Privacy policy

Updated on 3 July 2024

Recording of customer calls

1 What data is processed and why?

The main purposes of the use of customer’s data are described in the HSL Customer Register Privacy Statement.

Your phone calls to out customer services will be automatically recorded. Your phone number is also automatically stored, unless it is ex-directory.

The recordings of customer calls are used for verifying service transactions, improving service quality, HSL’s internal training purposes as well as for ensuring your and HSL’s legal protection.

In order to assess the quality of the service, we will send a survey to a selected group of customers via SMS. The customers’ phone numbers used in connection with the surveys will not be stored for future purposes.

Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement.

Only designated persons, whose task is to maintain the system used to manage customer calls, have access to the recordings of customer calls.

All your data is processed as confidential and your data is only disclosed to persons who need the data to perform their duties and who are bound by professional secrecy and confidentiality. 

2 How long is my data stored?

The recordings are stored for six months, after which they are automatically destroyed.

Authentication

1. What data is processed in the service and why?

Our customer service can send the customer a link by SMS in order to transfer the customer’s strong authentication data (name and ID number) to customer service. Strong authentication enables customer service situations in our telephone service in which the identity of the customer must be verified.

2. How long is my data stored?

Data delivered by means of strong authentication will not be stored. Such data is destroyed automatically and can only be viewed temporarily by our customer advisor during the customer service situation in question.

Updated 3 July 2024

You will receive communications from us if you have provided your email address in one of our services (e.g. hsl.fi, HSL app or HSL card service) or if you use the HSL app and have enabled notifications.

We communicate to our customers via email and notifications on the HSL app. We provide customers with information about HSL area public transport, transport plans, changes to services and other topical issues. In addition, we may send invitations to customer surveys and interviews conducted to improve our services.

You can choose what information you receive from us and how. You can edit your selections in the setting of the HSL app or in the My information section at hsl.fi. You need to log in using your HSL account to edit your settings. In addition, all email messages we send you include a link which you can use to unsubscribe from email messages.

Some information is considered essential for the benefit of customers and critical communications related to HSL’s duty to provide public transport services cannot be prohibited. This includes email notices about significant changes to HSL’s services (pricing, terms and conditions, etc.) as well as major disruptions to public transport such as strikes.

In addition to general customer communications, we send service-specific messages via email as well as notifications via the HSL app. These include, for example, reminders of the expiry of tickets as well as HSL card value balance reminders. You can manage the settings for service-specific messages in the settings of each service.

1 What data is processed in the service and why?

We process your email address and/or your phone number for the purposes of identifying and reaching you. Our right to process customer data as well as our right or obligation to send customer communications are based on customer relationship. If you have also given your consent to direct marketing, our right to process your customer data for marketing purposes and to send you marketing messages  is based on your consent.

We will process other customer data than your email address and phone number to send you customized messages.

The data we process includes:

• First and last name
• Email address
• Phone number
• Postcode (retrieved from the population information system or provided by you)
• A specified character string that acts as an identifier in different systems
• Language for emails
• Language used in the HSL app
• HSL app technical identifier
• Consent to direct marketing from customers aged over 15 years
• Email and app notifications settings
• Favorite routes and stops stored in HSL’s services
• HSL app ticket purchases
• Reception and opening of emails and HSL appnotifications and of the links included

2 How long is my data stored?

The data storage time is in accordance with the storage times set out in our Privacy Statement. Read more in HSL’s Privacy Statement and service-specific privacy notices.

3 Who processes the data?

The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data processing tasks, and can disclose personal data to them where necessary to perform the tasks. All persons processing personal data are bound by professional secrecy and confidentiality.

4 How can I access my data?

You can check and manage your data as well as your communications settings in the HSL app settings as well as in the My information section at hsl.fi when you log in using your HSL account.

For more information about the exercise of the rights of data subjects, see Privacy > Rights of data subjects.

Updated 2 March 2022

1 What data is processed in the service and why?

The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.

If you would like a response to your feedback or you are logged in with your HSL account when submitting feedback, we will process your name and contact details. If you are logged in when submitting your feedback, we will process: your name, email, phone number and HSL account. If you are not logged in and would like a response to your feedback, we will process: your name, email address and phone number, if provided. You can provide additional information in the free text field.

In case of refund requests, you are also asked to provide, for example, your HSL card number, mobile ticket phone number, street address or PO Box, postcode, personal identity code and bank account number. Refund request forms are filled in at a service point or by HSL’s telephone customer service. In case of a strike, a printable refund request form will be available online at hsl.fi.

Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement. 

