Privacy statement
Jyväskylä Fair Ltd Visitor register
Personal Data Act (523/1999) 10 and 24§
General Data Protection Regulation (679/2016)
Updated 21.12.2023
1. Controller
Jyväskylä Fair Ltd
PL 127, 40101 Jyväskylä
info@jklmessut.fi
p. 014 334 0000
Business ID: 0626505-0
2. Name of the register
Jyväskylä Fair Ltd Visitor register
3. Purpose of personal data processing
The controller collects information from those who register as visitors, as exhibitors, and as media representatives.
The visitor data in the register is used for the event’s visitor marketing, visitor counting and conducting visitor surveys.
The register’s visitor data can be used for visitor profiling, electronic direct marketing and the targeting of marketing measures also in future similar events, which visitors are believed to be interested in based on their previous visits to the event and their own work role and areas of responsibility. Visitors can unsubscribe from these newsletter lists at any time.
The purpose of processing the exhibitors’ data is to share information related to the event.
Information and media releases related to the event can be sent to those accredited as media representatives.
4. Legal basis of personal data processing
The basis for the processing of personal data is the consent of the visitor to the event upon registration and the legitimate interest of the controller.
The legitimate interest of the data controller is the basis for processing data when there is a valid connection between the data subject and the data controller. Such a factual connection is formed e.g. when the data subject is in contact with the controller on his own initiative. Direct marketing can be sent to such potential customers of the data controller, for which the data controller can reasonably consider that the marketed products or services have an essential connection to the potential customer’s area of responsibility or work role.
5. Data content of the visitor register
The controller collects basic information about the data subjects, such as name and contact information (email address and/or phone number). Event-specific information can also be collected related to the company and work role (company name, job title).
6. Regular information sources
Data is collected from the following sources:
- From the data subject via registration to events. The register includes only the information that the user provides when filling out the form on the website.
- From the registered, if he accepts an invitation sent by the exhibitor to the event
- From the representative of the registered employer (only information concerning exhibitors working in the stand)
7. Regular hand-over of personal data
There are no regular hand-overs of data to third parties, but the event visitor can himself give permission to scan the QR code of his identification card, in which case the information provided by the visitor when registering (First Name, Last Name, Title, Company, Email Address, Telephone Number) will be transferred to the exhibitor who scanned the identification card.
The information of electronically registered visitors will be handed over to the event organizer if the organizer is an entity other than Jyväskylän Messut Oy.
Register information can be temporarily handed over to partners for use corresponding to the purpose of personal data processing, such as for conducting visitor research. A written data processing agreement has been concluded with partners who process personal data on behalf of the data controller, which ensures that the service providers process personal data under the data controller’s responsibility in accordance with the data controller’s instructions.
8. Transfer of personal data outside the EU or the European Economic Area
Personal data will not be handed over outside the EU or the European Economic Area.
9. Retention period of personal data
The controller processes and stores data only as long as is necessary for the predefined purpose of use of the personal data. Personal data that has become unnecessary and that the controller no longer has grounds to keep or process is deleted at regular intervals in accordance with the controller’s own data protection policies. The registered person has the right to request the deletion of their data at any time.
10. Principles of register protection
Care is taken when processing the register and the information processed with the help of information systems is properly protected.
The data of the register is stored in the system of the controller, which is protected by the security software of the operating system. Only designated employees and the system supplier have access to the register’s data, and the use of the data is protected with a username and password. Employees handling visitor register data are bound by the duty of confidentiality. Information is shared or disclosed to outsiders only due to a statutory reporting obligation, such as the customer’s own request or an authority’s statutory request.
The data is located on the supplier’s servers. The data center facilities are of the latest design and meet very high-level availability and security requirements. The facilities are basically built for the customers’ business-critical servers and applications, and they meet the highest standards set for IT environments.
All traffic between the system and users is encrypted using an SLL certificate.
11. The right of data subjects to check data
The data subject has the right to check the personal information stored in the register and to receive copies of it. The inspection request must be made in writing and addressed to the controller.
12. The right to have the data rectified
The controller corrects, deletes or completes personal data in the register that is incorrect, unnecessary, incomplete or outdated in terms of the purpose of the processing, on its own initiative or at the request of the data subject. The data subject must contact the controller in writing to correct the information.
13. The right of data subjects to restrict processing
The data subject has the right to prohibit the controller from processing personal data concerning him. The prohibition must be made in writing and addressed to the controller.