Information for data subjects registered for events at the University of the Arts Helsinki (Uniarts)

Articles 13 and 14 of the EU General Data Protection Regulation. Information for Data Subjects. 21 May 2018

1. Controller

University of the Arts Helsinki

Telephone: +358 294 47 2000 (exchange)

Postal address: P.O. Box 1, FI-00097 UNIARTS

2. Entity and person in charge of processing personal data

The University of the Arts Helsinki’s Theatre Academy

3. Contact persons for the processing of personal data

Producer Aapo Juusti
E-mail, telephone: +358 400 792 099

4. Data protection officer

Specialist Antti Orava works as Data Protection Officer at the University of the Arts Helsinki.

E-mail address:

Telephone: +358 294 47 3568

Postal address: P.O. Box 1, FI-00097 UNIARTS

5. Register’s name

Customer register for events

Events are an integral part of Uniarts’ basic operations.

Event attendees are required to register for events. For this purpose, Uniarts maintains a customer register for events. The register ensures that the spectator capacity for an event is not exceeded. Entry fees for events are paid at the sales service point, and attendees’ personal data are stored in the university’s events customer register.  

The customer register consists of a list of attendees with information about their responses to questions presented to them at the time of event registration.   

The legal basis for personal data processing is the university’s legitimate interest in customer relationships for the following purposes: turnout statistics, charging of fees (if applicable), and event communications. To register for or to buy the right to attend an event, attendees are required to disclose their personal data.

We do not apply automated decision-making or profiling of personal data as referred to in the General Data Processing Regulation.

7. What data do we process?

For the customer register, we process the following data: 

  • the data subject’s basic information: name*
  • the data subject’s contact details: email address*, telephone number*
  • other information gathered with the data subject’s consent: for example, information about food allergies

The disclosure of items marked with an asterisk is a precondition for a customer relationship between Uniarts and the data subject. To be able to render a service, we need the data subject’s personal data.

8. Where do we get information?

We receive data from attendees who register for an event and disclose their personal data.

9. To whom do we disclose and transfer data, and do we transfer data outside the EU or the EEA?

For personal data processing, we work with subcontractors. We have outsourced the administration of our event register to an external service provider. Personal data are stored on a server that is administered and secured by the service provider. We have secured the data subjects’ data protection by concluding personal data processing contracts with our subcontractors. 

Personal data will not be transferred across borders outside the EU/ETA.

10. How do we protect data and how long will we keep them?

The personal data system is not accessible to any of our employees except those who have the right to process customer data. Hourly employees who receive event registrations and fees and permanent staff with the right to access the system have personal user identifiers in the system. The data are stored in databases, which are protected by firewalls, passwords, and other technical measures. The databases and their back-up copies are located in secured facilities, and the data are accessible only to designated individuals. 

The customer register includes data about registered, event-specific attendees who have paid their participation fees. These data are erased from the customer register after two years. Delicate data (such as food allergies) are erased after the event has ended and the data are no longer relevant.

11. What are your rights as a data subject?

Data subjects are entitled to request access to their personal data that is stored in a register of persons and have inaccurate, outdated, unnecessary, or illegal personal data concerning them rectified or erased. If a data subject has access to the data, he or she can edit the data personally. If personal data processing is based on the data subject’s consent, the subject has the right to withdraw or change his or her consent. 

In accordance with the GDPR (as of 25 May 2018), data subjects have the right to object to or request the restriction of the use of their personal data; they also have the right to lodge a complaint about the processing of their personal data with the supervisory authority. 

For extraordinary personal reasons, the data subject has the right to object to a set of processing operations involving his or her personal data when the legal basis for processing is our legitimate interest. The data subject must specify the extraordinary reasons for the objection in his or her request. We have the right to refuse to comply with the request only according to legislative criteria.  

If the data subject is not satisfied with the manner in which the university has processed his or her personal data, the subject can appeal to the national data protection supervisory authorities for an inquest into the matter. In Finland, the national data protection supervisory authority is the Data Protection Ombudsman, whose contact details are available at

12. With whom can you get in touch?

All contacts and requests concerning this record of processing activities must be presented in writing or in person to the contact person mentioned in item two, who will forward the matter to the data protection officer as necessary. If you find that your rights are being neglected, you can contact the university’s data protection officer mentioned in item three directly.