Privacy statement

HELSINKI CONGRESS PAASITORNI, CUSTOMER REGISTER

Information document (Privacy statement) on the processing of personal data in Helsinki Congress Paasitorni’s customer register in accordance with the EU General Data Protection Regulation

 

1. Controller of the data file

Helsinki Congress Paasitorni, business ID 0201307-5
Paasivuorenkatu 5 A, 00530 Helsinki, Finland
+358 (0)9 7089 611, sales@paasitorni.fi

 

2. Contact person in matters concerning the data file

The contact person in matters related to the data file and the exercise of the rights of the data subject is
Kati Kosonen, Marketing Manager, +358 (0)9 7089 691, kati.kosonen@paasitorni.fi

 

3. Name of the data file

Helsinki Congress Paasitorni’s customer register

 

4. Legal basis for the processing of personal data

The processing of personal data in the customer register is based on the customer relationship between consumer customers or corporate customers and Helsinki Congress Paasitorni.

 

5. Purposes of the processing of personal data

• management and development of the customer relationship, including customer feedback
• customer communication
• processing of the reservations made by the customer
• sales and provision of services
• payment and invoicing of services and monitoring and collection of payments
• marketing of the controller’s services
• development of the controller’s business operations and customer service
• information on the customer’s special dietary needs will only be used for preparing and serving food

 

6. Processed personal data

• name and job title of a corporate customer or name of a consumer customer; address, e-mail address, telephone number
• reservation details
• information on the customer’s payment methods, invoicing and any payment delays
• information as to whether the customer has prohibited use of their personal data for direct marketing purposes
• information regarding the use of services, service needs and purchases
• any customer feedback and complaint details
• information on special dietary needs, if any

 

7. Sources of personal data

• directly from the data subject
• when updating name and address information, address information systems or publicly available internet sources
• use of services and purchases
• key partners responsible for the provision of Paasitorni’s services: the restaurant operator (Restel Food&Events Tapahtumaravintolat) or hotel operator (Scandic Hotels)

 

8. Recipients or groups of recipients of personal data

• key partners responsible for the provision of Paasitorni’s services: the restaurant operator (Restel Food&Events Tapahtumaravintolat) or hotel operator (Scandic Hotels) insofar as the partner concerned needs this data in the provision of its services
• other processors of personal data:
• customer register software and its maintenance services: Navakka
• advertising and marketing: Don & Branco
• direct marketing communications: MailChimp
• event marketing and management: Lyyti
• online chatbots: Leadoo Marketing Technologies
• or, in the future, the partners chosen for these tasks
• data may be disclosed to the authorities based on their requests for information under the law

 

9. Cookies

Paasitorni and its partners use cookies and other similar technologies to ensure the proper functioning of the website, analyse usage and target marketing. The technologies used can be divided into the following categories:

Functional cookies

Functional cookies are essential for the basic functionality of the website. A cookie is a small text file that the browser stores on the user’s device. A cookie is not a program and does not contain malware or viruses. These cookies are required, for example, to enable the technical operation and basic features of the site.

Statistical cookies and analytics

Statistical cookies and analytics technologies are used to analyse the use of the website. These are used to collect information, for example, about page loads, the user’s navigation of the site and technical events. The information collected is used to develop the website and improve usability.

Website analytics is carried out both as browser-side and server-side tracking. Google Analytics 4 tracking primarily uses 1st party cookies, which are set through the Paasitorni domain. The data collected in this way is statistical in nature and are mainly processed in an anonymised form.

Part of the analytics tracking is implemented server-side via the Stape.io service (server-side tracking). Server-side tracking reduces the use of third-party cookies and improves privacy protection, as technical tracking data is processed through the server infrastructure of the service provider acting on behalf of the controller before the possible transfer of the data to analytics services.

Technologies related to marketing and user interaction

Marketing-related cookies and similar technologies are used to target advertising, measure the effectiveness of campaigns and develop user interaction on the website.

Paasitorni uses user interaction and analytics technology provided by Leadoo Marketing Technologies Oy to monitor how users navigate the website and to develop customer service and website functionality. In Leadoo tracking, website usage data can be combined with information provided voluntarily by the user, such as information provided during chat conversations.

Leadoo utilises eTag-based tracking technology, which is technically different from cookie-based tracking but is regarded as comparable to it in data protection legislation. The use of technology is based on the user’s consent to the extent required by applicable law.

