Regulation 2016/679 of the European Parliament and of the Council and the Finnish Data Protection Act 1050/2018

Data controller
EMMA Art Museum Foundation sr. / EMMA – Espoo Museum of Modern Art (hereinafter EMMA)
P.O. Box 6661
02070 CITY OF ESPOO
email: info@emmamuseum.fi
tel. +358 43 827 0941
Business ID 1784691-8

Contact person for matters concerning the data file
Marketing and Communications Manager of EMMA, Iris Suomi, iris.suomi@emmamuseum.fi

Data file name
EMMA ticket shop customer register

Legal basis and purpose of processing personal data
The legal basis for processing personal data is:

• performance of a contract (purchase of a ticket or service),
• statutory obligation of the data controller (e.g. accounting legislation),
• legitimate interest of the data controller (customer relationship management),
• consent given by the data subject (marketing).

Personal data is processed for the following purposes:

• processing and delivery of orders,
• documentation and archiving of orders,
• receiving payments and managing payment transactions,
• managing customer relationships and providing customer service,
• developing the functionality and quality of services, collecting customer feedback,
• statistics and reporting.

Data may be used for direct marketing (e.g. newsletters and invitations) only with the customer’s separate consent. The customer may withdraw their consent at any time.

Data content of the register
Data stored in the register may include:

• first name,
• last name,
• email address,
• phone number,
• street address, postal code, city and country,
• order history (ordered products or services, prices, discount codes),
• payment method and payment status (information received from the payment service provider; EMMA does not store card details),
• permissions and consents given by the customer (e.g. direct marketing),
• other information provided by the customer (e.g. additional information, customer service messages).

For business customers, additional data may include:

• company name,
• Business ID,
• postal and billing address,
• intermediary ID,
• reference number.

Data observed and derived from the use of the website may include:

• data collected by Google Analytics 4 on website usage, such as number of visits, page views and information on devices and browsers used,
• IP address, which is used technically only to establish the network connection and approximate location; IP addresses of users in the EU are not stored or used as a direct identifier,
• approximate location data produced by Google Analytics, such as country, region or city, derived from the IP address,
• statistical data on customer communications, such as newsletter open and click rates.

Regular sources of data
Data is primarily obtained directly from the customer through the electronic forms of the Liveto ticket shop or in connection with customer service.

Regular disclosures of data

Personal data is processed on behalf of EMMA’s ticket shop by:

the e-commerce and ticketing system provider Liveto Group Oy

the payment service provider Paytrail Oyj

Data is disclosed only to the extent necessary for the provision of the service and only on a contractual basis. If the service or event ordered by the customer includes services provided by a restaurant or another partner operating in the Exhibition Centre WeeGee (such as table reservations or catering), necessary data (such as contact details related to the reservation or any special information provided by the customer, such as dietary requirements) may be transferred to the relevant operator for the purpose of providing the service. Data is transferred only to the extent required for organising the service.

Data retention period
Personal data is stored only for as long as necessary for the intended purpose or as required by law.

Data related to the customer relationship and orders is generally stored for a maximum of six (6) years after the end of the customer relationship due to accounting and legal obligations.

Data related to marketing (newsletters and invitations) is stored until the data subject withdraws their consent.

Transferring data outside the EU or EEA
As a rule, data is not transferred outside the European Union or the European Economic Area.

EMMA uses Google Analytics 4 to analyse the use of its website. The service is provided by Google LLC (United States). Analytics data of users in the EU is primarily collected via servers located in the EU, and users’ IP addresses are not stored.

In connection with the use of Google Analytics, analytics data may also be transferred and processed outside the European Union and the European Economic Area, particularly in the United States. In such transfers, an adequate level of data protection is ensured in accordance with the GDPR. The legal basis for such transfers is the adequacy decision under the EU–US Data Privacy Framework adopted by the European Commission and, where necessary, the standard contractual clauses and other supplementary safeguards approved by the European Commission.

Principles of the protection of the register
Personal data is processed confidentially and in accordance with applicable data protection legislation.

Access to the register is limited to EMMA employees whose duties include processing personal data in the ticket shop. Access to systems is protected by usernames and passwords. All users are bound by confidentiality obligations.

Liveto Group Oy and Paytrail Oyj act as technical and payment service providers for the ticket shop and process personal data on behalf of EMMA. These service providers have their own privacy policies in accordance with data protection legislation, which can be found on their websites.

Liveto: Privacy Policy / Data Protection Statement (In Fnnish)
Paytrail: Privacy Statements

Right of inspection and exercise of the right of inspection
The data subject has the right to:

• access their personal data,
• request the rectification of inaccurate or incomplete data,
• request the erasure of their data (right to be forgotten) where legally justified.

Requests for access, rectification and erasure must be addressed to the data controller.

The data controller shall rectify, erase or supplement personal data in the register at the request of the data subject or on its own initiative if the data is inaccurate, unnecessary, incomplete or outdated for the purpose of processing.

Other possible rights
Right to lodge a complaint: the data subject has the right to lodge a complaint with the data protection authority if they consider that the processing of personal data violates the GDPR.

This Privacy Statement was last updated on 19 May 2026.