2 How long is my data stored?

Data included in feedback will be stored for three years. In the case of refunds, personal data will be stored for the the current calendar year and the following six (6) calendar years.

3 Who processes the data?

The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. All persons processing personal data are bound by professional secrecy and confidentiality. Feedback is passed on as relevant. For example, feedback on driver performance is passed on the the relevant bus operator. 

4 How can I access my data? 

For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.

Updated 3 July 2024

1  What data is processed in the service and why?

The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.

When you start using the app, you are asked to provide the following information:

• Are you over 15 years of age.
• If you are over 15, we ask for your place of residence (postcode, postcode district, or you can tick the option “I live abroad”). The information is used to provide you with more detailed up-to-date information about the use of public transport. The domicile information derived from the place of residence is also needed for the purposes of dividing public transport costs between HSL’s member municipalities.
• If you are under 15, you will be asked your date of birth.
• All customers are asked for location and notification permission. Location permission enables better user experience, for example, by facilitating the use of the Journey Planner. The notification permission allows us to send you reminders about the approaching expiry of your tickets and to provide you with information about extensive disruptions affecting your travel.
• If you are aged 15 or over, we will ask for your consent to collect and use travel data. You can read more about the collection and use of travel data below in section 1.2 “Collection of travel data in the HSL app” and in section 1.3 “Connecting travel data to your HSL account”, as well as in the questions and answers section of this privacy page under “How is the travel data collected via the HSL app stored”.

When buying a ticket, you are asked to provide the following information:

• Your name. The information is used, for example, for communications.
• Phone number. Your phone number is processed for ordering and delivering the ticket and for checking the validity of your ticket.
• If you are aged 15 or over, we will ask for your email address. The information is used, for example for communications.
• If you are aged 15 or over, we will ask for your consent to send you direct marketing by email or SMS.
• If you buy a season ticket, you will be asked to enter a password to create an HSL account. An HSL account provides you easy access to your tickets and your payment card details even if you lose or change your phone.
• If you buy single and day tickets, you can create an HSL account if you want by entering a password. An HSL account provides you easy access to your receipts and your payment card details even if you lose or change your phone. If you are under 15, you will also be asked for your email address.
• If you already have an HSL account, you can log in with your HSL account and we won’t ask your phone number, email address or consent for direct marketing.
• If you are buying a season ticket, you need to strongly authenticate for the purposes of establishing the price subsidy based on the municipality of residence. If you have already authenticated for another service and you log in using your HSL account, you will not need to strongly authenticate again.
• If you choose card payment, your card details, i.e. card number and expiry date, will be transmitted over a secure encrypted connection and stored in a secure PCI DSS compliant environment in the card payment service provider’s database. Only the four last digits of the card number will be stored in HSL’s data systems. You can remove the card details at any time in the application settings.
• Other payment methods: we use third parties to process payments and they may ask additional information when processing information related to the payment method. The payment information is only processed by the third party and HSL will not store the information.

In addition, in connection with ticket purchase:

• The data stored for you includes data about the tickets you order, the application version and potential discount entitlement.
• When you buy a student season ticket, we save your student discount entitlement.

Other:

Information about the services you use via your HSL account is connected to your data. These services include, for example, the HSL.fi service.

If you log in using your HSL account and authenticate strongly, your personal identity code, name, address information and potential non-disclosure order will be saved and automatically updated from the population information system of the Digital and Population Data Services Agency.

Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement. HSL also processes the data to perform its basic tasks. Direct marketing, use of location information, notifications and collection and use of travel data are based on your consent.

1.1 Surveys conducted via the HSL app

HSL conducts various surveys and questionnaires based on your use of HSL’s services. If you have enabled invitations to surveys and questionnaires in the notification settings of the app, we will send you invitations to participate in online surveys and questionnaires, as appropriate. You can participate in surveys and questionnaires by clicking on the invitation to participate. The invitations also provide you with more detailed information about the survey or questionnaire in question and the type of study.

Completing questionnaires and surveys is completely voluntary. You can turn invitations to surveys and questionnaires on or off at any time by changing the notification setting available in the HSL app settings under “Notifications and email”.

If you have both enabled the abovementioned notifications and given your consent to the collection of your travel data (see section 1.2 “Collection of travel data in the HSL app” below), you may receive invitations to surveys and questionnaires when travelling in areas relevant to them.

In addition to the actual survey data and potential travel data, we also ask for and store, as appropriate, background information needed for grouping*. We will use this data both for the survey in question and for any subsequent surveys and studies and their analysis.