Paasitorni acts as a controller of personal data and Leadoo as a processor of personal data. Further information on the processing is available in Leadoo Marketing Technologies Oy’s Privacy Policy.

Management of cookies and tracking technologies

The user can control the use of cookies and other tracking technologies through cookie settings on the website. The consent can be changed or revoked at any time through the cookie settings of the cookie banner or the website, as well as through browser settings.

The use of statistical and marketing technologies is based on the user’s consent to the extent required by law.

 

10. Transfer of data outside the EU

Personal data may be transferred outside the European Union or the European Economic Area in connection with the following services:

Direct marketing and communication

• Mailchimp (The Rocket Science Group LLC, USA), which is used for direct marketing communications.
  • Mailchimp has certified its compliance with the EU–US Data Privacy Framework, which provides a safeguard mechanism for the transfer of personal data under EU data protection law. Read more

Website analytics and advertising

• Google Marketing Platform (Google LLC / Google Ireland Ltd) is used for tracking website users (Google Analytics 4) and measuring advertising (Google Ads).
  • Google complies with the EU–US Data Privacy Framework and other applicable data protection frameworks for the transfer of personal data.
• Meta Platforms, Inc. (United States). Meta Pixel technology is used for statistical tracking and optimisation of the effectiveness of advertising.
  • Meta Platforms, Inc. has certified its participation in the EU–US Data Privacy Framework system.
• LinkedIn Corporation (United States). LinkedIn Insight Tag technology is used for statistical tracking and measuring the effectiveness of advertising.
  • LinkedIn does not currently belong to the EU–US Data Privacy Framework and transfers of personal data are based on standard contractual clauses approved by the European Commission.

Server-side analytics

• The Stape.io service is used to implement server-side analytics tracking of the website. In Stape.io’s European Hosted solution, data is processed primarily on servers located in the European Union, which reduces the need for the transfer of personal data outside the EU/EEA.

 

11. Retention period of personal data

The customer’s personal data contained in the customer register will be processed during the customer relationship. The controller considers the customer relationship to have ended if the customer has not used Paasitorni’s services or requested an offer from Paasitorni for three (3) years. This period of time will be calculated from the end of the calendar year in which the customer last used the services. The data will be erased within three (3) years of the end of the customer relationship unless there are other legitimate grounds for retaining the data.

When the customer relationship ends, the customer’s data may be transferred to the company’s marketing register with regard to those persons who have not prohibited direct marketing.

 

12. Rights of the data subject

The processing of the personal data contained in the customer register is based on the controller’s legitimate interest. The legitimate interest is constituted by the customer relationship.

The data subject has the

• right to access their data (right of access)
• right to have their data rectified
• right to have their data erased
• right to object to the processing of their data
• right to request restriction of processing
• right to transfer the data from one system to another

Right to object:
The data subject shall at any time have the right to object to the use of their personal data in direct marketing. If the data subject objects to the use of personal data in direct marketing, they will no longer be processed for this purpose.

 

13. Protection of the data file

The data are stored in Helsinki Congress Paasitorni’s ERP system and databases that are not accessible to parties other than those authorised by Paasitorni. Access to the data file is restricted to those persons in the controller’s employ and other specified persons who need this data in the discharge of their duties. They have usernames and passwords assigned to them. The systems containing the data file are protected by a firewall and other relevant technologies.

 

14. Right to file a complaint with a supervisory authority

The data subject has the right to file a complaint with the competent supervisory authority if the data subject considers that the controller has failed to comply with the applicable data protection regulations in its operations.

 

15. Requests related to the exercise of the rights of the data subject

In matters related to the processing of personal data and in situations related to the exercise of their rights as a data subject, the data subject may contact the controller’s contact person indicated in section 2.

A request concerning the right of access or any another request concerning the exercise of the data subject’s rights shall be submitted to the controller in writing either by e-mail or by post. The request may also be made in person at the controller’s place of business.

The controller may ask the data subject to specify in sufficient detail which data or processing actions the data subject’s request concerns.

In order to ensure that personal data is not disclosed to parties other than the data subject themself for the purpose of exercising the data subject’s rights, the controller may, where necessary, request the data subject to sign the access request. The controller may also ask the person submitting the request to prove their identity with an official identity card or in some other reliable manner.