to the services, customer rating data, data associated with invoicing, credit control and payment, banking details, customer history, data on online transactions (powers of attorney, authorisations), records made in customer service situations such as recorded calls and videos as well as e-mail, chat and social media messages to customer service, other additional data you have provided.
• Data generated in association with Communications Services and other Services, such as traffic data, data generated from the use of Telia’s website, mobile applications and TV and entertainment services, data needed for administering Mobile ID and data needed and generated during the use of Mobile ID.
• Other data describing the use of the Service, including any personal data collected by means of cookies and similar technologies in connection with web or mobile browsing (more information on the use of cookies).
• Data collected in connection with registration for events, competitions and prize draws organized by Telia, data collected in association with customer satisfaction surveys and queries.
• Data related to direct marketing campaigns, permissions and prohibitions related to direct marketing, interests, subscriptions to newsletters and invitations to events, data related to the targeting of direct marketing.
• Other data that we collect with your consent and that we specify when requesting your consent.
• Information received from other Telia companies.

Telia processes children’s personal data to the extent permitted by law, when appropriate in the case in question. Telia takes reasonable efforts to ensure and verify that the custodian of a child under the age of 13 has agreed to the processing of personal data, taking into account the available technology and the privacy risks related to the processing.

We collect, process and use personal data that are needed for conducting and planning our business, efficient customer service and other appropriate commercial activities, including the processing of personal data for anonymizing data.

The processing of personal data is most often based on an agreement you have concluded with us or on Telia’s legitimate interest in connection with Service use and provision. Telia has a legitimate interest to process personal data for customer relationship management and in order to serve our customers. Legitimate interest makes it also possible to conduct targeted marketing and advertising. We may also process personal data based on other grounds, such as on the basis of your consent or the law.

We may combine data collected in connection with different Services in so far as the data have been collected for the same purpose. If the customer is identifiable, we may combine their customer data with analytics data collected on them in order to be able to better target our Services for the customer’s needs.

We may also process personal data between Telia companies in order to get an overview of our customers’ customership at Telia Company and to provide and market services to our customers. Within Telia Companies, personal data may be processed, combined, grouped and cross-checked between the companies in Telia Company, provided that there is a legitimate need for it, such as carrying out and planning their business, managing intra-group credit risk, creating and developing products, services and customer offering, increasing customer understanding,
providing and producing a service, performing marketing and direct marketing, and other purposes for which those companies have stated that they will process your personal data. The data controllers within Telia Company who disclose, transfer and receive your data are independently responsible for the lawfulness of the processing of your personal data and for the implementation of your data protection rights. Further information on the processing of´personal data by other companies within Telia Company is available in their privacy notices and policies.

Telia may have fan pages or business pages on Facebook that are administered by Telia. For these pages, Telia and Facebook act as joint controllers, as applicable. Facebook processes data in accordance with its privacy notice and privacy policy. Facebook is primarily responsible for complying with data protection legislation and for implementing the rights of the data subject in its service. Learn more about the processing of personal data by Facebook and the page administrator and the division of responsibilities between the parties. Facebook privacy settings can be
managed on Facebook.

In all cases, we process personal data only for a specified purpose and to the extent necessary for it, taking the protection of our customers’ privacy always into account.

Telia processes your personal data for the following purposes:

1. On the basis of a contractual relationship and in order to provide Services:

We process your personal data for the provision and production of Services. We process your personal and traffic data for purposes of transmitting communications, implementing a service and ensuring information security, for example when switching a call or transmitting a text message or email to the recipient in our communications network. In addition, the provision of Services requires that we process personal data for managing a customer or contractual relationship, identifying customers or users, processing and delivering orders, invoicing, service and product quality control, credit control, debt collection, customer service, and for fixing various faults and incidents or for processing complaints.

The formation of a contractual relationship and/or the delivery of services may require an approved credit decision, which can be taken through automated decision-making. The credit decision can be made on the basis of Telia’s or a Telia company’s customer relationship information. If the data subject does not have a customer relationship with Telia or if, in addition to the processing of customer data, Telia considers it necessary to use external credit check data, which is provided by Suomen Asiakastieto, among others. Such checks may also be made for data subjects whose credit history is not available, for example due to a long stay abroad. In device sales, we use third-party information to support the credit decision.

The credit decision can be based on the payment history of a customer in a contractual relationship with Telia or other Telia company (invoice amount, invoice payment date, due date). We may also use information about open receivables (amount, duration). The content of the credit decision may also be affected credit check requests presented in a short time interval, the number and value of the services to be purchased and the age of the customer. The use of age, like other criteria, is associated with a calculated estimate of the general amounts of credit transactions. Credit decisions are made during a purchase or order transaction.