We will store the data from surveys and questionnaires in the HSL data warehouse for a period specified in the plan of each survey (see section 2 “How long is my data stored” below).

*Background information include aspects affecting mobility such as gender, area of residence, ticket type and validity area, possession of a driver’s license and ownership of a car.

1.2 Collection of travel data in the HSL app

The following description applies to the HSL app from version 4.9.0 onwards. The description applying to the previous app version is available here.

We collect travel data via the HSL app to develop public transport and the transport system comprising all modes of transport as well as the related services within the 15 Helsinki region municipalities*.

The collection of travel data is based on your consent, which you can give and withdraw at any time by changing the settings in the HSL app under Travel data. When you give your consent to the collection of your travel data on the HSL app, the HSL app starts tracking your activity and saving data on your travel chains in the HSL data warehouse. If you withdraw your consent to the collection of travel data, the collection will be terminated and the data on your phone that has not yet been sent to HSL’s data warehouse will be deleted. The travel data stored in the HSL data warehouse will be stored until the end of the specified storage period (see section 2 “How long is my data stored” below).

Collection of travel data is completely voluntary. We will not ask for or try to find out your identity when collecting travel data. We will not link the travel data with your customer profile unless you have given your consent to connecting your travel data to your HSL account on the HSL app (see section 1.3 “Connecting travel data to your HSL account” below).

We will also combine travel data with other spatial data available to us, as appropriate. We process all accumulated individual-level data in accordance with our Privacy Policy**.

For more information about the travel data collected, see the Questions & Answers on this page.

*Helsinki, Espoo, Vantaa, Kauniainen, Kirkkonummi, Siuntio, Vihti, Nurmijärvi, Kerava, Tuusula, Järvenpää, Hyvinkää, Mäntsälä, Sipoo and Pornainen.

**see HSL’s Data Protection Policy

1.3 Connecting travel data to your HSL account

Connecting travel data to your HSL account requires your explicit consent in addition to the consent to the collection of travel data. You can give and withdraw your consent at any time by changing the settings in the HSL app under Travel data. We will not connect the travel data and data collected in the surveys and questionnaires to your customer profile unless you have given your consent to connecting your travel to your HSL account on the HSL app.  

From the moment the connection to your HSL account is established, the travel data collected by the HSL app is your personal travel data. This allows you to request access to your travel data and allows your data to be deleted from HSL’s data warehouse, which cannot otherwise be done.

When you connect your travel data to your HSL account on the HSL app, you can use in-app services based on your travel data. If, in addition to connecting your travel data to your HSL account, you also use one or more travel data-based services via the HSL app, HSL may use your travel data together with other information about you not only to improve your mobility options, but also for more targeted research and development of the entire transport system and its services.

If you withdraw your consent to connect your travel data to your HSL account, the connection will be disconnected for all devices on which you are logged in to the same HSL account. After this, requests to access travel data and requests to erase travel data can no longer be executed, and the connection to the previously collected travel data cannot be restored. If you give a new consent, the connection of data only applies to the data collected after the consent has been given.

2 How long is my data stored?

Customer data will be stored for the duration of the customer relationship and thereafter for as long as is necessary to fulfill the rights and obligations of the parties. You are deemed to have terminated the use of the app and your service-specific information will be removed if you have not updated your information for several years, have not logged in using your HSL account and you have not had a valid mobile ticket purchased using the app for several years.

Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.

We will store the data received through survey invitations in the HSL data warehouse for a period specified in the plan of each survey. The storage periods vary from a few months to several years depending on whether the survey in question is a small-scale, individual study or a longer-term pre–post study or a follow-up study. We will keep the responses to the surveys linked to the related travel data as long as the travel data is stored in the data warehouse. After this, only information on the situation to which the survey related will be retained in the survey data.

The travel data is stored in the HSL data warehouse for 28 calendar months. If you have given your explicit consent to connecting your travel data to your HSL account, you can withdraw your consent at any time, after which your travel and survey data can no longer be linked back to you. At the end of this period, the data for the earliest month stored in the data warehouse will be merged into a larger data package.

We store both the travel data and survey and research data in a decentralized way in a data system managed by HSL, which is located on Microsoft servers in the Netherlands. We manage access rights to the data through HSL access control.

Removing the app from your device will not remove the data stored in HSL’s background systems.

3 Who processes the data?

The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. Processors of personal data are bound by professional secrecy and confidentiality. 

Payment service partners, including phone operators, are responsible for ticket invoicing.

