Personal data means any information relating to an identified or identifiable natural person. For example, name, personal identity code, location data, online identifier, address or accommodation data.
Sensitive data means personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data or data concerning one’s health, sex life or sexual orientation.
“Processing of personal data”
Processing of personal data means any operation which is performed on personal data by automated means or manually. Processing of personal data is, for example, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
An identified or identifiable natural person that the processed personal data relates to. For example, a jobseeker or a customer.
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
1. The use and processing of personal data
We collect and process personal data only as far as it is necessary for the business of Rumarstrand Oy for the following purposes:
- development, production, supply and offering of our services
- maintaining and administering the customer relationship
- organizing customer service and events
- invoicing and credit control
- marketing and advertising services and products, by, for example, direct marketing and targeting it for our customers
- offering, targeting and developing marketing communications (for example, market surveys)
- statistical purposes
- ensuring safety (camera surveillance and deviation reports)
We collect and process your personal data according to the legislation which is valid at any given time and our legitimate interests. Personal data are mainly collected directly from you via telephone, email or electronic/printable forms to administer the customer relationship. In customer service situations, the communication between you and Rumarstrand Oy, such as emails, can be stored for the purpose of developing customer service and verifying its contents. Personal data are collected and updated also from the following registers: registers of product and service suppliers for Rumarstrand Oy, the population register, Data & Marketing Association of Finland’s preference lists and other such registers.
The purpose of the processing defines what data we collect in each situation and for which purpose. We process the personal data mentioned below only on legal grounds for the purposes referred to.
Accommodation, meeting and restaurant services
- Based on the contract and its fulfillment between the customer and the controller, we process the following data: contact details (first and last name, address, ZIP code, city, country, email address, telephone number) and payment details (credit card number, name on the credit card, the expiration month and year of the card).
- Based on the customer’s consent, we can also process the following data:
- When booking restaurant and meeting services, we collect the customer’s contact and payment details as well as the possible allergy information.
- When a customer provides us with their business card, the data can be added to Rumarstrand Oy’s customer register.
- Based on the controller’s legitimate interest*, as accommodation services are offered, we collect the customer’s data on gender, title and nationality as well as the possible loyal customer number and VIP status. The title and gender data can be used when greeting and addressing the customer. The customer’s flight number, airline, arrival and departure times can also be collected from the customer and open details may be added to the customer profile.
- Processing passenger cards is based on the controller’s legal obligation.
- The processed data: the customer’s name, personal identity code or birthdate, nationality, the names of the spouse and underage children accompanying the traveler, Finnish personal identity codes (or, if they are not available, birthdates), address, country of entry to Finland, number of travel document and arrival and departure dates. Moreover, the purpose of traveling can be documented (such as leisure, work or other reason).
Marketing and advertising
- We process, for example, the customer’s email address to deliver a newsletter to the customer (electronic direct marketing), whereupon the processing is based on consent from the customer.
- Marketing and advertising is also based on the controller’s legitimate interest* (for example, in B2B business and compiling guest lists for events).
- Targeted marketing:
- Rumarstrand Oy carries out the profiling of its customers in the context of targeted marketing, so that you may be offered services that are interesting to you based on your previous buying behavior or the data stored in your customer register. Profiling is based on a consent given by you and you have the right to withdraw it at any time. If you have any questions on profiling, do not hesitate to contact us at: email@example.com
- The customer’s email address, name, domicile, possible interests and earlier buying behavior are used to target marketing. Based on previous buying behavior, we can offer, for example, anniversary offers to customers who have previously reserved a wedding package.
- In addition, we use Meta’s custom audience tool in our interest-based online marketing, whereby a pixel tool has been added to our website. A pixel tool is an analytics tool that enables us to create target groups for advertising and it ensures that our ads are shown to the correct target groups (such as age and interests). The data collected for us is kept anonymous and we cannot see an individual user’s personal data. However, Meta stores and processes the collected data.
Data collected by the website
- As you browse our website, we will obtain data, such as your IP address. We use IP addresses to analyze the use of our website to, for example, solve server problems, manage the website and track the users’ activity for statistical purposes.
- Rumarstrand Oy uses Google Analytics to analyze the use of the website and to produce statistics. Google Analytics is a web analysis tool offered by a third party, Google Inc. Google Analytics collects certain data on the website visitors with the help of cookies so that we can analyze and improve your use of the website. This data includes, for example, where the user entered the site from and how they operate on the site. The data collected by these cookies is transferred and stored on Google’s servers, some of which may be located outside the EU.
2. Sensitive data
Special categories of personal data, so-called ‘sensitive data’, mean the personal data that reveal one’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data or data concerning the health status, sex life or sexual orientation of a natural person.
The processing of sensitive data is allowed only if the processing is necessary to fulfil our legal obligations or with your explicit authorization. Rumarstrand Oy process sensitive data on their customers in the specific circumstances described below.
Deviation reports: The deviation report system may process the customer’s health status data in conjunction with deviation reports, for example when processing seizure reports. The personal data in the deviation report system’s seizure reports are processed based on the
controller’s general interest, to protect the company’s and employees’ legal protection and to establish or defend against a legal claim.
Other processing of health status data: Indirect health status data may accumulate when the customer notifies of their physical disabilities or reserves an accessible room or in conjunction with a recuperative stay after an operation (for example, surgery) carried out on a health care
service provider’s premises. The processing of data is based on the customer’s consent.
