Finnish Composers’ Copyright Society Teosto is a copyright society for composers, lyricists, arrangers and music publishers whose task is to manage musical works of domestic and foreign authors, grant licenses and distribute royalties to authors for the use of their works.
- How to contact us regarding the processing of your personal data;
- What data we collect and where we gather the data;
- The purpose for which the data is used and the legal grounds for the processing;
- For how long the data is stored;
- Where the data is disclosed and transferred;
- How we take care of data protection;
- What are the rights of the data subject.
1. CONTACT INFORMATION
Finnish Composers’ Copyright Society Teosto (Business ID: 0117040-7)
Port of Music
Keilasatama 2 A,
FI-02150 Espoo, Finland
You can contact us by email at firstname.lastname@example.org for information about processing your personal data.
2. WHAT DATA WE PROCESS AND WHERE WE GATHER THE DATA
Along with the collective management of copyrights belonging to Teosto’s core business, Teosto is actively involved in influencing legislation and practices in the field, as well as in cultural activities focusing primarily in music. The extensive work of Teosto requires the processing of personal data of several groups of data subjects. Below we will describe what data we typically process of these data subjects and from which sources we will gather the data. When gathering data, we seek to inform what data is mandatory and what data you can give voluntarily.
Rightholders, beneficiaries and publisher members of Teosto. The rightholders of Teosto are the persons who have concluded a membership agreement with Teosto for the management of their works. We typically process the following personal data of the rightholders:
- Full name, address, phone number and email address;
- Social security number for unambiguous identification, which is necessary for the correct allocation of distribution;
- Bank details;
- The role of the author (composer, lyricist, arranger);
- Member number
- An International Identification Number (IPI Number) that is automatically created when joining as a rightholder, pseudonym (aliases);
- Works data;
- Network Service IDs (username);
- Tax information, details of recovery proceedings details and any debts reported to Teosto (such as debts to publishers);
- Information about the customer relationship (start and end dates), details of the events to which the person has participated (including information about possible allergies and diet of the rightsholder);
- Information we receive from rightholders in connection with customer satisfaction surveys;
- Beneficiary information and information on wills as well as of deed of estate inventory and estates partition documents.
The beneficiaries of our rightholders are persons to whom the copyrights of the copyright owner have been transferred as a result of inheritance or other equivalent right. We typically process the following data of the beneficiaries:
- Full name, social security number and contact information
- Member number
- Bank details.
Teosto’s publisher members are companies that have entered into a membership agreement with Teosto for the management of compositions and arrangements and related lyrics and translations published by the publisher. We typically process the following personal data of publisher members (data is considered personal data when it can be connected to a natural person):
- Name, phone number and e-mail address of representative/contact person of publisher member
- Network Service IDs (username);
- Details of the events to which the publisher member’s representative/contact person has participated (including information about possible allergies and diet of the representative/contact person);
We will gather the data on the rightholders mainly:
- from the person themself, example from the affiliation agreement;
- when the person provides information in order to maintain customer relationship with Teosto (for example notifications of works and and notifications of withdrawals);
- registries of the authorities (example Tax Administration Registers);
- Teosto’s domestic and foreign member and sister organisations;
- from other cooperation organisations (especially IPI number as well as information about the use of works and distribution).
In case of collaborative works, we may receive data from the works’ other rightholders.
The performance and usage information of the works is also gathered from the performance reports, program announcements, and other reports.
Data on beneficiaries of our rightholders is gathered either form the beneficiaries themselves, from the estate or from the authorities.
We gather data on representatives/contact persons of publisher members mainly:
- from the representative/contact person themselves, for example from the membership agreement or when the person provides information in order to maintain their customer relationship with Teosto;
- from Teosto’s domestic and foreign member and sister organisations;
- from other cooperation organisations.
In case of collaborative works, we may receive data from the works’ other rightholders.
Rightholders/publishers not represented by Teosto. Due to the operation of Teosto, we may also process the information of rightholders (composer, lyricists, or arranger) or representatives/contact persons of publishers not represented by Teosto if (i) the rightholder/publisher is a member of another copyright organisation and Teosto has a reciprocal agreement with the copyright organisation, and this organisation has authorized Teosto to process personal data or (ii) the rightholder/publisher is not a member of any copyright organisation, but Teosto represents the rightholder/publisher under an extended collective license in accordance with the Copyright Act.