Telia’s credit decisions are mainly based on automated processing, which assesses the credit risk by taking into account the above factors with different weights. 

We also process personal data for the purpose of customer communications, for example for sending notifications related to Services and in order to contact customers in matters related to our Services.

We process personal and traffic data in order to detect technical faults and errors, to ensure the information security of all of our Services, data systems and communications networks, and to test their operations. If necessary, we may also process personal and traffic data to detect or prevent misuse and fraud related to our Services, for example if a communications service subject to a charge has been used or attempted to use free of charge. For purposes of information security, we may also collect data on Service use, e.g. on successful and failed logins to our Services requiring registration.

We may process traffic data for the technical development of a communications service, such as for optimizing the operations of communications networks. In addition, we may compile statistics for the development of Services and for other analysis needs and thus, for example, group our customers based on invoicing, data volumes, the duration of the customer relationship or external classifications, e.g. draw up reports on how different user groups use communications services or how a person’s place of residence and age affect their Service use.

We process personal data internally for the development, management and quality control of our business, Services and related processes. Such processing may be necessary, for example, when we analyse delivery processes and complaints related to them in order to improve the efficiency of our delivery process and thereby to find a better and faster way to serve our customers. We also process personal data to better understand our customers’ needs and wishes as regards, for example, the features and contents of our Services. 

2. On the basis of legitimate interest:

Telia may process your personal data on the basis of legitimate interest. Telia has legitimate interest to process your personal data in the following situations, for example:

Direct marketing: We process and utilize both anonymized data and personal data for marketing purposes and for building target groups for marketing within the limits of the valid legislation. In addition, we may process personal data in order to target our marketing at the products and services that each customer finds interesting. We may use personal data within the limits of the law for marketing both our own (including Telia companies) and our cooperation partners’ products and services, such as for direct marketing and market research, and for customer satisfaction surveys.

Personalization of services: We may process personal data or anonymized data for personalizing and targeting Services for instance by giving recommendations and by showing targeted contents in our Services or customer channels. We also process personal data and anonymized data in order to get a comprehensive picture about the customer’s use of our Services and likings related to our Services. We use such profiled data in order to enable our customers to get a better experience of the use of our Services.

Statistical purposes: We may also process personal data in order to create statistical analyses, which enable us to develop our business, customer offering or improve our services or products.

3. To comply with legal obligations:

We process personal data to fulfil our legal obligations, such as accounting and
regulatory purposes, and to comply with obligations on preventing money laundering and the financing of terrorism.

As a telecommunications company, Telia has an obligation to store information communications for the authorities pursuant to the Act on Electronic Communications Services. In addition, as a provider of an electronic signature and identification service and as regards signature or authentication events and identifiers, Telia is obligated to store the data required to verify an individual authentication event or electronic signature transaction, data on prohibitions and use restrictions associated with the use of an identification device and the data content of a certificate.

4. For other purposes to which you have given your consent:

We may process your personal data for all purposes to which you have given your consent. You can, for example, give your consent to the processing of your traffic data or location data in order for us to target such benefits at you that are topical or relevant to you.

When requesting your consent, we inform you thoroughly of the meaning of the consent to personal data processing and how you can cancel your consent.

Information security and protection of customer data are of paramount importance to us. It is important for Telia to ensure the availability, integrity and security of personal data. We strive to take appropriate actions in order to protect personal data and to prevent and detect unauthorized access to personal data and loss of personal data.

We take continuous efforts to safeguard our customers’ rights. We take care of the security of our personnel, data, information systems and public communications networks as well as our offices and technical facilities. We pay special attention to protecting the data we process, such as your personal data.

In data protection, we take into account the risks posed to privacy protection and business operations by the processing of personal data, the available technical options, and different kinds of threats in accordance with the applicable legislation, regulations and obligations under agreements.

Learn more about Telia’s information security policies in general

We may disclose your personal data to the extent permitted and required by law. We may also process anonymized or statistical data that cannot be associated with you as a person. Such information can also be disclosed to third parties for other purposes than those described in the Privacy Notice.

We may disclose your personal data to the parties below.

1. Companies within Telia Company to the extent permitted by applicable legislation. Our Group companies may use your personal data for the purposes defined in this Notice, including for marketing their products or services to you.
   
   Personal data may be disclosed or transferred to another Telia company for the purposes described in the Privacy Notice under the conditions laid down by law.
    