If necessary, survey, research and travel data sets collected through the app may be disclosed to service providers acting on behalf of HSL, such as IT companies involved in the processing of data. In individual cases, we may disclose data to the Helsinki region and HSL area municipalities, State transport authorities, research institutions and universities as well as to operators in the transport sector for the purposes of statistical, scientific or historic studies relating to traffic and Helsinki region residents’ travel habits, as well as for planning and studies by authorities.

In such cases, appropriate agreements will be entered into between HSL and the recipient of the data to ensure data protection requirements and appropriate processing of the data.

4 How can I access my data?

You can access and update your information in the HSL app settings. You can update your location and notification permissions in the application settings as well as on your device settings.

For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.

Date of compilation 25 May 2018, updated 3 July 2024 

1 What data is processed in the service and why?

The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.

When you create an HSL account in the HSL.fi service, you are asked to provide the following information:

• Your name. The information is used, for example, for communications.
• Phone number. The information is used, for example, for communications.
• Email address. The information is used, for example, for communications.
• Your age: are you over 15 years of age
• If you are aged 15 or over, we will ask for your consent to send you direct marketing by email or SMS.
• If you are under 15, you will be asked your date of birth.
• Password. The information is used for logging in to services.

When you log in to HSL.fi using your HSL account, you can update your information and settings in the My information section. 

Information about the services you use via your HSL account is connected to your data. These services include, for example, the HSL app and city bikes.

If you log in using your HSL account and authenticate strongly, your personal identity code, name, address information and potential non-disclosure order will be saved and automatically updated from the population information system of the Digital and Population Data Services Agency.

Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement. Direct marketing is based on your consent.

2  How long is my data stored?

Customer data will be stored for the duration of the customer relationship and thereafter for as long as is necessary to fulfill the rights and obligations of the parties. Your service-specific information will be removed if you have not logged in to a service using your HSL account for several years.

You can submit a request for erasure of data at our service point. You need to present an identification document. The contact details of our customer service points are available on our website. Your account will be erased from the system after three years.

Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.

3 Who processes the data?

The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. All persons processing personal data are bound by professional secrecy and confidentiality.

4 How can I access my data?

You can review and update your information in the My information section of the HSL.fi service by logging in using your HSL account.

For more information about the exercise of the rights of data subjects, see Privacy > Rights of data subjects.

Date of compilation 24 May 2018, updated 3 July 2024 

1 What data is processed in the services and why?

The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.

Customer data is collected on individual customers and corporate customers to manage customer relations and to perform the service.

The data includes:

• first name, last name and address (street address, postcode, town/city, home municipality) obtained from the population information system,
• customer’s other address information (street address, postcode, city/town, country),
• invoicing address (street address, postcode, city/town, country),
• phone number,
• email address,
• personal identity code,
• potential non-disclosure order, and
• customer group,
• language,
• consent to direct marketing,
• authorization information,
• “Entitled to a companion” data item,
• refund information, and
• date of death.

The name and address information is automatically updated with information obtained from the population information system of the Digital and Population Data Services Agency.

Personal identity code is used to verify the right to buy a personal HSL card, to store personal data on a multi-user HSL card, as well as to verify the customer’s identity. 

In case of corporate customers, business ID serves as identifying information.

Basic HSL card data includes: 

• HSL card number,
• card type (personal or multi-user),
• issue time of the card,
• HSL card pricing factors (customer group and home municipality),
• language,
• HSL card status information, e.g. card cancellation information or information about a lost and found card; and
• value and season ticket information.

HSL card transaction data includes:

• value and season ticket purchases,
• loading transactions, and
• value transactions.

HSL card activity data includes:

• validation data from onboard card readers (boarding data).

HSL card history data is collected in the backend system to safeguard your rights as well as for the purposes of reconciliation and reporting of sales data and for verifying the accuracy and integrity of transactions on the system level as well as for each individual HSL card. In addition, the data is needed to determine the municipal contributions of HSL’s member municipalities and for public transport planning. 

The following data is processed in the HSL card service: 

• Your HSL account which you use to log in to the service 
• Your email address for the purposes of sending email reminders and receipts
• The card numbers of HSL cards that you have added in the service as well as their names 
• In connection with strong authentication (optional), identifier retrieved from HSL’s ticketing and information system as well as the card numbers of personal HSL cards and their names 
• Notification settings you have added in the services (season ticket and value reminder on / off) 
• Value and season ticket purchases made via the service 
• Information about email reminders that the service has sent you 

The data is processed on the basis of an agreement between the customer and HSL. Your use of HSL’s services constitutes your acceptance of this agreement. HSL also processes the data to perform its basic tasks. Direct marketing is based on your consent.

