Lapland Safaris Group Oy (Business ID: 0892158-4)
Koskikatu 1, 96200 Rovaniemi
Lapland Hotels Oy (Business ID: 2199747-9)
Yrjö Kokontie 4, 99300 Muonio
Hotelli Luostotunturi Oy (Business ID: 1515200-7)
Luostontie 1, 99555 Luosto
Hotel Haikko Oy (Business ID: 2764547-4)
Haikkoontie 114, 06400 Porvoo
Lapland Hotels & Safaris Oy (Business ID: 2041198-2)
Postikatu 1, 96100 Rovaniemi
Lapland Ski Resorts Oy (Business ID: 2448061-9)
Yrjö Kokontie 4, 99300 Muonio
Ylläs Ski Oy (Business ID: 2199743-6)
Yrjö Kokontie 4, 99300 Muonio
(Hereinafter “the Controller”)
Lapland Safaris Group Oy
Koskikatu 1, 96200 ROVANIEMI
E-mail address: email@example.com
a) Customer, partner and marketing register.
b) Order register.
The grounds for registration is a business relationship established by agreement with the customer or partner and Lapland Safaris Group Oy, separate consent to the processing of customer data, Lapland Safaris Group Oy’s legitimate interest or legislation. The purpose of the registers is to manage the personal data required for collaboration between Lapland Safaris Group Oy and its customers and partners, to ensure smooth customer service and the production and provision of benefits and services and to enable marketing and the planning and development of business.
Personal data is collected and processed with the customer or partner for the following purposes:
The registers may include the following information:
a) Customer, partner and marketing register
b) Order register
The primary source of personal data is information provided by the customer or partner at the start or in the course of the collaboration, as well as information collected for research purposes through feedback, deviation and customer satisfaction surveys concerning the collaboration. Personal data is also collected from interactions at customer service points. Personal data may be collected in connection with the purchase of additional services. Secondarily, data can be purchased from registers intended for marketing purposes.
The Controller does not use personal data collected from customers in automated decision-making.
Data pertaining to data subjects may be disclosed within the organisation of the Controller and its subsidiaries/sister companies, as well as to our partners, to fulfil the purposes described herein. Otherwise, data is disclosed only to the extent permitted and required by law.
The services of service providers located outside the EU or EEA are used for the realisation of services. The services cannot be realised in practice without these services. In such cases, personal data may be transferred outside the EU or EEA.
Personal data transferred outside the EU or EEA is primarily cookie data (e.g. data on how many users visit the website and how they navigate the website), but ensuring the quality, integrity and correct functioning of information systems that are vital for the provision of services may require, on a case-by-case basis, the transfer of other personal data outside the EU or EEA. Such cases are occasional transfers of individual data of individual data subjects, which are carried out only to the extent required to resolve a specific case.
The Controller has taken adequate technical and organisational security measures in cooperation with the service providers. For example, contracts with service providers use standard contractual clauses approved by the EU Commission and transfers are based on a decision issued by the EU Commission on the adequacy of data protection in the country of destination. For further information, please contact the e-mail address provided in section 2.
The basis of the processing of personal data is respect for the rights and freedom of data subjects at all stages of the processing and the fulfilment of the legal grounds for processing. The Controller only collects and processes information that is necessary for its operations.
Digital material may only be accessed by authorised employees, sole traders and collaboration partners with a personal username and password. There are varying levels of access, and each user is granted access that is sufficient for the performance of their tasks while as restricted as possible. Employees are trained and instructed to take data security into account when processing personal data.
Personal data is only stored on secure devices. The Controller’s IT devices are equipped with appropriate virus and firewall software that is configured to automatically download and install new software updates. Personal data is stored on encrypted cloud servers.
Customer/partner information is stored in the register for at least one (1) year after the end of the customer relationship and the fulfilment of all obligations, unless otherwise specifically agreed or required by law.
Data subjects’ right of access (inspection right)
Data subjects’ right to rectification, erasure or restriction of processing
Data subjects have the right to request the rectification of incorrect personal data pertaining to them after being informed of or discovering the error. If the data subject is able to rectify the error, they must rectify, erase or complete the incorrect, unnecessary or outdated information without delay. If the data subject is not able to rectify the information themselves, they must submit a request for rectification.
Data subjects also have the right to demand the Controller to restrict the processing of their personal data, for example, when the data subject is waiting for a response to their request for the rectification or erasure of data pertaining to them.
The Controller reserves the right to limit the number of free rectification and erasure requests to one (1) per year.
Data subjects’ right to transfer data from one system to another
Insofar as the data subject has provided information to the registers and the data processing is performed on the grounds of consent or assignment from the data subject, the data subject has the right to obtain such data for themselves primarily in a machine-readable format and the right to transfer this data to another controller.
When the request for data transfer is made in writing, the Controller must deliver the data specified in the section on the right of access within a reasonable time taking into account the extent of the information to be delivered. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.
Data subjects have the right to lodge a complaint with the competent supervisory authority if the Controller has failed to comply with the applicable data protection regulations in its operations.
In all questions and requests related to personal data, the data subject must contact the e-mail address provided in section 2.