Privacy Policy

Harriniva Ltd customer register

1. Controller

Harriniva Oy (0511442-9)
Harrinivantie 35
99300 Muonio
sales@harriniva.fi

2. Contact for register issues

In matters related to the register and the exercise of data subject rights, please contact:

Hanne Tohmo
Sales and Marketing Manager
+358 40 744 1336
hanne@harriniva.fi

3. Register name

“Harriniva Ltd customer register”

4. Legal basis of personal data processing

The processing of the personal data in the register is based on the customer relationship between private and corporate customers and Harriniva Ltd. Due to the customer relationship, data processing is based on a legitimate interest.

The controller also processes customer data on the basis of an agreement between the controller and the data subject. This applies to the personal data which is collected from the customers in connection of a hotel room or cabin reservation, restaurant, activity or reservation of any other service Harriniva Ltd. provides., or for the purposes of charging such services.

When the data processing is based on a legitimate interest or an agreement, the data subject does not have to be asked for a separate consent to the processing.

5. Purposes of personal data processing

Customer data in the customer register are used for:

– Processing and managing reservations

– Sales and implementation of services

– Payment, invoicing and monitoring thereof as well as possible debt collection measures

– Customer relationship management and development

– Customer relationship communication

– Marketing the controller’s services

– Developing the controller’s business and customer service

Information regarding customers’ special diets is only used for preparing and serving food.

In the event that the customer asks the controller to take into account the customer’s health when providing services, the information submitted by the customer to the controller is used in the provision of the service. Such information may concern, for example, a physical disability or an allergy, or any other information provided by the customer to the controller on their own initiative.

6. Processed personal data

The controller processes the following personal data of the customers:

– First and last name, date of birth, telephone number, address, email address

– Nationality

– Reservation data

– Payment method, invoicing data, data on possible delays of payment

– Information on whether the customer has prohibited the use of the data for direct marketing

– Information on whether the customer has given consent to electronic direct marketing

– Data on the use or purchase of services

– Data concerning the customer’s wishes and choices (e.g. special requirements for accommodation)

– Possible special diets

– Possible customer feedback or complaints

Regarding corporate customers, the controller processes the following personal data:

– Name, email address and telephone number of the corporate customer’s contact person

– Data concerning the prohibitions relating to direct marketing, distance selling and other marketing that have been reported by the contact person and are required under the effective legislation

– Possible customer feedback or complaints.

7. Sources of personal information

The controller receives the personal data directly from the data subject:

– At the location

– Over the phone

– By email

Upon reservation of accommodation or program services at www.harriniva.fi, the data subject discloses their personal data to a third-party booking service, through which the controller receives aforementioned data.

From third parties when:

– Data subject books controller’s services through a booking service site

– Data subject books controller’s services through a booking service company (such as a travel agent or tour operator)

– Data subject’s employer or association books controller’s services for the data subject

– Data subject in some other way contacts or books controller’s services via a third party.

8. Recipients or recipient categories of personal data

Customer register data is not disclosed to third parties unless the customer specifically asks the controller to book third-party services requested by the customer, such as program services or transportation.

This notwithstanding:

Upon reservation of accommodation or program services at www.harriniva.fi, the data subject discloses the personal data necessary to complete the booking via a third-party booking service.

When submitting feedback or a contact request at www.harriniva.fi, the website sends personal information, such as name and email address, to the controller’s email.

Information may be disclosed to authorities on the basis of requests based on the law.

Data is retained in the controller’s hotel and booking systems, which can only be accessed by personnel handling personal data. The systems have been encrypted and protected by their suppliers.

9. Transfer of data outside the EU

Information will not be transferred outside of the EU.

10. Personal data retention period

The personal data in the customer register are processed for the duration of the customer relationship. The controller considers a customer relationship to have ended if the customer has not used the controller’s services for a period of 3 years. The period starts from the end of the calendar year during which the customer last used the controller’s services. The data are erased within 6 months from the end of the customer relationship, unless there are other grounds for storing the data.

However, the data may be stored and processed after the end of the customer relationship if it is required for processing complaint-related issues. The retention periods also comply with the retention periods laid down by the Accounting Act and other relevant laws. The data required by the Accounting Act are stored for as long as is required by the law.

Corporate customers’ contact person data are erased when the company’s customer relationship is considered to have ended. However, the data may be retained after the end of the customer relationship if there are other grounds for storing them.

When the data are processed on grounds of an agreement between the controller and the data subject, the data is stored for as long as is required for implementing the agreement. After the agreement has been implemented, the data is stored for the duration of the customer relationship or for as long as there are other grounds for the processing (e.g. complaints or the Accounting Act).

