Privacy Notice
The Finnish Composers’ Copyright Society Teosto is a copyright society for composers, lyricists, arrangers and music publishers whose task is to manage musical works of domestic and foreign authors, grant licenses and distribute royalties to authors for the use of their works.
Teosto is committed to protecting the privacy of its current and future rights holders, music users and other related stakeholders, and processes their personal data in accordance with applicable data protection legislation. In this privacy notice we provide further information on:
- How to contact us regarding the processing of your personal data;
- What data we collect and where we gather the data;
- The purpose for which the data is used and the legal grounds for the processing;
- For how long the data is stored;
- Where the data is disclosed and transferred;
- How we take care of data protection;
- What are the rights of the data subject.
1. CONTACT INFORMATION
Teosto is the data controller for the processing of personal data in accordance with this privacy notice.
DATA CONTROLLER
Finnish Composers’ Copyright Society Teosto (Business ID: 0117040-7)
Port of Music
Keilasatama 2 A,
FI-02150 Espoo, Finland
You can contact us by email at dataprivacy@teosto.fi for information about processing your personal data.
2. WHAT DATA WE PROCESS AND WHERE WE GATHER THE DATA
Along with the collective management of copyrights belonging to Teosto’s core business, Teosto is actively involved in influencing legislation and practices in the field, as well as in cultural activities focusing primarily in music. The extensive work of Teosto requires the processing of personal data of several groups of data subjects. Below we will describe what data we typically process of these data subjects and from which sources we will gather the data. When gathering data, we seek to inform what data is mandatory and what data you can give voluntarily.
Rightholders, beneficiaries and publisher members of Teosto
The rightholders of Teosto are the persons who have concluded a membership agreement with Teosto for the management of their works. We typically process the following personal data of the rightholders:
- Full name, address, phone number and email address;
- Social security number for unambiguous identification, which is necessary for the correct allocation of distribution;
- Bank details;
- The role of the author (composer, lyricist, arranger);
- Member number
- An International Identification Number (IPI Number) that is automatically created when joining as a rightholder, pseudonym (aliases);
- Works data;
- Network Service IDs (username);
- Tax information, details of recovery proceedings details and any debts reported to Teosto (such as debts to publishers);
- Information about the customer relationship (start and end dates), details of the events to which the person has participated (including information about possible allergies and diet of the rightholder);
- Information we receive from rightholders in connection with customer satisfaction surveys;
- Beneficiary information and information on wills as well as of deed of estate inventory and estates partition documents;
- Other personal data related to the customer relationship.
The beneficiaries of our rightholders are persons to whom the copyrights of the copyright owner have been transferred as a result of inheritance or other equivalent right. We typically process the following data of the beneficiaries:
- Full name, social security number and contact information
- Member number
- Bank details.
Teosto’s publisher members are companies that have entered into a membership agreement with Teosto for the management of compositions and arrangements and related lyrics and translations published by the publisher. We typically process the following personal data of publisher members (data is considered personal data when it can be connected to a natural person):
- Name, phone number and e-mail address of representative/contact person of publisher member
- Network Service IDs (username);
- Details of the events to which the publisher member’s representative/contact person has participated (including information about possible allergies and diet of the representative/contact person);
- Customer ID
We will gather the data on the rightholders mainly:
- from the person themself, for example from the affiliation agreement;
- when the person provides information in order to maintain customer relationship with Teosto (for example notifications of works and and notifications of withdrawals);
- from registries of the authorities (for example Tax Administration Registers);
- from Teosto’s domestic and foreign member and sister organisations;
- from other cooperation organisations (especially IPI number as well as information about the use of works and distribution);
- from publicly available sources (for example personal data relevant for the customer relationship and customer management).
In case of collaborative works, we may receive data from the works’ other rightholders.
The performance and usage information of the works is also gathered from the performance reports, program announcements, and other reports.
Data on beneficiaries of our rightholders is gathered either form the beneficiaries themselves, from the estate or from the authorities.
We gather data on representatives/contact persons of publisher members mainly:
- from the representative/contact person themselves, for example from the membership agreement or when the person provides information in order to maintain their customer relationship with Teosto;
- from Teosto’s domestic and foreign member and sister organisations;
- from other cooperation organisations.
In case of collaborative works, we may receive data from the works’ other rightholders.
