Data Protection Statement for the Event Enrolment Service in the Customer Register of the Theatre Academy of the University of the Arts Helsinki

Articles 13 and 14 of the EU General Data Protection Regulation Informing a data subject. Drawn up on May 21, 2018

Published 31.1.2020 | Updated 30.1.2023

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

Director Jyri Pulkkinen
E-mail address: firstname.lastname@uniarts.fi, telephone: +358 50 5722 058

3. Contact persons for handling personal data

Producer Aapo Juusti
E-mail address: firstname.lastname@uniarts.fi, telephone: +358 400 792 099

4. Data protection officer

Legal Counsel Minna Eskola works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address: privacy@uniarts.fi

Telephone: +358 294 47 3490

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Name of register

Event customer register

6. What are the purpose and the legal basis for processing personal data?

The artistic activities of the Theatre Academy of the University of the Arts Helsinki provide students with possibilities to learn how to act as artists as part of their university studies. As part of their studies and their artistic activity, student groups organize events open for the public.

Attendants are required to sign up and an attendance fee is charged from those present other than students and staff members of the University as well as members of certain other special groups. For these purposes, an event customer register is maintained to ensure that only as many spectators attend each event as the capacity of the premises permits. The attendance fees are paid in the sales service and the data are entered in the University event customer register.

The customer register contains a list of people coming to attend each event and information about the price categories of the tickets acquired. When they come to attend an event, those who have acquired a ticket sign up and prove when necessary that they are entitled to the discount ticket that they have acquired or to free admission.

The processing of personal data is based on the legitimate interest of the University on the basis of a customer relationship for the following purposes: establishing statistics on attendance, processing the price categories of the attendance fee, and event communication. One cannot sign up for the events or buy a right to attend without providing personal data.

When processing personal data, we do not make use of automated decision-making and profiling as referred to in the Data Protection Regulation.

7. What data do we process?

In conjunction with the customer register, we process the following personal data on those signing up for an event:

basic information about the data subject: name*
a data subject’s contact information: e-mail address* and telephone number*
eventual other data collected with the data subject’s consent: information about the ticket price category that one is entitled to (standard fare / students / pensioners / theatre and dance professionals / students or staff members of the University of the Arts Student Union (ArtSU), of the Aalto University School of Arts, and of the Degree Programme in Theatre Arts of the University of Tampere / people with season invitations and invitees)

Providing the personal data marked with an asterisk is a prerequisite for establishing our customer relationship. Without the personal data needed, we cannot provide the service.

8. Where do we get information?

We receive information from the person entering the personal data in the event customer register.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

In processing personal data, we use subcontractors working for us. We have outsourced IT administration to a third-party service provider administering and protecting the server on which personal data are saved. We have taken steps with our subcontractors to ensure your data protection by concluding data-processing agreements.

We do not transfer personal data beyond the EU or outside the EEA.

10. How do we protect data and how long will we keep them?

Only those of our employees who are authorized to process customer information in their line of work are entitled to use the system containing personal data. The users paid by the hour to receive event sign-ups and payments who are part of the permanent staff have personal user IDs and passwords into the system. The data are gathered in databases protected with firewalls, passwords, and other technical means. The databases and their backup copies are situated in locked spaces, and the data can only be accessed by certain pre-named persons.

The customer register contains data on the people who have signed up as participants in each event and paid for participation. The data are erased from the customer register after a period of two years.

11. What are your rights as a data subject?

Data subjects are entitled to check the data concerning them and stored in the personal data register and require erroneous, outdated, unnecessary, or unlawful data to be rectified or erased. In case a data subject has personal access to their data, they can modify their data himself or herself. In case processing is based on a consent, a data subject also has the right to withdraw his or her consent or to alter it.

As of May 25, 2018, data subjects have, according to the Data Protection Regulation, the right to object to processing or to request restriction of processing of data as well as to lodge a complaint with a supervisory authority on processing personal data.

For specific reasons of personal nature, data subjects also have the right to object to processing activities concerning them when processing data is based on our legitimate interest. In conjunction with the request, the data subject shall specify the particular situation on the basis of which he or she objects to processing. We may refuse to execute an objection-related request only on the basis of grounds stated in law.

Should the data subject not be satisfied with the way the University has processed his or her personal data, he or she may demand the national data protection authority (in Finland, the Data Protection Ombudsman whose contact information is available in the web address http://www.tietosuoja.fi/en/) to look into the matter.

12. With whom can you get in touch?

You may present your other questions on the processing of personal data as described in this statement by getting in touch with the contact person named in Point three who will, in case of need, forward the matter to the data protection officer. In case you feel that your rights as mentioned in Point 11 are not respected, you may get directly in touch with the University Data Protection Officer named in Point four.