This privacy notice contains information for data subjects, in accordance with the EU General Data Protection Regulation (679/2016). This policy was prepared on 21 May 2018.
1. Name of the register
The National Museum of Finland’s customer register
2. Controller and the controller’s contact information
Name: The Finnish Heritage Agency
Address: Street address: Sturenkatu 2a, Helsinki
Postal address: PO Box 913, FI-00101, Helsinki
Record Office: +358 (0)295 33 6080
3. Data protection officer’s contact information
telephone: +358 (0)29 533 1000 (switchboard)
4. Purpose and legal basis of processing personal data
Purpose of processing:
Personal data are used in the customer service, marketing and communications processes of the National Museum of Finland.
Legal basis for processing:
– Customer data are collected with the customer’s consent (the EU GDPR, Article 6(1)(a).)
– Customer data are received on the basis of a customer relationship (the EU GDPR, Article 6(1)(b).)
5. Data content of the register/categories of personal data
We collect the following data from our customers:
– First and last name
– Telephone number
– E-mail address
– IP address
6. Recipients of personal data or categories of recipients
With regard to services that are subject to a fee, data are regularly disclosed to Palkeet (the Finnish Government Shared Services Centre for Finance and HR) for invoicing purposes. Personal data may be processed in invitations and registrations as part of event management.
7. Transfer of personal data to third countries or international organisations
The National Museum of Finland/Finnish Heritage Agency does not disclose the personal data stored in the customer register of the National Museum of Finland to third countries or international organisations.
8. Storage period of personal data or the criteria used to determine the period
In principle, personal data are stored for marketing purposes for six (6) months, after which we erase the data.
9. Protecting the processing of personal data
Personal data stored in the customer register of the National Museum of Finland are processed confidentially.
The National Museum of Finland/Finnish Heritage Agency has implemented the necessary technical and organisational measures and also requires this from the processors of personal data. Access to the data is limited to employees who need them in order to perform their duties.
10. Rights of data subjects
Data subjects have the following rights, and requests related to the exercising of these rights must be sent to firstname.lastname@example.org.
Right of access
Data subjects have the right to access their personal data stored in our registers. If you notice any mistakes or omissions in your data, you can ask us to correct or complement the data.
Right to object
Data subjects have the right to object to the processing of their personal data at any moment if they feel that the processing has been unlawful or that we have no right to process certain personal data.
Prohibition on direct marketing
Data subjects have the right to prohibit the use of their data for direct marketing purposes at any time. We never sell or otherwise disclose your personal data to other parties so that they could subject you to direct marketing.
We purchase online marketing services from, for example, Facebook and Google. However, these companies never receive your personal data, and this marketing is not direct marketing and is instead based on cookies. For more information, see the chapter on cookies.
Right to erasure
If you feel that we do not need to process some of your data in order to perform our duties, you have the right to request the erasure of these data. We will process your request and either erase your data or give you the justified reason for not erasing your data. If you disagree with our decision, you have the right to lodge an appeal with the Data Security Ombudsman. You may also require us to restrict the processing of the disputed data while the case is being processed. If the data subject thinks that the processing of their personal data is unlawful, the data subject has the right to lodge an appeal with the Data Security Ombudsman.
11. Source from which the personal data originate, and if applicable, whether they came from publicly accessible sources
The personal data come from the data subjects.
12. Are the data used for automatic decision-making and/or profiling
The registered data are not subject to automatic profiling or decision-making.