General Data Protection Principles

Purpose of the General Data Protection Principles document

The purpose of this document is to set out the principles and practices that are applied in Finavia Corporation (hereinafter referred to as “Finavia”) to ensure the protection of personal data.

This document describes the scope of personal data collected, and how and where that data is used. In addition, it describes how Finavia ensures the legitimate processing of personal data in its various operations and locations.

General Principles for Processing of the Personal Data

The general principles for processing of the personal data described in this section apply to processing of all personal data by Finavia. Therefore, these principles concern not only the collection and use of the data of Finavia’s customers but also its employees and other stakeholders.

Finavia is committed to comply with applicable data protection and other laws, binding governmental policies and good data protection practices in its all activities. As the activities and services of Finavia and data protection laws may change in future, this document is regularly updated as required.

The processing of personal data in Finavia shall always be lawful, transparent and appropriate. Finavia collects personal data only for carefully defined legitimate purposes provided in advance before collecting any data. The specific purposes for processing the personal data as well as the legal basis for the processing are defined in the respective descriptions of the personal data files (Privacy policies) provided per categories of the personal data.

Finavia processes only personal data that is necessary for the performance of its operations. Therefore, personal data is processed only to the extent and for as long as there are legal or regulatory grounds for doing so, or it is necessary for the purpose of the data to be used. Finavia does its best efforts to ensure that it does not handle invalid, incomplete or outdated data. The accuracy of the personal data has to be ascertained from the person itself or from other reliable sources. In addition, the collected personal data will be constantly updated. If possible, Finavia renders personal data anonymous in such a manner that the data does no relate to an identifiable natural person or personal data. Personal data that is no longer needed will be deleted appropriately.

Finavia provides services relating to air transport excluding air navigation services. In order to ensure that air transport is as safe, smooth and efficient as possible, it will require the collection and processing of passenger personal data. Often the processing of personal data is carried out for fulfilling the statutory obligations set out in the applicable legislation. The use of the services provided by Finavia to its customers may also require registration or entering into an agreement by and between Finavia and the person using the services. In this case, processing of personal data is based on the execution of the respective agreement. In addition, Finavia may process personal data on other legitimate grounds, such as consent of a person.

Disclosure of Data

Finavia may disclose personal data to third parties only to the extent permitted by law. Personal data may be disclosed to other airlines and authorities, such as Finnish Transport Safety Agency (Trafi), Data Protection Ombudsman, Police and Emergency Response Centre Administration and other authorities with legitimate grounds or based on the decision of competent authority.

Finavia may use subcontractors and third party service providers for technical development of the services, maintenance, customer service, administration and analyzation of user information, research, client communication or execution of different campaigns. In such cases personal data may be disclosed outside Finavia only to the extent that subcontractors and other service providers participate in providing Finavia services by complying with the purposes of processing the personal data enable the disclose of such data. Where the personal data is disclosed, Finavia obliges third parties to ensure appropriate safeguards and provide adequate security controls for such data.

In certain situations, personal data collected by Finavia may be transferred outside the EU/EEA. If Finavia transfers personal data outside the EU/EEA by using an external service provider, Finavia ensures the appropriate safeguards by using standard contractual data protection clauses of the European Commission.

Responsibility for Data Protection

The management is responsible for sufficient data protection in Finavia. Everyone working in Finavia or its affiliates should be aware of and manage the data protection obligations and risks related to their own area of responsibility. Data protection is guided and developed by a designated Data Protection Officer with the mission of assisting Finavia staff and management in data protection issues. Nevertheless, the ultimate responsibility for data protection in Finavia lies with its management.

Finavia is responsible for data protection also when it outsources the processing of personal data. In such cases, Finavia ensures that the selected outsourcing partner processes personal data received from Finavia only for the purposes stated in the agreement between the parties and in accordance with the instructions given by Finavia.

Outsourced processing of the personal data shall be governed by a written contract compliant with the data protection laws setting out among other things the subject-matter and duration of the processing, nature and purpose of the processing, the type of personal data and categories of data subjects and the obligations and rights of the parties.

When Personal Data is collected

Finavia collects personal data to provide safe, efficient and fluent air transport services at its airports. The personal data is collected e.g. when you use the pre-booking in the airport’s parking reservation system and in connection with the baggage handling process, security check and when assisting physically impaired. In addition, Finavia collects and processes personal data when providing the wireless Wi-Fi for you.

In addition to Finavia, other companies, such as Air Navigation Services Finland Ltd., airlines, ground handling service providers and various stores and restaurants at its airports may collect personal data from their customers. In that case the service providers mentioned above will follow their own privacy policies and Finavia is not responsible for execution of their Data Protection Principles nor their terms of contract.

Additionally, Finavia collects personal data in connection with the online services it offers. These online services include a website (www.finavia.fi), Helsinki Airport mobile app operated by Finavia and various services offered in these platforms, such as Finavia Online Shop, Premium Lounge, Premium lane- To-Go- and car wash and cleaning service as well as parking pre-booking and myFlights-service.

The user terms of service of a particular app store, such as Apple’s App Store, Google Play or Microsoft Store, will apply to apps downloaded there. Finavia recommends that users of Helsinki Airport app read the privacy policies and user terms of such third party service providers. Finavia is not liable for any damages caused by the privacy policies or user terms of any third party.

In addition, Finavia connects and integrates services of other service providers like online shops. Privacy policies and terms of use of such third party service providers are applied to these integrated services.

What Personal Data are collected

Finavia collects or may collect following data at its airports: registration numbers of vehicles parked using Finavia’s pre-booking service, data concerning baggage declared by airlines in connection with the baggage handling process, information in the boarding passes during security controls and information required for applications for passes and other authorizations at the airports. In addition, Finavia collects login information related to the use of wireless network provided by Finavia at its airports.

