We are committed to respect and protect your privacy. We use your personal information to provide the content and services you requested from us, to improve our services, to administer your account and reservations. Please read this Privacy Policy carefully to understand how and why we process your personal data.
Haikko aims to maintain high level of privacy policy on it’s website. Your personal data is primarily used to manage, provide, develop and maintain our services, to process your reservations, to optimise your service experience and to identify our communication with you.
Please read this Privacy Statement carefully to understand how and why we process your personal data. By providing us with your personal data, you accept the terms of their usage and give your consent to processing your personal data according to the terms of each service and to this statement. Whenever the applicable law requires more detailed consent we will request it.
You can unsubscribe from these communications at any time. The request must be made by e-mail or by writing and it has to be addressed to the contact person of this Privacy Policy.
In case you give us any other person’s personal data you are responsible for ensuring that Haikko has the right to process the personal data of the person in question according to the applicable data protection terms.
Privacy policy pertaining to Lapland Hotels Oy’s customer, partner, marketing and order information.
1 Joint controllers
Lapland Hotels Oy (Business ID: 2199747-9)
Yrjö Kokontie 4, 99300 Muonio
Hotelli Luostotunturi Oy (Business ID: 1515200-7)
Luostontie 1, 99555 Luosto
Hotel Haikko Oy (Business ID: 2764547-4)
Haikkoontie 114, 06400 Porvoo
Lapland Safaris Group Oy (Business ID: 0892158-4)
Koskikatu 1, 96200 Rovaniemi
Lapland Hotels & Safaris Oy (Business ID: 2041198-2)
Postikatu 1, 96100 Rovaniemi
Lapland Ski Resorts Oy (Business ID: 2448061-9)
Yrjö Kokontie 4, 99300 Muonio
Ylläs Ski Oy (Business ID: 2199743-6)
Yrjö Kokontie 4, 99300 Muonio
(Hereinafter “the Controller”)
Lapland Hotels Oy forms a group with its subsidiaries. The subsidiaries process personal data in the manner specified in this privacy policy. Lapland Hotels Oy is the primary processor, contact point and administrator in the processing activities specified in this privacy policy.
2 Contact details in matters related to the registers
Hotel Haikko Oy
Haikkoontie 114, 06400 Porvoo
sähköposti: gdpr.tietosuoja@laplandhotels.com
3 Names of the registers
a) Customer, partner and marketing register
b) Order register
c) Passenger register
4 The purpose of and the grounds for the processing of personal data
The grounds for registration is a business relationship established by agreement with the customer or partner and Lapland Hotels Oy, separate consent to the processing of customer information, Lapland Hotels Oy’s legitimate interest or legislation. The purpose of the registers is to manage the personal data required for collaboration between Lapland Hotels Oy and its customers and partners, to ensure smooth customer service and the production and provision of benefits and services and to enable marketing and the planning and development of business.
The statutory task of the passenger register is to maintain public order and security, to prevent and investigate crimes and to serve statistical needs. Information contained in the passenger register is also processed for the purposes of customer service.
Personal data is collected and processed with the customer or partner for the following purposes:
• the realisation and confirmation of purchases related to hotel rooms, programme services, ski passes and other services and goods for the customer and the transmission of information related to the purchases to the service provider
• The provision of member benefits
• The realisation and confirmation of online purchases for the customer
• The production and delivery of service packages agreed upon with a corporate customer, related invoicing and the management of the customer relationship
• The analysis and development of products, services and business and the compilation of statistics
• The collection of feedback and information on deviations and customer satisfaction
• Advertising, marketing and direct marketing. The data subject has the right to prohibit direct marketing directed at them
• The realisation of Lapland Hotels Oy’s legitimate interests, such as responding to a legal claim
• The fulfilment of Lapland Hotels Oy’s legal obligations
• The names and personal identity codes or dates of birth of underage persons
o In its order forms, Lapland Hotels Oy may request its customers of legal age to provide the names or nicknames of their underage children. This information pertaining to underage persons is not used for any purpose other than the delivery of the products or services ordered to fulfil the statutory obligations of accommodation providers.
• Cookies are used to make the website function faster, to simplify the login process and to better target the content of the website to the user. For more detailed information on the purpose of the use of cookies, the grounds on which they are used and the data content collected, please refer to the cookie policy.