Rightholders/publishers not represented by Teosto
Due to the operation of Teosto, we may also process the information of rightholders (composer, lyricists, or arranger) or representatives/contact persons of publishers not represented by Teosto if (i) the rightholder/publisher is a member of another copyright organisation and Teosto has a reciprocal agreement with the copyright organisation, and this organisation has authorized Teosto to process personal data or (ii) the rightholder/publisher is not a member of any copyright organisation, but Teosto represents the rightholder/publisher under an extended collective license in accordance with the Copyright Act.
We typically process the same data of the rightholders and representatives/contact persons of publishers not represented by Teosto than that of Teosto’s rightholders and publisher members’ representatives/contact persons, to the extent necessary to fulfil the obligations under the reciprocal agreement or extended collective license. Unless otherwise stated, the data of these rightholders/representatives/contact persons is processed for the same purpose as Teosto’s rightholders’ and publisher members’ representatives’/contact persons’ data.
In addition to the persons mentioned above, we also process the personal data of other rightholders and representatives/contact persons of publishers when this data is provided to Teosto in work notifications. This data may include the name, birthday, and e-mail address of the person. This personal data is processed as a part of works data in order to secure the persons’ copyrights and to administer works data, license music use and distribute copyright royalties. Teosto may also contact these persons when needed.
Music User Customers
Music user customers are companies, organisations or persons who have made an agreement with Teosto for the use of works represented by Teosto. The following data of the music user customers is typically processed:
- The name of the company holding the license, Business ID, contact information, billing and payment information;
- The first and last name, position/title, phone number and email address of the company’s contact persons;
- For private individuals: first and last name, phone number and email address;
- The name and contact information for the venue and for the performance license holder;
- Information on the requested licenses;
- User ID;
- Potential payment defaults and dunning information;
- Customer ID.
We will get data on music user customers primarily from the licensee herself or her representative via telephone, email or online service. In addition, we can gather data from databases maintained by public authorities and companies. We also gather data on mechanisation from Nordisk Copyright Bureau (NBC), which manages collectively the mechanisation rights for the Nordic copyright organisations. NBC operates in Copenhagen, Denmark. Information on our event customers can also be gathered from performance notifications made to Teosto, or organized events observed by Teosto, regarding which the organizer of the event has not notified Teosto. Music Performers.
Potential Music User Customers
We may process personal data of potential music user customers, for example, to check whether there is a need for a music licence. We typically process the following data of potential music user customers:
- Name of company, company ID, e-mail address, phone number and address;
- Name, title, phone number and email address of company representative;
- Name, phone number and email address of individual customers;
- Customer ID.
We collect the data of potential music customers either from the person itself or from publicly available data resources, such as public administration and company websites and databases maintained by companies.
Music Performers
Music performers are people who perform the works of an author represented by Teosto publicly and make a performance notification to Teosto of the performance event. The following data is typically processed on the music performers:
- First and last name, address, phone number and email address;
- Username;
- Other data voluntarily provided by the data subject.
We will get this data from the data subject herself.
Partners, other stakeholders and communication as well as feedback providers
These data subject groups include organisations and persons, policy decision-makers, and other persons in public or social sphere, who are Teosto’s partners, and who Teosto estimates having an interest in Teosto’s activities, persons who participate in events and trips organized by Teosto, feedback providers, as well as other persons who have expressed their willingness to be updated on Teosto’s operations and activities. Of these groups, we typically process the following data:
- First and last name, organisation represented by the person, position in the organisation, email address, phone number, and other information that may be publicly disclosed by the person (such as their political party, their position in the party and committee memberships);
- Information provided by the person on a case-by-case basis such allergies and diet, nationality, birth date, number and expiration date of identification document and social security number (for example in connection with registration to events, trips or campaigns or, for example in connection with Teosto’s Cultural Ambassador activities.
Data on people who participate in events or subscribe to communications is gathered from the person themself or from Teosto’s sister organisations or other copyright organisations. Data on our partners’ and stakeholders’ representatives is gathered from the data subjects themselves, or we gather it from our member organisations or other copyright organisations or from publicly available sources such as public administration and corporate websites.
