Privacy Policy

1. General 

This privacy policy describes how Ilkkas’ Creative Studio Ltd (“Company” or “ICS“) processes personal data; what personal data the company collects, for what purposes the data is used, to which parties the data may be disclosed, and how the data subject can influence the processing. The privacy policy also provides information on the obligations that the Company complies with in the processing of personal data.

“Personal data” refers to information concerning a natural person (“data subject“) that can directly or indirectly identify the person, as defined in the applicable data protection regulation. Information that does not directly or indirectly identify the data subject is not considered personal data.

The Company complies with the EU General Data Protection Regulation (2016/679) (“GDPR“) and other applicable data protection legislation in the processing of personal data. Ensuring privacy is part of the Company’s business operations.

This privacy policy applies to all processing of personal data of the Company’s customers, potential customers, partners, service providers’ representatives and contacts, employees, job applicants, participants in roles, and assistants. We require that all the aforementioned parties familiarize themselves with this privacy policy before participating in the Company’s activities, productions, or otherwise providing information to the Company.

2. Data Controller and Data Protection Officer 

Data Controller: Ilkkas’ Creative Studio Oy, 3308536-2, Ratinankuja 1, 33100 Tampere 

Data Controller’s representative & Data Protection Officer: Ilkka Rahkonen. 

Contact information: [email protected]. 

3. Purposes of Personal Data Processing and Legal Basis for Processing 

Personal data is processed for the following purposes, among others:

Contractual Relationships: 

• Fulfillment of customer and service contracts 
• Employment contracts

Marketing: 

• Personalized customer service and targeted customer communication regarding services, as well as monitoring service usage 
• Marketing and targeting of marketing to customers and potential customers

Internal Operations and Management: 

• Business planning, development, and product development 
• Service provision and quality assurance 
• Management and utilization of intellectual property rights 
• Maintenance of assistant, casting, and audience lists 
• Job application processes and recruitment 
• Employee management, support for career development, and benefits

Legal Obligations: 

• Employer obligations 
• Accounting obligations 
• Obligations regarding customer identification 
• Reporting obligations 
• Risk management and prevention of abuse 
• Ensuring data security

The legal basis for the processing of personal data may be based on: 

Contract: Processing is necessary for the performance of a contract or the implementation of contractual obligations. 

Legitimate Interest: Processing is based on a legitimate interest that does not override the data subject’s rights and freedoms. 

Consent: Processing is based on the data subject’s consent. 

Law: Processing is necessary for compliance with a legal obligation.

The legal basis for the processing of personal data of data subjects is primarily the contractual relationship between the Company and the data subject or the entity represented by the data subject, as well as the Company’s legitimate interests: direct marketing and internal operations and management. The processing of personal data is also based on legal obligations and consent. Consent is requested from the data subject for the processing of specific personal data and automated decision-making that significantly affects the data subject, as well as for the processing of recruitment data regarding individuals for future recruitment needs.

4. Personal Data Collected and Sources 

The Company collects only such personal data about data subjects that are necessary for the purposes stated in this Privacy Policy and to enable the Company’s operations.

We may collect and process the following personal data: 

• Name, contact information (e.g., phone number, email address, address).
• Information about employees, such as job title, employment history, qualifications, and performance records. 
• Information about our partners, such as the name and contact details of the partner. 
• Information related to customer and service contracts, including transaction details and communication history. 
• Marketing preferences and engagement with marketing materials. 
• Website usage data, such as IP addresses, browser information, and cookies. 
• Information provided through job applications and recruitment processes, including resumes, cover letters, and interview notes.

The Company obtains personal data directly from data subjects themselves or from authorized representatives, such as employees or service providers. Additionally, personal data may be collected from publicly available sources, third-party service providers, or other legitimate sources necessary for the purposes mentioned in this Privacy Policy. 

More detailed personal data that may be collected and processed per affiliate group:

Employee

Information related to the employment relationship, managing employer obligations and personnel administration (name, address, social security, contact information), salary payment and benefits information, occupational health information, information related to the transfer of intellectual property rights.

