An information document in accordance with the General Data Protection Regulation (EU) regarding the processing of personal information in the customer register of
Northern Lights Igloo Resort Oy / LaplandNews Ltd
Reg.nro 3010923-4 and 2860612-7
Koskikatu 49, 96100 Rovaniemi
Tel. +358 45 211 8838
2. Contact for register issues
In matters related to the register and the exercise of data subject rights, please contact:
Tel. +358 40 507 9441
3. Name of the register
Northern Lights Igloo Resort customer register
4. Legal basis of personal data processing
The processing of the personal data in the register is based on the customer relationship between private and corporate customers and LaplandNews Ltd. Due to the customer relationship, data processing is based on a legitimate interest.
The controller also processes customer data on the basis of an agreement between the controller and the data subject. This basis applies to the personal data which is collected from the data subject in connection with a room, table or program service reservation or for the purpose of charging such services.
When the data processing is based on a legitimate interest or an agreement, the data subject does not have to be asked for a separate consent to the processing.
5. Purposes of personal data processing
Customer data in the customer register are used for:
– customer relationship management and development
– customer relationship communication
– marketing the controller’s services
6. Processed personal data
The controller processes the following personal data of the customer:
– first and last name, age, address, telephone number, email address
– possible customer feedback or complaints
7. Sources of personal information
The controller receives the personal data directily from the data subject:
– at the location
– over the phone
– by email
– by social media
8. Recipients or recipient categories of personal data
Customer register data is not disclosed to third parties unless the customer specifically asks the controller to book third-pary services requested by the customer, such as program services or transportation.
9. Transfer of data outside the EU
Information will not be transferred outside of the EU.
10. Personal data retention period
The personal data in the customer register are processed for the duration of the customer relationship. The controller considers a customer relationship to have ended if the customer has not been active and used the controller’s services for a period of 3 years. The period starts from the end of the calendar year during which the customer last used the controller’s services. The data is erased within 6 months from the end of the customers relationship, unless there are other grounds for storing the data.
However, the data may be stored and processed after the end of the customer relationship if it is required for processing complaint-related issues. The retention periods also comply with the retention periods laid down by the Accounting Act and other relevant laws. The data required by the Accounting Act are stored for as long as is required by the law.
Corporate customers’ contact person data are erased when the company’s customer relationship is considered to have ended. However, the data may be retained after the end of the customer relationship if there are other grounds for storing them.
When the data are processed on grounds of an agreement between the controller and the data subject, the data is stored for as long as is required for implementing the agreement. After the agreement has been implemented, the data is stored for the duration of the customer relationship or for as long as there are other grounds for the processing (e.g. complaints or the Account Act).
Only data that are required for the defined purposes of use are processed during customer relationship. The controller carries out periodic checks in order to erase unnecessary data.
When the customer relationship ends, the customer’s data may be transferred to the company’s direct marketing register if the customer has not prohibited the use of their data for direct marketing purposes.
11. Data subject’s rights
The personal data in the customer register is processed based on the controller’s legitimate interest (General Data Protection Regulations, Article 6, section 1, sub-section e). In this case, the customer relationship contitutes the legitimate interest. The processing of personal data is also based on the agreement between the controller and the data subject (General Data Protection Regulation, Article 6, section 1, sub-section b). This ground for processing in explained in more detail in paragraph 4 of the Privacy Notice.
When the data is being processed on the grounds of a legitimate interest or an agreement, the data subject has the following rights:
Right to access their data
Data subjects have the right to request access to their personal information in order to determine the processing thereof.
As a general rule, the data subject has the right to know what information the customer register contains on them. The controller may request the data subject to sufficiently clarify which information or processing the request relates to.
The data subject’s right of access may be restricted or refused on the basis of the General Data Protection Regulation if the disclosure would adversely affect the rights and freedoms of others. Such rights include, for example, the controller’s business secrets and third-party personal data. National legislation (the Data Protection Act etc.) may also impose restrictions on the data subject’s right.
Right to data rectification
Data subjects have the right to request that the controller rectify any inaccurate or incorrect personal information without undue delay.
Right to data ensure
At the request of the data subject, the controller must erase the personal information relating to the data subject without undue delay, if any of the following conditions is met:
– personal information is no longer needed for the purposes for which they were originally collected
– data subject objects to the processing and there is no reasonable cause to process the data
– data subject objects to the processing for direct marketing purposes (in this case, however, processing for other purposes is permitted)
– personal data has been unlawfully processed.
Even if one of the requirements is met, the data do not have to be erased if the processing is required in order for the controller to be able to, for example, comply with a statutory obligation based on national or EU legislation that is applicable to the controller and requires the processing, or if the processing is required in order to establish, exercise or defend a legal claim.
Right to object to data processing
The data subject may object to personal data processing on grounds relating to the data subject’s particular situation if the data are processed on the grounds of a legitimate interest.
If the processing is based on an agreement, the data subject does not have the right to object to the processing.
If the data subject has objected to personal data processing on grounds relating to the data subject’s particular situation, the data subject must specify the situation on the grounds of which the data subject objects to the processing based on a legitimate interest. The controller may continue data processing despite the data subject’s objection if there is a particularly important and justifiable reason, which overrides the interests, rights and freedoms of the data subject, or if it is necessary for the establishment, exercise or defense of a legal claim.
The data subject has the right at any time to object to the processing of their personal data for direct marketing purposes. If the data subject objects to the use of their personal information for direct marketing, they may no longer be processed for this purpose.
Right to request restriction of processing
The data subject has the right to request that the controller restrict the active processing of their personal data in the following situations:
– data subject contests the accuracy of the personal data, in which case the processing must be restricted until the controller has verified the accuracy of the data
– processing is contrary to law and the data subject requests restrictions on the processing instead of the erasure of the personal data
– the controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defense of a legal claim
– data subject has objected to the processing of personal data (see above) and the assessment of whether the legitimate interests of the controller override those of the data subject, is pending.
During restricted processing, the data may principally be stored but not processed. Additionally, the data may be processed for the establishment, exercise or defense of a legal claim or for the protection of the rights of another natural or legal person or for reasons of important public interest. Before the restriction is lifted, the data subject must be informed about the matter.
Right to transfer data from one system to another
To the expent that the information in the customer register has been submitted by the data subject themselves, and the data is processed through the means of automatic data processing and on the basis of an agreement between the controller and the data subject, the datasubject is entitled to received their data mainly in machine-readable format and transfer the data directly from one controller to another if it is technically possible.
12. Right to lodge a complaint with a requlatory authority
Data subject has the right to lodge a complaint with a competent requlatory authority if the data subject feels that the controller has not complied with the applicable data protection requlations.
13. Requests relating to the exercise of data subject rights
In matters related to personal information processing or exercising the data subject’s rights, please contact the data controller representative mentioned in paragraph 2 above.
Requests pertaining to the right of access or the realization of other data subject rights must be submitted to the controller in writing by email or by post. The request may also be presented in person at the office of the controller.
The controller may request the data subject to sufficiently clarify which information or processing the request relates to.
In order to ensure that personal information is not disclosed to persons other than the data subject, the controller may request that the data subject sign the request. The controller may also ask the issuer of the request to verify their identity with an official identification card or other reliable means.