PRIVACY POLICYPrivacy policy pertaining to Lapland Hotels Oy’s customer, partner, marketing and order information. 1 Joint controllers Lapland Hotels Oy (Business ID: 2199747-9) Yrjö Kokontie 4, 99300 Muonio Hotelli Luostotunturi Oy (Business ID: 1515200-7) Luostontie 1, 99555 Luosto Hotel Haikko Oy (Business ID: 2764547-4) Haikkoontie 114, 06400 Porvoo Lapland Safaris Group Oy (Business ID: 0892158-4) Koskikatu 1, 96200 Rovaniemi Lapland Hotels & Safaris Oy (Business ID: 2041198-2) Postikatu 1, 96100 Rovaniemi Lapland Ski Resorts Oy (Business ID: 2448061-9) Yrjö Kokontie 4, 99300 Muonio Ylläs Ski Oy (Business ID: 2199743-6) Yrjö Kokontie 4, 99300 Muonio (Hereinafter “the Controller”) Lapland Hotels Oy forms a group with its subsidiaries. The subsidiaries process personal data in the manner specified in this privacy policy. Lapland Hotels Oy is the primary processor, contact point and administrator in the processing activities specified in this privacy policy. 2 Contact details in matters related to the registers Hotel Haikko Oy Haikkoontie 114, 06400 Porvoo sähköposti: gdpr.tietosuoja@laplandhotels.com 3 Names of the registers a) Customer, partner and marketing register b) Order register c) Passenger register 4 The purpose of and the grounds for the processing of personal data The grounds for registration is a business relationship established by agreement with the customer or partner and Lapland Hotels Oy, separate consent to the processing of customer information, Lapland Hotels Oy’s legitimate interest or legislation. The purpose of the registers is to manage the personal data required for collaboration between Lapland Hotels Oy and its customers and partners, to ensure smooth customer service and the production and provision of benefits and services and to enable marketing and the planning and development of business. The statutory task of the passenger register is to maintain public order and security, to prevent and investigate crimes and to serve statistical needs. Information contained in the passenger register is also processed for the purposes of customer service. Personal data is collected and processed with the customer or partner for the following purposes: the realisation and confirmation of purchases related to hotel rooms, programme services, ski passes and other services and goods for the customer and the transmission of information related to the purchases to the service provider The provision of member benefits The realisation and confirmation of online purchases for the customer The production and delivery of service packages agreed upon with a corporate customer, related invoicing and the management of the customer relationship The analysis and development of products, services and business and the compilation of statistics The collection of feedback and information on deviations and customer satisfaction Advertising, marketing and direct marketing. The data subject has the right to prohibit direct marketing directed at them The realisation of Lapland Hotels Oy’s legitimate interests, such as responding to a legal claim The fulfilment of Lapland Hotels Oy’s legal obligations The names and personal identity codes or dates of birth of underage persons In its order forms, Lapland Hotels Oy may request its customers of legal age to provide the names or nicknames of their underage children. This information pertaining to underage persons is not used for any purpose other than the delivery of the products or services ordered to fulfil the statutory obligations of accommodation providers. Cookies are used to make the website function faster, to simplify the login process and to better target the content of the website to the user. For more detailed information on the purpose of the use of cookies, the grounds on which they are used and the data content collected, please refer to the cookie policy. 5 Data content of the registers The registers may contain the following information: a) Customer, partner and marketing registe The type of the customer relationship: customer/partner/Club member Customer number Identification information (name, e-mail address, phone number, address, personal identity code) Contact person(s) The role of the contact persons (corporate customers) Invoicing information Membership bonus balance (Club members) The use of cookies b) Order register Identification information, contact details and invoicing information contained in the customer, partner and marketing register Services ordered and delivered Information collected in connection with services provided by our partners Health or other sensitive information provided by the customer, such as information about illnesses, allergies and family c) Passenger register Customer identification information The names and personal identity codes or dates of birth of any spouse and underage children The country of entry to Finland Personal identity code Nationality Travel document number if the person is not a Nordic citizen or their place of residence is not Finland The date of arrival and, if known, departure 6 Sources of information for the registers and automated decision-making The primary source of personal data is information provided by the customer or partner at the start or in the course of the collaboration, as well as information collected for research purposes through feedback, deviation and customer satisfaction surveys concerning the collaboration. Personal data is also collected from interactions at customer service points. Personal data may be collected in connection with the purchase of additional services. Secondarily, data can be purchased from registers intended for marketing purposes. The Controller does not use personal data collected from customers in automated decision-making. 