GDPR
Kilpissafarit ky customer register
An information document in accordance with the General Data Protection Regulation (EU) regarding the processing of personal information in the customer register of Kilpissafarit Ky.
1. Controller
Kilpissafarit ky
Tsahkalluoktantie 14
99490 Kilpisjärvi
FINLAND
2. Contact for register issues
In matters related to the register and the exercise of data subject rights, please contact:
Jussi Rauhala
+358 40 5455 123
info@kilpissafarit.fi
3. Name of the register
Kilpissafarit ky customer register
4. Legal basis of personal data processing
The processing of the personal data in the register is based on the customer relationship between private and corporate customers and Kilpissafarit ky Due to the customer relationship, data processing is based on a legitimate interest.
The controller also processes customer data on the basis of an agreement between the controller and the data subject. This basis applies to the personal data which is collected from the data subject in connection with a room, table or program service reservation or for the purpose of charging such services.
When the data processing is based on a legitimate interest or an agreement, the data subject does not have to be asked for a separate consent to the processing.
5. Purposes of personal data processing
Customer data in the customer register are used for:
– processing and managing reservations
– sales and implementation of services
– payment, invoicing and monitoring thereof as well as possible debt collection measures
– customer relationship management and development
– customer relationship communication
In the event that the customer asks the controller to take into account the customer’s health when providing services, the information submitted by the customer to the controller is used in the provision of the service. Such information may concern, for example, a physical disability or an allergy, or any other information provided by the customer to the controller on their own initiative.
6. Processed personal data
The controller processes the following personal data of the customer:
– Company name,
– first and last name, date of birth, telephone number, address, email address
– nationality
– reservation data
– payment method, invoicing data, data on possible delays of payment
– data on the use of purchase of services
– data concerning the customer’s wishes and choices (e.g. special requirements for accommodation)
– possible special diets
– possible customer feedback or complaints
7. Sources of personal information
The controller receives the personal data directly from the data subject:
– at the location
– over the phone
– by email
Upon reservations of accommodation or program services at www.kilpissafarit.fi, the data subject discloses their personal data to a third-party booking service, through which the controller receives said data.
From the third parties when:
– data subject books controller’s services through a booking service site
– data subject books controller’s services through a booking service company (such as a travel agent or tour operator)
– data subject’s employer or association books controller’s services for the data subject
– data subject in some other way contact or books controller’s services via a third party.
8. Recipients or recipient categories of personal data
Customer register data is not disclosed to third parties unless the customer specifically asks the controller to book third-party services requested by the customer, such as program services or transportation.
This notwithstanding:
Upon reservation of accommodation or program services at www.kilpissafarit.fi, the data subject discloses the personal data necessary to complete the booking via third-party booking service.
When submitting feedback or a contact request at www.kilpissafarit.fi, the website sends personal information, such as name and email address, to the controller’s email.
Information may be disclosed to authorities on the basis of request based on the law.
Data is retained in the controller’s hotel and booking system, which can only be accessed by personnel handling personal data. The systems have been encrypted and protected by their suppliers.
9. Transfer of data outside the EU
Information will not be transferred outside of the EU.
10. Personal data retention period
The personal data in the customer register are processed for the duration of the customer relationship. The controller considers a customer relationship to have ended if the customer has not used the controller’s services for a period of 3 years. The period starts from the end of the calendar year during which the customer last used the controller’s services. The data is erased within 6 months from the end of the customers relationship, unless there are other grounds for storing the data.
However, the data may be stored and processed after the end of the customer relationship if it is required for processing complaint-related issues. The retention periods also comply with the retention periods laid down by the Accounting Act and other relevant laws. The data required by the Accounting Act are stored for as long as is required by the law.
When the data are processed on grounds of an agreement between the controller and the data subject, the data is stored for as long as is required for implementing the agreement. After the agreement has been implemented, the data is stored for the duration of the customer relationship or for as long as there are other grounds for the processing (e.g. complaints or the Account Act).
Only data that are required for the defined purposes of use are processed during customer relationship. The controller carries out periodic checks in order to erase unnecessary data.
