Naantali Music Festival, Naantalin musiikkijuhlasäätiö sr, PO Box 46, 21101 Naantali, business ID: 0476932-7
Name of filing system
Naantali Music Festival customer register
Person responsible for the filing system
Suvi Innilä, email@example.com, tel. +358 50 559 0186
Purpose and legal basis of the filing system
The primary reason for the processing of personal data is to function as a register containing the customer and contact information of those who have booked a Naantali Music Festival ticket or subscribed to the newsletter. Short-term personal data filing systems may also be created in connection with, for example, surveys and prize draws. Personal data is used to distribute the newsletter, send programme leaflets by post, contact customers, maintain customer relationships and gather visitor statistics. Inclusion in the filing system is based on the data subject’s consent through their subscription to the newsletter, ticket booking or other means of providing their contact information.
Data content of the filing system
The Naantali Music Festival customer register contains, at most, the following customer information:
Email address, first and last name, street address, post code and city/municipality, contact telephone number, any additional information provided by the data subject
Data provided in connection with ticket bookings, registrations and prize draws is stored for the required time preceding the event in question. Data provided in connection with newsletter subscriptions is stored until the customer cancels their subscription.
Data stored in the Naantali Music Festival customer register is provided by the customer in connection with, for example, newsletter subscription; providing, maintaining or producing services; prize draws, etc. Additionally, public sources such as the address services of Posti or the Digital and Population Data Services Agency may be used to acquire personal data.
Personal data is not generally disclosed. Personal data is not disclosed to parties outside the EU or EEA. Within the limits and requirements of current legislation, Naantali Music Festival may disclose data to authorities for the purposes of, for example, coronavirus tracing.
Filing system protection
The filing system is managed with due care, and data processed by information systems is appropriately protected. When personal data is stored on web servers or databases, appropriate measures are taken to ensure the physical and digital security of the storage devices. The data controller ensures that stored data, server access rights and other information critical to the security of personal data is processed confidentially and only by staff whose duties include said processing.
Right of access
Every person whose data is stored in the filing system has the right to access said data and demand that any incorrect data is rectified and that any incomplete data is supplemented. Any data subjects who wish to access their data stored in the filing system or demand correction of said data must submit a written and signed request to the data controller. Where necessary, the data controller may require that the requester prove their identity. The data controller will respond to the customer within the time specified in the General Data Protection Regulation (generally within one month).
Right to rectification
Everyone whose personal data is stored in the filing system has the right to demand rectification of incorrect personal data. A free-form rectification request should be sent via email to the filing system manager: firstname.lastname@example.org, tel. +358 50 559 0186.
Other rights associated with the processing of personal data
Data subjects have the right to request that their personal data be erased from the filing system. Data subjects also have all other rights specified in the General Data Protection Regulation, such as the right to limit processing of personal data in certain circumstances. Requests should be submitted in writing to the data controller. Where necessary, the data controller may require that the requester prove their identity. The data controller will respond to the customer within the time specified in the General Data Protection Regulation (generally within one month).