5 Data content of the registers
The registers may contain the following information:
a) Customer, partner and marketing registe
• The type of the customer relationship: customer/partner/Club member
• Customer number
• Identification information (name, e-mail address, phone number, address, personal identity code)
• Contact person(s)
• The role of the contact persons (corporate customers)
• Invoicing information
• Membership bonus balance (Club members)
• The use of cookies
b) Order register
• Identification information, contact details and invoicing information contained in the customer, partner and marketing register
• Services ordered and delivered
• Information collected in connection with services provided by our partners
• Health or other sensitive information provided by the customer, such as information about illnesses, allergies and family
c) Passenger register
• Customer identification information
• The names and personal identity codes or dates of birth of any spouse and underage children
• The country of entry to Finland
• Personal identity code
• Nationality
• Travel document number if the person is not a Nordic citizen or their place of residence is not Finland
• The date of arrival and, if known, departure
6 Sources of information for the registers and automated decision-making
The primary source of personal data is information provided by the customer or partner at the start or in the course of the collaboration, as well as information collected for research purposes through feedback, deviation and customer satisfaction surveys concerning the collaboration. Personal data is also collected from interactions at customer service points. Personal data may be collected in connection with the purchase of additional services. Secondarily, data can be purchased from registers intended for marketing purposes.
The Controller does not use personal data collected from customers in automated decision-making.
7 Disclosure of information
Data pertaining to data subjects may be disclosed within the organisation of the Controller and its subsidiaries/sister companies, as well as to our partners, to fulfil the purposes described herein. Otherwise, data is disclosed only to the extent permitted and required by law.
The services of service providers located outside the EU or EEA are used for the realisation of services. The services cannot be realised in practice without these services. In such cases, personal data may be transferred outside the EU or EEA.
Personal data transferred outside the EU or EEA is primarily cookie data (e.g. data on how many users visit the website and how they navigate the website), but ensuring the quality, integrity and correct functioning of information systems that are vital for the provision of services may require, on a case-by-case basis, the transfer of other personal data outside the EU or EEA. Such cases are occasional transfers of individual data of individual data subjects, which are carried out only to the extent required to resolve a specific case.
The personal data of the partners' representatives can be processed outside the EU and EEA countries for marketing purposes or for the fulfillment of the contract.
The Controller has taken adequate technical and organisational security measures in cooperation with the service providers. For example, contracts with service providers use standard contractual clauses approved by the EU Commission and transfers are based on a decision issued by the EU Commission on the adequacy of data protection in the country of destination. For further information, please contact the e-mail address provided in section 2.
8 Protection and storage of data
The basis of the processing of personal data is respect for the rights and freedom of data subjects at all stages of the processing and the fulfilment of the legal grounds for processing. The Controller only collects and processes information that is necessary for its operations.
Digital material may only be accessed by authorised employees, sole traders and collaboration partners with a personal username and password. There are varying levels of access, and each user is granted access that is sufficient for the performance of their tasks while as restricted as possible. Employees are trained and instructed to take data security into account when processing personal data.
Personal data is only stored on secure devices. The Controller’s IT devices are equipped with appropriate virus and firewall software that is configured to automatically download and install new software updates. Personal data is stored on encrypted cloud servers.
Customer/partner information is stored in the register for at least one (1) year after the end of the customer relationship and the fulfilment of all obligations, unless otherwise specifically agreed or required by law.
9 Data subjects’ other rights regarding the processing of personal data
Data subjects’ right of access (inspection right)
Data subjects have the right to know what information pertaining to them is stored in the register. The written and signed request for access must be sent to the e-mail address provided in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.
Data subjects’ right to rectification, erasure or restriction of processing
Data subjects have the right to request the rectification of incorrect personal data pertaining to them after being informed of or discovering the error. If the data subject is able to rectify the error, they must rectify, erase or complete the incorrect, unnecessary or outdated information without delay. If the data subject is not able to rectify the information themselves, they must submit a request for rectification.
Insofar as the data subject is not able to rectify the information themselves, the request for rectification must be submitted in writing to the e-mail address provided in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.
Data subjects also have the right to demand the Controller to restrict the processing of their personal data, for example, when the data subject is waiting for a response to their request for the rectification or erasure of data pertaining to them.
The Controller reserves the right to limit the number of free rectification and erasure requests to one (1) per year.
Data subjects’ right to transfer data from one system to another
Insofar as the data subject has provided information to the registers and the data processing is performed on the grounds of consent or assignment from the data subject, the data subject has the right to obtain such data for themselves primarily in a machine-readable format and the right to transfer this data to another controller.
When the request for data transfer is made in writing, the Controller must deliver the data specified in the section on the right of access within a reasonable time taking into account the extent of the information to be delivered. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.
Other rights
Data subjects have the right to lodge a complaint with the competent supervisory authority if the Controller has failed to comply with the applicable data protection regulations in its operations.
10 Contacting the controller
In all questions and requests related to personal data, the data subject must contact the e-mail address provided in section 2.
11 Third-party websites and services
This privacy policy applies only to websites maintained by Lapland Hotels Oy, and we are not responsible for the privacy policies of other websites. The website may contain links to third-party websites. We recommend that users review the privacy policies of any other websites they use.
