Name of data file
Customer data file of the Ticket Sales System of the Finnish National Gallery.
Controller of the data file
The controller of the data file is the Finnish National Gallery, which was founded pursuant to the National Gallery Act (889/2013).
Processor of personal data
The processor of personal data is Liveto Group Ltd.
Contact information of the controller
Matters related to data protection and questions regarding the rights of data subjects should primarily be submitted in writing directly to the controller at: The Finnish National Gallery, Registry, Kaivokatu 2, 00100 Helsinki, Finland or by email at kirjaamo@kansallisgalleria.fi.
Purpose of the data file
The purpose of the data file is the processing, delivery, documentation and archiving of orders from customers of the Finnish National Gallery’s Ticket Sales System, providing customer support, receiving payment for orders, improving the site’s user experience and developing operations, collecting customer feedback, general statistical purposes, sending the newsletter subscribed to by the customer as well as marketing approved by the customer or authorised by law.
Legal basis for processing personal data
The Finnish National Gallery’s way of processing personal data is based on the EU General Data Protection Regulation 2016/679 and the Finnish Data Protection Act 1050/2018.
The grounds justifying the processing of personal data are the grounds listed in Article 6 of the EU General Data Protection Regulation. These include processing a person’s data or adding them to a data file based on consent, contract, legitimate interest or legal obligation. If the basis is a legitimate interest, there is a customer or other relevant relationship between the Finnish National Gallery and the data subject, which justifies the processing of personal data to enable communication between the parties.
Impact assessments related to the requirements of necessity and proportionality have been carried out for all processing of personal data. Data are stored as permitted by law and for as long as the functional connection to the original purpose of use is maintained. The premise is minimizing the periods for which data are stored so that no unnecessary data are kept, in which case the data are anonymized or destroyed in a secure manner.
What data are collected
The data collected in the data file may be:
- provided by the data subject
- obtained or collected to implement the functions of the Ticket Sales System, or
- recorded in the course of the documentation of the functions of the Ticket Sales System.
Data provided by the data subject to the Ticket Sales System may include the following:
first and last name
company name
- email address and telephone number
- street address, postal code, town or city and country
- details of processed orders (ordered products, order amount, discount codes)
- order payment methods and related details (not payment card information)
- permissions, consents and information on the data subject’s language or other similar choices
- interests, preferences and thematic priorities, and
- other information provided by the data subject, such as the details entered as additional information on forms and in data fields.
Data observed and derived from the use of the Ticket Sales System include:
- data collected by analytics systems
- customer communication data, e.g. information on link clicks
- the website from which the user was redirected to the Ticket Sales System
- device identifiers, such as device model and unique device and/or cookie identifier
- data collection channel: browser, mobile browser, application and browser version
- IP address
- device operating system
- session ID as well as time and duration of session
- location data, and
- data associated with the user, based on the user’s history of use of the Ticket Sales System services, derived from observed use and/or information provided by the user, such as demographics, interests and other user categories.
The processor does not collect personal data
The system produces the following data in anonymised form:
- total number of page views;
- number of times the webshop was opened;
- number of orders started, and
- total number of orders that went through the payment process.
Description of the storage of personal data
We comply with good information security practices and use appropriate administrative, physical and technical safeguards for the protection of facilities, data traffic, servers and databases, for access control and data backup. Personal data are stored only on secure servers, access to which is managed by administrators, and limited to designated persons for a justified reason.
The Finnish National Gallery maintains valid cooperation agreements with partners, including the processor, as stipulated by the General Data Protection Regulation. This ensures the secure and appropriate use of personal data, including in situations where partners have access to the personal data.
Personal data are stored in the Ticket Sales System in accordance with the valid legislation and good data protection practices applicable to the industry. Personal data are stored only for as long as there is a legal basis for it. Once the legal basis for the processing of personal data has expired, the personal data will be anonymized or deleted.
If the customer has given their marketing consent in the Ticket Sales System, the National Gallery may send them information and marketing communications relating to the Finnish National Gallery’s activities. Such information and marketing materials may concern the National Gallery’s exhibitions, events, services, museum shops, or restaurants operating in connection with its museums. In this case, the personal data of the customer stored in the Brevo system consist of the customer’s name and email address, together with the name and price of the purchased product. The Finnish National Gallery does not disclose personal data to third parties, such as restaurants or cafés operating within the museums.
The customer may withdraw their marketing consent and/or unsubscribe from newsletters at any time by using the unsubscribe option included in each newsletter and marketing communication sent to them.
If a customer of the Ticket Sales System has reserved a guided tour or an art workshop as a service, the system transfers the following data to the museum’s booking system to enable service delivery and manage reservations: the name, phone number, and email address of the person making the reservation and/or the group leader; where applicable, the name and postal address of the reserving organisation; and anonymised data on the group’s age composition and any special needs relevant to the provision of the service.
With regard to payments, the Ticket Sales System does not collect personal data. The payment and the processing of payment-related information take place in the online payment service of Paytrail Oyj.
Personal data are stored, as applicable:
- up to three years from the last action performed by the person in question in the Ticket Sales System
- if a person has given permission to send the newsletter, personal data related to sending the newsletter are stored until the person in question revokes the permission given;, or
- for information collected by cookies, in accordance with the cookie terms and conditions accepted by the customer when visiting the page.
Cookie policy
When visiting the Ticket Sales System, the customer is first asked for permission to store cookies on the customer’s device. For each cookie, you will be provided with information about the content and use of the cookies. It is necessary to install some cookies on your device in order to be able to use the Ticket Sales System. With regard to non-necessary cookies, the customer decides whether the customer wants to accept their use.
A cookie can contain text, numbers, dates, location information and other data. A cookie is also not an application, and it cannot allow viruses or other malware to enter your device.
Cookies can be used to determine the number of visitors to the site, save the choices made on the site (e.g. language settings), monitor how the site is used (so-called click paths) as well as target and manage advertising (e.g. not showing the same ads multiple times). However, we do not track the data of individual visitors; we compile statistics on visitor data based on, for example, behaviour and geographical location.
With cookies, we aim to improve the user experience and collect information that enables the further development of the Ticket Sales System.
The customer can also choose to delete the cookies stored in the browser or prohibit the reception of cookies from the browser settings. At the same time, it is possible to activate the Do Not Track function and set the browser to reject third-party cookies.
Right to inspect and rectify personal data
Under the law, individuals have the right to inspect the data which has been collected about them. They also have the right to request the rectification or deletion of inaccurate, incomplete, unnecessary or outdated personal data.
Requests for the inspection of personal data must be made by filling in the form for a request to inspect personal data and submitting it by post (address: The Finnish National Gallery, Registry, Kaivokatu 2, 00100 Helsinki, Finland) or by email at kirjaamo@kansallisgalleria.fi.
Individuals can prohibit the Finnish National Gallery from using their personal data for direct marketing, customer satisfaction and other surveys.
The data subject has the right to lodge a complaint with the supervisory authority, which is the Data Protection Ombudsman.
More information about the data protection practices of the Finnish National Gallery is available on our page on Privacy Policies.
Changes to this privacy policy
The Finnish National Gallery is constantly developing its operations. Changes to the privacy policy may be made from time to time and may be made without prior notice. Changes may also be made because of new or amended legislation.