Privacy policy pertaining to Lapland Safaris Group Oy’s customer, partnership and marketing information.
1 DATA CONTROLLER
Lapland Safaris Group Oy (Business ID: 0892158-4)
2 CONTACT DETAILS FOR MATTERS RELATED TO THE REGISTER
Email address: gdpr.tietosuoja@laplandhotels.com
Address: Koskikatu 1, 96200 Rovaniemi, Finland
3 NAME OF THE REGISTER
Customer, partnership and marketing register.
4 THE PURPOSE OF AND GROUNDS FOR THE PROCESSING OF PERSONAL DATA
The grounds for the processing of personal data include a contractual relationship between a customer or partner and Lapland Safaris Group Oy or a separate consent for the processing of customer information. The goal for the register is to manage personal data required for collaboration between Lapland Safaris Group Oy and its customers and partners, to ensure smooth-running customer services and the production and provision of services, and to enable marketing and the planning and development of business.
Personal data is collected and processed in collaboration with the customer or partner for the following purposes:
In its order forms, Lapland Safaris Group Oy may request its customers of legal age to provide the names or nicknames of their underage children. The information on underage children is not used for purposes other than the delivery of the products or services ordered.
5 CONTENT OF THE REGISTER
The register may contain the following information:
6 SOURCES OF INFORMATION FOR THE REGISTER
The primary source of personal data is information provided by the customer or partner at the start or in the course of the collaboration or information collected for the purpose of receiving feedback, analysing customer satisfaction or conducting research.
Additionally, personal data is accumulated in conjunction with visits to the customer service points.
Personal data may also accumulate in conjunction with the purchase of additional services.
Registers are purchased for marketing purposes.
7 DISCLOSURE OF INFORMATION
Registered data may be disclosed within the organisation of the data controller and its subsidiaries and sister companies and to our collaboration partners for the realisation of the purposes described herein. Otherwise, data is only disclosed to the extent permitted or required by law.
Data is not transferred outside the EU or EEA, unless it is necessary for the realisation of the service. In such a case, the data controller guarantees that the required level of data protection is ensured in accordance with the applicable legislation.
8 PROTECTION AND STORAGE OF DATA
The basis of data processing is respect for the rights and freedoms of data subjects in all stages of the processing and the fulfilment of the legal ground for processing. The data controller only collects and processes information that is necessary for its operations.
Digital material may only be accessed by authorised employees, sole traders and collaboration partners with a personal username and password. Various levels have been determined for access rights and each user is granted access rights on the level that is as restricted as possible but suffices for the performance of his or her tasks.
Information related to customers and partners is stored in the register for at least a year after the agreement has been terminated and all contractual obligations have been met unless otherwise agreed on or required by law.
9 DATA SUBJECTS’ OTHER RIGHTS RELATED TO DATA PROCESSING
Data subjects’ right to access the data (inspection right)
Data subjects have the right to know what information pertaining to them is stored in the register. A signed inspection request must be delivered in writing to the register’s contact point specified in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify his or her identity in accordance with the instructions provided by the data controller.
Data subjects’ right to rectification, erasure and the restriction of processing
Data subjects are entitled to require a controller to rectify any errors in their personal data as soon as they notice the error or become aware of it by other means. If the data subject is able to rectify the error, he or she must rectify, erase or complete the erroneous, unnecessary or outdated information. If the data subject is not able to do so, a request for rectification must be submitted.
Insofar as the data subject is unable to rectify the information, a request for rectification must be submitted in writing to the register’s contact point specified in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify his or her identity in accordance with the instructions provided by the data controller.
Data subjects also have the right to restrict the processing of their data, for example if a request for rectification or erasure is pending.
Lapland Safaris Group Oy reserves the right to limit the number of free rectification and erasure requests to one a year.
Data subjects’ right to transfer the data pertaining to them to another system
Insofar as the data subject has provided personal data to the customer register and data processing is performed on the grounds of consent or assignment from the data subject, the individual has the right to receive this data primarily in a machine-readable format and to transfer the data to another data controller.
When the request for data transfer is made in writing, the data controller must deliver the data specified in the section on the right of access within reasonable time taking into account the extent of the information to be delivered. The data subject submitting the request must be prepared to verify his or her identity in accordance with the instructions provided by the data controller.
Other rights
Data subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the applicable data protection regulations.
10 CONTACTING THE DATA CONTROLLER
With regard to questions and requests related to personal data, the data subject must contact the operator responsible for the data controller’s register referred to in section 2.