ASM Global Finland Oy
Business identity code: 3315130-7
Address: Sturenkatu 4, 00510 Helsinki
CEO, Emilia Mikkola
2 Purposes and legal basis for the processing of the personal data
ASM Global Finland Oy (“we”, “us”, “ASM Global Finland”) processes personal data for the defined purposes and only to the extent necessary. The purposes and legal basis of the processing of personal data, according to the EU General Data Protection Regulation, are as follows:
2.1 Performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
In relation to the obligations arising from contracts to which the data subject is party, or in the event we are taking steps prior to entering into a contract at the request of the data subject, we process personal data as follows:
- Providing the services, such as event, facility, meeting and catering services, and management of related measures;
- Fulfilling and managing the contractual rights and obligations of the parties in relation to the customer relationship;
- Processing of requests for proposals.
2.2 Compliance with a legal obligation to which we are subject
We are obligated to process your personal data for the following purposes in order to comply with our legal obligations:
- Executing obligations imposed by legislation (for example the Finnish Accounting Act (1336/1997)).
2.3 Data subject’s consent
For the following purposes we process your personal data if you have given your consent for such processing:
- Usage statistics and site optimization management on the websites of House of Culture (cookies).
2.4 Legitimate interests pursued by us or by a third party
We process your personal data under our or a third party’s legitimate interest for the following purposes:
- Management and development of the customer relationship;
- Management and development of our services;
- Execution of draws and competitions;
- Customer surveys and collecting and processing customer feedback;
- Statistical purposes for analysing customer data;
- To protect our business and financial interests, carry out risk management obligations and establish, exercise or defend legal claims.
The legitimate interest is based on the customer relationship between ASM Global Finland Oy and the data subject. When processing personal data based on our legitimate interest, we weigh the benefits and potential disadvantages of processing, and have assessed that our data subjects’ rights and interests do not override our legitimate interest in processing personal data. You have the right to object to the processing of personal data based on legitimate interest.
2.5 Processing of special categories under Article 9 of the EU General Data Protection Regulation
In some cases, we may need to process special categories of personal data in order to take into account a customer’s special needs relating to their health or other physical state. Processing of such special categories of personal data is based on Article 9(2)(e) or (a).
3 Content of the personal data and categories of personal data concerned
We process personal data of the following data subjects:
- Customers organising events and reserving the facilities of House of Culture
- Catering customers
- Customers participating in the events organised by the customers of ASM Global Finland
- Potential customers
- Website visitors
The personal data processed contains the following personal data:
- Basic information of the customer and potential customer, such as first name and last name
- Contact details: phone number, e-mail, address, postal number and place of residence
- The company represented by the data subject (employer) and the position at the company
- The services and/or products chosen by the data subject
- Payment and invoicing details
Provision of the above-described personal data to the controller is a requirement necessary to enter into a contract with the data subject, as collecting such data is a requirement for performing the obligations of the controller. If the data subject does not give this personal data to the controller, then the controller may not be able to make a contract with the data subject.
4 Regular sources of the personal data
Personal data is primarily collected from the data subject, for example, when the data subject reserves and purchases services or products from us. In addition, personal data is collected from the ticketing service provider Lippupiste Oy (Lippu.fi), when the data subject purchases our services through their ticketing services.
We may also collect personal data of the customers organising events and reserving the facilities of House of Culture from public sources such as the Finnish business information system.
5 Data retention
We will retain your personal data only as long as and only to the extent that is necessary in relation to the initial and compatible purposes of processing. In addition, the personal data below will be stored in accordance with the following time periods or criteria used to determine that time period:
- Information related to the customer relationship: for the duration of the customer relationship and for a period of time required under applicable legislation and for settling of possible claims.
- Complaint handling: 7 years from settlement or closure
- Contracts: current year plus 6 years or plus 12 years (if the agreement is executed as a deed)
- Data subject rights requests including subject access requests: current year plus 6 years
- Personal data included in the accounting documents mentioned in the Accounting Act (1336/1997) will be retained for a period of six (6) or ten (10) years from the end of the financial year depending on the nature of the accounting documents. If a provision of law requires that the documents should be retained for a longer period, that provision will be complied with.
We erase special categories of personal data immediately when there no longer is a need for its processing.
We evaluate the need to store personal data regularly. In addition, we perform all possible reasonable measures to ensure that any inaccurate, incorrect or outdated personal data will be deleted or corrected without delay.
