1 Data controller
Villa Säikkärä Oy
Säikkäränniemi 21, 97250 Raanujärvi, Finland
Business ID: 1079947-7
2 Contact details for matters related to the register
Villa Säikkärä Oy
3 The purpose of and legal basis for the processing of personal data
The processing of personal data is legally based on a contractual relationship between a customer, partner or employee and Villa Säikkärä Oy, a separate consent for the processing of customer/personal data, the data controller’s legal obligations or the data controller’s legitimate interest. The goal of the data processing is to create and produce accommodation services, manage personal data required for collaboration between Villa Säikkärä Oy and its customers and partners, to ensure professional customer service, and to enable marketing and the planning and development of business. The purpose of employee data processing is to fulfill the employer’s legal obligations.
Personal data is collected and processed in collaboration with the customer, partner or employee for the following purposes:
- The realisation, confirmation and billing of purchases related to accommodation and programme services and other services and goods connected with the customer and handling of the customer relationship
- Intermediating the information related to purchases of the accommodation and other services
- The analysis, development and creation of statistics of the business
- The collection of feedback and information on deviations and customer satisfaction
- Advertising, marketing and direct marketing. The data subject has the right to prohibit direct marketing
- Processing the data on underage persons in order to provide accommodation and other services (the data of underage persons will only be used to manage the direct purchase/service/accommodation)
- The realization of the legitimate interest of the data collector, for example replying to a legal claim
- The fulfillment of the legal obligations of the data collector, for example related to accounting or employer responsibilities
4 Content of the registers
The registers may contain the following information:
- Identity of the user (name/address/email/telephone number)
- Social security number/Identity number
- Contact person(s)
- The role of the contact persons (corporate customers)
- Invoicing information
- Services ordered and delivered
- Information accumulated in conjunction with services supplied by our partners
- Information collected from received feedback or through customer satisfaction survey
- Information on one’s health and/or allergies or information on underage persons
- Data needed for employment and information related to performance, behaviour and history of a business relationship.
5 Sources of information for the registers
The primary source of personal data is information provided by the customer or partner or employee before the contractual relationship has been conducted, in the process of the negotiations of the contractual relationship and during the contractual relationship. Additionally, data is collected through feedback, customer satisfaction surveys and surveys concerning deviations of the services for the purpose of analysing and developing the business and conducting research concerning the business.
6 Disclosure of information
Registered data may be disclosed within the organisation of the data controller and its collaboration partners for the realisation of the purposes described herein. Otherwise, data is only disclosed to the extent permitted or required by law. When disclosing the data, Villa Säikkärä Oy aims to secure the lawfulness of the data processing provided by the partners through organizational, technical and legal means.
The agreement concluded with the customer, partner or employee may include the transfer of information outside the borders of the EEA and EU through the use of cloud and computer services. In this case it is also the responsibility of Villa Säikkärä Oy to ensure the necessary data security in accordance with the legislation. The data collected outside the EEA and EU area may include, for example, data collected by cloud and program providers, including cookie, log, statistical and troubleshooting data. Personal data will not be moved in a way that may lead to identification of the person. Standard contractual clauses adopted by the EU Commission will be used with cloud and service providers located outside the EEA or EU area.
7 Protection and storage of data
The basic principle of data processing is to respect the rights and freedoms of the data subjects in all stages of the processing and the fulfilment of the legal basis for processing. The data controller only collects and processes information that is necessary for its operations.
Data security will be provided through computer and organizational means. Employees are instructed to follow data-secure working methods. Personal data may only be accessed by authorised employees, sole traders and collaboration partners with a personal username and password. Various levels have been determined for access rights and each user is granted access rights on the level that is as restricted as possible but suffices for the performance of his or her tasks. IT devices are protected with up-to-date firewall and virus protection software.
Villa Säikkärä Oy will only keep personal data stored as long as it is necessary to meet the purposes of the data processing as defined in chapter 3. In order to ensure the fulfillment of these purposes and of the rights of the data subjects, the data will be retained in the register, in a form where the data subject is identifiable, for two (2) years after a customer or partner relationship has ended and all the commitments have been fulfilled.
The end of the relationship is determined to be the moment when (i) it has been one (1) year from the last order date of the data subject, or (ii) when the agreement with the partner has ended or (iii) when the work agreement has ended.
The legislation may include certain obligatory deadlines concerning the data retention. The identification and billing information as well as documents for ordered and delivered services will be retained as accounting information according to the accounting law (1336/1997) for ten (10) years after the accounting period has ended. After an employment has ended, the identification data of the employee will be removed from the register five (5) years after the work relationship has ended at the latest. If an employee had an accident during the work agreement, the personal data is removed from the register ten (10) years after the accident took place.
A deviation from the two (2) year accounting period is made in situations where the data subject has filed a complaint or has initiated legal action concerning the purposes of the processing of personal data. In this case, the data controller will retain the personal data until the dispute has been resolved in a legally binding way.
8 Data subjects’ other rights related to data processing
Data subjects’ right to access the data (inspection right)
Data subjects may require the adjustment of the data, its removal or the limitation of its use
Data subjects may request the adjustment of their own data after being informed that the data is false or after noticing themselves that the data is false. If the data subject has the possibility to correct a mistake, they ought to do so without hesitation and correct, remove or supplement false, unnecessary or old data.
For the data that data subjects cannot correct themselves, they need to make a correction request to the contact point mentioned in Chapter 2. The data subject will need to identify themselves according to the instructions provided by Villa Säikkärä Oy. The data subject also has the right to limit the use of their data while they are waiting for a response to their request for the data to be corrected or removed.
Villa Säikkärä Oy has the right to limit the corrections free of charge to one time per year.
Data subjects’ right to transfer the data pertaining to them to another system
Insofar as the data subject has provided personal data to the registers and data processing is performed on the grounds of consent or assignment from the data subject, the data subject has the right to receive this data primarily in a machine-readable format and to transfer the data to another data controller.
When the request for data transfer is made in writing, the data controller must deliver the data specified in the section on the right of access within reasonable time taking into account the extent of the information to be delivered. The data subject submitting the request must be prepared to verify his or her identity in accordance with the instructions provided by the data controller.
Data subjects have the right to lodge a complaint with a supervisory authority if they consider that the processing of personal data relating to them infringes the applicable data protection regulations.
9 Contacting the data controller
With regard to questions and requests related to personal data, the data subject must contact the operator responsible for the data controller’s registers referred to in section 2.
10 Third party websites and services