Privacy policy

The Finnish National Gallery complies with the laws regarding access to digital services and data protection. 

Privacy Policy of the Finnish National Gallery’s Museum shop 

Name of the register 

Customer Register of the Finnish National Gallery’s Museoshop 

Data controller 

The controller is the Finnish National Gallery, which was established by the Act on the Finnish National Gallery (889/2013).   

Contact details 

For privacy and personal data issues, you can contact us in writing (address: Kansallisgalleria, Kirjaamo, Kaivokatu 2, 00100 Helsinki, Finland) or by email to kirjaamo@kansallisgalleria.fi.  

Purpose of the register 

The purpose of the register is to process, deliver, document and archive orders made by customers of the Finnish National Gallery’s Museoshop, to provide customer support, to receive payment for orders, to improve the user experience of the site and to develop its functions, to collect customer feedback, to serve general statistical purposes, to send newsletters ordered by customer, and to enable marketing as approved by the customer and/or authorised by law. 

Legal basis of processing personal data 

Personal data submitted to the Finnish National Gallery are processed in accordance with the General Data Protection Regulation (EU 2016/679).and the Finnish Personal Data Act (1050/2018). 

The legal grounds for processing personal data are those listed in Article 6 of the EU General Data Protection Regulation. These include processing or accessioning to a register of personal data on the basis of consent, contract or legal obligation. In the pursuit of a legitimate interest, a customer relationship or other relevant relationship exists between the Museoshop and the data subject that justifies the processing of personal data for the purpose of enabling communication between the parties. 

All processing of personal data is subject to impact assessments related to the requirements of necessity and proportionality. Data is stored within the framework permitted by law and as long as the functional connection to the original purpose of use remains. The starting point is the minimisation of data retention times so that unnecessary data is not stored. 

What data are collected 

The data collected in the register may include:   

• information provided by the data subect;   
• information received or collected in order to implement the Museoshop’s operations; and/or  
• information stored in connection with documenting the Museoshop’s operations. 

Information provided by the data subject may include the following:   

• first and last name; 
• user ID;   
• company name; 
• email and phone number;   
• street address, postal code, city and country;  
• information about processed orders (products ordered, order amount, discount codes);   
• payment method of orders (but not payment card details);   
• permissions, consents and information about the data subject’s language or other similar choices; 
• interests, preferences and thematic priorities; and/or 
• other information provided by the data subject, such as information included in forms and data fields. 

Data observed and derived from the use of the Finnish National Gallery’s Museoshop website:   

• data collected by online analytics systems; 
• customer communication data; e.g., information accessed through links; 
• website URL from which the user was redirected to the Finnish National Gallery’s Museoshop website; 
• device identifiers, such as device model and unique device and/or cookie identifier; 
• data collection channel: browser, mobile browser, application and browser type; 
• IP address; 
• device operating system; 
• session ID, time and duration of session; 
• location data; and/or 
• Information associated with the user, based on the user’s history of use of the Finnish National Gallery’s Museoshop services, derived from observed use and/or information provided by the user, such as demographics, interests and other user categories. 

Use of cookies 

We use cookies on our website. Please refer to the Finnish National Gallery's cookie policy: Finnish National Gallery's Privacy Policy. 

The user can delete the cookies stored in the browser from the browser settings or deny the reception of cookies. It is also possible to activate the Do Not Track function and set the browser to reject third-party cookies. 

How personal data is stored   

We comply with good data security practices and use appropriate physical, technical and administrative safeguards for the protection of facilities, data traffic, servers and databases, access control and data backup. Personal data is stored on secure servers that are accessible only to designated persons. Access to systems containing personal data is limited only to legitimate need. 

The Finnish National Gallery maintains valid cooperation agreements with partners as stipulated by the GDPR. This ensures secure and appropriate use of personal data, including in situations where partners have access to personal data. 

The Finnish National Gallery’s Museoshop operates on the Shopify platform, and Shopify is the processor of personal data in accordance wih the GDPR. 

The Finnish National Gallery’s Museoshop and Shopify, the processor of personal data, store personal data in accordance with applicable law and good data protection practices applicable to the industry. Personal data is stored only for as long as necessary to fulfil the purposes set out in this Privacy Policy.  

