Skip to content
Descriptions of registers Online shop registery

Privacy Notice – Online Store Customer Register

Prepared: 21 May 2018

Latest update: 9 January 2026

1. Data Controller

Messukeskus, Suomen Messut Oyj
Messuaukio 1, 00520 Helsinki
Tel. +358 40 450 3250
Business ID: 01163223
asiakaspalvelu@messukeskus.com

2. Contact Person Responsible for the Register

Messukeskus / Customer Service
Messuaukio 1, 00520 Helsinki
Tel. +358 40 450 3250
asiakaspalvelu@messukeskus.com

3. Name of the Register

Customer register of the online store of Suomen Messut Oyj

4. Purposes and Legal Bases for Processing, Processed Personal Data, and Storage Periods

We collect, store, and process personal data for predefined purposes and only on lawful grounds. In connection with the operation of our online store, we primarily process personal data for the following purposes and on the following legal bases:

Purpose: Online store operation and order processing

Description of processing:

– Receiving orders, processing payments, delivering tickets/products, sending order confirmations

– Handling complaints and returns

Personal data processed:

– Name and contact details

– Order and payment details

– Customer number

Legal basis & retention:

– Contract: Processing is necessary to fulfil the contract

– Retention: Order and customer data retained for 36 months, unless another legal basis applies

Purpose: Statutory obligations

Description of processing:

– Retention and reporting of receipts (e.g., accounting, taxation)

Personal data processed:

– Billing information

– Payment transaction data

Legal basis & retention:

– Legal obligation (e.g., accounting and tax laws)

– Retention: 10 years after the end of the financial year

Purpose: Customer relationship management and communication

Description of processing:

– Customer service

– Event‑related notifications (e.g., arrival instructions)

– Customer communication and satisfaction surveys

Personal data processed:

– Email address and phone number

– Interaction and transaction history

Legal basis & retention:

– Legitimate interest: to serve customers and develop operations

– Retention: For the duration of the customer relationship + 36 months

Purpose: Electronic direct marketing

Description of processing:

– Sending offers, newsletters, and general event information via email or SMS

Personal data processed:

– Email address

– Phone number

– Name

Legal basis & retention:

– Consent: provided when subscribing or during purchase

– Retention: Consent records kept 12 months after inactivity; marketing data kept until consent is withdrawn or the customer relationship ends

Purpose: Profiling, targeted advertising and measurement (CDP & Enhanced Conversions)

Description of processing:

– Combining and enriching customer data in the customer data platform (CDP)

– Using Meta (Facebook, Instagram) and Google conversion tracking (Enhanced Conversions / Advanced Matching)

– Sending hashed identifiers to advertising platforms for attribution and targeting

– Data is used only for matching to platform user accounts; Messukeskus does not use it to directly identify individuals

Personal data processed:

– Purchase history

– Cookie data (hashed)

– Demographic data

– Profiling/segment data

– Encrypted email address

– Encrypted phone number

Legal basis & retention:

– Legitimate interest: marketing attribution and audience creation

– Retention: until consent is withdrawn or the customer relationship ends

General retention rule

We do not store personal data longer than necessary for its purpose, for contractual reasons, or as required/permitted by law. Data may also be deleted if the data subject withdraws consent and no other lawful basis applies.

5. Data Sources

We primarily collect data directly from the data subject during purchases, registration, or online store use. We also collect data from Messukeskus’ own systems (e.g., marketing communications and online store usage data) and via cookies. We may enrich customer data with demographic information obtained from third parties, where consent has been given.

6. Data Disclosures and Transfers (incl. outside EU/EEA)

Data is processed only by Messukeskus employees and by contracted service providers (e.g., payment services, analytics, technical maintenance, CDP provider).

Some partners for digital marketing and analytics (such as Meta, Google, LinkedIn) may process data outside the EU/EEA, especially in the United States.

If you have given consent for profiling and targeted marketing: segmented audience data or hashed identifiers may be transferred to advertising platforms; transfers are primarily protected by the EU–U.S. Data Privacy Framework (DPF). If the provider is not covered by the DPF, we use EU Standard Contractual Clauses (SCC) with supplementary safeguards.

7. Security Principles

We apply the principle of Privacy by Default. Access is role‑based and limited to necessary personnel and contracted processors. Access rights are monitored and logged. Safeguards include multi‑factor authentication, encryption, and regular access audits.

8. Cookies and Measurement

The online store uses cookies and similar technologies for analytics, improved user experience, and marketing. Cookie use is based on consent provided via the cookie banner. Categories: necessary, analytics, marketing. Tags and measurement tools activate only after consent. Necessary cookies are used without consent solely for technical operation.

9. Obligation to Provide Personal Data and Consequences of Not Doing So

Certain personal data is mandatory to conclude and fulfil contracts in the online store and for billing and payment purposes. Where possible, we indicate which data is mandatory and which is optional.

10. Profiling and Automated Decision‑Making

We use a customer data platform (CDP) to build customer profiles and audiences (profiling) to provide more relevant communication and marketing. This profiling is based on consent. We do not make automated decisions that would have legal or similarly significant effects.

11. Rights of the Data Subject

Right to manage your data: Customers may be able to log in, review, and edit certain data.

Right of access: You may request confirmation of processing and obtain a copy of your data; access may be limited for legal, privacy, or trade secret reasons.

Right to rectification: You may have inaccurate, incomplete, or outdated data corrected.

Right to erasure: You may request deletion where no lawful basis remains.

Right to restrict processing: You may request restriction, in which case we primarily store the data only (e.g., during accuracy disputes or pending objection outcomes).

Right to object: You may object to processing based on legitimate interest for reasons related to your particular situation.

Right to data portability: If processing is based on consent or contract and is automated, you may obtain your data in a commonly used machine‑readable format for transfer to another controller.

12. Withdrawal of Consent and Right to Object to Direct Marketing

If processing is based on consent, you may withdraw it at any time; withdrawal does not affect processing prior to the withdrawal. You may always object to direct marketing and withdraw any marketing consent. Rights can be exercised by contacting asiakaspalvelu@messukeskus.com.

13. Right to Lodge a Complaint

If you believe we process your data unlawfully or contrary to this notice, you may file a complaint with the supervisory authority in Finland: Office of the Data Protection Ombudsman – https://www.tietosuoja.fi.

14. Changes to the Privacy Notice

We may update this notice due to operational changes, privacy principles, or legal requirements. Unless otherwise stated, changes take effect once published.

15. Contact Information

Messukeskus / Suomen Messut Oyj

Messuaukio 1, 00520 Helsinki

asiakaspalvelu@messukeskus.com