We typically process the same data of the rightholders and representatives/contact persons of publishers not represented by Teosto than that of Teosto’s rightholders and publisher members’ representatives/contact persons, to the extent necessary to fulfil the obligations under the reciprocal agreement or extended collective license. Unless otherwise stated, the data of these rightholders/representatives/contact persons is processed for the same purpose as Teosto’s rightholders’ and publisher members’ representatives’/contact persons’ data.
Music User Customers. Music user customers are companies, organisations or persons who have made an agreement with Teosto for the use of works represented by Teosto. The following data of the music user customers is typically processed:
- The name of the company holding the license, Business ID, contact information, billing and payment information;
- The first and last name, position/title, phone number and email address of the company’s contact persons;
- For private individuals: first and last name, phone number and email address;
- The name and contact information for the venue and for the performance license holder;
- Information on the requested licenses;
- User ID;
- Potential payment defaults and dunning information.
We will get data on music user customers primarily from the licensee herself or her representative via telephone, email or online service. In addition, we can gather data from databases maintained by public authorities and companies. We also gather data on mechanisation from Nordisk Copyright Bureau (NBC), which manages collectively the mechanisation rights for the Nordic copyright organisations. NBC operates in Copenhagen, Denmark. Information on our event customers can also be gathered from performance notifications made to Teosto, or organized events observed by Teosto, regarding which the organizer of the event has not notified Teosto. Music Performers.
Music Performers. Music performers are people who perform the works of an author represented by Teosto publicly and make a performance notification to Teosto of the performance event. The following data is typically processed on the music performers:
- First and last name, address, phone number and email address;
- Other data voluntarily provided by the data subject.
We will get this data from the data subject herself.
In addition, if the performers use our Keikkamobiili app, we may collect their mobile identifier, such as their Google Advertising ID. The Google Advertising ID is an anonymous identifier provided by Google Play services and we use it in the process of allocating and sending notifications to performers using the App (for example reminders that reports should be provided by a certain date) and for analytics purposes. We do not combine the identifier with any personal data. You can opt-out of receiving the communications at any time by changing the respective operating system settings of the Keikkamobiili app in your mobile phone or tablet.
Partners, other stakeholders and communication. These data subject groups include organisations and persons, policy decision-makers, and other persons in public or social sphere, who are Teosto’s partners, and who Teosto estimates having an interest in Teosto’s activities, persons who participate in events and trips organized by Teosto, as well as other persons who have expressed their willingness to be updated on Teosto’s operations and activities. Of these groups, we typically process the following data:
- First and last name, organisation represented by the person, position in the organisation, email address, phone number, and other information that may be publicly disclosed by the person (such as their political party, their position in the party and committee memberships);
- Information provided by the person on a case-by-case basis such allergies and diet, nationality, birth date, number and expiration date of identification document and social security number (for example in connection with registration to events, trips or campaigns or, for example in connection with Teosto’s Cultural Ambassador activities.
Data on people who participate in events or subscribe to communications is gathered from the person themself or from Teosto’s sister organisations or other copyright organisations. Data on our partners’ and stakeholders’ representatives is gathered from the data subjects themselves, or we gather it from our member organisations or other copyright organisations or from publicly available sources such as public administration and corporate websites.
Other information. The data of each person may also include a permission or refusal to direct marketing provided by the data subject herself.
We also analyse the functionality and effectiveness of the email communications sent by us to our customers and individuals that have subscribed to our mailing lists by gathering data on which individuals have opened the emails and clicked the links included in the emails. We receive this information from our subcontractor which processes such data for and on behalf of Teosto.
