Privacy Notice, City of Espoo, Espoo City Museum: Marketing register

The marketing register is used for marketing the services and sales and networking events of the Espoo City Museum, for sending newsletters and for other similar activities.

1. Data controller

City of Espoo

P.O. Box 1, 02070 CITY OF ESPOO

2. Person responsible for the register

Maarit Henttonen, Museum Director

3. Contact person of the register

Sarianna Visuri, Marketing and Communication

Resource Management, Arttu Norrlin, Educator

4. Data Protection Officer

Data Protection Officer of the City of Espoo

Address: P.O. Box 12, 02070 City of Espoo

Tel. +358 9 81621 (switchboard)

Email address:

5. For what purpose will personal data be processed?

The marketing register is used for marketing the services and sales and networking events of the Espoo City Museum, for sending newsletters and for other similar activities.

6. On what grounds will personal data be processed?

On the grounds for processing personal data specified in the General Data Protection Regulation of the European Union.

When marketing is aimed at private individuals, the processing of personal data stored in the register is based on the consent given by the data subject. Article 6(1)(a) of the General Data Protection Regulation.

When marketing is aimed at companies, the processing of personal data stored in the register is based on the public interest. Article 6(1)(e) of the General Data Protection Regulation.

7.  What data will be processed?

The groups of persons whose data may be processed are the contact persons of the data controller’s customer and partner companies, those classified as an ex officio partner, potential customer and/or within the sphere of marketing, persons in contact with the data controller, and those who have participated in events organised by the data controller or have given their permission for marketing.

The register may contain, for example, the following data about the data subjects:


organisation (and department) and position

organisation’s address

email address

telephone number

marketing measures targeted at the data subject and participation in them

other data disclosed by the data subject

possible mailing bans (email and mail)

information about changes to the above data

log data (e.g. opening of newsletters).

8. What are the sources of data?

Data in the marketing register is acquired or collected from the data subject through the customer relationship, through the City of Espoo website (contact forms, material downloads, newsletter subscription forms) and through registrations for events organised by the Espoo City Museum and third parties and from publicly available Internet sources and other possible public sources. Personal data may also be collected, saved and updated from the registers of a data controller providing address or updating services or other similar services.

9. Will data be disclosed or transferred outside the city?

As a rule, personal data will not be disclosed to third parties. The Espoo City Museum may, however, disclose data in a manner permitted by legislation to, for example, its partners for marketing purposes if the data subject has given permission for disclosing their data. Data may also be disclosed in cases where it is considered that a third party can offer special information or benefit to a company represented by a person in the register.

10. Will data be transferred outside the EU/EEA?

Personal data will not be transferred outside the EU or the European Economic Area (EEA).

11. How long will data be stored?

Personal data is stored for as long as it is necessary for the operations of the Espoo City Museum or until the data subject prohibits the processing of their data.

12. How will data be protected?

The data is saved in the CRM system of the Economic Development and Employment unit and can only be accessed by the users of the marketing register.

The use of data systems is controlled and the systems can only be accessed with a user ID and password. The systems require a change of password at regular intervals.

Supervisors make decisions regarding granting and removing access rights. At the end of employment, access rights are revoked. The processing of personal data is monitored and controlled with the help of usage log information if it is possible to get the log information from the data system.

Each user must accept the City of Espoo’s information security commitment, including a usage and confidentiality commitment. The personnel are introduced to data protection and appropriate processing of personal data.

13. Rights of the data subject

Further instructions on submitting information requests referred to in the General Data Protection Regulation.

13.1. How can I access my data?

You have the right to obtain from the data controller a copy of the personal data that is subject to processing. The data controller must provide the data without undue delay and in any event within one month of receipt of the request. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests.

If the data controller does not take action on the request of the data subject, the data controller must inform the data subject without delay, and at the latest within one month of receipt of the request, of the reasons for not taking action and on the possibility of lodging a complaint with a supervisory authority and seeking a judicial remedy.

Requests from the data subject and any resulting actions are free of charge. Where requests from a data subject are manifestly unfounded or excessive, in particular because of their repetitive character, the data controller may either charge a reasonable fee taking into account the administrative costs of providing the information or communication or taking the action requested, or refuse to act on the request.

13.2. When can I request rectification of my data?

You have the right to have inaccurate, incomplete, outdated or unnecessary personal data that we store either rectified or completed by us.

13.3. When can I request erasure of my data?

You have the right to have the data controller erase your personal data without undue delay under certain conditions. The data subject does not have the right to erasure if the processing of data is necessary for compliance with a legal obligation or for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller. In these cases, the data will only be erased after the statutory time limit.

13.4. What can I request restriction of processing of my data?

If the data concerning you is inaccurate, you have the right to request that its processing be restricted until its accuracy has been verified.

13.5. Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority if you feel that the processing of your personal data is in infringement of data protection legislation. You can lodge a complaint with the Office of the Data Protection Ombudsman: