• FI
  • SV
  • FI
  • SV

    • Privacy policy

    Gramex is a collective management organisation for recorded music in Finland. We represent performers of music and music producers. Gramex offers licenses for the use of recorded music and collect remunerations from the use of music. As a part of our activities, we collect and process the personal data of our rightsholder clients’ (ie. performers and producers), our music user customers and other stakeholders.

    Respecting privacy and protecting personal data is important to Gramex. Therefore, Gramex always processes your personal data confidentially and according to the current data protection legislation.

    In this privacy policy we provide you with more information about the processing of personal data in Gramex. For example what data we collect, where we collect data, the purpose for which the data is used, for how long the data is stored, where the data is transferred and how we take care of data protection. We also provide information on what are your rights as a data subject when Gramex processes your personal data.

    1. Data Controller

    Gramex – The Collective Management Organisation for Recorded Music in Finland, Business ID: 0201196-9

    Port of Music
    Keilasatama 2 A
    02150 Espoo

    In the matters concerning personal data processing you can contact us via email: asiakaspalvelu@gramex.fi

    2. The purpose and legal grounds of data processing

    Performers and producers. The main purpose of the collected information is the accounting and payment of copyright royalties to the rightsholders entitled to them, as well as customer service.

    Personal data is also processed for the following purposes:

    Gramex collects and accounts for remunerations based on client agreements and contractual and compulsory license decisions. For this reason, among others, Gramex also processes the personal data of rightsholders other than its clients. The processing of the rightsholders’ personal data is based on a client agreement, legislation, legitimate interest or consent.

    Licensing customers. The main purposes of the collected data are managing customer relationships between Gramex and licensing clients and enabling communication, as well as invoicing, clientship management and copyright control.

    Personal data is also processed for the following purposes:

    Gramex also processes the personal data of potential licensing customers to determine the need for a music license and to create a possible customer relationship.

    The processing of personal data of licensing clients is based on the agreement between the client and Gramex, legislation, legitimate interest or consent.

    Stakeholder relations and advocacy. This group of data subjects includes the recipients of Gramex’s communication, representatives of various stakeholders, decision-makers and other individuals and organisations that are important to Gramex.

    The main purpose of the collected data is the maintenance and management of customer relationships and other relationships relevant to Gramex’s operations, as well as informing about matters related to Gramex. Personal data can also be processed for purposes related to the development of customer relations and service and the development of communication. The data is also utilized in the marketing and communication automation system to target communication.

    The processing of personal data related to communication is based on the data subject’s consent, the agreement between the data subject and Gramex, the implementation of tasks set for Gramex by law, or the legitimate interest of Gramex or a third party.

    We also process personal data received through feedback and other contacts for the development of our operations and quality control, as well as to enable related contacts.

    Other purposes

    Events and Occasions. We process personal data for the organization of events and occasions, as well as for communication related to them. We process this data based on the consent of the data subject or legimitate intrest.

    3. What personal data we collect and where is the data collected from

    In this chapter, we tell you what information we usually collect in each group of data subjects and where we get this data.

    Performers and Producers. We collect the following personal data for the purposes described above:

    As a general rule, information about rightsholders is collected directly from the person themselves or their representatives, such as in connection with the conclusion of a client agreement. Rightsholders and their representatives provide Gramex with performer and producer information. Use event data is collected from user customers and other copyright societies, as well as with the help of external music recognition services. Personal data is also collected from the following sources:

    Licensing customers. For the purposes mentioned above, Gramex collects the following personal data of licensing clients

    In the case of potential licensing customers, we process the following personal data:

    As a general rule, information about licensing clients is collected directly from the person themselves or their representative at the beginning of the clientship. Personal data is also collected from the following sources:

    Stakeholder relations and advocacy. For the purposes mentioned above, Gramex collects the following personal data:

    As a general rule, personal data is collected directly from the person themselves. Personal data is also collected from the following sources:

    In relation to feedback and other contacts we collect the following data:

    The data is primarily collected from the person themselves at the time of giving feedback or other contact.

    Other collected data. Consent or prohibition regarding direct marketing or other communication given by the registrant may be marked in the registrant’s information.