Only data that are required for the defined purposes of use are processed during the customer relationship. The controller carries out periodic checks in order to erase unnecessary data.

When the customer relationship ends, the customer’s data may be transferred to the company’s direct marketing register if the customer has not prohibited the use of their data for direct marketing purposes.

11. Data subject’s rights

The personal data in the customer register is processed based on the controller’s legitimate interest (General Data Protection Regulation, Article 6, section 1, sub-section e). In this case, the customer relationship constitutes the legitimate interest. The processing of personal data is also based on the agreement between the controller and the data subject (General Data Protection Regulation, Article 6, section 1, sub-section b). This ground for processing is explained in more detail in paragraph 4 of the Privacy Notice.

When the data is being processed on the grounds of a legitimate interest or an agreement, the data subject has the following rights:

Right to access their data

Data subjects have the right to request access to their personal information in order to determine the processing thereof.

As a general rule, the data subject has the right to know what information the customer register contains on them. The controller may request the data subject to sufficiently clarify which information or processing the request relates to.

The data subject’s right of access may be restricted or refused on the basis of the General Data Protection Regulation if the disclosure would adversely affect the rights and freedoms of others. Such rights include, for example, the controller’s business secrets and third-party personal data. National legislation (the Data Protection Act etc.) may also impose restrictions on the data subject’s right.

Right to data rectification

Data subjects have the right to request that the controller rectify any inaccurate or incorrect personal information without undue delay.

Right to data erasure

At the request of the data subject, the controller must erase the personal information relating to the data subject without undue delay, if any of the following conditions is met:

– Personal information is no longer needed for the purposes for which they were originally collected

– Data subject objects to the processing and there is no reasonable cause to process the data

– Data subject objects to the processing for direct marketing purposes (in this case, however, processing for other purposes is permitted)

– Personal data has been unlawfully processed.

Even if one of the requirements is met, the data do not have to be erased if the processing is required in order for the controller to be able to, for example, comply with a statutory obligation based on national or EU legislation that is applicable to the controller and requires the processing, or if the processing is required in order to establish, exercise or defend a legal claim.

Right to object to data processing

The data subject may object to personal data processing on grounds relating to the data subject’s particular situation if the data are processed on the grounds of a legitimate interest.

If the processing is based on an agreement, the data subject does not have the right to object to the processing.

If the data subject has objected to personal data processing on grounds relating to the data subject’s particular situation, the data subject must specify the situation on the grounds of which the data subject objects to the processing based on a legitimate interest. The controller may continue data processing despite the data subject’s objection if there is a particularly important and justifiable reason, which overrides the interests, rights and freedoms of the data subject, or if it is necessary for the establishment, exercise or defense of a legal claim.

The data subject has the right at any time to object to the processing of their personal data for direct marketing purposes. If the data subject objects to the use of their personal information for direct marketing, they may no longer be processed for this purpose.

Right to request restriction of processing

The data subject has the right to request that the controller restrict the active processing of their personal data in the following situations:

– Data subject contests the accuracy of the personal data, in which case the processing must be restricted until the controller has verified the accuracy of the data

– Processing is contrary to law and the data subject requests restrictions on the processing instead of the erasure of the personal data

– The controller no longer needs the personal data for the purposes of the processing, but the data are required by the data subject for the establishment, exercise or defense of a legal claim

– Data subject has objected to the processing of personal data (see above) and the assessment of whether the legitimate interests of the controller override those of the data subject, is pending.

During restricted processing, the data may principally be stored but not processed. Additionally, the data may be processed for the establishment, exercise or defense of a legal claim or for the protection of the rights of another natural or legal person or for reasons of important public interest. Before the restriction is lifted, the data subject must be informed about the matter.

Right to transfer data from one system to another

To the extent that the information in the customer register has been submitted by the data subject themselves, and the data is processed through the means of automatic data processing and on the basis of an agreement between the controller and the data subject, the data subject is entitled to receive their data mainly in machine-readable format and transfer the data directly from one controller to another if it is technically possible.

12. Right to lodge a complaint with a regulatory authority

Data subject has the right to lodge a complaint with a competent regulatory authority if the data subject feels that the controller has not complied with the applicable data protection regulations.

13. Requests relating to the exercise of data subject rights

In matters related to personal information processing or exercising the data subject’s rights, please contact the data controller representative mentioned in paragraph 2 above.

Requests pertaining to the right of access or the realization of other data subject rights must be submitted to the controller in writing by email or by post. The request may also be presented in person at the office of the controller.

The controller may request the data subject to sufficiently clarify which information or processing the request relates to.

In order to ensure that personal information is not disclosed to persons other than the data subject, the controller may request that the data subject sign the request. The controller may also ask the issuer of the request to verify their identity with an official identification card or other reliable means.