Privacy Policy For Online Booking System

Privacy Policy related to the Olympic Stadium Booking System

1. Name of personal data file

Olympic Stadium booking system (system provider Asio-Data Oy, business ID: 0640115-5)

2. Controller

The Stadium Foundation (Stadion-säätiö sr), business ID 0202071-8

3. Person responsible for Register


 Marju Paju, Director of Marketing and Communications
[email protected];
tel. +358 40 5138452

4. Register Contact person

Contact details:
[email protected];
Stadion-säätiö sr/ the Stadium Foundation
Paavo Nurmen tie 1, 00250 Helsinki

5. Purpose of personal data processing and legal grounds for processing

The personal data are processed for the purposes of booking of the premises managed by the Stadium Foundation, for adjusting and invoicing the bookings, for customer feedbacks as well as for statistical and filing purposes within the booking system.

The Stadium Foundation processes personal data for direct marketing purposes unless the data subject has prohibited the processing of their data for such purposes.

The personal data collected are not used for any automated decision-making or profiling.

The processing of the personal data is based on the data subject (Article 6 Para 1 Subpara a)[1]. The data subject consents to the processing of their personal data when registering as a service user, or when using the serving for booking without registration. The data subject has the right to withdraw their consent as per the General Data Protection Regulation (GDPR).

When registering and/or making a booking, the Customer gives their consent to the processing of their personal data.

6. Data contents of the register

The personal data is obtained from the data subject. The data subject provides the information when registering as a system user.

Identifying information for registered customers:
- name and business ID of organisation
- address of organisations
- first name and surname of contact person as well as their role in organisation
- email address of contact person
- telephone number of contact person
- invoicing and payment details of organisation
- identifiers: customer’s digital registration data, such as user name


Personal data for non-registered customer are obtained from the customer. The customer provides the information when making an individual booking in the system.

Identifying information for non-registered customers:
- name of person or organisation
- address of person or organisation
- email of person or organisation
- telephone number of person or organisation
- invoicing and payment details of person or organisation

7. Regular disclosure of personal data

We do not regularly disclose registered data to third parties. The registered data are used by the Stadium Foundation/Olympic Stadium.

For service provision purposes, the Stadion Foundation discloses personal data to the provider of the Olympic Stadium restaurant services upon the customer’s consent. For its own customer register, Compass Group FS Finland Oy is an independent controller. The Stadium Foundation invites the service user to also read the personal data processing terms and conditions of Compass Group FS Finland Oy.

The Controller discloses personal data to the payment transfer service if the data subject, when using the booking system, pays the booking through a direct payment.

The Controller can disclose personal data to the authorities if so required by the legislation.

In line with Article 28 of the GDPR, the Controller is responsible for agreeing with the processor, through specific contracts, on the processing of the data.

The registered data is not transferred outside the EU or the EEA. 

8. Data storage times

As far as registered users are concerned, their personal data is stored in the Olympic Stadium booking system register for two (2) years from the most recent booking. Thereafter, the data will be erased from the system. The delay in deleting the personal data must not exceed two (2) months.

The data subject is entitled, at any point of time, to request that their data is erased from the register. However, the data of the data subjects or any other parties whose data is processed in the booking system, can only be erased when the data subject has no further valid or non-invoiced bookings.

9. Data Subject rights

Under the GDPR, each person in the register has the rights to check their personal data stored in the register as well as to demand that eventual erroneous data is corrected or incomplete data completed.

The GRPD provides that each data subject has the right to oppose to/prohibit the use of their personal data for direct marketing purposes.

If the person wishes to check their data stored in the register or demands their adjustment, the request must be made in writing to the controller. If necessary, the controller may ask the requesting party to prove their identity. The controller will provide the Customer with an answer within the timeframe specified in the GDPR (in one month, as a rule). If there are several or complicated requests, the controller may indicate in the response that they need for time for their processing. If the controller has indicated the need for further processing time, the deadline is at three months from the original request.

10. Measures to protect the personal data

The personal data is processed only by persons who have the need to do so based on their work-related tasks.

The ICT services related to the register are provided by an external service provider. The ICT premises, equipment, systems and information are protected through usual IT methods.

The access to the personal data register is limited through access management and control methods.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)