2 How long is my data stored?

Customer data will be stored for the duration of the customer relationship and thereafter for as long as is necessary to fulfill the rights and obligations of the parties.

Service-specific data about your HSL card will be deleted when the HSL card service in its current form has terminated. HSL will notify customers of the change, of switching to an account-based ticketing system and of the deletion of the data in good time before the changes take effect.

The HSL card number will be stored in the boarding data for the time required to validate tickets and perform other functions essential to the public transport system. Boarding data will be stored in pseudonymized form without the card number for as long as is necessary for the purposes of public transport cost allocation between municipalities, transport planning and research.

Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.

3 Who processes the data?

The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data-processing tasks, and can disclose personal data to them where necessary to perform the tasks. The persons processing the data are bound by professional secrecy and confidentiality.

HSL can disclose customer data to authorities as permitted and required by legislation.

4  How can I access my data?

You can review your HSL card information by logging in to the HSL card service.

You can also use the My Travel Card app available for Android and Windows phones. 

You can check the information of tickets on your HSL card as well as your value balance on a card reader, at a ticket machine or at HSL card sales and service points.

HSL card customer information and card information related to purchase and sales transactions are available as printouts from HSL service points. Please bring with you a valid ID document. You do not need to have your HSL card with you. 

For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.

Updated 3 July 2024

1 What data is processed in the service and why?

The purpose of the processing of personal data is the management of penalty fare notices and collection of payments as well as the development of the controller’s operations.

Under Section 8 of the Act on Penalty Fares in Public Transport (469/1979, a passenger who fails to produce an appropriate ticket must, at an inspector’s request, provide the following personal details to the inspector: their name, personal identity code and address.

The data file contains the following personal data of data subjects:

• The name, personal identity code and address of the person charged with the penalty fare
• Date, time and route on which the penalty fare was issued
• Reason for the penalty fare
• Method of verifying the personal data (driver’s license, passport, etc.)
• First and last name of the ticket inspector who issued the penalty fare
• Incident report
• Information about the payment of the penalty fare (original amount, cancelled/paid/unpaid)
• Number of unpaid penalty fares
• Information about penalty fare enforcement
• Settlements received through enforcement (money/impediment), transfer notices and notices of filing
• Date of the District Court decision on the commencement of debt settlement
• Information about a rectification claim made against the penalty fare and information about the decision concerning the claim
• Information about an appeal lodged in the Administrative Court of Helsinki: (date of the request for information by the Administrative Court and date of the court ruling, retention/repeal of the penalty fare)
• Information about interfering with the inspector
• Information about ticket abuse
• Date of criminal complaint and compensation paid

According to the HSL Public Transport Conditions of Carriage and Ticket Terms and Conditions, a holder of a personal season ticket must, if asked by an inspector, show a reliable proof of their identity. If the passenger does not have an identity document in the event of a ticket inspection, they will be asked to enter their personal identity code, name and address on a personal data form in order to avoid ambiguity and protect the customer’s privacy. The ticket inspector will then check the personal data in the Population Information System.

The personal data forms are intended for HSL’s internal use and are not, in principle, given to passengers.  If a penalty fare is issued, the data will be registered in the penalty fare system and the form is archived. The form will be stored until the penalty fare process is completed. If a penalty fare is not issued, the data will not be registered anywhere; the ticket inspector will securely destroy the personal data form immediately upon arrival at HSL’s premises.

2 How long is my data stored?

The data shall be stored for the current calendar year and the following six (6) calendar years. The retention period is based on Chapter 2, Section 10(2) of the Accounting Act (1336/1997), as the data in question is included ihe subledger subject to the said Act and the storage period provided for therein. Therefore, the data may not be removed from the register before the expiry of the retention period.

3 Who processes the data?

The data is processed by persons who have access to the data to perform their work tasks. Processors of personal data are bound by professional secrecy and confidentiality.

4 How can I access my data?

For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.

Updated 3 July 2024

1 What data is processed in the service and why?

The purposes of the use of customer data are described in general in the HSL Customer Register Privacy Statement.

The data is used to improve HSL’s services and to provide better customer service,  for example, by guiding customers to the right product. Bots may be used to gauge awareness of a product or service in order to better design marketing. In addition, personal data is collected for the purposes of prize draws, prize delivery and targeted marketing.

If you provide your contact details to participate in a prize draw or competition, or if you indicate on the form that you wish to be contacted, your responses can be linked to you. Your personal data is processed based on your consent. If you give your consent to direct marketing via a bot, we may target advertising to you.

