Data Protection Statement for the Customers and Musicians of the Primo Event Service of the University of the Arts Helsinki

Articles 13 and 14 of the EU General Data Protection Regulation. Informing a data subject. Drawn up on May 21, 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

Production Secretary Miisa Järvi
E-mail address:, telephone: +358 40 710 4334

3. Contact persons for handling personal data

Producer Anne Toppila
E-mail address:, telephone: +358 50 526 1970

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address:

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Name of register

Rukkis / customer and musician register of the Primo event service

The Primo event service co-operates with customers (enterprises and communities) for whose various events musical programme is produced. The event service processes, in addition to its customers’ personal data, also those of the musicians booked by the event service to perform in customers’ events. 

The purpose of processing information about enterprises and their contact persons is to attend to a customer relationship, and the purpose of processing information about performers is to book performers via the event service for customers’ events and to prepare and execute performance agreements: 

  • processing a request for offer made by a customer and making a programme offer to the customer 
  • contacting the performer of the event 
  • concluding a programme agreement with the customer 
  • concluding performance agreements with the performers 
  • invoicing the customer 
  • paying performers’ fees

We keep the customers’ contact information on file also after the event in order to be able to serve them better. From the customer data, we see e.g. what kind of programme has been produced for them on previous occasions so that we are able to offer them new alternatives. We also see what kind of entertainment they usually like.

The musicians’ and ensembles’ contact information is kept on file so that they can be contacted in matters relating to events. 

We send our customers newsletters and invite our regular customers to various events. 

The legal basis for processing personal data is comprised of the execution of agreements as regards both customers and musicians and of the legitimate interest in handling customer accounts.

When processing personal data, we do not make use of automated decision-making and profiling as referred to in the Data Protection Regulation.

7. What data do we process?

In conjunction with the customer and musician register, we process the following personal data:

  • Information about the customer’s contact person: name of enterprise/community and name, e-mail address, telephone number, and address of contact person
  • Information about the customer account and the agreement: information about past and current agreements and orders/bookings
  • Basic information about the performer: ensemble or band/name, e-mail address, telephone number and address of contact person
  • Personal data related to payment of fees: these have been described as part of the statement of the University of the Arts Helsinki regarding the processing of the personal data of people in a non-work or non-study relationship with the University

Providing the information listed above is a prerequisite for establishing a contractual and/or customer relationship and for concluding a performer agreement. Without the necessary personal data, we cannot deliver the service.

8. Where do we get information?

We get information directly from the customers and musicians. Customers provide information when they contact the Primo event service. Musicians give their information when offering their services.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

We do not disclose register data to outside parties. In our service, we use subcontractors with which we have concluded agreements on processing personal data. We do not transfer personal data beyond the EU or outside the EEA.

10. How do we protect data and how long will we keep them?

Only those of our employees who are authorized to process customer information in their line of work are entitled to use the system containing personal data. Each user has a personal user ID and a password for the system. The data are gathered in databases protected with firewalls, passwords, and other technical means. The databases and their backup copies are situated in locked spaces, and the data can only be accessed by certain pre-named persons.

We keep personal data on file for as long as is necessary for the intended use of personal data. Both the customers and the performers may ask for their data to be erased from our register. We annually check our customer and performer data and erase outdated data (data not used for benefit in a period of three years).

11. What are your rights as a data subject?

Data subjects are entitled to check the data concerning them and stored in the personal data register and to require erroneous, outdated, unnecessary, or unlawful data to be rectified or erased. In case a data subject has personal access to their data, they can modify their data themselves. In case processing is based on a consent, a data subject also has the right to withdraw his or her consent or to alter it.

As of May 25, 2018, data subjects have, according to the Data Protection Regulation, the right to object to processing or to request restriction of processing of data as well as to lodge a complaint with a supervisory authority on processing personal data.

For specific reasons of personal nature, data subjects also have the right to object to processing activities concerning them when processing data is based on our legitimate interest. In conjunction with the request, the data subject shall specify the particular situation on the basis of which he or she objects to processing. We may refuse to execute an objection-related request only on the basis of grounds stated in law.

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman, whose contact information is available in the web address) to look into the matter.

A person has at all times the right to withdraw his or her consent for electronic direct marketing via the Unsubscribe feature of direct-marketing letters or by contacting the contact person of account management.

12. With whom can you get in touch?

All questions on the processing of personal data as described in this data protection statement are to be asked by getting in touch with the contact person named in Point three who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point four.