Users of Teosto’s Whistleblowing-channel and persons subject to the reports
In connection with Teosto’s whistleblowing-channel provided in accordance with the Act on whistleblower protection, we process the following data about the whistleblower and the person subject to the whistleblower-report:
- Basic information about the whistleblower;
- Basic information about the person subject to the whistleblower-report;
- Other personal data provided by the whistleblower.
The data is collected from the whistleblower.
Other information
The data of each person may also include a permission or refusal to direct marketing provided by the data subject herself.
In addition, data of Teosto’s website users will be gathered using cookies in a way described in more detail in Teosto’s cookie policy. However, data collected through cookies is not primarily connected with personal data of an identified person although some data collected through cookies may indirectly be connected with personal data of an identified person. This data includes for example IP addresses and unique device identifiers. We process such data as personal data.
We also analyse the functionality and effectiveness of the email communications sent by us to our customers and individuals that have subscribed to our mailing lists by gathering data on which individuals have opened the emails and clicked the links included in the emails. We receive this information from our subcontractor which processes such data for and on behalf of Teosto.
3. LEGAL GROUNDS AND PURPOSE OF THE PROCESSING
We process data for the following purposes:
- We process the data of rightholders and representatives/contact persons of publishers for the establishment and management of customer relationship, for customer relationship related communication, for the maintenance of domestic and international authors’ registers, for maintenance of the contract register, for gathering and matching of usage data of works as well as for the distribution of royalties to the music authors (composers, lyricist and arrangers), authors’ estates and publishers. Due to the international nature of Teosto’s operations, processing is cross-border (see section 5: Transfers and disclosures of personal data). In this case, we process the data on the basis of membership agreement and the statutory obligation (Copyright Act and Act on Collective Management of Copyright)
- Data of the music user customers is processed for establishing and maintaining a customer relationship, for billing and collection of the license fees according to the music license agreements, for customer communication, and for other purposes related to the fulfilment of rights and obligations under the music license agreement. In this case, we will process information based on the agreement and statutory obligation (especially Copyright Act and Act on Collective Management of Copyright). When necessary, we may also process data on the basis of the legitimate interests of Teosto or a third party.
- We process potential music users’ data in order to check whether there is a need for a music licence and to react to possible infringements of rights, and to enable contacts in regards to the aforementioned based on legitimate interest or consent.
- Data on music performers is processed for the establishment and maintenance of customer relationship, for the processing of performance notifications and in customer communication. We can also process performance notifications made by performers for the purpose of monitoring and enforcement of the licenses.
- We process the data of the Whistleblowing-channel’s users and persons subject to the whistleblower-reports in order to provide a Whistleblowing-channel as required by the Act on whistleblower protection and to fulfill our obligations set out in the aforementioned law.
In addition, we are processing data in general for the following purposes:
- Events. We will process data for the purpose of organizing events, as well as for providing invitations and newsletters for these. In this occasion, we will process data to fulfil the agreement for the service the person has subscribed to, or for the purpose of Teosto’s legitimate interest.
- Communication. We will process data for communication (including emails), related to Teosto’s operations, services and events, to the extent that no such communication has been prohibited by the data subject. In this case, we process data in legitimate interest or with the consent of the data subject. Such communication does not apply to communication related to customer relationship or agreement matters, which we will carry out on grounds mentioned above.
- Research and development. We process data for the research and development of Teosto’s products and services on the basis of Teosto’s legitimate interest.
- Public affairs and Legal Claims. We process information for the fulfilment of tasks related to Teosto’s public affairs activities. We also process information to investigate and to prevent potential infringements of agreements and infringement of rights, and to resolve any potential irregularities related to the use of works, and for the enforcement of rights.
- Provision of social media plugins on Teosto’s website. When a visitor visits Teosto’s website, the visitor’s browser may automatically transmit data, such as the visitor’s IP address, to third parties through social media plugins as described in our Cookie policy. The purpose of processing of such data is the provision of social media plugins to our website visitors on the basis of our legitimate interest.
- Provision of Spotify music on Teosto’s website. Spotify Play feature has been emdedded in our website enabling our website visitors to listen to Spotify music on our website. When a website visitor visits our website the visitor’s browser may automatically transmit data, such as the visitor’s IP address, to Spotify. The purpose of processing of such data is the provision of the Spotify Play functionality to our website visitors on the basis of our legitimate interest. The use of cookies relating to Spotify Play is described in our cookie policy.