2. Telia’s subcontractors that process personal data on our behalf based on our assignment. These third parties are not allowed to use the personal data for any other purpose than for providing the service agreed with us. When using subcontractors, we will ensure in an appropriate manner that the processing takes place in accordance with the Privacy Notice. The processors referred to herein include, for example, IT service providers, equipment servicing partners, and marketing offices performing marketing efforts on our behalf.
   
   Our partners who process personal data on our behalf may be located outside Finland, the European Union or the European Economic Area. When transferring personal data outside the EU or EEA, we ensure by means of agreements (e.g. by the use of the EU Commission’s standard contractual clauses) or otherwise (an adequacy decision by the European Commission) that the transfers are implemented as required by law. In addition, we ensure, and also expect our processors to ensure, as required by legislation, that your personal data remain protected regardless of whether they are transferred outside the EU. More information on the conditions for the transfer of personal data to a party outside the EU or EEA.
    
3. Directory inquiry services. We disclose your personal data (such as name, telephone number and address) for publication in public directory inquiry services (electronic directory services or telephone directory) as required by law. If you wish, you have the right to forbid the publication of your data in this way.
    
4. Other telecommunications companies or service providers that provide or are committed to providing you with services, for example, for invoicing purposes or in the event of a fault or disturbance.
   
   When you call a telephone number of other Finnish or foreign telecom operators, you leave our communications network and use the roaming services provided by other telecom operators (e.g. when travelling abroad), the telecom operators concerned are entitled to collect and process your personal data and receive your personal data from Telia.
   
   When you, for example, subscribe to Spotify through us, the service provision may require disclosure of your data to the service provider in question. If you send your device to us for servicing, the warranty procedure may require disclosure of your data to the manufacturer.
   
   Your data may also be disclosed in association with electronic identification or electronic signing to identification broker services or service providers whose services you access or log in by means of Telia’s identification service or identification device (such as Mobile ID) to verify your identity or to sign electronically. We may disclose personal data for service providers and identification broker services in the extent required by the intended use and as allowed or required by law. During authentication and electronic signature, your name, electronic unique identification number and/or personal identity number may be disclosed to the service provider and the identification service broker.
   
   If you use the payment feature of your mobile subscription, i.e. you purchase a ticket to be paid on your phone bill, Telia may process the personal data needed to execute the payment transaction and also disclose the subscription number to the service provider from whom you purchase the service using the payment feature.
   
   When Telia discloses personal data to other telecommunications companies or service providers, the processing and collecting of personal data is carried out in accordance with the contractual terms and privacy policies of the respective telecommunications company or service provider, and this Privacy Notice shall not apply to the processing of personal data by these parties. Telecommunications companies or service providers might also transfer personal data to parties outside the EU and the EEA. If necessary, we recommend that you contact the relevant telecommunications company or service provider if you need more information about their privacy policies.
    
5. Other third parties with your consent, which we may have received in connection with a particular service, for example.
    
6. In relation to legal proceedings or at the request of an authority on the basis of applicable law or court order or in connection with a trial or authority process. Under a court decision, personal data may be disclosed, for example, to a copyright holder or their representative.
   
   We may also disclose data to a competent authority, such as the police or the emergency centre authorities, to the extent required by law in accordance with a predefined procedure.
    
7. As required or permitted by law, for example when providing a subscriber with a connection-specific itemization for an invoice.
    
8. In connection with mergers and acquisitions and various business transaction and transfers.

We keep personal data only as long as necessary to fulfil the purposes defined in the Privacy Notice, unless otherwise required by legislation. No corresponding restrictions apply to the storing of anonymized data.

We do not store outdated or unnecessary information. We aim to make sure that the personal data and other customer data are up-to-date and correct.

Data processed on the basis of a contractual relationship are stored, as a rule, for the duration of the contractual relationship or as long as the provision of the Services requires. After the expiry of the contractual relationship or the end of the Service provision, personal and traffic data will be stored as long as they are needed, for example, for unfinished business, invoicing, complaints or warranty period. As a rule, the retention period for the data is at least 3 years from the end of the year in which the customer relationship ended. The storage times of individual data types may also be shorter: Internet logs (IP addresses), for example, are stored for 14 days.

Data processed on the basis of legitimate interest are processed for as long as there are grounds for their processing. If the customer is entitled to object to the processing, the data are erased when the customer’s request related to the objection has been processed and approved. An example of this kind of processing falling within the scope of legitimate interest is direct marketing to the customer after the end of a contractual relationship.

