HELSINKI CONGRESS PAASITORNI, CUSTOMER REGISTER
Information document (Privacy statement) on the processing of personal data in Helsinki Congress Paasitorni’s customer register in accordance with the EU General Data Protection Regulation
1. Controller of the data file
Helsinki Congress Paasitorni, business ID 0201307-5
Paasivuorenkatu 5 A, 00530 Helsinki, Finland
+358 (0)9 7089 611, email@example.com
2. Contact person in matters concerning the data file
The contact person in matters related to the data file and the exercise of the rights of the data subject is
Kati Kosonen, Marketing Manager, +358 (0)9 7089 691, firstname.lastname@example.org
3. Name of the data file
Helsinki Congress Paasitorni’s customer register
4. Legal basis for the processing of personal data
The processing of personal data in the customer register is based on the customer relationship between consumer customers or corporate customers and Helsinki Congress Paasitorni.
5. Purposes of the processing of personal data
- management and development of the customer relationship, including customer feedback
- customer communication
- processing of the reservations made by the customer
- sales and provision of services
- payment and invoicing of services and monitoring and collection of payments
- marketing of the controller’s services
- development of the controller’s business operations and customer service
- information on the customer’s special dietary needs will only be used for preparing and serving food
6. Processed personal data
- name and job title of a corporate customer or name of a consumer customer; address, e-mail address, telephone number
- reservation details
- information on the customer’s payment methods, invoicing and any payment delays
- information as to whether the customer has prohibited use of their personal data for direct marketing purposes
- information regarding the use of services, service needs and purchases
- any customer feedback and complaint details
- information on special dietary needs, if any
7. Sources of personal data
- directly from the data subject
- when updating name and address information, address information systems or publicly available internet sources
- use of services and purchases
- key partners responsible for the provision of Paasitorni’s services: the restaurant operator (Graniittiravintolat Oy) or hotel operator (Scandic Finland)
8. Recipients or groups of recipients of personal data
- key partners responsible for the provision of Paasitorni’s services: the restaurant operator (Graniittiravintolat Oy) or hotel operator (Scandic Finland) insofar as the partner concerned needs this data in the provision of its services
- other processors of personal data:
- customer register software and its maintenance services: Navakka
- advertising and marketing: Don & Branco
- direct marketing communications: MailChimp
- event marketing and management: Lyyti
- or, in the future, the partners chosen for these tasks
- data may be disclosed to the authorities based on their requests for information under the law
9. Transfer of data outside the EU
- personal data can be transferred to a third party outside the EU: MailChimp (the United States), partner responsible for the direct marketing communications software
* MailChimp certifies to the EU-U.S. Privacy Shield Framework and the Swiss-U.S Privacy Shield Framework, and it is legal to transfer contact data from the EU to MailChimp in the U.S.
10. Retention period of personal data
The customer’s personal data contained in the customer register will be processed during the customer relationship. The controller considers the customer relationship to have ended if the customer has not used Paasitorni’s services or requested an offer from Paasitorni for three (3) years. This period of time will be calculated from the end of the calendar year in which the customer last used the services. The data will be erased within three (3) years of the end of the customer relationship unless there are other legitimate grounds for retaining the data.
When the customer relationship ends, the customer’s data may be transferred to the company’s marketing register with regard to those persons who have not prohibited direct marketing.
11. Rights of the data subject
The processing of the personal data contained in the customer register is based on the controller’s legitimate interest. The legitimate interest is constituted by the customer relationship.
The data subject has the
- right to access their data (right of access)
- right to have their data rectified
- right to have their data erased
- right to object to the processing of their data
- right to request restriction of processing
- right to transfer the data from one system to another
Right to object:
The data subject shall at any time have the right to object to the use of their personal data in direct marketing. If the data subject objects to the use of personal data in direct marketing, they will no longer be processed for this purpose.
12. Protection of the data file
The data are stored in Helsinki Congress Paasitorni’s ERP system and databases that are not accessible to parties other than those authorised by Paasitorni. Access to the data file is restricted to those persons in the controller’s employ and other specified persons who need this data in the discharge of their duties. They have usernames and passwords assigned to them. The systems containing the data file are protected by a firewall and other relevant technologies.
13. Right to file a complaint with a supervisory authority
The data subject has the right to file a complaint with the competent supervisory authority if the data subject considers that the controller has failed to comply with the applicable data protection regulations in its operations.
14. Requests related to the exercise of the rights of the data subject
In matters related to the processing of personal data and in situations related to the exercise of their rights as a data subject, the data subject may contact the controller’s contact person indicated in section 2.
A request concerning the right of access or any another request concerning the exercise of the data subject’s rights shall be submitted to the controller in writing either by e-mail or by post. The request may also be made in person at the controller’s place of business.
The controller may ask the data subject to specify in sufficient detail which data or processing actions the data subject’s request concerns.
In order to ensure that personal data is not disclosed to parties other than the data subject themself for the purpose of exercising the data subject’s rights, the controller may, where necessary, request the data subject to sign the access request. The controller may also ask the person submitting the request to prove their identity with an official identity card or in some other reliable manner.