- For quality improvement and trend analysis. We also process information about the user’s use of our services (including our communications) to improve the quality of the our services e.g. by analyzing any trends in the use of our services. In order to ensure that our services are in line with the users’ needs, personal data can be used for things like customer satisfaction surveys. When possible, we will do this using only aggregated, non-personally identifiable data. The legal ground for processing such data is our legitimate interest.
- Feedback providers. We process feedback providers’ data in order to respond to the feedback, provide services or develop our operations based on consent or legitimate interest.
4. DATA STORAGE TIME
We process data only for as long as it is necessary for the purposes defined above. We may also inform specific data storage times on case-by-case basis.
- Data on the rightholders. We will store the data on the rightholder until the agreement between the rightholder and Teosto is in force and the copyrights of her works (including joint works) managed by Teosto are in force (lifetime and 70 years after the death of the author or the death of the last author of joint works). Despite the end of the customer relationship, Teosto may be required to store certain data necessary for the purpose of distributing royalties as long as the copyrights of the author are in force.
- Other data processed under the agreement. In other respects, we will store data regarding the agreements, such as music licenses, as long as it is necessary to fulfil the contractual rights and obligations, unless law provides for a longer storage time.
- Data used for communication. Personal data used for Teosto’s communication (including data subjects involved formerly in the activities of Teosto, as well as stakeholder data) will be stored as long as the data subject is in a position in which he or she is assumed to be interested in Teosto’s activities and the data subject has not requested the deletion of her data.
- Information on events. Data regarding participation in events organized by Teosto is stored for about 3-5 years.
- Information on quality improvement and trend analysis. Data regarding quality improvement and trend analysis is stored for 3-5 years depending on the service used for the data gathering.
- Information on prohibitions. If a data subject has refused to Teosto’s communications or surveys and there is no other ground for processing data, we will keep the data on the prohibition and contact information to ensure compliance.
- Data received through the Whistleblowing-channel. We store data received through the Whistleblowing-channel for a maximum of five years (from the receipt of the report), unless it is necessary to store the data after this, in order to exercise rights or obligations deriving from the Act on protection of whistleblowers or other legislation, or to draft, present and defend a legal claim.
We try to keep the personal data we hold correct and up to date by deleting unnecessary data and updating outdated data. If you have created a username and password for Teosto’s online service, you can verify and update your data by signing in to the service.
5. TRANFERS AND DISCLOSURES OF PERSONAL DATA
Teosto discloses and transfers your personal data mainly as described below:
- Member and sister organisations, partner organisations, other copyright organisations: Rightholders basic information (name, address, phone numbers, IPI number) and work information may be transferred to Teosto’s domestic and international member and sister organisations and other partner organisations to ensure correct distribution of royalties as well as for other justified purposes related to the management of works in accordance with industry practice. Rightholders’ data may also be disclosed to our member organisations for their legitimate needs. Partners’ and stakeholders’ data may be transferred to other copyright organisations for communication and lobbying purposes. In addition, data and statistics that relate to music use and that might include rightholder and works data may be transferred to our member organisations within the limits of the agreements between Teosto and the music user customers.
- Users of Network Service: Users of Teosto’s Network Service may access rightholders’ basic data and works data (however not data on work shares for other works than one’s own). Access to the aforementioned data is necessary for enabling the user to use the network service (for example to send work notifications).
- Transfers and disclosures based on the Act on Collective Management of Copyright: We may be required to disclose certain personal data to the users of the works on the basis of the Act on Collective Management of Copyright, unless you have prohibited such disclosure.
- Authorities: We may disclose your personal data to the competent authorities (such as the Tax Administration) in the manner required by applicable law.
- Consent: We may, with your consent, disclose your information to third parties, for example, for the purpose of obtaining copyright licenses directly from the rightholder. We ask for such consent separately.
- Mergers and acquisitions: If we sell, merge or otherwise arrange our business, your personal data may be disclosed to the parties of the arrangement.
- Enforcement and legal claims: We may disclose your personal data to third parties if it is necessary for the enforcement of the agreement, collection of receivables investigation of possible infringement, or for the enforcement of rights.
- Subcontractors: We use subcontractors for the processing of personal data for and behalf of Teosto (for example GT Musiikkiluvat Ltd, which is owned by Teosto and Gramex). We have ensured by contractual arrangements that the subcontractor/ will process personal data in accordance with the applicable law.
