Date of modification: August 19, 2025
1. Name of the filing system
Ceepos – online payment solution
2. Data controller
City of Hamina
Puistokatu 6, 49400 Hamina
Business ID: 0242496-6
Phone: 05 749 2500
3. Contact person responsible for this register
Head of Information Management
niko.palmu@hamina.fi
0406874100
4. City’s Data Protection Officer
ICT Developer, Information Management
Isoympyräkatu 10, 49400 Hamina
Phone: 0401991688
Email: tietosuoja@hamina.fi
5. Purpose of the register and legal basis for processing
Personal data is collected for purposes such as correctly allocating payments, identifying the customer and/or a person indicated by the customer, and for reporting. Information is collected from software users to define access rights and to monitor usage. The software generates log data containing personal information for the purposes of usage history and problem case investigations.
6. Data content of the register
Possible personal data stored in the registers include:
General customer register: customer number, first name, last name, and email address.
Order register: payment number, ordered products, and related additional details.
7. Regular sources of information
External systems transmitting payment transactions via connections integrated into the online payment interface.
8. Regular disclosures and transfers of data
Personal data is not disclosed to third parties. Personal data may be transferred to other systems of the data controller, such as the cash register system, accounting, invoicing, access control, and booking systems. Depending on the payment service provider, customer contact details may be transferred to the payment system at the time of payment to facilitate problem resolution and refunds.
9. Principles of data protection and data retention
Software maintenance is protected by usernames and passwords as well as user-group-specific access rights. Data in the database is protected with usernames and passwords, and data processing is restricted to the e-commerce system. Data stored on disks is protected by operating system-level access rights. All communication between the system supplier’s systems, the online store, and the payment service provider is SSL-secured.
Maintenance connections to the e-commerce server are allowed only for the server and system suppliers. The software supplier has full access to review and delete all collected data.
Personal data is stored in the registers until deletion is carried out manually. Order information is stored until deletion is done manually or on a scheduled basis. Electronic receipt histories are stored until deletion is carried out manually, but for at least two years.
10. Transfer of data outside the EU or EEA
Personal data is not transferred outside the EU or EEA.
11. Rights of the data subject related to the register
Right to access and request deletion of data The data subject has the right to check what data concerning them has been stored in the register. The inspection request is subject to a fee if less than one year has passed since the previous request. The data subject has the right to request deletion of data concerning them that has been stored in the register. The data controller may refuse to carry out deletion based on legal grounds or the obligations and rights of the data controller.
Right to lodge a complaint with the supervisory authority The data subject has the right to lodge a complaint with the competent supervisory authority if the data controller has not complied with applicable data protection regulations.
Contact for exercising rights For inspection and deletion requests, the request must be submitted in writing and signed to the responsible person named in section 3. The inspection request must be made in person at the data controller’s premises. The data controller may, if necessary, ask the customer to clarify their request in writing and to prove their identity.
