Enable preference cookies to be able to use automatic translations

Processing of personal data at Vantaa City Museum

Culture Residents

In accordance with the EU General Data Protection Regulation, a person must be informed if their personal data is recorded in a personal data register. Personal data includes things such as the data subject’s name and address. The data subject must also be informed about the purpose of the processing of personal data, where the data is regularly disclosed and the rights of the data subject.

This document describes how personal data is processed in Vantaa City Museum’s collection and cultural environment work, the invoicing of products and services, and for communication and the sending of exhibition invitations to the clients. 

For what purpose is personal data processed?

The collection and cultural environment work aims to record and study the history of Vantaa and its residents through photographs, archive material, objects and interviews. The City Museum also collects cultural environment data and monitors the state of the cultural environment. The City Museum promotes the accessibility of collections and information and provides opinions on land use projects as a museum authority. 

 

Only the personal data necessary for invoicing and its related tasks (incl. possible collection) is obtained in connection with purchasing products and services. 

 

The necessary identification information and contact details are collected for communication and sending exhibition invitations. 

What is the basis for the processing of personal data?

The processing of personal data in the collection and cultural environment work is based on compliance with a legal obligation to which the controller is subject and the performance of a task carried out in the public interest or the exercise of official authority vested in the controller. 

 

The processing of personal data in the invoicing of products and services is necessary to implement an agreement to which the data subject is a party or to implement measures that necessitate an agreement as per the data subject’s request. 

The processing of personal data in communication and sending exhibition invitations is based on the consent given by the data subject. Granting consent is voluntary and can be revoked at any time. 

 

Legal basis for the processing: 
Article 6(1)(a)(b)(c) and (e) of the EU General Data Protection Regulation (2016/679). 

What personal data is collected by the Vantaa City Museum, and where is it obtained from?

Information on the collection and cultural environment work is saved in the Kirsti collection database. The database contains information on photographs, archive material and objects, as well as information related to the cultural environment. In addition to the museum context, personal data is stored in the database for the purposes of communication, additional information requests, information exchange and object identification. Furthermore, the reception forms contain manually recorded information on permission for donations and interviews, for example. Personal data is recorded in the party register of the collection management system. There are about 22 roles, including donor, photographer, user, interviewee and designer. 

 

The register contains the following information: 

  • basic personal information: names (current and former), occupation and employer, date of birth and death, address, email address 
  • information on the relationship between the data subjects: spouse, child, parents, kinship 

  • other additional information. 

     

For the collections, the following personal data is stored in the database: 

  • subjects of photography 
  • photographers of the images, archival materials and objects 
  • donors, lenders, originators and sellers 
  • former owners of the objects 
  • users, designers, manufacturers and producers of the objects 
  • interviewer and interviewee 
  • name and contact information of persons who provided oral or written information for a study 

  • genealogy data. 

     

For cultural environment data, the following data concerning the data subjects is stored in the register: 

  • cadastral code 
  • property and building address 
  • general description and history of the property and the buildings on it 
  • names of the current and previous owners of the property and the buildings on it 
  • description of the property and the relics on it 
  • name and contact information of persons who provided oral or written information for a study 
  • name and contact information of the person who reported the relic 
  • name and contact information of the responsible person in the City Museum 
  • Names and contact information of persons who have received building grants from the Finnish Heritage Agency or Uusimaa ELY Centre and persons who participated in the related advisory visits and the inspection, review and advisory visits carried out in connection with official work or investigation 

  • drawings, photographs and maps related to the property and buildings. 

     

The information is collected from work and research by the City Museum, documents, archives and the donors of the materials. Information is also obtained from other City of Vantaa authorities, the city’s electronic systems, government authorities (the Finnish Heritage Agency and the Uusimaa ELY Centre) and private consultants. 

 

Data collected for invoicing the products and services includes first name, last name, address, email address and personal identity code. The data is obtained from the clients when they purchase the Vantaa City Museum’s products or services. 

 

Data collected for communication and sending exhibition invitations includes the client’s/partner’s first name, last name, address and email address. The data is obtained from the client/partner themselves. 

Is the provision of personal data necessary?

The information provided for invoicing the products and services is necessary if the client wishes to pay by invoice. Providing contact information is also necessary if the client wishes to receive exhibition invitations, etc., from the Vantaa City Museum. 

Is personal data disclosed to third parties?

Data may only be disclosed with the consent of the person whose data is concerned or if there is a legal obligation to disclose the data. The data will never be disclosed to third parties for marketing or other commercial purposes. 

How is the personal data protected?

Data security and data protection have been secured by means of various technical and organisational measures. For example, personal data may be processed only by persons who need it to perform their work or official duties and only to the extent required by an individual task. Staff are bound by the obligation of professional confidentiality and will continue to be bound by it after the end of their employment. .

Is personal data transferred outside the EU or EEA?

