Privacy statement


Information document (Privacy statement) on the processing of personal data in Helsinki Congress Paasitorni’s customer register in accordance with the EU General Data Protection Regulation


1. Controller of the data file

Helsinki Congress Paasitorni, business ID 0201307-5
Paasivuorenkatu 5 A, 00530 Helsinki, Finland
+358 (0)9 7089 611,


2. Contact person in matters concerning the data file

The contact person in matters related to the data file and the exercise of the rights of the data subject is
Kati Kosonen, Marketing Manager, +358 (0)9 7089 691,


3. Name of the data file

Helsinki Congress Paasitorni’s customer register


4. Legal basis for the processing of personal data

The processing of personal data in the customer register is based on the customer relationship between consumer customers or corporate customers and Helsinki Congress Paasitorni.


5. Purposes of the processing of personal data

  • management and development of the customer relationship, including customer feedback
  • customer communication
  • processing of the reservations made by the customer
  • sales and provision of services
  • payment and invoicing of services and monitoring and collection of payments
  • marketing of the controller’s services
  • development of the controller’s business operations and customer service
  • information on the customer’s special dietary needs will only be used for preparing and serving food


6. Processed personal data

  • name and job title of a corporate customer or name of a consumer customer; address, e-mail address, telephone number
  • reservation details
  • information on the customer’s payment methods, invoicing and any payment delays
  • information as to whether the customer has prohibited use of their personal data for direct marketing purposes
  • information regarding the use of services, service needs and purchases
  • any customer feedback and complaint details
  • information on special dietary needs, if any


7. Sources of personal data

  • directly from the data subject
  • when updating name and address information, address information systems or publicly available internet sources
  • use of services and purchases
  • key partners responsible for the provision of Paasitorni’s services: the restaurant operator (Graniittiravintolat Oy) or hotel operator (Scandic Finland)


8. Recipients or groups of recipients of personal data

  • key partners responsible for the provision of Paasitorni’s services: the restaurant operator (Graniittiravintolat Oy) or hotel operator (Scandic Finland) insofar as the partner concerned needs this data in the provision of its services
  • other processors of personal data:
  • customer register software and its maintenance services: Navakka
  • advertising and marketing: Don & Branco
  • direct marketing communications: MailChimp
  • event marketing and management: Lyyti
  • online chatbots: Leadoo Marketing Technologies
  • or, in the future, the partners chosen for these tasks
  • data may be disclosed to the authorities based on their requests for information under the law


9. Cookies

Paasitorni and its business partners use technologies, including cookies, to collect information for various purposes, including: 1. Functional, 2. Statistical, 3. Marketing.

Functional cookies perform essential functions for our website. A cookie is a small data file stored in your computer, tablet or smartphone. A cookie is not a program that can contain harmful malware or virus.

Cookies also help us get an overview of your visit to our website so we can continuously optimize and tailor the experience to your needs and interests. For example, cookies remember things like: whether you have visited our website before; if you are logged in; and the specific language you prefer to see on the website. We also use cookies to target our ads specifically to you on other websites. In general, we use cookies as part of our service to present you with content that is as relevant to you as possible.

You can change your consent at any time by either deleting cookies from your browser or by clicking the small icon at the bottom left corner of the website and then declining all cookies.

We also use Leadoo’s tracking service to follow what users are doing on the site and combine this behavioral data with other data we can gather from e.g. chat interactions. Leadoo uses etag tracking in order to hook together the same user’s behavior over several sessions – in practice this works similarly to cookie based tracking.

Please check out Leadoo Marketing Technologies’ Privacy Policy for more information on what is tracked and what your rights are. Leadoo works as the Processor and Paasitorni as the Controller for the data in terms of GDPR.