7 Disclosure of information Data pertaining to data subjects may be disclosed within the organisation of the Controller and its subsidiaries/sister companies, as well as to our partners, to fulfil the purposes described herein. Otherwise, data is disclosed only to the extent permitted and required by law. The services of service providers located outside the EU or EEA are used for the realisation of services. The services cannot be realised in practice without these services. In such cases, personal data may be transferred outside the EU or EEA. Personal data transferred outside the EU or EEA is primarily cookie data (e.g. data on how many users visit the website and how they navigate the website), but ensuring the quality, integrity and correct functioning of information systems that are vital for the provision of services may require, on a case-by-case basis, the transfer of other personal data outside the EU or EEA. Such cases are occasional transfers of individual data of individual data subjects, which are carried out only to the extent required to resolve a specific case. The Controller has taken adequate technical and organisational security measures in cooperation with the service providers. For example, contracts with service providers use standard contractual clauses approved by the EU Commission and transfers are based on a decision issued by the EU Commission on the adequacy of data protection in the country of destination. For further information, please contact the e-mail address provided in section 2. 8 Protection and storage of data The basis of the processing of personal data is respect for the rights and freedom of data subjects at all stages of the processing and the fulfilment of the legal grounds for processing. The Controller only collects and processes information that is necessary for its operations. Digital material may only be accessed by authorised employees, sole traders and collaboration partners with a personal username and password. There are varying levels of access, and each user is granted access that is sufficient for the performance of their tasks while as restricted as possible. Employees are trained and instructed to take data security into account when processing personal data. Personal data is only stored on secure devices. The Controller’s IT devices are equipped with appropriate virus and firewall software that is configured to automatically download and install new software updates. Personal data is stored on encrypted cloud servers. Customer/partner information is stored in the register for at least one (1) year after the end of the customer relationship and the fulfilment of all obligations, unless otherwise specifically agreed or required by law. 9 Data subjects’ other rights regarding the processing of personal data Data subjects’ right of access (inspection right) Data subjects have the right to know what information pertaining to them is stored in the register. The written and signed request for access must be sent to the e-mail address provided in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller. Data subjects’ right to rectification, erasure or restriction of processing Data subjects have the right to request the rectification of incorrect personal data pertaining to them after being informed of or discovering the error. If the data subject is able to rectify the error, they must rectify, erase or complete the incorrect, unnecessary or outdated information without delay. If the data subject is not able to rectify the information themselves, they must submit a request for rectification. Insofar as the data subject is not able to rectify the information themselves, the request for rectification must be submitted in writing to the e-mail address provided in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller. Data subjects also have the right to demand the Controller to restrict the processing of their personal data, for example, when the data subject is waiting for a response to their request for the rectification or erasure of data pertaining to them. The Controller reserves the right to limit the number of free rectification and erasure requests to one (1) per year. Data subjects’ right to transfer data from one system to another Insofar as the data subject has provided information to the registers and the data processing is performed on the grounds of consent or assignment from the data subject, the data subject has the right to obtain such data for themselves primarily in a machine-readable format and the right to transfer this data to another controller. When the request for data transfer is made in writing, the Controller must deliver the data specified in the section on the right of access within a reasonable time taking into account the extent of the information to be delivered. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller. Other rights Data subjects have the right to lodge a complaint with the competent supervisory authority if the Controller has failed to comply with the applicable data protection regulations in its operations. 10 Contacting the controller In all questions and requests related to personal data, the data subject must contact the e-mail address provided in section 2. 11 Third-party websites and services This privacy policy applies only to websites maintained by Lapland Hotels Oy, and we are not responsible for the privacy policies of other websites. The website may contain links to third-party websites. We recommend that users review the privacy policies of any other websites they use. 12 Changes to the privacy policy Lapland Hotels Oy may make changes to this privacy policy. To ensure that users are always aware of how their data is processed, the revised privacy policy is available on our website. Last updated on 28.11.2023. |