Data processed on the basis of legal obligations are processed and stored as long as required by law. Obligations regarding the retention of personal data have been laid down in, for example, the legislation on accounting or money laundering (5-6 years), the Act on Electronic Communications Services (6–12 months) and the Act on Strong Electronic Identification and Electronic Trust Services (5 years).

The storage time of data processed with your consent is determined according to purpose of the processing. If you have given your consent to the processing of traffic data for direct marketing purposes and then cancel your consent, we will no longer process traffic data in order to target direct marketing to you on the basis of them. However, we still have the right or obligation to process traffic data, for example, under a contractual relationship or legal obligation. 

Your rights and options depend on the purposes of the processing of personal data and on the situation.

• The right of access: You have the right to receive a confirmation of whether your personal data are processed, and if they are, to gain access to the data. If less than six months have passed since your previous inspection request, Telia may charge you for the inspection request according to the price-list.
• The right to give and withdraw your consent: If the processing of your personal data is based on your consent, you have the right to withdraw your consent at any time.
• The right to rectify data: You are entitled to have your personal data rectified or, in certain cases, to have defective personal data supplemented.
• The right to object to the processing of personal data: You are entitled to object to the processing of your personal data based on Telia’s legitimate interests, including profiling. Telia may reject the request, if the processing is necessary in order to implement Telia’s mandatory and legitimate interests. You are always entitled to oppose to the processing of your personal data for direct marketing purposes and for profiling related to direct marketing.
• The right to data portability: You have the right to receive your personal data you have submitted to us for processing based on your consent or performance of contract. You are entitled to receive the data in a structured, commonly used and machine-readable format, and the right to transfer the data to another controller.
• The right to be forgotten: You are entitled to ask Telia to erase data related to you, for example, if (i) you consider them unnecessary for the purposes described above, (ii) you cancel the consent you have given, (iii) you consider Telia to process your personal data contrary to law, or (iv) you object to the use of your personal data for direct marketing purposes.
• The right to restriction of processing: You have the right under certain circumstances to require the controller to restrict the processing of your personal data.

You also have the right to forbid the publication of your personal data and the disclosure of your personal data to directory inquiry services (so-called unlisted/secret number).

You have the right to file a complaint about a credit decision made with automatic data processing to our customer service and to request that Telia’s handler processes the data and ensure that the decision is based on correct information. Please note that the credit decision may still remain unchanged. 

We will update the Privacy Notice, if necessary, as our operations and Services develop. We advise you to check for the latest version regularly on our website.

If there is a conflict between translations, the Finnish version shall prevail.

You can exercise all the rights of a data subject by logging in to telia.fi and in the Minun Telia application.

Log in to the service through the above link or at www.telia.fi. You can also get more information from Telia’s customer service, by calling 020 690 400 or at Telia Kauppa shops.

You can send any questions related to the processing of personal data or the Privacy Notice to the addresses below.

Controller

Company information
Telia Finland Oyj
Pasilan Asema-aukio 1, 00520 HELSINKI, FI. Registered office: Helsinki
Business ID 1475607-9, VAT No. FI14756079
Data Protection Officer: tietosuoja-telia@teliacompany.com

Complaints related to the processing of personal data and requests related to the exercise of rights:

Telia Finland Oyj
Customer Service
P.O. Box 0400
FI-65101 Vaasa

Nationwide switchboard number 020401 (from abroad: + 358 20401)
Customer Service: www.telia.fi/asiakastuki/yhteystiedot and tel. 020 690 400

If you think that Telia has acted contrary to the Privacy Notice or the valid legislation, you are entitled to file a complaint about the matter. You can also file a complaint with the Office of the Data Protection Ombudsman, that monitors the lawfulness of the processing of personal data, or the Finnish Transport and Communications Agency, which monitors the lawfulness of the processing of traffic data in Finland.

Telia is committed to conducting responsible and sustainable business. If you suspect that Telia has acted contrary to the legislation or the Privacy Notice, you can also report the matter confidentially through Telia Company’s Speak Up Line (so-called whistleblowing system).

If you have any questions or you want to discuss how Telia Company protects your privacy, please contact our Group Data Protection Officer at DPO-TC@teliacompany.com.

Learn more about privacy in Telia Company.

Learn more about security at Telia Company.

Laws applicable to the processing of personal data and traffic data:

• EU’s General Data Protection Regulation (2016/679)
• Act on Electronic Communications Services (917/2014), Part VI, Confidentiality of Communications and Protection of Privacy
• Data Protection Act (1050/2018)