The data stored includes data collected via the bot such as
• First name, last name, email address, phone number
• Address
• Date of birth or age category (e.g. 31–40 years)
• Profile (e.g. how you perceive yourself as a public transport user)
• Opinions and data related to user experiences (e.g. experiences of using the website; on what topics would you have liked to have more information; or, e.g. “In my opinion, route number 500 would have been better for the light rail line”)
• Quiz answers (e.g. How many metro stations are there along the light rail line)
• Other open-ended responses and feedback

2 How long is my data stored?

All data collected via a bot will be stored for 13 months.

3 Who processes the data?

The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data processing tasks, and can disclose personal data to them where necessary to perform the tasks. Processors of personal data are bound by professional secrecy and confidentiality.

General analyses of the responses may be made to create proposals of measures to improve services.

4 Rights of the data subject

Withdrawal of consent

You can withdraw any consent to receive marketing communications you have given when taking a quiz or in other similar situations directly on each marketing platform, for example, by blocking advertisements in Meta (Facebook, Instagram), or via the link at the bottom of the marketing email.

For more information about the exercise of the rights of data subjects, see Privacy>Rights of data subjects.

HSL Mobile ticket app

Date of compilation: 24 May 2018, updated 3 July 2024

1 What data is processed in the service and why?

Asiakkaan tietojen yleisiä käyttötarkoituksia on kuvattu HSL:n asiakasrekisterin tietosuojaselosteessa.

Sovelluksen käyttöönoton yhteydessä sinulta kysytään:

• Puhelinnumero ja kotikunta. Puhelinnumeroa käsitellään lipun tilausta ja toimittamista sekä lipun voimassaolon tarkastamista varten. Kotikuntatieto tarvitaan joukkoliikenteen kulujen kuntajakoa varten HSL-kuntayhtymän jäsenkuntien välillä.
• Oletko alle 18-vuotias ja onko sinulla huoltajan suostumus käyttää palvelua.
• Jos olet yli 18-vuotias, sinulta kysytään nimi- ja yhteystiedot (etunimi, sukunimi, postinumero ja sähköpostiosoite). Tietoja hyödynnetään esimerkiksi asiointi- ja viestintätilanteissa.
• Jos olet yli 18-vuotias, voit antaa suoramarkkinointiluvan.
• Maksutapa (korttimaksu tai mobiilimaksu). Mikäli valitset maksutavaksesi korttimaksun, maksupalveluun tallennettavia tietoja ovat maksukortin numero ja viimeinen voimassaolopäivä. Korttitiedot siirretään salatun verkkoyhteyden avulla ja tallennetaan suojatussa PCI DSS –sertifioidussa ympäristössä. Mobiilimaksun osalta operaattori veloittaa liput puhelinlaskulla.

Tietojesi yhteyteen tallentuu tietoja mm. tilatuista lipuista ja sovellusversiosta.

Tietoja käsitellään HSL:n ja sinun välisen sopimuksen perusteella. Sopimus syntyy, kun käytät HSL:n palveluita. HSL käsittelee tietoja myös perustehtäviensä toteuttamiseksi. Suoramarkkinointilupa perustuu antamaasi suostumukseen.

2. Kuinka kauan tietoja säilytetään?

Kirjanpidon kannalta tarpeellisia osto-, myynti-, tilaus-, laskutus- ja maksutietoja säilytetään enintään 10 vuoden ajan.

3. Ketkä käsittelevät tietoja?

Tietoja käsittelevät henkilöt, jotka työtehtäviensä takia tarvitsevat pääsyn tietoihin. HSL käyttää tietojen käsittelyssä sopimuskumppaneita, joille siirretään tehtävien kannalta tarpeellisia tietoja. Henkilötietojen käsittelijät ovat salassapito- ja vaitiolovelvollisia. 

Maksupalvelukumppanit ml. puhelinoperaattorit vastaavat lipun laskutuksesta.

4. Miten voin tarkastaa tietoni?

Lisätietoa rekisteröidyn oikeuksien toteuttamisesta HSL:n verkkosivuilla kohdassa Tietosuoja > Rekisteröidyn oikeudet

HSL Mobile ticket

Date of compilation: 24 May 2018

1 What data is processed in the service and why?

The main purposes of the use of customer’s data are described in the HSL Customer Register Privacy Statement.

Your phone number is processed for ordering and delivering tickets and for checking the validity of your ticket. Your phone operator is responsible for ticket invoicing.

Your data is processed on the basis of an agreement between you and HSL. Your use of HSL’s services constitutes your acceptance of this agreement.

2 How long is my data stored?

Purchase, sales, order, invoicing and payment data necessary for the purposes of accounting will be stored for at most 10 years.