Credit card information:
Based on the legislation, credit card information is not sensitive data, but the misuse of credit card information causes risks for the customers and demands, therefore, particularly careful processing. Rumarstrand Oy considers the sensitivity of these data with special measures and
processes credit card information with the same care as sensitive data. The processing of credit card and other payment information is based on a contract and its fulfillment between the customer and controller.
3. Disclosure and transfer of data
Rumarstrand Oy is committed to processing your personal data in a confidential manner and we do not disclose your personal data to third parties except in the following circumstances:
- Within the group: Your data may be disclosed to Rumarstrand Oy to administer your customership and to improve your customer experience. We may also disclose your data if it is necessary due to our legitimate interest, for example to ensure safety or investigate and prevent misconduct based on the customer’s previous unwanted behavior.
- Authorities: Due to its legal obligation, Rumarstrand Oy discloses the passenger notifications data of those other than Finnish customers to the police authorities. Furthermore, we may have to disclose some data to the authorities or administrators of law when there is some other prerequisite for it in the legislation. We only do this based on a valid decree from the court or on the authorities’ orders or summons.
- Collaboration partners: Based on our legitimate interest, we disclose data on your name, email address and domicile to the partners of Rumarstrand Oy. Based on your email address and domicile, we can send you targeted marketing if you have not refused electronic direct marketing. You can withdraw your consent for direct marketing at any time. Your name and contact details will also be disclosed for our collaboration partner hotels’ marketing purposes.
We also use subcontractors and service providers to process the data we have collected (for example, for technical maintenance or the execution of campaigns and direct marketing). They have the right to process your data only to the extent required for the services agreed upon. This means that they cannot use your data for their own purposes. We oblige them with contracts to ensure an adequate level of data protection and the legitimacy of the processing.
4. Data security
We have adequate technical and organizational data protection measures to protect your personal data from loss, abuse, or other unlawful access. These kinds of measures are, for example, firewalls, encryption techniques and the use of safe equipment premises. Access to your personal data has also been restricted internally by access control and admission and monitoring of user IDs. Your personal data are processed by only those employees who have the right to do so based on their work tasks.
5. Access to data and exercising your rights
You have the right to control what data we have collected on you and to affect how we use such data. It is up to you to decide if you want to receive direct marketing and, in some instances, you have the right to be forgotten or to request to have your data transmitted to another controller. In this section, we explain what rights you have based on the applicable legislation and how you can exercise your rights:
- Right to withdraw consent: When the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. You can, for example, withdraw your consent to direct marketing.
- Right to control and rectification: You have the right to control what data we have collected on you or to obtain confirmation that we do not have any personal data on you in our register. If your data are inaccurate or incomplete, you can send us a request for rectification or completion.
- Restriction or objection of processing: If your data are inaccurate in some part, you have the right to demand the temporary restriction of processing until we have confirmed the correctness of the data. Whenever the processing of your data is based on the controller’s legitimate interest, you have the right to object to the processing of your data. This means that we are no longer allowed to process your personal data, unless we can reasonably demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the data subject. In addition, if we need the data to establish, exercise or defense legal claims, we are allowed to continue processing the personal data.
- Right to refuse marketing: Moreover, you can refuse direct marketing at any time (including profiling for direct marketing purposes).
- Right to be forgotten: In specific instances, you have the right to be forgotten, which means we will erase all personal data concerning you, if the personal data are no longer necessary for the purposes they were originally collected for (for example, to investigate and prevent misconduct based on the customer’s previous unwanted behavior). We will also erase the data if the processing has been based on consent and you withdraw your consent, or if you object to the processing of your personal data, unless there is another basis for the processing. Please note that we may have legal obligations to store your personal data, such as the Act on Accommodation and Food Service Operations that obliges us to store the data on your passenger card for a certain period of time.
- Right to transmit data from one system to another: You may request the transmission of your personal data, whereby we will provide you with your personal data in a machine-readable format so that you may store it yourself or transmit them to another controller (for example, another service provider). If technically possible, we will transmit your data directly to another controller at your request. This is only possible in situations where we process your personal data based on your consent or a contract, and applies only to data you have supplied to us yourself.
- Right to lodge a complaint: In addition to the rights mentioned hereinabove, you have the right to lodge a complaint on the processing of your personal data to supervisory authorities.
How can I request access to my personal data?
You can request access to your personal data by sending an e-mail where you define in more
detail which data you want to access: firstname.lastname@example.org
6. Storing the data
We store your personal data for the duration that is necessary for the purpose of the processing, as long as the law requires us to store such data or until we receive a request for erasure. The storage period of the data starts when we receive the data.
We store your data for as long as it is necessary to fulfil the purposes as defined in section 1, always within the limits of the applicable law. After this, the data will be erased or made unidentifiable by changing the data irreversibly so that no individual is identifiable.
|Processed personal data/category of personal data||Storage period|
-36 months after the last contact with the customer, if they have not given us marketing permission
-corporate customers’ details for 36 months after the last contact with the customer
|Customer service chat||6 months|
|Marketing communications register||Data are stored for as long as the customer’s consent for marketing is in force.|
|Data in the electronic Spa booking system||12 months after the last activity|
|Credit card information||14 days|
|Passenger cards on paper||12 months|
|Surveillance camera tapes||6 months|
|Deviation reports||5 years|
We may collect data concerning your computer with the help of cookies and other similar techniques. A cookie is a small text file that the browser stores on your computer. Cookies include an individual identifier and are used so that we can identify and count the browsers
9. Controller and contact details
Rumarstrand Oy is the controller of your personal data
21710, Korppoo, Finland