You can stop the tracking by emptying your browser’s cache after the visit or by declining Statistical cookies. For more on how Leadoo works as a GDPR compliant processor, see


10. Transfer of data outside the EU

Personal data can be transferred to a third party outside the EU:

  • MailChimp (the United States), partner responsible for the direct marketing communications software
    • MailChimp certifies to the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, and with the EU-US Data Privacy Framework. It is legal to transfer contact data from the EU to MailChimp in the U.S. For more information see
  • Google Marketing Platform (the United States), responsible for website user tracking (Google Analytics 4) and digital advertising (Google Ads)
    • As described in Google’s Data Privacy Framework certification, Google complies with the EU-U.S. and Swiss-U.S. Data Privacy Frameworks (DPF) and the UK Extension to the EU-U.S. DPF as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal information from the EEA, Switzerland and the UK, respectively.
  • Meta Platforms, Inc. (the United States), responsible for website user tracking (Meta Pixel) and digital advertising (Facebook/Instagram)
    • Meta Platforms Inc. has certified their participation in the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework (collectively, the ”DPF”) with the U.S.
  • LinkedIn Corporation (the United States), responsible for website user tracking (LinkedIn Insights Tag) and digital advertising (LinkedIn Ads).
    • LinkedIn Corporation has recently withdrawn their participation in the EU-U.S. Data Privacy Framework. LinkedIn relies on European Commission-approved Standard Contractual Clauses as a legal mechanism for data transfers from the EU. These clauses are contractual commitments between companies transferring personal data (for example, from LinkedIn Ireland Unlimited Company or its customers to LinkedIn Corporation), binding them to protect the privacy and security of the data. LinkedIn companies adopted Standard Contractual Clauses so that the data flows necessary to provide, maintain, and develop LinkedIn services take place legally.


11. Retention period of personal data

The customer’s personal data contained in the customer register will be processed during the customer relationship. The controller considers the customer relationship to have ended if the customer has not used Paasitorni’s services or requested an offer from Paasitorni for three (3) years. This period of time will be calculated from the end of the calendar year in which the customer last used the services. The data will be erased within three (3) years of the end of the customer relationship unless there are other legitimate grounds for retaining the data.

When the customer relationship ends, the customer’s data may be transferred to the company’s marketing register with regard to those persons who have not prohibited direct marketing.


12. Rights of the data subject

The processing of the personal data contained in the customer register is based on the controller’s legitimate interest. The legitimate interest is constituted by the customer relationship.

The data subject has the

  • right to access their data (right of access)
  • right to have their data rectified
  • right to have their data erased
  • right to object to the processing of their data
  • right to request restriction of processing
  • right to transfer the data from one system to another

Right to object:
The data subject shall at any time have the right to object to the use of their personal data in direct marketing. If the data subject objects to the use of personal data in direct marketing, they will no longer be processed for this purpose.


13. Protection of the data file

The data are stored in Helsinki Congress Paasitorni’s ERP system and databases that are not accessible to parties other than those authorised by Paasitorni. Access to the data file is restricted to those persons in the controller’s employ and other specified persons who need this data in the discharge of their duties. They have usernames and passwords assigned to them. The systems containing the data file are protected by a firewall and other relevant technologies.


14. Right to file a complaint with a supervisory authority

The data subject has the right to file a complaint with the competent supervisory authority if the data subject considers that the controller has failed to comply with the applicable data protection regulations in its operations.


15. Requests related to the exercise of the rights of the data subject

In matters related to the processing of personal data and in situations related to the exercise of their rights as a data subject, the data subject may contact the controller’s contact person indicated in section 2.

A request concerning the right of access or any another request concerning the exercise of the data subject’s rights shall be submitted to the controller in writing either by e-mail or by post. The request may also be made in person at the controller’s place of business.

The controller may ask the data subject to specify in sufficient detail which data or processing actions the data subject’s request concerns.

In order to ensure that personal data is not disclosed to parties other than the data subject themself for the purpose of exercising the data subject’s rights, the controller may, where necessary, request the data subject to sign the access request. The controller may also ask the person submitting the request to prove their identity with an official identity card or in some other reliable manner.