Privacy – Data protection

Privacy Statement

Controller
Gösta Serlachius Fine Arts Foundation
Joenniementie 47
FI-35800 Mänttä
Business ID 0151144-3

Contact person of the controller: Chief Financial Officer Juha Roponen (firstname.lastname@serlachius.fi)

Name of the personal data file system: Serlachius Museums’ Customer and Stakeholder Register

Purpose of personal data processing
The Customer and Stakeholder Register is compiled and used in accordance with data protection legislation and other legislation applicable at the time in question. 
The register is used for, among other things, the following purposes:

  • planning, producing, communicating, developing and ensuring the quality of the Serlachius Museums’ own and co-produced exhibitions, other services, events, products and current issues.
  • communication and service-related customer support and targeted customer communication with visitors and other stakeholders
  • discharging statutory obligations
  • for marketing and targeting of marketing to customers and potential customers


Legal basis for processing personal data
The legal basis for processing of the personal data is established in a contract when a service or product provided by the Serlachius Museums has been ordered. Processing of the personal data is also based on statutory obligations, such as accounting and reporting obligations. Processing for customer relationship management and marketing is based on the legitimate interest of the Serlachius Museums. In addition, processing of the personal data may be based on consent, e.g. subscription to a newsletter. 

Data content of the register
Only essential personal data that is necessary for the museum’s operations and the provision of services, such as the customer’s name, telephone number, address, email address, purchase and payment transactions, any invoicing address and marketing authorisation, are stored in the register.

Information about matters and events in which the customer has participated or expressed interest may also be recorded.We also record, where appropriate, customer feedback and other essential information related to communication with and the provision of services to the individual.

In addition, various purpose-driven groupings (e.g. subscriber to a customer magazine or newsletter) and profilings (e.g. stakeholder, company affiliation or field of business) may be recorded as well as additional information necessary for the purpose (e.g. position or title).  

Regular sources of information
The information stored in the personal data systems is mainly obtained from the individuals themselves or via a stakeholder representing them. In addition, information may also be collected and updated from public data sources such as websites or public registers maintained by third parties.

Regular disclosure of data
The data in the register is not disclosed to third parties, for example for direct marketing or research purposes. In order to provide the services ordered, data may be disclosed to established and relevant partners who are in a contractual relationship with the Serlachius Museums. 

In addition, the Serlachius Museums may outsource the processing of personal data to trusted service providers or subcontractors, for example for communication or marketing purposes (e.g. Posti, Webropol) or for operational development purposes (e.g., an ICT specialist company). This is to ensure that personal data is processed in accordance with the law and with due care.

Data are not, as a rule, disclosed or transferred outside the EU Member States. Some providers of the electronic services used are from the United States; in these contexts, the transfer of personal data to the United States takes place on the basis of the EU-US Data Privacy Framework. 

Protection of the register
Requirements and practices for the appropriate protection of the data have been specified with service providers and the technical partners that maintain the personal data file system. Only those persons who need the information in their work have access to the personal data. Information systems are protected technically by commonly used methods, e.g. personal passwords.

Rights of the data subject
Individuals have the right to check what information about them has been stored in the register, and to request the correction of incorrect, inaccurate or incomplete information about them. In addition, individuals have the right to request that information about them be erased (the right to be forgotten). Individuals also have the right at any time to withdraw their consent to the processing of their personal data. The withdrawal of consent has no effect on processing carried out before the withdrawal. 

Inspection requests must be made in writing to the address: 
Serlachius Museums
Joenniementie 47
FI-35800 Mänttä

Right of complaint
Data subjects have the right to file a complaint with the data protection authority if they consider that the processing of personal data violates the EU’s General Data Protection Regulation. 

This Privacy Statement was last updated on 1 September 2023.