Privacy policy

Description of file for HAM and Helsinki Biennial online shop

EU General Data Protection Regulation (2016/679)
13 April 2021

1. Controller

The controller is the Culture and Leisure Committee, which delegated the controller’s tasks to the Director of Culture on 27 March 2018, Section 71.

2. Person responsible for the data file

Director of Culture, Culture unit

3. Data file contact person

Museum store manager, HAM Helsinki Art Museum
P.O. Box 1, FI-00099 City of Helsinki

4. Purpose and legal grounds for processing personal data

The purpose of the data file is the processing, delivery and archiving of orders from the HAM Helsinki Art Museum and Helsinki Biennial online store (HAM shop). The data may be used for the development of the operations of the online shop and for statistical purposes.

By placing an order, the customer allows the processing of their personal data for the above-mentioned purposes. When personal data comes from an external system, the approval of the processing of personal data takes place outside the online shop system. 

When an order is paid for, the customer's contact information is transmitted to the payment system to help resolve problem situations and to facilitate the refund of payments.

Legal grounds for processing

The legal basis for processing is Article 6(1)(a) of the EU General Data Protection Regulation: the data subject has given consent to the processing of his or her personal data for one or more specific purposes.

Essential legislation

  • EU General Data Protection Regulation (679/2016)
  • Data Protection Act (1050/2018)

5. Data content of the file

General customer data file: Customer number, first name, last name, address, city, telephone number, e-mail address and direct marketing permission.
Order data file: Contact information, ordered products and services.

6. Regular disclosure of personal data

Personal data is not disclosed to external parties, including those outside the EU or EEA.

Personal data may be transferred to other information systems of the controller, such as the point-of-sale system, accounting and invoicing.

7. Data retention periods

Personal data is automatically deleted as soon as possible, but no later than six (6) years after the order.

8. Regular disclosure of personal data

Personal data is obtained from the data subjects in connection with order and payment transactions.