Skip to content
Home » Data privacy

Data privacy policy

This page covers the data protection policy required by the EU General Data Protection Regulation (GDPR) about the data privacy and the processing of personal data by Tampere Hall.

Tampere Hall data privacy policy

Compiled 23 May 2018, updated 29 Jan 2021

At Tampere Hall we consider data protection very important and take measures to ensure that the personal data or our customers is safe.

Data protection policy for Tampere Hall corporate customer register

Data controller

Tampere-talo Oy
Business ID 0706363-7
Yliopistonkatu 55, P.O. Box 16, FI-33101 Tampere, Finland
Tel. +358 3 2434111

Contact person responsible for the register

Director of Marketing and Communications, mrs Tiia Välimäki
Yliopistonkatu 55, P.O. Box 16, FI-33101 Tampere, Finland

Register name

Tampere Hall customer register

The legal basis for and the purpose of processing personal data

Personal data is processed for purposes related to the maintenance, management, and development of the customer relationship, offering services as the Swedish consulate, offering services and products, sales and deliveries, customer profiling, collecting customer feedback and surveys and for the development and invoicing of services and products. Personal data is also processed for purposes required in order to settle any complaints and other claims. In addition, personal data is processed when targeting communication to customers, such as for sending information and news, and for marketing, which also includes processing personal data for purposes related to direct marketing and electronic direct marketing. The customer has the right to disallow direct marketing targeted at him or her, and to request the removal of the data related to him or her from the register.

The legal basis for personal data processing in accordance with the EU General Data Protection Regulation is that the data subject has either given consent for the processing of his or her personal data for one or more specific purposes (GDPR Art. 6(1)a) or the processing is necessary for the performance of a contract to which the data subject is party, or in order to carry out procedures at the request of the data subject prior to entering into a contract (GDPR Art. 6(1)b) or the processing is necessary for the purposes of the legitimate interests of the controller or of a third party (GDPR Art. 6(1)f).

The data controller processes the data itself and by using sub-contractors operating on the behalf of and on the account of the data controller.

Information content of the register

Information to be stored in the register may include:

  • Name
  • Title
  • Organisation
  • Client number
  • Telephone number
  • Address
  • E-mail address
  • Home town
  • Username/ID
  • Information created by the client (such as messages, settings and images)
  • Purchasing history and invoicing information
  • Information related to the use of online services
  • Health information (special diets and allergies in connection with restaurant reservations)
  • Consent to/prohibition of direct marketing
  • IP address of the network connection

Regular data sources

The information is provided mainly by the clients, the data subjects themselves. The information stored in the registry is obtained from the client via messages sent using internet forms, e-mail, ticket sales, by telephone or social media services and other situations in which the client discloses his or her data.

Regular disclosures and processors of data

The data controller can use contractual partners operating on its behalf for the technical, commercial or operative implementation of its data management duties, and during this co-operation personal data may be transferred in accordance with the data security contract.

In addition, the data is disclosed to the following parties:

  • Personal data (such as name, e-mail address, telephone number, invoicing information, purchase history, special diets and food allergies) is disclosed to NoHo Partners, in charge of the restaurant services of Tampere Hall, and Tuulensuun Palatsin Ravintolat Ltd, in charge of the restaurant services of Tuulensuun Palace, in order to implement customer service and carry out invoicing.
  • Personal information (such as name and e-mail address) is disclosed to other entities operating in the Tampere Hall premises, such as Tampere Filharmonia and the Moomin Museum, for the purposes of managing the communication and marketing of the customer relationship.

Regular disclosure of data of the transfer of data outside of the EU and the European Economic area

The data can also be transferred by the data controller outside the EU or EEA. The data controller shall ensure a sufficient level of data protection for these transfers as required by the Finnish and EU legislation. These measures include using standard contractual clauses approved by the European Commission concerning the transfers of personal data to third countries.

The principles of register protection

Care shall be taken when managing the registry, and the information to be processed with information systems shall be protected in an appropriate manner. When the register information is stored on an internet server, the physical and digital data security shall be appropriately ensured. The personal data in electronic format has been protected by reasonable technical means generally accepted in the industry, such as firewalls and passwords. The registry material including personal data in other than electronic format is stored in locked premises to which access by unauthorised persons is forbidden. The information retained, the server user rights and other information critical for personal data security is handled confidentially and only by those employees whose work description it entails. All users of the personal data are bound by secrecy. The information security level is audited at regular intervals either by external or internal auditing.

Personal data retention time

The data collected in the register shall be retained only for the duration and the extent necessary in relation to the original or compatible purposes for which the personal data was initially collected. The personal data in accordance with this data protection policy is retained for as long as the data controller utilises the data for the purposes described in this document. The personal data stored in the registry will be deleted when there is no longer a legal basis for its processing, such as the retention obligation for accounting purposes.

Rights of the data subject

The data subject has the following rights under the EU General Data Protection Regulation:

(a) the right to obtain from the controller confirmation as to whether or not personal data concerning him or her is being processed, and, where that is the case, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipient to whom the personal data have been or will be disclosed; (iv) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (v) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) where the personal data is not collected from the data subject, any available information as to its source; (GDPR, Art. 15). This basic information described from (i) to (vii) shall be provided to the data subject using this form;

(b) the right to withdraw consent at any time, and this withdrawal shall not affect the lawfulness of processing based on consent before its withdrawal (GDPR, Art. 7);

(c) the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and the right to have incomplete personal data completed, including by means of providing a supplementary statement, taking into account the purposes of the processing (GDPR, Art. 16);

(d) the right to obtain from the controller the erasure of personal data concerning him or her without undue delay if one of the following grounds applies: (i) the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws consent on which the processing is based and there is no other legal ground for the processing; (iii) the data subject objects to the processing on grounds relating to his or her particular situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing of personal data concerning him or her for direct marketing purposes; (iv) the personal data has been unlawfully processed; or (v) the personal data has to be erased for compliance with a legal obligation in Union or Member State law to which the controller is subject (GDPR, Art. 17);

(e) the right to obtain from the controller restriction of processing where one of the following applies: (i) the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data; (ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of its use instead; (iii) the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; or (iv) the data subject has objected to processing on grounds relating to his or her particular situation pending the verification of whether the legitimate grounds of the controller override those of the data subject (GDPR, Art. 18);

(f) the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit that data to another controller without hindrance from the controller to which the personal data have been provided, if the processing is based on consent pursuant to the regulation and the processing is carried out by automated means (GDPR, Art. 20);

(g) the right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the EU General Data Protection Regulation (GDPR, Art. 77).


This website uses cookies. You can read more about cookie settings from the button at the bottom left of the site.