In order to avoid congestion in security check and to provide information about likely queues for security controls, Finavia collects MAC-address information via Bluetooth or wireless network from customers’ mobile devices.

Finavia may also collect anonymous position data of customers’ mobile devices via Bluetooth, inter alia, to estimate the lead time of the passenger flow or the commercial potential of the shops.

Finavia also processes season card applications relating to commercial and general aviation, and in connection with these applications Finavia will collect and process personal data.

A registration might be required for some Finavia’s online services in which case following information may be asked and collected: name, workplace, phone number, home address and email address. This Personal Data is used, inter alia, to provide services and messages and to allocate services.

Finavia collects following information when you visit Finavia’s website: IP-address, device and browser type, movement on the website using the URL-information and timestamps and the URL of the arrival site. Finavia uses this information to provide chat-services, for analytic purposes and to improve and develop its services.

Finavia may also collect Personal Data through feedback forms. Such information will be processed and handled in accordance with the data protection laws and only to process the received feedback. Finavia does not share this information to third parties unless it is necessary for processing or there is legal and justified reason for disclosure.

In addition, Finavia collects data from the use of its’ online services. Such data is not personal data and the users of the online services cannot be identified.

How personal data is collected and processed

Personal Data are collected at Finavia’s airports to ease the travel process, to minimize the flight delays and to enforce airport surveillance obligations as required by law. Information may be collected in connection with the seat reservation and/or self-service machine, security controls, departure gate or baggage handling process. The said information may be obtained partly from the Departure Control Systems of the airlines, for example to allow baggage handling, and some is obtained automatically from the check-in desks at the airport, check-in systems or the information in the boarding pass presented by passengers himself/herself.

Finavia collects personal data when using Finavia’s online services provided on its website that may require log in, such as purchasing or ordering from online.

All collected data is used for purposes mentioned above.

In addition to personal data, Finavia collects automatically anonymous data about visits on its website and the users of its online services with Google Analytics and Datastudio. Finavia collects the said data to provide and develop its services and to ensure data security and to prevent misuse of services.

Use of services in mobile apps

Finavia also collects following data when you use our services through mobile apps: device-specific information (such as operating system and information regarding other apps, as well as device identifiers including phone’s unique device identifiers)

When using Finavia’s services, location information may also be collected in case the user has expressly given a consent for the collection.

Push notifications

If you enable the notification service (“push notification”, e.g. for obtaining updates on flights), an automatically generated identification number (“token”) is additionally saved, together with the language settings as long as the notification service is used after which it is automatically deleted. The token is generated by the provider of the app store from which you obtained the App (Apple Inc. for iOS devices and Google Inc. for Android devices) and sent to Finavia. For the notification service, the token is sent together with the content of each notification to Apple Inc. or Google Inc., after which the content is retransmitted via Apple Inc.’s or Google Inc.’s own services. The information sent to Apple Inc. or Google Inc. may result in conclusions to be made about the users. However, the mentioned information is only temporarily stored on systems operated by Finavia. Thus, if you use the notification service you also use services of Apple Inc. (iOS) or Google Inc. (Android) which are outside of Finavia’s control. Personal data may also be transferred and processed outside the EU or EEA. For more information on the handling of personal data by Apple Inc. or Google Inc. in connection with the use of notification service, please consult the relevant provider’s own data Data Protection Principles.

Cookies

Finavia uses cookies and other equivalent techniques to improve the content, quality and user experience of its online services so that its online service corresponds better to need of its users.

As a user, you may disable cookies in your web browser via its settings. If cookies are disabled, it is possible that you cannot use all features of Finavia’s online services. Finavia may also use cookies of third parties.

Cookies are small text files which are created on your device. Cookies will usually contain anonymous distinctive identifier which allows the recognition of web browsers.

Profiling

Finavia does not in principle use profiling. In case it is used, there is possibility to refuse.

Changes to this General Data Protection Principles document

Finavia develops constantly its services and may from time to time make changes to this document without prior notice. If there are major material changes, Finavia will inform accordingly in its website.

Instructions for using Data subject rights

Please note that the Data Subject Access Request (DSAR) form is only intended for submitting access requests in accordance with Articles 15-18 and 20-21 of the EU General Data Protection Regulation.

Information on how to make other types of requests and general inquiries can be found on the contact information page or on the contact form page. You can also contact our customer service by phone or chat.

If you wish to know whether or not we process your personal data and what data we potentially have about you we kindly request you to fill in the attached form and send it to us. In order we can focus on appropriate information systems when searching for your information please point out on the form what Finavia provided services your request concerns and your role in relation to us when you used our services.

The mandatory field “Email address” is important. If you signed up for our services (digital services and advance reservation of parking, lounge and ancillary services) using the e-mail address you fill in on the form we can usually identify you and search for your information on that base. We will also reply to the email address you fill in there unless you want a reply by mail. In that case, please use the free text field to let us know your postal address.

You can specify your request in more detail than the questions on the form allow by adding a free-form attachment to your request. However, do not attach, for example, a copy of your identity card, sensitive information or other personal data which is not necessary to process your request. If necessary, we will ask you to verify your identity separately upon receipt of your request.

We endeavor to respond within one (1) month from receipt of your request made as described above.

Link to the form

We store all information we receive as part of your request in a filing system. This is because we are accountable in accordance with GDPR (i.e. we must be able to demonstrate compliance in all regards).

You can use the following link to view our Privacy Policy describing how we process personal data in the filing system in separation from other processing activities Privacy policy - Register for Controller's Data Protection accountability (PDF)