Skip to main content of the page
Varaamo
SuomeksiEnglishSvenska
Varaamo
SuomeksiEnglishSvenska

Privacy Statement

EU General Data Protection Regulation (2016/679), Articles 13 and 14 Customer data file of the Varaamo premises reservation service Controller The controller is the Culture and Leisure Committee, which delegated the controller’s tasks to the Administrative Director on 27 March 2018, Section 71. Why do we process your personal data? The purpose of the data file is to offer data subjects the possibility of reserving the city’s premises and equipment. Purpose of the processing The manager of the premises, the handler of the reservations or a representative authorised by the city processes personal data in order to verify the identity of the customer and the agreed purpose of use. The people who made the reservation and the contact persons of the event can also be notified of changes related to reservations or premises. The customer can use the Varaamo contact form to make customer service requests in order to resolve any problem situations. Reservation data is also used for statistics and the development of operations. The statistics do not contain personal data. Legal grounds for the processing of personal data General Data Protection Regulation, Article 6(1)(a): the data subject has given consent to the processing of his or her personal data for one or more specific purposes. The personal data submitted with a contact request constitutes consent for data processing. Article 6(1)(b): processing is necessary for the performance of a contract to which the data subject is party. The reservation or application and its acceptance form a contract between the city and the customer. Essential legislation - EU General Data Protection Regulation (679/2016) - Data Protection Act (1050/2018) What personal data do we process about you? The Varaamo service can be used either as an individual or on behalf of an individual, company, association or community. When acting on behalf of another, information on the person is linked to the transaction. You log into the Varaamo service with your Helsinki profile, which requires strong authentication. If you do not have a Helsinki profile, one will be created automatically upon logging in. If you wish, you can view the Helsinki profile privacy statement here (in Finnish): https://www.hel.fi/static/liitteet-2019/Kaupunginkanslia/Rekisteriselosteet/Keha/Sahkoisten%20asiointipalveluiden%20rekisteri.pdf The following personal data of the person making the reservation is stored in the Varaamo service: first name, last name, street address, postal code, municipality of residence, email address, telephone number, language of communication and additional information concerning the reservation, such as reservation name, purpose of use and description, as well as identification data of the city’s information system (library system). When making a reservation on behalf of a registered community, in addition to the above data, the first and last name and contact information of the event’s contact person are stored. Your name and email address are collected on the contact form. When logging in, your name and email are stored. Address information is transferred from the Helsinki profile when making the reservation and stored in the reservation data. The rest of the personal data is collected from the customer himself/herself on the reservation form. The handler of the premises reservations can check the personal identity code of the person making the reservation from the Helsinki profile when the reservation has been made using strong authentication. The personal identity coded is not stored in the Varaamo service. How do we collect personal data? The data is obtained from the data subjects themselves, i.e. the customer who makes the reservation: individuals, companies and communities. To whom do we disclose your personal data? The City of Helsinki has contractual partners to implement the premises reservation service. Personal and reservation data may be disclosed to a contractual partner for the purpose of implementing the premises reservation service. The city may outsource the processing of personal data to an external system supplier or service provider with a separate contract of assignment. In this case, the processing of personal data takes place on behalf of the city and to fulfil the purpose specified by the city. The city remains the controller of the personal data. The city and the service provider are jointly responsible for the lawfulness of the processing of your personal data. The City of Helsinki’s Privacy and Confidentiality Policy is appended to these contracts. Personal data processors The data is processed by authorised city staff and the staff of contractual partners whose duties include the organisation and customer service of the premises reservation service or maintaining the service. Will your personal data be transferred outside the EU or EEA? Personal data is not transferred outside the EU or EEA without agreements ensuring data protection. By default, the City of Helsinki ensures that the processing of personal data takes place in the EU or EEA. However, in some cases, the city’s services and functions can also be implemented using service providers, services and servers located elsewhere. In this case, personal data may also be transferred outside the EU or EEA. The EU General Data Protection Regulation sets strict criteria for the transfer of personal data to countries whose legislation regarding the processing of personal data differs from the requirements of European data protection