If a customer of the Museoshop has subscribed to a newsletter and/or accepted marketing, the Finnish National Gallery’s Museoshop uses Brevo to produce the newsletter and marketing, in which the name and email address of the subscriber to the newsletter is stored, as well as the following information for orders: name, address, phone number and email provided by the customer. The Finnish National Gallery’s Museoshop does not collect personal data in connection with payments, which are processed using Paytrail Oyj’s online payment service. 

The Finnish National Gallery, Shopify and Brevo process personal data within the EU. Any transfers of data outside the EU are made in compliance with the terms of the GDPR. 

Once the grounds for processing the personal data have expired, the data is deleted. Personal data is stored as applicable: 

• for 2 years from the last registered event of the respective customer in the museum store of the Finnish National Gallery’s Museoshop; 
• for 2 years if the visitor to the Finnish National Gallery’s Museoshop website has subscribed to the Museoshop’s newsletter; and/or 
• with regard to data collected by cookies when visiting the Finnish National Gallery’s Museoshop website, in accordance with the terms of accepted cookies. 

How personal data is stored   

We comply with good data security practices and use appropriate physical, technical and administrative safeguards for the protection of facilities, data traffic, servers and databases, access control and data backup. Personal data is stored on secure servers that are accessible only to designated persons. Access to systems containing personal data is limited only to legitimate need. 

The Finnish National Gallery maintains valid cooperation agreements with partners as stipulated by the GDPR. This ensures secure and appropriate use of personal data, including in situations where partners have access to personal data. 

The Finnish National Gallery’s Museoshop operates on the Shopify platform, and Shopify is the processor of personal data in accordance wih the GDPR. 

The Finnish National Gallery’s Museoshop and Shopify, the processor of personal data, store personal data in accordance with applicable law and good data protection practices applicable to the industry. Personal data is stored only for as long as necessary to fulfil the purposes set out in this Privacy Policy.  

If a customer of the Museoshop has subscribed to a newsletter and/or accepted marketing, the Finnish National Gallery’s Museoshop uses Brevo to produce the newsletter and marketing, in which the name and email address of the subscriber to the newsletter is stored, as well as the following information for orders: name, address, phone number and email provided by the customer. The Finnish National Gallery’s Museoshop does not collect personal data in connection with payments, which are processed using Paytrail Oyj’s online payment service. 

The Finnish National Gallery, Shopify and Brevo process personal data within the EU. Any transfers of data outside the EU are made in compliance with the terms of the GDPR. 

Once the grounds for processing the personal data have expired, the data is deleted. Personal data is stored as applicable: 

• for 2 years from the last registered event of the respective customer in the museum store of the Finnish National Gallery’s Museoshop; 
• for 2 years if the visitor to the Finnish National Gallery’s Museoshop website has subscribed to the Museoshop’s newsletter; and/or 

• with regard to data collected by cookies when visiting the Finnish National Gallery’s Museoshop website, in accordance with the terms of accepted cookies. 

Right to inspect and rectify personal data   

Under the law, individuals have the right to review what data has been collected about them. They also have the right to request the rectification or deletion of inaccurate, incomplete, unnecessary or outdated personal data. 

A request for personal data review can be made by submitting a Request to Rectify Personal Data by post (address: Kansallisgalleria, Kirjaamo, Kaivokatu 2, 00100 Helsinki, Finland) or by email to kirjaamo@kansallisgalleria.fi.  

Individuals can prohibit the Finnish National Gallery’s Museoshop from using personal data for direct marketing, customer satisfaction and other surveys. 

The data subject has the right to lodge a complaint with the supervisory authority, which is the Data Protection Ombudsman. 

Request to Inspect Personal Data (pdf) 

Use this form to request to inspect your data in our files. 

Request to Rectify Personal Data (pdf) 

Use this form to request the Finnish National Gallery to rectify your data in our files. 

Further information about the Finnish National Gallery's Privacy Policy can be found here. 

Changes to the Privacy Policy   

The Finnish National Gallery is constantly developing its operations. Changes to the Privacy Policy may be made from time to time and without prior notice. Changes may also made because of new or amended legislation. 

Request to Rectify Personal Data (pdf) 

Use this form to request the Finnish National Gallery to rectify your data in our files. 

Further information about the Finnish National Gallery's Privacy Policy can be found here.