In this privacy statement, we explain how HIFF (“Controller”, “we”) processes the personal data of its customers and the users of its online services (“Data Subject”) and how one can influence the processing of personal data. The Controller complies with all applicable data protection legislation.


Helsinki International Film Festival – Rakkautta & Anarkiaa/ Love & Anarchy ry (1516764-7)

Simonkatu 12 B 13

00100 Helsinki

Person in charge of the register

Communications Planner

Inari Nikkanen

+358 40 5098818


Personal data that is collected

The Controller processes personal data only to the extent necessary for the purposes described in this privacy statement. The personal data collected and the extent of their processing vary depending on the relationship between the Controller and the Data Subject, the consent given and the privacy settings of the browser used by the Data Subject.

The information to be collected includes:

  • names
  • addresses
  • language of use
  • date of birth
  • gender
  • country of residence
  • phone numbers
  • email addresses
  • organisational details
  • records relating to direct marketing authorisations and prohibitions
  • other information necessary for the use of the services.

The information is collected

  • when purchasing/reserving tickets
  • when subscribing to the e-newsletter
  • from the customer register of the partner Eventio (only customers of events organised by the Controller)
  • by cookies or other similar technologies.

Use of third parties

Third parties do not have the independent right to use the information they receive from us for purposes beyond the scope of the mandate. We ensure that all our service providers comply with data protection legislation. 

The Controller uses the services of Eventio to carry out its ticket sales. Eventio acts as the data processor, operating only on behalf of the Controller. Eventio does not hand over data to a third party unless the Controller gives written instruction to do so.

We use Creamailer to send newsletters and information, for which we collect customers’ email addresses. Creamailer is the processor of the personal data file held by the Controller.

Accreditation for the festival, registration for events, recruitment and responding to enquiries are done through Airtable. Airtable is the processor of the personal data held by the Controller.

Intended use of personal data and legal basis for data processing

The Controller uses the collected personal data for various measures necessary for the management of the customer relationship, such as the proper and safe organisation of the event, the delivery of ordered products or services, and the provision of customer service and other customer support. The collected data may also be used for customer communications and customer relationship maintenance. The processing of personal data is based on an agreement between the Data Subject and the Controller on the delivery of a product or service (such as a ticket or associated merchandise order) and on a legitimate interest in processing the data as a result of action taken to form a customer or employee relationship (such as registering for an event).

The Controller may use the collected personal data for marketing and advertising and other commercial purposes, provided that the Data Subject has given their consent. In terms of electronic direct marketing, the processing of personal data for commercial purposes is based on the consent of the Data Subject.

The Controller may use the collected personal data to develop products and services and to improve the provision of services. Measures related to development and improvement include product recommendations or personalisation of communications. In this case, the processing of the data is based on the Controller’s legitimate interest in utilising the collected data for the benefit of the Data Subject.

Sharing and disclosure of personal data

The Controller may use other third party services to process personal data. In such cases, the Controller will ensure the lawful processing of personal data through contractual arrangements and written instructions to the third party.

In addition, the Controller may disclose personal data to third parties where required to do so by applicable law or where it is necessary for the exercise of the rights or safety of the Controller or the Data Subject.

Transfer of personal data outside the EU/EEA

Personal data may be transferred outside the EU as the data is stored and processed almost exclusively in electronic form and some of the service providers we use to store and process the data may be located in countries outside the EU. We will always ensure that the transfer of personal data outside the EU is carried out with adequate safeguards as required by data protection legislation. The preferred options are transfer to an EU Commission-approved country with adequate data protection, transfer to an EU-US Privacy Shield certified company (for US-based transferees), or use of EU model clauses.

Use of cookies

We use cookies to improve the experience of our online services as well as to monitor and facilitate their use. Cookies allow short text-based information to be saved in your browser for future reference.

For more information about cookie policies and cookies added by third parties, see the Cookie Policy.

We use Google Analytics on our website. For more information about Google Analytics privacy, please read the Google Analytics Privacy Policy.

Retention of personal data

The Controller will keep the personal data for as long as necessary for the purpose for which it was collected. However, applicable accounting or other mandatory legislation may require data to be kept for longer than this period. In such situations, the retention periods specified in the legislation will be respected.

Data generated from the use of online services will be kept for a period of approximately 12 months in a form that allows individual users to be identified.

Data relating to payment transactions, such as copies of receipts, will be kept in accordance with legal requirements.

The Data Subject’s rights and opportunities for exerting influence

The Data Subject has the right to access their personal data and the right to inspect and rectify personal data concerning them. In addition, the Data Subject has the right to request the deletion of personal data concerning them to the extent that this is possible under other legislation. The Data Subject also has the right to transfer personal data concerning them to another Controller.

The Data Subject has the right to prohibit direct marketing and to oppose the processing of their personal data for direct marketing purposes.

Requests for the exercise of these rights must be submitted to the Controller in accordance with the contact details given in this privacy statement.


The Controller shall ensure the secure processing of personal data with appropriate physical and technical security measures in order to protect the data from loss, destruction, misuse and unauthorised use and disclosure. The Controller shall endeavour to ensure the secure processing of personal data, for example by limiting access to personal data and ensuring that employees and subcontractors use personal data in accordance with the instructions, agreements and legislation in force.