1 JOINT CONTROLLERS
Lapland Safaris Group Oy (Business ID: 0892158-4)
Koskikatu 1, 96200 Rovaniemi
Lapland Hotels Oy (Business ID: 2199747-9)
Yrjö Kokontie 4, 99300 Muonio
Hotelli Luostotunturi Oy (Business ID: 1515200-7)
Luostontie 1, 99555 Luosto
Lapland Hotels & Safaris Oy (Business ID: 2041198-2)
Koskikatu 1, 96200 Rovaniemi
Lapland Ski Resorts Oy (Business ID: 2448061-9)
Yrjö Kokontie 4, 99300 Muonio
Ylläs Ski Oy (Business ID: 2199743-6)
Yrjö Kokontie 4, 99300 Muonio
(Hereinafter “the Controller”)
2 CONTACT DETAILS IN MATTERS RELATED TO THE REGISTERS
Lapland Safaris Group Oy
Koskikatu 1, 96200 ROVANIEMI
E-mail address: email@example.com
3 NAMES OF THE REGISTERS
a) Customer, partner and marketing register.
b) Order register.
4 THE PURPOSE OF AND THE GROUNDS FOR THE PROCESSING OF PERSONAL DATA
The grounds for registration is a business relationship established by agreement with the customer or partner and Lapland Safaris Group Oy, separate consent to the processing of customer data, Lapland Safaris Group Oy’s legitimate interest or legislation. The purpose of the registers is to manage the personal data required for collaboration between Lapland Safaris Group Oy and its customers and partners, to ensure smooth customer service and the production and provision of benefits and services and to enable marketing and the planning and development of business.
Personal data is collected and processed with the customer or partner for the following purposes:
- The realisation and confirmation of purchases related to programme services, hotel rooms, ski passes and other services and goods for the customer and the transmission of information related to the purchases to the service provider
- The realisation and confirmation of online purchases for the customer
- The production and delivery of service packages agreed upon with a corporate customer, related invoicing and the management of the customer relationship
- The analysis and development of products, services and business and the compilation of statistics
- The collection of feedback and information on deviations and customer satisfaction
- Advertising, marketing and direct marketing. The data subject has the right to prohibit direct marketing directed at them
- The realisation of Lapland Safaris Group Oy’s legitimate interests, such as responding to a legal claim
- The fulfilment of Lapland Safaris Group Oy’s legal obligations
- Information pertaining to underage persons
- In its order forms, Lapland Safaris Group Oy may request its customers of legal age to provide the names or nicknames of their underage children. This information pertaining to underage persons is not used for any purpose other than the delivery of the products or services ordered.
5 DATA CONTENT OF THE REGISTERS
The registers may include the following information:
a) Customer, partner and marketing register
- The type of the customer relationship: customer/partner/Club member
- Customer number
- Identification information (name, e-mail address, phone number, address, personal identity code)
- Contact person(s)
- The role of the contact persons (corporate customers)
- Invoicing information
- Membership bonus balance (Club members)
- Photo and video files with Santa Claus
b) Order register
- Information contained in the customer, partner and marketing register
- Services ordered and delivered
- Information collected in connection with services provided by our partners
- Customers’ health information, such as information on illnesses and allergies
6 SOURCES OF INFORMATION FOR THE REGISTERS AND AUTOMATED DECISION-MAKING
The primary source of personal data is information provided by the customer or partner at the start or in the course of the collaboration, as well as information collected for research purposes through feedback, deviation and customer satisfaction surveys concerning the collaboration. Personal data is also collected from interactions at customer service points. Personal data may be collected in connection with the purchase of additional services. Secondarily, data can be purchased from registers intended for marketing purposes.
The Controller does not use personal data collected from customers in automated decision-making.
7 DISCLOSURE OF INFORMATION
Data pertaining to data subjects may be disclosed within the organisation of the Controller and its subsidiaries/sister companies, as well as to our partners, to fulfil the purposes described herein. Otherwise, data is disclosed only to the extent permitted and required by law.
The services of service providers located outside the EU or EEA are used for the realisation of services. The services cannot be realised in practice without these services. In such cases, personal data may be transferred outside the EU or EEA.
Personal data transferred outside the EU or EEA is primarily cookie data (e.g. data on how many users visit the website and how they navigate the website), but ensuring the quality, integrity and correct functioning of information systems that are vital for the provision of services may require, on a case-by-case basis, the transfer of other personal data outside the EU or EEA. Such cases are occasional transfers of individual data of individual data subjects, which are carried out only to the extent required to resolve a specific case.
The Controller has taken adequate technical and organisational security measures in cooperation with the service providers. For example, contracts with service providers use standard contractual clauses approved by the EU Commission and transfers are based on a decision issued by the EU Commission on the adequacy of data protection in the country of destination. For further information, please contact the e-mail address provided in section 2.
8 PROTECTION AND STORAGE OF DATA
The basis of the processing of personal data is respect for the rights and freedom of data subjects at all stages of the processing and the fulfilment of the legal grounds for processing. The Controller only collects and processes information that is necessary for its operations.
Digital material may only be accessed by authorised employees, sole traders and collaboration partners with a personal username and password. There are varying levels of access, and each user is granted access that is sufficient for the performance of their tasks while as restricted as possible. Employees are trained and instructed to take data security into account when processing personal data.
Personal data is only stored on secure devices. The Controller’s IT devices are equipped with appropriate virus and firewall software that is configured to automatically download and install new software updates. Personal data is stored on encrypted cloud servers.
Customer/partner information is stored in the register for at least one (1) year after the end of the customer relationship and the fulfilment of all obligations, unless otherwise specifically agreed or required by law. Unlike stated previously, photo and video files in the customer, partner and marketing register will be stored for 400 days.
9 DATA SUBJECTS’ OTHER RIGHTS REGARDING THE PROCESSING OF PERSONAL DATA
Data subjects’ right of access (inspection right)
Data subjects’ right to rectification, erasure or restriction of processing
Data subjects have the right to request the rectification of incorrect personal data pertaining to them after being informed of or discovering the error. If the data subject is able to rectify the error, they must rectify, erase or complete the incorrect, unnecessary or outdated information without delay. If the data subject is not able to rectify the information themselves, they must submit a request for rectification.
Data subjects also have the right to demand the Controller to restrict the processing of their personal data, for example, when the data subject is waiting for a response to their request for the rectification or erasure of data pertaining to them.
The Controller reserves the right to limit the number of free rectification and erasure requests to one (1) per year.
Data subjects’ right to transfer data from one system to another
Insofar as the data subject has provided information to the registers and the data processing is performed on the grounds of consent or assignment from the data subject, the data subject has the right to obtain such data for themselves primarily in a machine-readable format and the right to transfer this data to another controller.
When the request for data transfer is made in writing, the Controller must deliver the data specified in the section on the right of access within a reasonable time taking into account the extent of the information to be delivered. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.
Data subjects have the right to lodge a complaint with the competent supervisory authority if the Controller has failed to comply with the applicable data protection regulations in its operations.
10 CONTACTING THE CONTROLLER
In all questions and requests related to personal data, the data subject must contact the e-mail address provided in section 2.
11 THIRD-PARTY WEBSITES AND SERVICES