Job applicant

Age, date of birth, gender, language skills, work experience and education (CV, job application and work certificates), information on driver’s license.

A person applying for a performing role

Height, weight, hair color and length, eye color, clothing and shoe size, facial image, special features related to appearance, full body image.

Assistant involved in productions

Contact information, personal information, if the assistant appears in the production, also information related to appearance (see information content of the performing role), information on the transfer of intellectual property rights.

The audience of a production

Contact information, such as name, address, phone number and email address, information about participating as an audience.

Customers and subcontractors

Name, address, telephone number, email address, position in the represented company, information on the transfer of intellectual property rights in the subcontractor register.

Information related to the customer contract relationship

Information identifying the customer relationship (customers, partners). Customer transaction information as well as contract and product information. Contacts between the registered person and the Company, participation information.

Marketing campaigns

Information provided in connection with a competition or marketing campaign, information about participation in the campaign.

The market and opinion polls

Information, images and videos provided in connection with marketing and opinion polls, as well as information about participation in market or opinion polls.

Reaction data

Comments, pictures, videos and reactions published on the company’s website and social media channels.

Technical identification information

Monitoring of registered online behavior and the Company’s services using, for example, cookies or similar technical identifiers. Collected information may include, for example, the user’s IP address, pages used, browser type, web address, time and duration of the session.

5. Data Retention and Security Measures 

The Company retains personal data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy or as required by law. The retention periods may vary depending on the type of personal data and the applicable legal requirements.

The Company takes appropriate technical and organizational measures to safeguard personal data from unauthorized access, loss, misuse, alteration, or destruction. These measures include the use of secure servers, encryption, access controls, and regular security assessments.

Employees 

Information about employees is stored during the employment relationship and after its termination in accordance with the applicable labor legislation and accounting law.

Participants in productions

The information of the persons participating in the productions is kept for as long and to the extent that it is deemed necessary for the exploitation of intellectual property rights and the defense of said rights.

Partners & collaborations

The information about the cooperation partners is kept as long as the cooperation relationship is valid and after its termination for the time necessary to fulfill business-related obligations.

Customers

Information about customers is stored for the duration of the customer relationship and after its termination for the necessary time, so that we can fulfill our obligations based on the contract and legislation.

Marketing

Information regarding personal data related to marketing is stored for one (1) year, unless it is deemed necessary, due to special circumstances and subject to a case-by-case analysis, to retain the said data for a longer period of time.

The audience of a production

Data is stored for twentyfour (24) months. The company can use the information within this time period by inviting the person as an audience member or performer in other productions.

Persons participating in product development and sales roles or appearing in sales material

Information is stored for five (5) years. The company can use the information within this time period by inviting the person as an audience member or performer in other productions.

Job seeker – Open job application

Application data will be stored for twentyfour (24) months after receiving the application.

Job seeker – An open position announced by the company

Application data is stored during the recruitment process and for a reasonable time after the process. If the job seeker gives the right to use the application data for other similar jobs, the Company will retain the application data for twentyfour (24) months after receiving the application.

When the personal data is no longer needed as defined above, the data will be deleted within a reasonable time, unless the legislation obliging the Company is obliged to keep the data for a longer period of time.

6. Data Sharing and Transfers 

The Company may share personal data with third parties in the following circumstances:

Service Providers: The Company may engage third-party service providers and subcontractors to assist in carrying out its operations involving data processing, such as IT support, marketing, payment processing, or data analytics. These service providers are contractually obligated to handle personal data in a confidential and secure manner and are prohibited from using the data for any other purpose.

Participants in the processing of personal data include e.g. the following parties:

• Financial administration service providers
• IT service providers
• Law firm

In addition, personal data can be disclosed:

• To tax authorities
• To the insurance company
• For cooperation partners
• For group companies
• To the company’s customers (including TV channels and broadcasters).

