Privacy Policy – the Finnish Fair Corporation’s visitor register

Prepared 3 October 2017, latest change 7 June 2018

1. Controller

Messukeskus, Finnish Fair Corporation
Messuaukio 1, 00520 Helsinki, Finland
Tel. +358 40 450 3250
Business ID: 01163223

2. Party handling matters related to the file/Contact person responsible for the file

Messukeskus customer service
Messuaukio 1, 00520 Helsinki, Finland
Tel. +358 40 450 3250
customer.service@messukeskus.com

3. Name of the file

The Finnish Fair Corporation’s visitor register

4. Legal basis and purpose of processing personal data

The basis for processing personal data is the consent of the person – in this case, a visitor to an event – granted in conjunction with registration, as well as the controller’s justified benefit.

Personal data is processed in order to calculate and compile statistics on visitor numbers, and it is used as the basis for analysis that benefits the business. Data is collected in order to calculate the official number of visitors and to develop events. Data is used for marketing in conventional forms, as well as in electronic and text message form. By providing a mobile phone number, the customer is granting consent for direct marketing messages to be sent to the mobile phone number.

If the data subject’s data is not entered properly, the registration may be invalidated as the controller cannot in such cases commit itself to a contract between the controller and the data subject in relation to the attendance.

5. Contents of the data file

The person’s name, position, company/organisation, role in making purchasing decisions, contact details (phone number, email address, address), customer number, information about services ordered and related service provision and invoicing. In addition, the saved data may also include website addresses, the IP address of the internet connection, location data and information about the use of online tickets, IDs/profiles on social media services, other information about services ordered and changes therein, location data, information about visits to Messukeskus, and other profiling data provided by the customer.

6. Regular sources of data

The data stored in the file comes from electronic visitor registration for events. Electronic visitor registration refers to advance registration (the visitor registers for the event on the internet before the event takes place or before arriving at the event) and/or on-site registration (the visitor registers for the event at the registration point at the entrance to Messukeskus). Customer data may also be obtained from parties that disclose it for the controller’s use as part of an agreement. Such parties include event clients. In such cases, the party disclosing the data is responsible for ensuring that the disclosed file is accurate, up-to-date and compliant with the GDPR requirements.

7. Regular disclosure of data and the transfer of data outside the EU or the European Economic Area

We may transfer or disclose personal data to our partners if this is necessary for purposes corresponding to this privacy statement. Such partners include exhibition clients, partners, “lead collection systems” (devices that read contact details), and the electronic meeting and networking service that operates at events. In addition, data may be disclosed to marketing partners, such as the partner that provides the newsletter tool, or media agencies, IT providers or other partners of the Finnish Fair Corporation. Data may also be disclosed to exhibitors if the visitor has granted consent for this. In such circumstances, personal data is processed in accordance with applicable legislation.

We may also use third-party service providers, such as providers of payment services, debt collection services and analytic services, to conduct certain tasks involving processing personal data on our behalf.

We may also transfer or disclose personal data to other companies within our Group and to the successor business as a consequence of matters such as merger and acquisition transactions, the sale of the business, mergers, demergers, bankruptcy or receivership.

We will not otherwise sell or disclose your data to external parties. We will also not transfer data outside the EEA other than in circumstances permitted by data protection legislation. Personal data may also be transferred or disclosed to the authorities if the applicable law so demands.

8. Principles for securing the file

Due care is exercised when the file is processed, and data processed using IT systems is protected appropriately. When data from the file is stored on internet servers, the physical and digital information security of the hardware is arranged appropriately. The controller takes care to ensure that the saved data, server access rights and other information critical to the security of personal data is processed confidentially and only by the employees or partners whose duties require it.

Employees who process data in the customer file are bound by a duty of confidentiality. Data is communicated or disclosed to third parties only if there is a duty of notification prescribed by law, such as the customer’s own request or a statutory request made by the authorities. The system is protected by technical means.

8.1. Manual material is created in extraordinary circumstances (when the registration system is out of service) from registration forms filled in by hand. Such data is stored in a locked area until the end of the period required by the circulation audit (approximately 3 months after the end of the event), after which it is destroyed.

8.2. The visitor register created from advance and on-site registration, as well as any post-registration (saving data after the event), is stored on the visitor register system’s server as long as the Finnish Fair Corporation has business needs related to the data or until the registree requests the removal of his/her information. Only the Finnish Fair Corporation’s employees and the system supplier have access to the data in the file. Use of the data is protected with user IDs and passwords.

 9. Your rights as a data subject

Right of inspection

The Finnish Fair Corporation offers you the right to inspect the personal data that we process about you. You can contact us in writing and ask us to tell you which personal data we process about you and the grounds for processing the data. The Finnish Fair Corporation is entitled to verify the identity of the enquirer. If less than 12 months has elapsed since your previous information request, we may require a fee to be paid for the work involved in realising the request.

Right to demand correction of data

You are also entitled to correct or supplement data that is incorrect, inaccurate, incomplete, out of date or unnecessary.

Right to demand erasure of data

You may also ask us to erase your personal data from our system. We will take the action you request unless we have a justified reason to refrain from erasing the data, such as fulfilling our obligations under legislation. The data may not be immediately erased from all of our backup systems or corresponding systems.

Right of objection

You may also request restrictions on the processing of your personal data if the data is processed for purposes other than providing our services or fulfilling obligations arising under law. You may also object to your personal data being processed in the future, even if the processing is based on consent that you have previously granted. Objecting to the processing of personal data may result in more restricted opportunities to use our website and services.

Right to restrict data processing

You may ask us to restrict the processing of certain pieces of your personal data. Requests to restrict data processing may result in more restricted opportunities to use our website and services.

Right to transfer data from one system to another

You are entitled to obtain your personal data from us in a structured and widely used format so you can transfer the data to a different controller.

You may exercise your right by sending an email to customer.service@messukeskus.com or by contacting us at the addresses specified above. Users who have registered for our services should primarily send their requests from the email address that is registered under the user data for the Service in question, and the response to the request will be sent to the same email address.

In addition to the foregoing rights and your other rights, legislation also guarantees you the right to submit a complaint to the supervisory authority, particularly in the Member State where you are permanently resident or working, or where the alleged contravention of the GDPR has taken place. The supervisory authority in Finland is the Data Protection Ombudsman.