Privacy policy

Privacy policy pertaining to Lapland Safaris Group Oy’s customer, partner, marketing and order information.

1 JOINT CONTROLLERS

Lapland Safaris Group Oy (Business ID: 0892158-4)
Koskikatu 1, 96200 Rovaniemi

Lapland Hotels Oy (Business ID: 2199747-9)
Yrjö Kokontie 4, 99300 Muonio

Hotelli Luostotunturi Oy (Business ID: 1515200-7)
Luostontie 1, 99555 Luosto

Hotel Haikko Oy (Business ID: 2764547-4)
Haikkoontie 114, 06400 Porvoo

Lapland Hotels & Safaris Oy (Business ID: 2041198-2)
Postikatu 1, 96100 Rovaniemi

Lapland Ski Resorts Oy (Business ID: 2448061-9)
Yrjö Kokontie 4, 99300 Muonio

Ylläs Ski Oy (Business ID: 2199743-6)
Yrjö Kokontie 4, 99300 Muonio

(Hereinafter “the Controller”)

Lapland Safaris Group Oy forms a group with its subsidiaries and sister companies. The subsidiaries and sister companies process personal data in the manner specified in this privacy policy. Lapland Safaris Group Oy is, however, the primary processor, contact point and administrator in the processing activities specified in this privacy policy.

2 CONTACT DETAILS IN MATTERS RELATED TO THE REGISTERS

Lapland Safaris Group Oy
Koskikatu 1, 96200 ROVANIEMI
E-mail address: gdpr.tietosuoja@laplandhotels.com

3 NAMES OF THE REGISTERS

a) Customer, partner and marketing register.
b) Order register.

4 THE PURPOSE OF AND THE GROUNDS FOR THE PROCESSING OF PERSONAL DATA

The grounds for registration is a business relationship established by agreement with the customer or partner and Lapland Safaris Group Oy, separate consent to the processing of customer data, Lapland Safaris Group Oy’s legitimate interest or legislation. The purpose of the registers is to manage the personal data required for collaboration between Lapland Safaris Group Oy and its customers and partners, to ensure smooth customer service and the production and provision of benefits and services and to enable marketing and the planning and development of business.

Personal data is collected and processed with the customer or partner for the following purposes:

  • The realisation and confirmation of purchases related to programme services, hotel rooms, ski passes and other services and goods for the customer and the transmission of information related to the purchases to the service provider
  • The realisation and confirmation of online purchases for the customer
  • The production and delivery of service packages agreed upon with a corporate customer, related invoicing and the management of the customer relationship
  • The analysis and development of products, services and business and the compilation of statistics
  • The collection of feedback and information on deviations and customer satisfaction
  • Advertising, marketing and direct marketing. The data subject has the right to prohibit direct marketing directed at them
  • The realisation of Lapland Safaris Group Oy’s legitimate interests, such as responding to a legal claim
  • The fulfilment of Lapland Safaris Group Oy’s legal obligations
  • Information pertaining to underage persons
    >In its order forms, Lapland Safaris Group Oy may request its customers of legal age to provide the names or nicknames of their underage children. This information pertaining to underage persons is not used for any purpose other than the delivery of the products or services ordered.
  • Cookies are used to make the website function faster, to simplify the login process and to better target the content of the website to the user. For more detailed information on the purpose of the use of cookies, the grounds on which they are used and the data content collected, please refer to the cookie policy.

5 DATA CONTENT OF THE REGISTERS

The registers may include the following information:

a) Customer, partner and marketing register

  • The type of the customer relationship: customer/partner/Club member
  • Customer number
  • Identification information (name, e-mail address, phone number, address, personal identity code)
  • Contact person(s)
  • The role of the contact persons (corporate customers)
  • Invoicing information
  • Membership bonus balance (Club members)
  • The use of cookies

b) Order register

  • Information contained in the customer, partner and marketing register
  • Services ordered and delivered
  • Information collected in connection with services provided by our partners
  • Customers’ health information, such as information on illnesses and allergies

6 SOURCES OF INFORMATION FOR THE REGISTERS AND AUTOMATED DECISION-MAKING

The primary source of personal data is information provided by the customer or partner at the start or in the course of the collaboration, as well as information collected for research purposes through feedback, deviation and customer satisfaction surveys concerning the collaboration. Personal data is also collected from interactions at customer service points. Personal data may be collected in connection with the purchase of additional services. Secondarily, data can be purchased from registers intended for marketing purposes.

