Privacy policy
This is The Ateljé Helsinki Oy’s Privacy Policy in accordance with the Personal Data Act (sections 10 and 24) and the EU General Data Protection Regulation (GDPR). Compiled on 21 August 2020. Last modified on 28 October 2022.
1. Controller
The Ateljé Helsinki Oy
FI31181158
Laivurinkatu 10
00150 Helsinki, Finland
2. Contact person for the filing system
Mari Kekäle
+358 40 614 7688
3. Name of filing system
The Ateljé Helsinki Oy customer filing system
4. Legal basis and purpose of processing personal data
By using The Ateljé Helsinki Oy’s online services and registering in our customer filing system, you agree to our Privacy Policy and our Terms and Conditions.
We primarily collect customer information for the purpose of managing the customer relationship. Customer data may also be used for service and business development, marketing, analysis and statistical purposes. All customer and personal data collected by The Ateljé Helsinki Oy is always treated confidentially.
5. Data content of the filing system
The information stored in the filing system includes:
- Personal and contact information: name, invoicing and delivery address, email address, telephone number
- Payment information: your credit or debit card details, account number for refund transactions, credit agreements with a third party (Klarna) and any other billing information
- Company information: company name, business ID, invoicing information and the company’s postal and delivery address (if you do business with us as a company)
- Purchase information: purchases made (including the sum total, place of purchase, product group, product)
- Behaviour on the site: incomplete vouchers, loading times and errors, arrival
- Device information: main device, operating system, screen resolution, IP address, language settings
- Location information: your geographical location
- Product recommendation data and other data and identifiers used for targeted content
6. Regular sources of information
The information stored in the filing system is obtained from the customer through, for example, messages sent via electronic forms, email, telephone, social media services, contracts, customer meetings and other situations where the customer discloses their information.
7. Regular data disclosure and transfer of data outside the EU or EEA
To the extent permitted and required by applicable law, data may be disclosed for, among other things, marketing purposes of partners carefully selected by the controller to support the purpose of the filing system and/or the production of targeted content.
Data may be transferred to the following third parties:
- Analytical and statistical partners
- Product recommendation and personalisation partners
- Partners who maintain the customer filing system
- Partners who develop and maintain the online store
- Email marketing partner if the customer has authorised email marketing
- Printing houses and Posti for marketing communications sent by post if the customer has authorised marketing communications sent by post
- Marketing partners who manage and implement marketing on digital channels (Facebook, Google)
- Payment intermediaries when paying by payment card
- Credit issuers when the customer chooses to pay by invoice or instalments
- Transport companies when the chosen delivery method involves a pickup point or home delivery
- Suppliers in the event of complaints or when delivering prizes won in a prize draw
We sign contracts with all our partners, setting out their responsibilities for the processing of customer data. These contracts also take into account the requirements of the EU GDPR and other legislation. If data is disclosed outside the EU, it is disclosed securely and our partners are obliged to comply with the EU GDPR. Our safeguards include standard contractual clauses approved by the European Commission, the EU-US Privacy Shield or any other approved method specified in the GDPR.
Our partners do not have the right to pass on the information they receive.
All personal data is stored only for as long as it is necessary for the purpose for which it was collected or to establish that legal obligations have been fulfilled. Data may also be erased if the customer misuses the services or engages in inappropriate or unlawful activities. If necessary, data may be disclosed to the authorities at their request.
In the event of a data security breach, as required by the GDPR, we will notify the data protection authority of the breach within 72 hours and will always also inform the customer.
8. Principles of filing system protection
All personal and customer data collected by The Ateljé Helsinki Oy is stored in an appropriate and secure manner.
Care will always be taken when processing the personal data in our filing systems, and personal data processed using data systems will be appropriately protected. When filing system data is stored on Internet servers, appropriate care is taken to ensure the physical and digital information security of the equipment. The controller makes sure that the stored personal data, the rights of use of servers and other data critical for the security of the personal data are processed confidentially and only by employees whose job description includes this task and who are committed to complying with the required secrecy orders and the data security procedures required by the controller.
9. Right of access and the right to request the rectification of data
Every person included in the filing system has the right to check the data concerning themselves and to demand that inaccuracies are corrected, or that inadequate information is supplemented. If a person wishes to check or request rectification of the data stored about them, they need to send the request to the controller. The controller may ask the person making the request to prove their identity. The controller will reply to the customer within the time limit set in the EU GDPR (usually within one month).
10. Other rights relating to the processing of personal data
The data subject has the right to request the erasure of their personal data from the filing system (“the right to be forgotten”). Also, the data subject has other rights bestowed on them by the EU GDPR, such as the right to restrict the processing of their personal data in certain situations. Such requests must be sent in writing to the controller. The controller may ask the person making the request to prove their identity. The controller will reply to the customer within the time limit set in the EU GDPR (usually within one month).
Changes
The Ateljé Helsinki Oy reserves the right to change this Privacy Policy. Before placing an order, the customer must read the Terms and Conditions in effect – our updated Privacy Policy is always available on our website.
If a change is significant to the customer and materially alters the way we collect, process and store customer data, we will notify you by sending you an email, posting a notice in our online store and/or social media channels before the change takes effect.