6 The recipients or categories of recipients of the personal data and the regular disclosures of personal data
We share your personal data within ASM Group when we have a genuine business need for that.
We may share your personal data with third parties in connection with an event or other service or product we provide, including ticketing agents, security providers, event promoters and promoter ticket agents. These third parties include Lippu.fi who sell tickets for events at the venue of House of Culture.
We use external service providers (data processors) acting on our behalf when needed. We have agreed on a data processing agreement with all our data processors. We require all our data processors to respect the security of the personal data and to treat it in accordance with the law. We do not allow our data processors to use the personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions.
In addition, we use certain ICT service providers acting as data processors and providing different technical systems and services in accordance with the contracts and data processing conditions agreed with them. You can contact us for more information about our ICT providers.
We may disclose the personal data to third parties based on our legal obligations or based on the official disclosure requests of the recipients under applicable legislation.
7 Transfer of the personal data outside the EU or the EEA or to an international organisation
The personal data is transferred outside the EU or the EEA in cases where needed, for example to ICT suppliers and within ASM Group. In these cases, we ensure the lawfulness of the transfer by using appropriate safeguards. A copy of them is available by contacting the contact person mentioned above.
8 Description of the security principles
We have appropriate security measures in place to prevent your personal data being accidentally lost, or used or accessed in an unauthorised way, altered or disclosed. We also limit access to your personal data to personnel who have a genuine business need to know it to fulfil their duties. All personnel who have access to your personal data will only process your personal data on our instructions and they shall be subject to a duty of confidentiality.
We also have policies and procedures in place to deal with any suspected data breach so that we can act quickly to minimise any potential damage. We will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
We technically restrict access to our information systems with personal usernames and passwords, and the necessity of access rights is regularly assessed. In addition, we collect appropriate user log data regarding our systems.
9 Automated decision making and profiling
Customers’ personal data will be processed by means of automated decision making or profiling.
For more information about the cookies we use and the reasons why we use them, please see our Cookies Policy. We request your consent before using analytical or performance cookies, functionality cookies or targeting cookies, but do not require your consent to use strictly necessary cookies.
11 Rights of the data subject
You have a number of important rights in respect of personal data that we process about you. Those include:
- Right to request access to your information – you can request a copy of your personal data which we hold and to receive certain information relating to that data (this is known as a ‘subject access request’). If you would like a copy of some or all of this information please contact us and let us know what information you would like.
- Right to require us to correct any mistakes in your information – you can require us to rectify inaccurate information or to complete incomplete data. If you would like to do this, please contact us to let us know the information that is incorrect or incomplete and what it should be replaced with.
- Right to object to how we process your personal data – you can ask us, on grounds relating to your particular situation, to stop processing your personal data that is based on legitimate interests pursued by us or a third party, unless our compelling legitimate interests override your interests, rights and freedoms or the processing is necessary for the establishment, exercise or defence of legal claims.
- Right to withdraw your consent – where we are processing personal data relating to you on the basis that we have your consent to do so, you may withdraw your consent at any time (this will not affect the lawfulness of any processing carried out before you withdraw your consent). If you withdraw your consent, we may not be able to provide certain products or services to you.
- Right to restrict processing – you can ask us to suspend the processing of your personal data in certain circumstances. For example, if you have notified us that there is a mistake in the information we hold about you, you may ask us to suspend processing until that mistake is rectified, or if you have objected to our use of your data but we need to verify whether we have overriding legitimate grounds to use it.
- Right to erasure – otherwise known as ‘the right to be forgotten’ – you can ask us to delete or remove your personal data if it is no longer necessary in relation to the purposes for which it was collected or processed or if you have successfully objected to processing (note, however, that we may not always be able to comply with your request for erasure for specific legal reasons which will be notified to you, if applicable, at the time of your request.)
- Right to receive or ask for your personal data to be transferred to a third party in a structured, commonly used and machine-readable format (note that this right only applies to automated processing of personal data concerning and provided by you and to which you initially provided consent for us to use or where we used the information to perform a contract with you).
- The right to lodge a complaint with a supervisory authority – you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that the processing of personal data relating to you infringes the General Data Protection Regulation. In Finland processing of personal data is supervised by the Office of the Data Protection Ombudsman and the contact details can be found on their website https://tietosuoja.fi/en/home.
You can contact the contact person mentioned above in any matters related to requests or questions about your rights.