You can request more detailed information about recipients from the company.

Legal Requirements and Safety: The Company may disclose personal data if required to do so by law, legal process, or governmental authorities. Additionally, personal data may be shared to protect the rights, property, or safety of the Company, its customers, employees, or the public.

Corporate Transactions: In the event of a merger, acquisition, or other corporate transactions, personal data may be transferred to the acquiring or merged entity, subject to applicable data protection laws.

7. International Data Transfers 

Personal data will not be transferred outside the European Economic Area (EEA) by the Company, unless required by law or the transfer is necessary for the performance of a contract between the data subject and the controller or the implementation of pre-contractual measures taken at the data subject’s request.

If personal data is transferred to countries outside the EEA, the Company ensures that appropriate safeguards according to the GDPR are in place to protect the data.

8. Data Security 

The Company takes appropriate technical and organizational measures to ensure the security and confidentiality of personal data against unauthorized access, loss, destruction, or other risks. These measures are regularly assessed and updated as necessary to ensure the ongoing integrity and availability of personal data.

In accordance with this privacy policy, the Company may outsource the processing of personal data to service providers or subcontractors, in which case the company ensures with sufficient contractual obligations that personal data is processed appropriately and in accordance with the law.

9. Rights of Data Subjects 

Data subjects have rights to their own personal data according to the applicable data protection regulation. These rights include, inter alia, the right:

• to obtain information on the processing of their personal data
• of access to their data
• to rectification of their data
• to the erasure of their data and to be forgotten
• to restrict the processing of their data
• to data portability
• to object to the processing of their data
• not to be subject to a decision based solely on automated processing.

Data subjects can exercise their rights by contacting the Data Controller or the Data Protection Officer using the contact information provided in this Privacy Policy.

The right of access and to obtain information

The registered person has the right to receive confirmation as to whether the registered person’s personal data is being processed.

The registered person has the right to check and see the information about themself and, upon request, the right to receive the information in written or electronic form.

The right to rectify and erase data

The registered person has the right to demand the correction of incorrect or inaccurate information. In addition, the data subject has the right to request the deletion of their data. The controller also deletes, corrects and completes on its own initiative personal data that is incorrect, unnecessary, incomplete or out of date in terms of the purpose of the processing.

The right to transfer data and to limit processing and to object to processing

The registered person has the right to request the transfer of their data to another controller.

In addition, the data subject has the right to request the restriction of the processing of personal data in accordance with the conditions defined by the GDPR or other applicable data protection legislation.

The registered person has the right to object to the use of the data for certain types of processing. The registrant has the right to refuse the disclosure and processing of their data for direct marketing.

The right to withdraw consent

If the processing of personal data is based solely on the consent given separately by the data subject, the data subject has the right to withdraw the consent they have given to the processing of data concerning them. The cancellation has no effect on the processing carried out before the cancellation.

Exercise of rights

Requests regarding the rights of the data subjects are made electronically or otherwise in writing using the contact information mentioned above. The inspection request will be answered within a reasonable time and, if possible, no later than one month after the request is submitted and the identity is verified. We may request additional information as necessary in order to fulfill the aforementioned requests. If the data subject’s request cannot be agreed to, the data subject will be informed of the refusal in writing.

10. The right to file a complaint with the supervisory authority

The data subject has the right to file a complaint with the data protection authority, if the data subject considers that their personal data has been processed in violation of current applicable legislation.

11. Updates to the Privacy Policy 

The Company may update this Privacy Policy from time to time to reflect changes in its data processing practices or legal requirements. The updated version will be posted on the Company’s website, and data subjects are encouraged to review it periodically.

If there are significant changes to the Privacy Policy or if required by applicable law, the Company may provide additional notice or obtain consent as necessary.

12. Contact

If you have any questions or concerns regarding the processing of your personal data or this privacy policy, please contact the Data Controller or the Data Protection Officer using the contact information provided in this privacy policy.

 

This privacy policy has been updated on: 5 July, 2023.