3 Who processes the data?

The data is processed by persons who have access to the data to perform their work tasks. HSL uses contract partners for data processing tasks, and can disclose personal data to them where necessary to perform the tasks. The persons processing personal data are bound by professional secrecy and confidentiality.

Your phone operator is responsible for ticket invoicing.

4 How can I access my data?

You get information about the SMS tickets invoiced from your phone operator.

Verkkokauppa

Laatimispäivä 26.11.2018

1. Mitä tietojani palvelussa käsitellään ja miksi?

Asiakkaan tietojen yleisiä käyttötarkoituksia on kuvattu HSL:n asiakasrekisterin tietosuojaselosteessa.

Verkkokaupassa tietojasi käsitellään tilauksen käsittelemistä ja toimittamista varten. Toimitusehtojen mukaisesti verkkokaupasta voivat tehdä ostoksia vain 15 vuotta täyttäneet henkilöt.

Verkkokaupassa annat tilaajan nimen ja yhteystiedot (etunimi, sukunimi, osoite, postinumero, kaupunki, puhelin, sähköpostiosoite). Tarvittaessa voit antaa toimitustiedot erikseen (etunimi, sukunimi, osoite, postinumero, kaupunki, puhelin).

Henkilökohtaisen HSL-kortin tilauksen yhteydessä tunnistaudut vahvasti verkkopankkitunnuksilla, mobiilivarmenteella tai varmennekortilla. Väestörekisterikeskuksesta saatavan henkilötunnuksen avulla tarkistetaan tietosi, koska sinulla voi olla vain yksi henkilökohtainen HSL-kortti.

Tietoja käsitellään HSL:n ja sinun välisen sopimuksen perusteella. Sopimus syntyy, kun käytät HSL:n palveluita.

2. Kuinka kauan tietoja säilytetään?

Kirjanpidon kannalta tarpeellisia osto-, myynti-, tilaus-, laskutus- ja maksutietoja säilytetään enintään 10 vuoden ajan. Henkilötunnusta säilytetään enintään 2 viikkoa.

3. Ketkä käsittelevät tietoja?

Tietoja käsittelevät henkilöt, jotka työtehtäviensä takia tarvitsevat pääsyn tietoihin. HSL käyttää tietojen käsittelyssä sopimuskumppaneita, joille siirretään tehtävien kannalta tarpeellisia tietoja. Henkilötietojen käsittelijät ovat salassapito- ja vaitiolovelvollisia. Maksamisen osalta tietoja välitetään maksupalvelukumppanille ja tilausten toimituksen osalta varastointi- ja logistiikkakumppanille.

4. Miten voin tarkastaa tietoni?

Lisätietoa rekisteröidyn oikeuksien toteuttamisesta HSL:n verkkosivuilla kohdassa Tietosuoja > Rekisteröidyn oikeudet.

We collect basic information about our customers including, for example, name and address, as well as information needed to provide and develop services. 

The HSL Customer Register Privacy Statement and service-specific privacy notices describe what data is processed in different services.

We primarily collect information directly from customers when they register for or use a service. We also collet information from other sources such as the population information system of the Digital and Population Data Services Agency.

We collect personal data about our customers to provide our customers with transport services.

The storage period depends on the service used, and it is always based on the legal basis for processing. 

Your personal data is processed by HSL’ employees whose duties involve processing of such data, as well as by service providers who provide services for HSL.

We will only disclose personal data to third parties when obliged by law or if explicit consent has been given to do so.  

Personal data is protected by technical (e.g. storage in locked premises, use of firewalls) and organizational (e.g. restricted access and non-disclosure agreements) measures. 

We will ensure that any data that is subject to a non-disclosure order obtained from the population information system is not disclosed or made available to any third party unless otherwise provided by law. The data may only be processed by designated persons whose duties directly involve processing of such data.

Our websites use cookies. Cookies are small text files, which are stored on a user’s computer. They enable the user to save their service login information, for example. The cookies enhance the user experience and help us to improve our services. You can change your browser settings to enable or disable cookies or block them altogether. However, disabling cookies may affect your ability to access and use certain features of the services.

We use the common target groups provided by advertisement media (such as news sites, social media and Google services) to target ads. The target groups are based on information provided by the users or on classifications made based on browser use. The information used include, for example, age, gender, areas of interest and location. In addition, we use cookies to target ads to web browsers used to visit our services.

