Privacy terms

Data controller

Naantali Music Festival, Naantalin musiikkijuhlasäätiö sr, PO Box 46, 21101 Naantali, business ID: 0476932-7

Name of filing system

Naantali Music Festival customer register

Person responsible for the filing system

Suvi Innilä, suvi.innila@naantali.fi, tel. +358 50 559 0186

Purpose and legal basis of the filing system

The primary reason for the processing of personal data is to function as a register containing the customer and contact information of those who have booked a Naantali Music Festival ticket or subscribed to the newsletter. Short-term personal data filing systems may also be created in connection with, for example, surveys and prize draws. Personal data is used to distribute the newsletter, send programme leaflets by post, contact customers, maintain customer relationships and gather visitor statistics. Inclusion in the filing system is based on the data subject’s consent through their subscription to the newsletter, ticket booking or other means of providing their contact information.

Data content of the filing system

The Naantali Music Festival customer register contains, at most, the following customer information:

Email address, first and last name, street address, post code and city/municipality, contact telephone number, any additional information provided by the data subject

Data provided in connection with ticket bookings, registrations and prize draws is stored for the required time preceding the event in question. Data provided in connection with newsletter subscriptions is stored until the customer cancels their subscription.

Data sources

Data stored in the Naantali Music Festival customer register is provided by the customer in connection with, for example, newsletter subscription; providing, maintaining or producing services; prize draws, etc. Additionally, public sources such as the address services of Posti or the Digital and Population Data Services Agency may be used to acquire personal data.

Disclosure

Personal data is not generally disclosed. Personal data is not disclosed to parties outside the EU or EEA. Within the limits and requirements of current legislation, Naantali Music Festival may disclose data to authorities for the purposes of, for example, coronavirus tracing.

Filing system protection

The filing system is managed with due care, and data processed by information systems is appropriately protected. When personal data is stored on web servers or databases, appropriate measures are taken to ensure the physical and digital security of the storage devices. The data controller ensures that stored data, server access rights and other information critical to the security of personal data is processed confidentially and only by staff whose duties include said processing.

Right of access

Every person whose data is stored in the filing system has the right to access said data and demand that any incorrect data is rectified and that any incomplete data is supplemented. Any data subjects who wish to access their data stored in the filing system or demand correction of said data must submit a written and signed request to the data controller. Where necessary, the data controller may require that the requester prove their identity. The data controller will respond to the customer within the time specified in the General Data Protection Regulation (generally within one month).

Right to rectification

Everyone whose personal data is stored in the filing system has the right to demand rectification of incorrect personal data. A free-form rectification request should be sent via email to the filing system manager: suvi.innila@naantali.fi, tel. +358 50 559 0186.

Other rights associated with the processing of personal data

Data subjects have the right to request that their personal data be erased from the filing system. Data subjects also have all other rights specified in the General Data Protection Regulation, such as the right to limit processing of personal data in certain circumstances. Requests should be submitted in writing to the data controller. Where necessary, the data controller may require that the requester prove their identity. The data controller will respond to the customer within the time specified in the General Data Protection Regulation (generally within one month).