3. LEGAL GROUNDS AND PURPOSE OF THE PROCESSING
We process data for the following purposes:
- We process the data of rightholders and representatives/contact persons of publishers for the establishment and management of customer relationship, for customer relationship related communication, for the maintenance of domestic and international authors’ registers, for maintenance of the contract register, for gathering and matching of usage data of works as well as for the distribution of royalties to the music authors (composers, lyricist and arrangers), authors’ estates and publishers. Due to the international nature of Teosto’s operations, processing is cross-border (see data disclosure and transfers). In this case, we process the data on the basis of membership agreement and the statutory obligation (Copyright Act and Act on Collective Management of Copyright)
- Data of the music user customers is processed for establishing and maintaining a customer relationship, for billing and collection of the license fees according to the music license agreements, for customer communication, and for other purposes related to the fulfilment of rights and obligations under the music license agreement. In this case, we will process information based on the agreement and statutory obligation (especially Copyright Act and Act on Collective Management of Copyright).
- Data on music performers is processed for the establishment and maintenance of customer relationship, for the processing of performance notifications and in customer communication. We can also process performance notifications made by performers for the purpose of monitoring and enforcement of the licenses.
In addition, we are processing data in general for the following purposes:
- Events. We will process data for the purpose of organizing events, as well as for providing invitations and newsletters for these. In this occasion, we will process data to fulfil the agreement for the service the person has subscribed to, or for the purpose of Teosto’s legitimate interest.
- Communication. We will process data for communication (including emails), related to Teosto’s operations, services and events, to the extent that no such communication has been prohibited by the data subject. In this case, we process data in legitimate interest or with the consent of the data subject. Such communication does not apply to communication related to customer relationship or agreement matters, which we will carry out on grounds mentioned above.
- Research and development. We process data for the research and development of Teosto’s products and services on the basis of Teosto’s legitimate interest.
- Public affairs and Legal Claims. We process information for the fulfilment of tasks related to Teosto’s public affairs activities. We also process information to investigate and to prevent potential infringements of agreements and infringement of rights, and to resolve any potential irregularities related to the use of works, and for the enforcement of rights.
- For quality improvement and trend analysis. We also process information about the user’s use of our services (including our communications) to improve the quality of the our services e.g. by analyzing any trends in the use of our services. In order to ensure that our services are in line with the users’ needs, personal data can be used for things like customer satisfaction surveys. When possible, we will do this using only aggregated, non-personally identifiable data. The legal ground for processing such data is our legitimate interest.
4. DATA STORAGE TIME
We process data only for as long as it is necessary for the purposes defined above. We may also inform specific data storage times on case-by-case basis.
- Data on the rightholders. We will store the data on the rightholder until the agreement between the rightholder and Teosto is in force and the copyrights of her works (including joint works) managed by Teosto are in force (lifetime and 70 years after the death of the author or the death of the last author of joint works). Despite the end of the customer relationship, Teosto may be required to store certain data necessary for the purpose of distributing royalties as long as the copyrights of the author are in force.
- Other data processed under the agreement. In other respects, we will store data regarding the agreements, such as music licenses, as long as it is necessary to fulfil the contractual rights and obligations, unless law provides for a longer storage time.
- Data used for communication. Personal data used for Teosto’s communication (including data subjects involved formerly in the activities of Teosto, as well as stakeholder data) will be stored as long as the data subject is in a position in which he or she is assumed to be interested in Teosto’s activities and the data subject has not requested the deletion of her data.
- Information on events. Data regarding participation in events organized by Teosto is stored for about 3-5 years.
- Information on quality improvement and trend analysis. Data regarding quality improvement and trend analysis is stored for 3-5 years depending on the service used for the data gathering.
- Information on prohibitions. If a data subject has refused to Teosto’s communications or surveys and there is no other ground for processing data, we will keep the data on the prohibition and contact information to ensure compliance.
We try to keep the personal data we hold correct and up to date by deleting unnecessary data and updating outdated data. If you have created a username and password for Teosto’s online service, you can verify and update your data by signing in to the service.
5. TRANFERS AND DISCLOSURES OF PERSONAL DATA
Teosto discloses and transfers your personal data mainly as described below:
- Member and sister organisations, partner organisations, other copyright organisations: Rightholders basic information (name, address, phone numbers, IPI number) and work information may be transferred to Teosto’s domestic and international member and sister organisations and other partner organisations to ensure correct distribution of royalties as well as for other justified purposes related to the management of works in accordance with industry practice. Partners’ and stakeholders’ data may be transferred to other copyright organisations for communication and lobbying purposes.