11. Data subject’s rights
The personal data in the customer register is processed based on the controller’s legitimate interest (General Data Protection Regulations, Article 6, section 1, sub-section e). In this case, the customer relationship constitutes the legitimate interest. The processing of personal data is also based on the agreement between the controller and the data subject (General Data Protection Regulation, Article 6, section 1, sub-section b). This ground for processing in explained in more detail in paragraph 4 of the Privacy Notice. When the data is being processed on the grounds of a legitimate interest or an agreement, the data subject has the following rights:
Right to access their data
Data subjects have the right to request access to their personal information in order to determine the processing thereof.
As a general rule, the data subject has the right to know what information the customer register contains on them. The controller may request the data subject to sufficiently clarify which information or processing the request relates to.
The data subject’s right of access may be restricted or refused on the basis of the General Data Protection Regulation if the disclosure would adversely affect the rights and freedoms of others. Such rights include, for example, the controller’s business secrets and third-party personal data. National legislation (the Data Protection Act etc.) may also impose restrictions on the data subject’s right.
Right to data rectification
Data subjects have the right to request that the controller rectify any inaccurate or incorrect personal information without undue delay.
Right to data ensure
At the request of the data subject, the controller must erase the personal information relating to the data subject without undue delay, if any of the following conditions is met:
– personal information is no longer needed for the purposes for which they were originally collected
– data subject objects to the processing and there is no reasonable cause to process the data
– personal data has been unlawfully processed.
Even if one of the requirements is met, the data do not have to be erased if the processing is required in order for the controller to be able to, for example, comply with a statutory obligation based on national or EU legislation that is applicable to the controller and requires the processing, or if the processing is required in order to establish, exercise or defend a legal claim.
Right to object to data processing
The data subject may object to personal data processing on grounds relating to the data subject’s particular situation if the data are processed on the grounds of a legitimate interest.
If the processing is based on an agreement, the data subject does not have the right to object to the processing.
If the data subject has objected to personal data processing on grounds relating to the data subject’s particular situation, the data subject must specify the situation on the grounds of which the data subject objects to the processing based on a legitimate interest. The controller may continue data processing despite the data subject’s objection if there is a particularly important and justifiable reason, which overrides the interests, rights and freedoms of the data subject, or if it is necessary for the establishment, exercise or defense of a legal claim.
The data subject has the right at any time to object to the processing of their personal data for direct marketing purposes. If the data subject objects to the use of their personal information for direct marketing, they may no longer be processed for this purpose.
Right to request restriction of processing
The data subject has the right to request that the controller restrict the active processing of their personal data in the following situations:
– data subject contests the accuracy of the personal data, in which case the processing must be restricted until the controller has verified the accuracy of the data
– processing is contrary to law and the data subject requests restrictions on the processing instead of the erasure of the personal data
– the controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defense of a legal claim
– data subject has objected to the processing of personal data (see above) and the assessment of whether the legitimate interests of the controller override those of the data subject, is pending.
During restricted processing, the data may principally be stored but not processed. Additionally, the data may be processed for the establishment, exercise or defense of a legal claim or for the protection of the rights of another natural or legal person or for reasons of important public interest. Before the restriction is lifted, the data subject must be informed about the matter.
Right to transfer data from one system to another
To the extent that the information in the customer register has been submitted by the data subject themselves, and the data is processed through the means of automatic data processing and on the basis of an agreement between the controller and the data subject, the data subject is entitled to received their data mainly in machine-readable format and transfer the data directly from one controller to another if it is technically possible.
12. Right to lodge a complaint with a regulatory authority
Data subject has the right to lodge a complaint with a competent regulatory authority if the data subject feels that the controller has not complied with the applicable data protection regulations.
13. Requests relating to the exercise of data subject rights
In matters related to personal information processing or exercising the data subject’s rights, please contact the data controller representative mentioned in paragraph 2 above.
Requests pertaining to the right of access or the realization of other data subject rights must be submitted to the controller in writing by email or by post. The request may also be presented in person at the office of the controller.
The controller may request the data subject to sufficiently clarify which information or processing the request relates to.
In order to ensure that personal information is not disclosed to persons other than the data subject, the controller may request that the data subject sign the request. The controller may also ask the issuer of the request to verify their identity with an official identification card or other reliable means.