Espoo Museum of Modern Art

Data file description and privacy statement

Regulation 2016/679 of the European Parliament and of the Council and the Finnish Data Protection Act 1050/2018.

Data controller
Espoo Art Museum Foundation sr. / EMMA – Espoo Museum of Modern Art (hereinafter EMMA)
P.O. Box 6661
02070 CITY OF ESPOO
email: info@emmamuseum.fi
tel. +358 43 827 0941
Business ID 1784691-8

Contact person for matters concerning the data file
Marketing and Communications Manager of EMMA, Iris Suomi, iris.suomi@emmamuseum.fi

Data file name
EMMA customer and stakeholder registers

Legal basis and purpose of processing personal data
Customer and stakeholder registers are collected and used in accordance with the applicable data protection legislation and other legislation in force. The processing of personal data in the register is based on the consent of the data subject, the execution of agreements, and the legitimate interest of the data controller based on the customer relationship.

The registers are used, among other things, for the following purposes:

  • planning, producing, informing, developing and quality assurance of EMMA’s own and co-produced exhibitions, other services, events, products and current matters
  • maintaining contact, customer support related to services and targeted customer communication with visitors and other stakeholders, and fulfilling statutory obligations
  • marketing and targeting advertising

Data content of the register
The registers contain data such as:

  • name
  • title
  • organisation
  • contact details according to the purpose of use, such as email address, telephone number and postal address;
  • grouping by purpose of use (e.g. opening invitation recipient, subscriber to EMMA’s club letter)
  • profiling based on purpose of use (e.g. stakeholder, business contact, sector), additional information necessary in relation to the museum’s purpose (e.g. position, title, age or language) or the status of contact details (on alternation leave, substitute)
  • other submitted or disclosed data

Regular sources of data
Data accrues from stakeholders involved in EMMA’s own operations and directly from customers. In addition, data may be collected and updated from public sources such as websites or public registers maintained by third parties.

Data observed and derived from the use of the website may include:

  • data collected by the Google Analytics service regarding website use (such as number of visits, page views, devices used and browser types)
  • IP address (a technically collected piece of information that is not used to directly identify the user)
  • location data produced by Google Analytics (country, city or region)
  • statistical data on customer communications (such as newsletter opening rates and link click data)

Regular disclosures of data
Data is not regularly disclosed outside EMMA, except to established and essential partners with whom EMMA has a contractual relationship, for the purpose of maintaining customer relationships and providing services.

Data retention period
Data is stored for the period required by its purpose of use or as required by law. The subscriber may cancel their subscription to newsletters, invitations or other electronic communications themselves.

Transferring data outside the EU or EEA
As a rule, data is not transferred outside the European Union or the European Economic Area.

EMMA uses the Google Analytics 4 service to analyse the use of its website. The service is provided by Google LLC (United States). Analytics data of users in the EU area is primarily collected through servers located in the EU, and users’ IP addresses are not stored.In connection with the use of Google Analytics, analytics data may also be transferred and processed outside the European Union and the European Economic Area, particularly in the United States. In such transfers, an adequate level of protection of personal data is ensured in accordance with the requirements of the General Data Protection Regulation (GDPR). The legal basis for the transfer of data is the adequacy decision under the EU–US Data Privacy Framework adopted by the European Commission, and, where necessary, the standard contractual clauses approved by the European Commission and other supplementary safeguards.

Principles of the protection of the register
The data stored in the registers is protected in an appropriate manner so that it can only be accessed and used by authorised employees of EMMA and the Exhibition Centre WeeGee and its operators who need the data for their work.

The technical protection of the registers is the responsibility of the provider of the electronic service.

Right of inspection and exercise of the right of inspection
Everyone has the right to inspect their personal data and the right to request the correction of inaccurate data in the register. Requests for inspection and rectification shall be addressed to the data controller.

Other possible rights
The data subject may prohibit EMMA from using data concerning them for direct marketing as well as customer satisfaction and other surveys. In addition, the person has the right to request that data concerning them be deleted (right to be forgotten).

Prohibitions and changes concerning the processing of personal data shall be addressed to the data controller in writing.

This Privacy Statement was last updated on 19 May 2026.