    Gramex collects information about the users of its website (www.gramex.fi) using cookies or similar technology. You can read the details about the information collected with the cookies from Gramex’s [cookies management/policyGramex].

    To develop our communication, we can monitor what links those who have given their consent click on our home pages newsletters, and social media updates

    4. Storage time of personal data

    Gramex stores the personal data of rightsholders for as long as it is necessary to fulfill the purpose of personal data processing as defined above or as long as Gramex has a legal obligation to retain personal data. Such oblication may result, for example, from accounting legislation.

    Gramex can set specific retention periods for certain groups of data subjects.

    We aim to keep the personal data in our possession correct and up-to-date by deleting unnecessary data and updating outdated data.

    Gramex applies the following principles on personal data retention periods:

    Gramex stores the personal data of Performers and Producers for as long as it is necessary to fulfill the purpose of personal data processing as defined above.

    The processing of the rightsholders’ personal data is necessary for at least the term of copyright of the recording and music video. According to the Copyright Act, a recording is protected until 70 years have passed since the recorded performance was first published. According to the Copyright Act, a music video is protected until 50 years have passed since the recording was first released.

    It is the purpose of Gramex to further the general preconditions for the development of the Finnish creative musical art and phonogram production. One dimension in the realisation of this purpose is to cherish historical information about published recordings that are not collected elsewhere. For example, the recording reports submitted to Gramex form a culturally historically significant entity.

    In case of licensing customers we retain information as long as it is necessary to implement rights and obligations based on the contract. However, if legislation requires a longer retention period, we will store the data for the time required by law.

    Stakeholder relations and advocacy.

    Information needed to organize catering at events and occasions is removed from the register after it is no longer needed. In terms of communication, we retain information as long as the person is in a position where thay can be assumed to be interested in matters related to Gramex.

    5. Transfers and disclosures of personal data

    Collection of copyright royalties and supporting measures and data management. Personal data of rightsholder clients and licensing customers can be disclosed or transferred to GT Music Licences Ltd, which, on behalf of Gramex, manages the customer service for licensing the public performance of recorded music and other assignment tasks related to music licensing. Information is also transferred to other copyright societies and other cooperative organisations to collect royalties and manage recording data in the manner and scope required by Gramex’s operations.

    Information is transferred to international information systems that support and perform the collection of royalties and accounting, such as the IPD register and the VRDB2 system maintained and managed by SCAPR, and the RDx service and the ISNI register.

    Sound recording register information. When registering artist information for a sound recording, Gramex sends an email showing the names of the rights holders related to the sound recording or music video, as well as the Gramex customer number. This information is used to distribute copyright compensation among the rights holders, and it is important that all parties have the opportunity to check the accuracy of the information.

    External service providers. Gramex uses service providers who process the personal data of rightsholders as part of the service they provide to Gramex. One major service provider that handles the personal data of rightsholders is a company that develops and maintains a rights management system. Contractual arrangements with all service providers that process personal data have ensured that personal data is processed in accordance with current legislation.

    Authorities. Gramex can hand over the personal data of rightsholder members and licensing customers to the authorities as required by the applicable legislation at any given time. Gramex regularly discloses information to, for example, the Tax Administration and execution authorities.

    Collection and enforcement of rights. The personal data of rightsholder members may be disclosed to third parties if it is necessary to enforce contracts or rights, to collect claims, to investigate possible violations of rights or to present a legal claim or to defend against a claim.

    Research activity. Gramex can hand over performer and producer information for recordings and music videos to third parties for research and archiving purposes supporting Gramex’s operations or for statistical purposes.

    Social media plugins.  Information related to the browsers of Gramex’s website users may in some situations be handed over to social media service providers” to provide plugins.

    Transfer outside the EU and EEA. As a matter of principle, Gramex does not transfer or hand over personal data outside the EU or EEA, or to countries without an adequate level of data protection, as determined by the Commission. The personal data of the rightsholders can be handed over or transferred to other copyright societies and other cooperation bodies for the purposes necessary for the collection, settlement and payment of copyright royalties and for the administration of rights. When transferring and handing over personal data, protective measures and transfer criteria according to data protection legislation are followed. If personal data is transferred outside the EU and the EEA, and the Commission has not determined an adequate level of data protection for the country in question, both parties to the transfer shall follow the standard clauses approved by the Commission to guarantee an adequate level of data protection.