- Music user customers: We may disclose your personal data, for example the data from performance notifications, to music user customers if the disclosure is needed for agreeing on music use or collecting royalties.
- Publisher and rightholder members: Data concerning music user customers and music performers, for example data from performance notifications, as well as rightholders’ data, for example data from cue sheet documents, may be transferred to Teosto’s publisher and rightholder members when the transfer is necessary to ensure correct distribution of royalties. In addition, publisher and rightholder members may access the data of their own works which includes the names and shares of all the work’s authors and the name of each author’s publisher.
- Third parties for research and development activities: W may transfer rightholder and works data (except for work shares) and performers’ concert data and set lists to third parties (for example to a system developer or researcher) for research and development purposes.
- Third parties for the provision of social media plugins and other functionalities of our website: We may transfer data relating to our website visitors’ browsers to social media service providers in order to provide social media plugins to our website visitors as well as to Spotify in order to provide Spotify Play functionality to our website visitors.
Disclosures and transfers outside the EU and EEA. As a rule, we are not transferring personal data outside the EU or EEA. However, rightholders’ basic and work information may be disclosed and transferred to Teosto’s sister organisations and other partner organisations outside the EU and EEA, in order to ensure the right distribution of royalties, for obtaining and granting licenses, and for the purposes necessary for the management of the author’s works. In addition, if we use a subcontractor when processing the data, personal data may in certain situations be transferred outside the EU/EEA. In the aforementioned situations, we comply with safeguards and transfer criteria laid down in data protection legislation.
6. DATA SECURITY
Teosto processes your personal data in a secure manner and uses appropriate organisational and technical data security tools to protect your personal data. Databases used for personal data processing are protected by firewalls, passwords and other technical means. Databases and their backups are located in locked spaces. Manually processed documents containing personal data are stored in locked premises where access is monitored by access control. We ensure that only those workers and workers of those companies who work on behalf of Teosto, have access to such data that is necessary to carry out their duties. Teosto applies its own security policy in securing the data security, for more information (in Finnish).
7. RIGHTS OF THE DATA SUBJECT
As a data subject, you have certain legal rights to influence the processing of your personal data. You can currently influence your data processing in ways listed below:
- Checking, correcting and deleting data: You have the right to examine personal data stored on you. Upon request, for the purpose of processing, we correct, complete, or delete any faulty, incomplete or outdated personal data. If you have created online service IDs for Teosto’s online services, you can also update your data by signing in to the service. You have the right to request the removal of your personal data (“right to be forgotten”) on the basis of law. To the extent the data has derived from the Whistelblowing-channel and the report has been made in accordance with the Act on whistleblower protection, the data subject’s right to check their data can be restricted, if it is necessary to secure the investigation of the report or to protect the identity of the whistleblower. Nevertheless, the data subject has the right to get information about other data concerning them. The data subject is also entitled to receive information about the aforementioned restrictions, and to ask that the data is provided to the Data Protection Ombudsman in accordance with the Data Protection Act.
- Withdrawal of consent: You can withdraw your consent at any time by contacting our customer service or other specially provided means such as clicking the link at the end of the message. Withdrawal of consent does not affect the legality of measures taken before the withdrawal.
- Transfer of data: By contacting our customer service you may have your personal data, which we automatically process on the basis of the consent or agreement, transferred.
- The right to object direct marketing and profiling: You can at any time prohibit the processing of your personal data for direct marketing and related profiling by clicking on the link at the end of the message or by contacting our customer service. Since Teosto does not actually engage in direct marketing, in the case of Teosto’s communications, the right of denial applies to Teosto’s communications that we carry out on a legitimate interest.
- Objection and restriction right: Based on your personal situation, you may object processing that is based on a legitimate interest. For example, in such a situation, processing is limited for the duration of the evaluation of such grounds. The processing can also be limited when, for example, the data subject disputes the accuracy of the personal data, whereby the processing is limited to the period in which we can verify the accuracy of the data. To the extent the data has derived from the Whistleblowing-channel, the data subject cannot invoke their right to restriction of processing of personal data.
Right to complaint: You can file a complaint at the authority if you consider that your data has been processed against this privacy notice and against any applicable law. The contact details of the supervisory authority can be found at www.tietosuoja.fi/en.
Updated on 22 May 2024