On Meta's, TikTok's, Google's, Alma Media's and Sanoma’s ad networks, we use customized target groups created by identifying those customers who also use Meta's services or have a TikTok, Google, Alma or Sanoma Account. We do not receive any information on what identifiers are included in the final target group, and Meta, TikTok, Google, Alma Media and Sanoma, on the other hand, are not aware of the identity behind the identifier or why HSL wants to target advertising to them. Meta, TikTok, Google, Alma Media and Sanoma are committed to using the target group only for HSL’s marketing.

As to fan and community pages on Facebook and Instagram, Meta Platforms Ireland Limited and HSL are join controllers, where applicable.

The HSL Customer Register Privacy Statement and terms governing the processing of personal data specified in each service are applied when you use HSL’s mobile services. These terms are stated and you must agree to them when signing in to a service.

We use your device location information if you are using HSL’s mobile services, have agreed to the use of location information and if you have enabled location services in your device settings.

Before the first ticket purchase, you log in using your strongly authenticated HSL account and give your authorization. If you do not have a strongly authenticated HSL account, you can create an account and/or perform strong authentication of your HSL account and then give your authorization. Your authorization allows the MaaS operator to buy personal HSL mobile tickets on your behalf.

The authorization is valid for 12 months from the latest ticket purchase requiring the operator to act on your behalf, unless you withdraw it. HSL will forward your authorization and the data required for purchasing tickets, in encrypted form, to the Maas operator authorized to act on your behalf. In addition to your authorization, your home municipality will be stored in HSL’s customer register for the purposes of public transport cost allocation between municipalities.

In order to authorize a MaaS operator to buy personal tickets on your behalf, you need to have a strongly authenticated HSL account. You can also set up the account when making the authorization. Ending the use of the MaaS service will not terminate your customer relationship with HSL. You can read more about the HSL account and terminating your account under the service-specific privacy notices  (HSL account) at hsl.fi/privacy.

We use your phone number for the purposes of processing your order, delivering your ticket, checking the validity of your ticket and for solving any problems you may experience.

We collect and save

• travel routes,
• times of the different parts of your journey,
• modes of transport used on different parts of the journey, and
• any HSL Bluetooth beacons detected.

We interpret the information using the location data of your smartphone or smart device and the data collected by motion detectors. In addition, we use data from Bluetooth beacons located in public transport vehicles and at stations and stops, as well as information about the location of HSL’s public transport vehicles along their routes.

We store the travel data and data from surveys and questionnaires in the following way:

• For the time being, we only save and use travel data for journeys made within the 15 municipalities* of the Helsinki region.
• Once you have enabled the collection of your travel and location data on the HSL app, we will collect your travel data regardless of whether you use public transport for your journey or not.
• We use random identifiers generated by smartphones or devices and the back-end system as identifiers. We will link data obtained from the same HSL app using these identifiers.
• When you travel by public transport services or in their immediate vicinity, we save your route in detail. For the other parts of the journey, only information about the areas where you travel is saved. The start and end times of the journey are rounded to the nearest 15 minutes, but the times of any changes in the mode of transport observed during the journey are not rounded.
• We use the 250-meter YKR grid** to indicate the locations. If the journey starts or ends in a grid cell with only a small number of residents, the first or last cells of the travel chain are not saved to ensure that the journeys of individuals residing in the areas covered by individual cells would not stand out among other journeys.
• After the storage period, we will merge the travel data into larger sets, for example, by deleting the random identifiers, combining the journey observations in the data set and by averaging them, and by using larger grid cells in sparsely populated areas. After the merging of data, we will destroy the individual-level data for the month in question and store the merged data in the HSL data warehouse for long-term reviews and studies.
• We do not intend to collect travel data of children aged under 15. Children aged under 15 are excluded from the data collection based on the age customers have provided on the HSL app.

*Helsinki, Espoo, Vantaa, Kauniainen, Kirkkonummi, Siuntio, Vihti, Nurmijärvi, Kerava, Tuusula, Järvenpää, Hyvinkää, Mäntsälä, Sipoo and Pornainen.

**YKR = Yhdyskuntarakenteen seurantajärjestelmä (Monitoring System of Spatial Structure and Urban Form; the website is in Finnish)

We may change our privacy policy information if need be. We will inform our customers of any changes on our website.

We process personal data in compliance with the EU's General Data Protection Regulation (2016/679), national legislation on personal data protection and other applicable special provisions and applicable general legislation such as the Local Government Act, Administrative Procedure Act and Act on the Openness of Government Activities.

You can contact HSL customer service on +358 9 4766 4000 (Mon-Fri 7am-7pm, Sat-Sun 9am-5pm).

In addition, HSL has a Data Protection Officer whom you can contact at tietosuojavastaava@hsl.fi.