- Users of Network Service: Users of Teosto’s Network Service may access rightholders’ basic data and works data (however not data on work shares for other works than one’s own). Access to the aforementioned data is necessary for enabling the user to use the network service (for example to send work notifications).
- Transfers and disclosures based on the Act on Collective Management of Copyright: We may be required to disclose certain personal data to the users of the works on the basis of the Act on Collective Management of Copyright, unless you have prohibited such disclosure.
- Authorities: We may disclose your personal data to the competent authorities (such as the Tax Administration) in the manner required by applicable law.
- Consent: We may, with your consent, disclose your information to third parties, for example, for the purpose of obtaining copyright licenses directly from the rightholder. We ask for such consent separately.
- Mergers and acquisitions: If we sell, merge or otherwise arrange our business, your personal data may be disclosed to the parties of the arrangement.
- Enforcement and legal claims: We may disclose your personal data to third parties if it is necessary for the enforcement of the agreement, collection of receivables investigation of possible infringement, or for the enforcement of rights.
- Subcontractors: We use subcontractors for the processing of personal data for and behalf of Teosto. We have ensured by contractual arrangements that the subcontractor/ will process personal data in accordance with the applicable law.
- Third parties for research and development activities: W may transfer rightholder and works data (except for work shares) and performers’ concert data and set lists to third parties (for example to a system developer or researcher) for research and development purposes.
- Third parties for the provision of social media plugins and other functionalities of our website: We may transfer data relating to our website visitors’ browsers to social media service providers in order to provide social media plugins to our website visitors as well as to Spotify in order to provide Spotify Play functionality to our website visitors.
Disclosures and transfers outside the EU and EEA. As a rule, we are not transferring personal data outside the EU or EEA. However, rightholders’ basic and work information may be disclosed and transferred to Teosto’s sister organisations and other partner organisations outside the EU and EEA, in order to ensure the right distribution of royalties, for obtaining and granting licenses, and for the purposes necessary for the management of the author’s works. In this case, we will comply with the safeguards and transfer criteria in accordance with the data protection legislation.
6. DATA SECURITY
Teosto processes your personal data in a secure manner and uses appropriate organisational and technical data security tools to protect your personal data. Databases used for personal data processing are protected by firewalls, passwords and other technical means. Databases and their backups are located in locked spaces. Manually processed documents containing personal data are stored in locked premises where access is monitored by access control. We ensure that only those workers and workers of those companies who work on behalf of Teosto, have access to such data that is necessary to carry out their duties. Teosto applies its own security policy in securing the data security, for more information (in Finnish).
7. RIGHTS OF THE DATA SUBJECT
As a data subject, you have certain legal rights to influence the processing of your personal data. You can currently influence your data processing in ways listed below:
- Checking, correcting and deleting data: You have the right to examine personal data stored on you. Upon request, for the purpose of processing, we correct, complete, or delete any faulty, incomplete or outdated personal data. If you have created online service IDs for Teosto’s online services, you can also update your data by signing in to the service. You have the right to request the removal of your personal data (“right to be forgotten”) on the basis of law.
- Withdrawal of consent: You can withdraw your consent at any time by contacting our customer service or other specially provided means such as clicking the link at the end of the message. Withdrawal of consent does not affect the legality of measures taken before the withdrawal.
- Transfer of data: By contacting our customer service you may have your personal data, which we automatically process on the basis of the consent or agreement, transferred.
- The right to object direct marketing and profiling: You can at any time prohibit the processing of your personal data for direct marketing and related profiling by clicking on the link at the end of the message or by contacting our customer service. Since Teosto does not actually engage in direct marketing, in the case of Teosto’s communications, the right of denial applies to Teosto’s communications that we carry out on a legitimate interest.
- Objection and restriction right: Based on your personal situation, you may object processing that is based on a legitimate interest. For example, in such a situation, processing is limited for the duration of the evaluation of such grounds. The processing can also be limited when in example the data subject disputes the accuracy of the personal data, whereby the processing is limited to the period in which we can verify the accuracy of the data.