12 Changes to the privacy policy
Lapland Hotels Oy may make changes to this privacy policy. To ensure that users are always aware of how their data is processed, the revised privacy policy is available on our website. Last updated on 13 December 2024.
Privacy policy regarding Lapland Hotels Oy’s video surveillance.
1 Joint controllers
Lapland Hotels Oy (Business ID: 2199747-9)
Yrjö Kokontie 4, 99300 Muonio
Hotelli Luostotunturi Oy (Business ID: 1515200-7)
Luostontie 1, 99555 Luosto
Hotel Haikko Oy (Business ID: 2764547-4)
Haikkoontie 114, 06400 Porvoo
2 Contact details in matters related to the register
Hotel Haikko OyOy
Haikkoontie 114, 06400 Porvoo
E-mail address: gdpr.tietosuoja@laplandhotels.com
3 Name of register
Video surveillance register
4 The purpose of and the grounds for the processing of personal data
The grounds for registration is a business relationship established by agreement with the customer or partner and Lapland Hotels Oy, separate consent to video surveillance and Lapland Hotels Oy’s legitimate interest.
Personal data is collected and processed with the customer or partner for the following purposes:
ensuring the personal safety of employees and customers
protection of property
monitoring the proper functioning of the production process
prevention and investigation of situations endangering safety, property or the production process
prevention and investigation of obvious work-related hazards and threats
prevention and investigation of property crimes
ensuring the interests and rights of the employee at the separate request of the employee
5 Data content and sources of the register
The video surveillance register consists of digital image recordings of surveillance cameras. In addition to the image, the register stores information about the monitored area or machine in which the camera is located, as well as the date and time of the events recorded in the image.
The personal data source of the register is the video recording collected by surveillance cameras and other data related to the recording.
6 Disclosure of information
Data concerning the data subject is stored on the servers of the service provider providing video surveillance, from which the data is utilised through a technical connection. Data is disclosed to the extent permitted and required by law, for example, in the case of suspected crimes to a police authority.
Personal data is not transferred outside the EU or EEA.
7 Protection and storage of data
The basis of the processing of personal data is respect for the rights and freedom of data subjects at all stages of the processing and the fulfilment of the legal grounds for processing. The Controller only collects and processes information that is necessary for its operations.
Digital material may only be accessed by authorised employees with a personal username and password. There are varying levels of access, and each user is granted access that is sufficient for the performance of their tasks while as restricted as possible. Employees who process data are trained and instructed to take data security into account when processing personal data.
Personal data is only stored on secure devices. The IT devices used for processing are equipped with appropriate virus and firewall software that is configured to automatically download and install new software updates. Personal data is stored on servers located in the EU and protected by up-to-date encryption methods.
The Controller retains personal data only for as long as is necessary to fulfil the purposes of processing specified in section 4. To ensure the fulfilment of these purposes and the rights of the data subjects, the data in the register is stored for 90 days, after which the data is destroyed.
8 Data subjects’ other rights regarding the processing of personal data
Data subjects’ right of access (inspection right)
Data subjects have the right to inspect their personal data stored in the register. The written and signed request for access must be sent to the address provided in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.
Data subjects’ right to rectification, erasure or restriction of processing
Data subjects have the right to request the rectification of incorrect personal data pertaining to them after being informed of or discovering the error. If the data subject is able to rectify the error, they must rectify, erase or complete the incorrect, unnecessary or outdated information without delay. If the data subject is not able to rectify the information themselves, they must submit a request for rectification.
Insofar as the data subject is not able to rectify the information themselves, the request for rectification must be submitted in writing to the address provided in section 2 of this privacy policy. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.
Data subjects also have the right to demand the Controller to restrict the processing of their personal data, for example, when the data subject is waiting for a response to their request for the rectification or erasure of data pertaining to them.
Lapland Hotels Oy reserves the right to limit the number of free rectification and erasure requests to one (1) per year.
Data subjects’ right to transfer data from one system to another
Insofar as the data subject has provided information to the register and the data processing is performed on the grounds of the data subject’s consent or commission, the data subject has the right to obtain such data for themselves primarily in a machine-readable format and the right to transfer this data to another controller.
When the request for data transfer is made in writing, the Controller must deliver the data specified in the section on the right of access within a reasonable time taking into account the extent of the information to be delivered. The data subject submitting the request must be prepared to verify their identity in accordance with the instructions provided by the Controller.
Other rights
Data subjects have the right to lodge a complaint with the competent supervisory authority if the Controller has failed to comply with the applicable data protection regulations in its operations.
9 Contacting the Controller
In all questions and requests related to personal data, the data subject must contact the party responsible for the Controller’s register provided in section 2.
10 Changes to the privacy policy
Lapland Hotels Oy may make changes to this privacy policy. To ensure that users are always aware of how their data is processed, the revised privacy policy is available on our website. Last updated on 17 August 2023.