legislation. In this case, the City of Helsinki undertakes to comply with the requirements for an adequate level of protection of personal data and, where applicable, obliges the system suppliers and service providers it uses to take care of the corresponding data protection obligations as required by the data protection legislation. How long do we store your personal data? In the case of an individual reservation, the personal data is stored for two years after the end of the use time of each space. In the case of season reservations, the data is stored for two years after the end of the processing of the application. The data collected on the contact form is stored for one full calendar year. Automated decision-making and profiling The processing of personal data does not involve automated decision-making and profiling. Your rights in relation to the processing of your personal data The data subject’s rights and instructions for exercising them are available at: https://www.hel.fi/en/decision-making/information-on-helsinki/data-protection-and-information-management/data-protection/rights-of-data-subjects-and-exercising-these-rights Right of access (Right of access by the data subject, Article 15) You have the right to know whether your personal data is being processed and what data is stored about you. The City of Helsinki will provide the information without undue delay, at the latest within one month of receiving the request. If necessary, this period may be extended by a maximum of two months if the request is of exceptional scope and complexity. If the time limit is extended, the city will inform the person requesting the information of this within one month of receiving the request, as well as of the reasons for the delay. Right to rectification (Article 16) You have the right to demand that the city rectify imprecise and inaccurate personal data concerning you without undue delay. In addition, you have the right to the supplementation of incomplete information. Any incompleteness of the data will be resolved by taking into account the purpose of the processing of personal data. If the city does not accept the person’s demand for rectification, it will issue a written certificate stating the reasons the demand was not accepted. The possibility of lodging a complaint with a supervisory authority and of seeking other remedies is also mentioned in connection with the certificate. Right to erasure (‘right to be forgotten’) (Article 17) In some exceptional cases – for example, if the processing of data has been based on the person’s consent and the person withdraws their consent – the person has the right to have their data erased, or in other words, to be forgotten. If the city does not accept the person’s demand for erasure, it will issue a written certificate stating the reasons the demand was not accepted. The possibility of lodging a complaint with a supervisory authority and of seeking other remedies is also mentioned in connection with the certificate. The right to erasure does not exist if the processing is based on compliance with the city’s statutory obligation, or it is related to the performance of a task carried out in public interest or the exercise of public authority vested in the city. Right to restriction of processing (Article 18) In certain situations, a person may have the right to request that the processing of their personal data be restricted until their data has been duly checked and corrected or supplemented. Such situations include a person denying the accuracy of their data, in which case the processing of their data is restricted while the city is checking their accuracy. Right to data portability (Article 20) A person has the right to transfer their personal data from one controller to another if they have themselves provided the controller with their personal data, the processing of the data is based on consent or a contract and the processing is carried out automatically. This right does not apply to processing that is necessary for the performance of a task carried out in the public interest or in the exercise of an official authority vested in the city. Right to object (Article 21) A person has the right to object to the processing of their personal data at any time on grounds related to their personal situation, where the processing is based on the performance of a task carried out in the public interest or in the exercise of an official authority vested in the city. In this case, the data may be further processed only if there is a substantial and justified reason for the processing that can be demonstrated by the city. The processing may also continue if the processing is necessary for the establishment, exercise or defence of legal claims. Right to lodge a complaint with an authority (Article 77) You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data violates the EU General Data Protection Regulation (EU) 2016/679. You also have the right to exercise other administrative and judicial remedies. Office of the Data Protection Ombudsman Street address: Lintulahdenkuja 4 Postal address: PO Box 800, FI-00531 Helsinki, Finland Email: tietosuoja@om.fi Switchboard: +358 29 56 66700 How can you contact us about data protection issues? kuva.tietosuoja@hel.fi Responsible person Project Manager Varaamo Contact information City of Helsinki, Registrar’s Office, PO Box 10 (Pohjoisesplanadi 11–13), FI-00099 City of Helsinki, Finland Contact information of the data protection officer City of Helsinki’s Data Protection Officer tietosuoja@hel.fi +358 9 310 1691 (switchboard) This privacy statement was updated on 29/04/2024.