    6. Data Security

    The information in the register is protected from unauthorised viewing, modification and disposal. Protection is based on access and access control using personal IDs, as well as limitation and classification of user rights.

    The information stored in the systems is protected by firewalls, passwords and other generally accepted technical means in the field of information security. The data is processed only by certain persons who need the register’s data in their work. The rights to view and change data are classified and limited according to the work tasks of Gramex personnel and various levels of user rights. Data changes made internally by Gramex are automatically logged in its own technical tracking and logging system. Data integrity is ensured by backup recordings and physical security procedures. The servers of the information systems are located in the territory of the European Union.

    Databases and backups are located in locked rooms. Manually processed documents containing personal data are kept in locked rooms, access to which is controlled, for example, by means of access control.

    7. Rights of the data subject

    Right of inspection. If Gramex processes personal data concerning the data subject, the data subject has the right to check which personal data groups concerning them are stored in the register. Inspection is free of charge once a year. The written inspection request must be submitted to the contact email mentioned at the beginning of the report. Before handing over the data, Gramex must be able to verify the identity of the data requester.

    The right to demand rectification of data. The data subject has the right to demand that Gramex correct inaccurate and incorrect information about them. Gramex corrects, deletes or completes incorrect, unnecessary, incomplete or outdated personal data in the register at the request of the data subject or upon noticing such information on its own initiative without delay.

    The request for rectification and correction of information must be made in writing and it must specify which information the correction request applies to. The written inspection request must be submitted to the contact person mentioned at the beginning of this privacy policy.

    The data subject also has the opportunity to correct certain information they find to be incorrect via the web service of the registrar by registering as a user of the service.

    Withdrawal of consent. With regard to personal data collcted on the basis of consent, the data subject has the right to withdraw the consent given for the processing of their personal data.

    The right to delete data, limit processing and object to processing. The data subject has the right, in situations defined in the General Data Protection Regulation, to have Gramex delete their personal data and/or limit the processing of their personal data. In addition, the data subject has the right to object to the processing of personal data concerning them on the basis of their personal special situation.

    The right to transfer personal data. The data subject has the right to receive the personal data concerning them which they have provided to Gramex or which Gramex has collected on the basis of this privacy policy, and to transfer it to another controller to the extent that the processing of personal data is based on consent or an agreement.

    The right to object direct marketing and relating profiling. Gramex does not hand over the information in the registers to third parties for direct marketing.

    The data subject can prohibit Gramex from processing information about them in connection with direct marketing or related profiling.

    The right to file a complaint with the supervisory authority. The data subject has the right to file a complaint with the supervisory authority if they consider that their personal data has been processed in violation of this privacy policy or the legislation in force at any given time. You can find the supervisory authority’s contact information on the website of the Office of the Data Protection Ombudsman at Office of the Data Protection Ombudsman – Office of the Data Protection Ombudsman.

    8. Cookies

    Gramex uses cookies on its site (www.gramex.fi) to improve the user experience and to target advertising. Cookies are small text files that are sent to the user’s computer at the request of the browser and stored there.

    Information collected with cookies is not primarily combined with personal data related to an identified person, but some information collected with cookies may be indirectly linked to personal data related to an identified person. Such information includes, for example, the IP address of the website user and a unique device identifier. We process such information as personal data in accordance with our privacy policy.

    The cookies used by Gramex are related to, among other things, storing visitor information for site development and targeting content marketing.

    The programs that collect cookies used on the site are Google Analytics and Liana Automation.

    You can read the details about the use of cookies and refuse cookies in the site’s cookie management (which you will find in the bottom left-hand corner of the site.).

    9. Amendments to the privacy policy

    Gramex is constantly developing its operations and therefore reserves the right to amend the privacy policy by announcing its current content in its services. The amendments can also be based, for example, on the development of legislation.

    Gramex recommends data subjects to acquaint themselves with the content of the privacy policy regularly.

    The privacy policy was last updated on 21 November 2023.