Privacy Policy / GDPR

Information document on the processing of personal data in the customer register of Hotel AadanKosio Oy in accordance with the EU General Data Protection Regulation.

Controller

Hotel Aada Oy

Business ID: 3447054-5

Address: Kauppakatu 32, 80100 Joensuu, Finland

Contact details for matters concerning the register

Contact person for matters relating to the register and the exercise of the rights of the data subject:

Tanja Pesonen

Name of the register

Hotel AadanKosio customer register

Legal basis for processing personal data

The processing of personal data in the customer register is based on legitimate interest, i.e. the customer relationship of consumer and business customers with Hotel AadanKosio Oy. The controller also processes customer data on the basis of a contract between the controller and the data subject. On this basis, personal data collected from the customer when making a room reservation or for service and room billing purposes are processed.

Purposes of the processing of personal data

The purposes for which the customer data in the customer register is used are:

  • processing of reservations made by the customer
  • customer relationship management and development
  • possible customer communication
  • sales and implementation of services
  • marketing of services
  • processing of personal data relating to payment, invoicing, monitoring and collection of payments
  • developing the controller’s business and customer services

Personal data processed

The controller processes the following personal data:

  • customer’s first and last name, date of birth, telephone number, address, e-mail address
  • citizenship
  • information on reservations
  • information on the use and purchase of services
  • customer payment method information, billing information, any payment delay information
  • information on customer choices and preferences
  • any customer feedback and complaints data
  • any legal prohibitions on direct marketing declared by the person concerned

For business customers, the controller processes the following personal data:

  • name, address, e-mail address, telephone number of the contact person for the business customer
  • any customer feedback and complaints data
  • information on the legal prohibitions on direct marketing provided by the company’s contact person

Where is personal data collected?

The controller receives personal data:

  • from the registrants themselves, e.g. by email, booking system or telephone call
  • information obtained from the use of the services and in connection with visits
  • from external hotel reservation service companies
  • from the registered employer when booking services
  • from external sources such as public registers

Processing of personal data

The data in the customer register are processed only by persons whose job essentially involves processing the data. Access to the register is by means of separate identifiers and passwords. The data will not be disclosed to persons outside the scope of the employment relationship with Hotel AadanKosio Oy or a specially established cooperation relationship. However, the data may be disclosed to the authorities on the basis of their requests for information based on the law.

Transferring data outside the EU

We use subcontractors to provide our services, who may be based outside the EU or the European Economic Area. When data is transferred outside the EU and EEA, we ensure an adequate level of protection of personal data, including by agreeing on confidentiality and processing issues as required by law.

Retention period of personal data

The personal data contained in the customer register is processed for the duration of the customer relationship. The controller will consider the customer relationship to have ended if the customer has not used the company’s services for two (2) years.

However, data may be stored and processed after the end of the customer relationship if necessary for a justified reason or for handling complaints. The retention period of the data in the customer register is in accordance with the legal retention periods, such as the Accounting Act. The information required by the Accounting Act is kept for as long as required by the Accounting Act.

Contact details for business customers are deleted in a similar way after the business relationship is deemed to have ended. However, data may be retained after this period if there is another reason for doing so.

Where data are processed under a contract between the controller and the data subject, the data are kept for as long as the data are needed to implement the contract.

Once the contract has been executed, the data is stored for as long as the customer relationship exists or there is another reason for processing (e.g. complaints or accounting law).

During the customer relationship, only data that is necessary for the purposes for which it is collected is processed. The controller carries out periodic checks to delete unnecessary data.

About the rights of the data subject

The data subject has the right to request access to data concerning him or her and the right to request that the data be corrected if it is inaccurate.

At the request of the data subject, the processing of the data may be restricted or completely erased from the register.

The data subject has the right to object to the use of the data, for example. in direct marketing.

Right to lodge a complaint with a supervisory authority

The data subject has the right to lodge a complaint with the competent supervisory authority if the data subject considers that the controller has not complied with the applicable data protection regulation.

Requests related to the exercise of the rights of the data subject

For questions relating to the processing of personal data and in situations where the data subject wishes to exercise his or her rights, he or she may contact the contact person of the register indicated at the beginning of this document.

A request for the right of access or any other request to the controller to exercise the rights of the data subject must be made in writing by e-mail. Since all the steps required to book a service can only be done electronically, email is also a legitimate channel for sending a request. The request can also be made in person at the controller’s premises. The controller may ask the data subject to specify adequately which data or processing operations are covered by the data subject’s request.

In order to ensure that personal data are not disclosed to persons other than the data subject in connection with the exercise of the data subject’s rights, the controller may, where appropriate, ask the data subject to submit a signed request for verification. The controller may also ask the applicant to prove his or her identity by means of an official identity document or other reliable means.


Last change 24.7.2024