The Controller does not use personal data collected from customers in automated decision-making.

7 DISCLOSURE OF INFORMATION

Data pertaining to data subjects may be disclosed within the organisation of the Controller and its subsidiaries/sister companies, as well as to our partners, to fulfil the purposes described herein.  Otherwise, data is disclosed only to the extent permitted and required by law.

The services of service providers located outside the EU or EEA are used for the realisation of services. The services cannot be realised in practice without these services. In such cases, personal data may be transferred outside the EU or EEA.

Personal data transferred outside the EU or EEA is primarily cookie data (e.g. data on how many users visit the website and how they navigate the website), but ensuring the quality, integrity and correct functioning of information systems that are vital for the provision of services may require, on a case-by-case basis, the transfer of other personal data outside the EU or EEA. Such cases are occasional transfers of individual data of individual data subjects, which are carried out only to the extent required to resolve a specific case.

The Controller has taken adequate technical and organisational security measures in cooperation with the service providers. For example, contracts with service providers use standard contractual clauses approved by the EU Commission and transfers are based on a decision issued by the EU Commission on the adequacy of data protection in the country of destination. For further information, please contact the e-mail address provided in section 2.

8 PROTECTION AND STORAGE OF DATA

The basis of the processing of personal data is respect for the rights and freedom of data subjects at all stages of the processing and the fulfilment of the legal grounds for processing. The Controller only collects and processes information that is necessary for its operations.

Digital material may only be accessed by authorised employees, sole traders and collaboration partners with a personal username and password. There are varying levels of access, and each user is granted access that is sufficient for the performance of their tasks while as restricted as possible. Employees are trained and instructed to take data security into account when processing personal data.

Personal data is only stored on secure devices. The Controller’s IT devices are equipped with appropriate virus and firewall software that is configured to automatically download and install new software updates. Personal data is stored on encrypted cloud servers.

Customer/partner information is stored in the register for at least one (1) year after the end of the customer relationship and the fulfilment of all obligations, unless otherwise specifically agreed or required by law.

9     DATA SUBJECTS’ OTHER RIGHTS REGARDING THE PROCESSING OF PERSONAL DATA

Data subjects’ right of access (inspection right)

Data subjects have the right to know what information pertaining to them is stored in the register. The written and signed request for access must be sent to the e-mail address provided in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller. 

Data subjects’ right to rectification, erasure or restriction of processing

Data subjects have the right to request the rectification of incorrect personal data pertaining to them after being informed of or discovering the error. If the data subject is able to rectify the error, they must rectify, erase or complete the incorrect, unnecessary or outdated information without delay. If the data subject is not able to rectify the information themselves, they must submit a request for rectification.

Insofar as the data subject is not able to rectify the information themselves, the request for rectification must be submitted in writing to the e-mail address provided in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller. 

Data subjects also have the right to demand the Controller to restrict the processing of their personal data, for example, when the data subject is waiting for a response to their request for the rectification or erasure of data pertaining to them.

The Controller reserves the right to limit the number of free rectification and erasure requests to one (1) per year.

Data subjects’ right to transfer data from one system to another

Insofar as the data subject has provided information to the registers and the data processing is performed on the grounds of consent or assignment from the data subject, the data subject has the right to obtain such data for themselves primarily in a machine-readable format and the right to transfer this data to another controller.

When the request for data transfer is made in writing, the Controller must deliver the data specified in the section on the right of access within a reasonable time taking into account the extent of the information to be delivered. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.

Other rights

Data subjects have the right to lodge a complaint with the competent supervisory authority if the Controller has failed to comply with the applicable data protection regulations in its operations.

10   CONTACTING THE CONTROLLER

In all questions and requests related to personal data, the data subject must contact the e-mail address provided in section 2.

11   THIRD-PARTY WEBSITES AND SERVICES 

This privacy policy applies only to websites maintained by Lapland Safaris Group Oy, and we are not responsible for the privacy policies of other websites. The website may contain links to third-party websites. We recommend that users review the privacy policies of any other websites they use.

12   CHANGES TO THE PRIVACY POLICY

Lapland Safaris Group Oy may make changes to this privacy policy. To ensure that users are always aware of how their data is processed, the revised privacy policy is available on our website. Last updated on 28.11.2023.