In cases where the processor of personal data handles personal data on behalf of the City of Vantaa, the appropriate level of data security and data protection has been agreed to in an agreement with the processor. As a rule, data is only processed in the EU or EEA area, but the processor can also transfer data outside the EU or EEA. However, such a transfer is only permitted if it meets the requirements set out in the data protection legislation and the agreement, which ensure an adequate level of protection of personal data. 

What does the city do in case of a security breach?

Despite the protection measures, in some exceptional cases it is possible for personal data to be compromised by a data security breach or end up in the hands of a third party. In these cases, the City of Vantaa will take immediate action to rectify the situation and submit the necessary reports to the national Data Protection Ombudsman and the data subjects affected. The City of Vantaa will notify the Data Protection Ombudsman of any breach without undue delay and, where possible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to risk the rights and freedoms of any data subjects. 

 

If the breach is likely to cause a high risk with regard to the data subjects’ rights and freedoms, the City of Vantaa will notify the data subjects of the breach without undue delay. In this case, the city will report the breach to those data subjects whose data is affected by the data security breach. If the data breach concerns a large group of people and does not require any immediate action from registered parties, the details of the data breach can also be provided as a general notification. 

How long is the data stored?

The data is stored and destroyed in accordance with the City of Vantaa’s data management plan. The document storage periods specified in the data management plan are based on legislation, the regulations of the National Archives of Finland on documents intended for permanent storage and the recommendations of the Association of Finnish Local and Regional Authorities on documents to be stored for a fixed period. At the end of the period, the data is destroyed. Storage periods vary, but the information provided for communication is immediately destroyed at the data subject’s request. 

Will the data be used for profiling or automatic decision-making?

Your personal data will not be used for profiling or automated decision-making. 

What rights does a data subject have, and how can the rights be exercised? How long does processing a case take?

The term ‘data subject’ refers to the natural person whose personal data is being processed. 

 

Depending on the basis for the processing, the registered party has the right to 

  • check what data is being processed 
  • request the rectification of erroneous or inaccurate information 
  • request the erasure of personal data 
  • request the restriction of the data processing 
  • object to the processing of the data 

  • right to obtain the data and transfer it to another data controller, and to withdraw their consent at any time, if the processing is based on consent. 

     

You can submit an access request via a separate form available through the vantaa.fi website and Vantaa Info desks. Should you wish to exercise other rights of a data subject or request additional information on the processing of personal data, please contact the contact person. The statutory requirements regarding exercising your rights will be confirmed on a case-by-case basis. Exercising your rights may require you to verify your identity. 

 

The City of Vantaa will complete the requested measures without undue delay, but in any case no later than within one month of receiving the request. If necessary, the deadline may be postponed by a maximum of two months, based on the complexity and quantity of the requests. In the event that the deadline is postponed, the City of Vantaa will provide notification of the delay and the relevant grounds to the requesting party within one month of receiving the request. 

Is exercising a data subject’s rights subject to a charge?

The exercise of the rights is, in principle, free of charge. However, the City of Vantaa may collect a reasonable fee corresponding to the administrative costs for fulfilling a request or refuse a request if the data subject’s requests are clearly unfounded, unreasonable or recurring. If the intention is to collect a fee for fulfilling a request, the City of Vantaa will contact the person who submitted the request before fulfilment. In the event that the City of Vantaa refuses to fulfil the requested measure, the person who submitted the request will be provided with the grounds for the refusal in writing and informed of the opportunity to refer the matter to the Data Protection Ombudsman and resort to other legal remedies. 

How can I submit an appeal to a supervisory authority?

If you suspect that your personal details are being processed unlawfully, you can appeal to a supervisory authority in the EU member state of your permanent residence or employment or the member state where you consider the violation to have taken place. In Finland, the relevant supervisory authority is the Data Protection Ombudsman. 

More information and instructions for filing a complaint are available on the data protection ombudsman website. 

Office of the Data Protection Ombudsman, Contact information

Where can I request more information, and who is the controller?

More information on the processing of personal data is available from the contact person specified below. Please note that email is not a safe medium for processing personal data. As such, please do not send sensitive information, such as your personal identity code, via email. 

The controller is the City of Vantaa Urban Culture Committee. Contact details of the controller and the City of Vantaa data protection officer can be found below: 

Controller  
City of Vantaa  
Urban Culture Committee  
Business ID 0124610-9  
Asematie 7, FI-01300 Vantaa 

Registry office 
Postal address: PO Box 1100, FI-01030 City of Vantaa 
Street address: Vantaa Info Tikkurila, Dixi, Ratatie 11, 
2nd floor, FI-01300 Vantaa 
Tel. (exchange): +358 9 839 11 
Fax +358 9 8392 4163, email: kirjaamo(at)vantaa.fi 

More information

Päivi Yli-Karhula

Vantaa City Museum
Intendant
050 318 1428 firstname.lastname@vantaa.fi

Mikael Valtomaa

City of Vantaa
Lawyer, Data Protection Officer
040 071 3358  firstname.lastname@vantaa.fi