This is Oy Rova-Rest Ab’s Personal Data Registry and Privacy Statement following the legislation set by the Finnish Personal Data Act (10 & 24 §), as well as the European General Data Protection Regulation (GDPR). First written on the 1st of June 2018 and latest updated on the 21st of October 2020.
1. Registry holder
Oy Rova-Rest Ab and its locations of business:
- Hotel Sodankylä, Unarintie 15, 99600 Sodankylä, +358 10 230 5000 / firstname.lastname@example.org / www.sodankylahotel.fi
- Peurasuvanto Holiday Village, Ivalontie 5086, 99600 Sodankylä, +358 10 230 5800 / email@example.com / www.peurasuvanto.fi
- Budget Hotel Raahe, Uimahallintie 4, 92150 Raahe, +358 10 230 5500 / firstname.lastname@example.org / www.budgethotelraahe.fi
- Manor House Hotel Karolineburg, Karoliinantie 8, 87250 Kajaani, +258 10 230 5900 / email@example.com / www.karolineburg.fi
2. Contact person in charge of registry
Raili Karvonen-Willman, hotel manager
Tel. +358 10 230 5372, e-mail firstname.lastname@example.org
Hilla-Rina Palokari, CEO
Tel. +358 10 230 5382, e-mail email@example.com
3. Name of registry
Company’s Customer Data and Marketing Registry.
4. Legal basis and purpose of handling personal data
According to the European GDPR, legal basis of handling personal data is present when there exists:
– consent from the person in question (documented, voluntary, identified, conscious and unambiguous)
– a contract, in which the registered person represents the other party
– management of public tasks or
– justified interest of the registry holder (i.e. customer relationship, contract of employment, membership).
The purpose of holding a Customer Data and Marketing Registry at Oy Rova-Rest Ab is the following:
Accommodation, meeting and restaurant services:
• In order to execute our services and fill the contract between the registry holder and the customer, we collect the following information: contact information (first and last name, address, postal code, city country, e-mail address, phone number) and payment information (credit card number, name on credit card, expiration information).
• Based on customer consent we also gather information such as:
- When booking restaurant and meeting services, contact and payment information is collected from the customer, as well as possible dietary restrictions.
- As a customer leaves their business card, the information on it can be joint to Oy Rova-Rest Ab’s customer registry.
• A justified interest* of the registry holder while offering accommodation services is to collect information on customer nationality. The registry holder can also collect information on the customer’s means of transportation, arrival and departure times and add additional necessary information on the customer profile.
• Collecting and handling passenger cards is based on the registry holder’s legal obligation.
• Processed information: customer name, social security number or birth date, nationality, travel companions’ and children’s names, social security numbers or birth dates, address, country of origin, travel document number as well as arrival and departure dates. The customer can also be asked to specify the purpose of travel (business, leisure or other). We only collect and handle personal data to the extent which it is necessary for the business operations of Oy Rova-Rest Ab, for the following purposes:
- to enhance our services, production, delivery and offering
- to handle and manage customer relationships
- to produce customer service and event organization
- for billing and credit control
- for communicating about necessary subjects
- for the advertisement and marketing of services, i.e. direct marketing and targeting it to our customers
- to offer, develop and target marketing communications (i.e. market studies)
- for statistical purposes
- to ensure safety (camera surveillance and security reporting)
We collect and handle your personal data according to the current valid legislation and according to our justified interest as registry holder. Your personal data is primarily collected from you personally through telephone, e-mail or and electric or printed ready forms in order to handle the customer relationship in question. In customer service situations, communications such as e-mail conversations between yourself and Oy Rova-Rest Ab and its business locations can be saved in order to develop our customer service or to verify its course.
* Justified interest in this case means handling information that represents an essential part of the activity of the registry holder, which the client can also reasonably expect to be a part of this said activity. The registry holder has to often process personal data in order to execute tasks within the business’ activity. In this context the handling of personal data might not be possible to justify with a legal obligation or according to a contract. Yet, the handling of personal data can be justified according to the ”justified interest”. In this case the justified interest must always be evaluated beforehand, so that acting according to the justified interest does not cause harm or damage to the rights and freedom of the members of the registry.
5. The data content of the registry
The data saved into the registry are a person’s name, company/organization, contact information (phone, e-mail address, postal address), billing/payment information and other information necessary for the customer relationship and providing the ordered services. A singular customer’s information and data are saved in the hotel software for a period of 3 months. Regular and contract client information are saved in the system as long as the client wishes for the information to be deleted.
6. Regular information sources
The data saved into the registry are received from the customer i.e. by messages sent by internet or paper forms, by e-mail, by telephone, by social media services, from contracts, from customer meetings or other situations in which the customer issues information to the company.
7. Regular delivery and transfer of data outside of the EU or the EEA
The customer’s personal data is always collected during check-in by passenger card for legal reasons. This personal data is archived and forwarded to local authorities on a monthly basis. The data is not regularly given out to other parties. The data can be published to the extent which has been agreed on with the customer. Information can be transferred by the registry holder outside of the EU and EEA countries.
8. Principles of registry protection
Caution is applied while handling the registry and IT-based information is accessed directly by using the hotel software and personal employee login information. When registry information is processed on an internet server, the hardware’s physical and digital safety is tended to accordingly. The registry holder ensures that saved information, server user rights and other critical information linked to the safety of personal data handling are dealt with in a confidential manner only by those employees, to whom’s work description it fits. Access to the archive room where passenger cards are held is a lock-secured space, to which only keyholders have access.
9. The right to verify data and demand correction
Each person belonging to the registry has a right to check the saved personal data on them and demand possible rectification of false information or add more specifications to inadequate information. Whether a person wishes to review personal data on him/her saved into the registry or wishes to make a correction to it, the demand must be sent in written form by e-mail to the registry holder. The registry holder may ask the person to prove their identity. The registry holder will answer to the demand within the time set by the European GDPR (mainly withing a month).
10. Other rights linked to handling personal data
A member of the registry has the right to ask for deletion of their personal data in the registry (”the right to be forgotten”). The registered also has other rights according to the European GDPR, such as the limitation of handling personal data in some situations. Requests have to be sent in written form by e-mail to the registry holder. The registry holder may ask the person to prove their identity. The registry holder will answer to the demand within the time set by the European GDPR (mainly withing a month).