Privacy Notice of Himos-Yhtiöt Ltd
Personal Data Act (523/99) 10 §
Date of issue 1.1.2018 (13.8.2018)
1. REGISTER HOLDER
T. +358 20 711 9100
2. PERSON IN CHARGE OF REGISTER
Ceo Elsi Ojala
T. +358 20 711 9100
3. NAME OF REGISTER
The customer register of Himos-Yhtiöt Ltd.
4. HOW WE COLLECT YOUR PERSONAL DATA
When processing your personal data in the customer register, it’s based on customer relationship between customer and business customers and Himos-Yhtiöt Ltd.
The controller also processes customer data based on an agreement between the controller and the customer. This is the basis for we process data that is collected from the customer.
– in ski rental for renting equipment.
– in ticket office booking a caravan place or group reservation.
5. INFORMATION COLLECTION AND USE
The purposes of using customer data are:
– cuostomer relationship management and development
– processing of customer bookings
– processing of personal data related to payment, invoicing and control and collection of payments
– marketing of controllers services
– development of the controller business and customer service
– in group resrvations, customers special diet information are used only for food preparation and service.
6. THE PROCESS OF PERSONAL DATA
The controller shall process the following personal data of clients in accordance with the current legislation and the needs of the client relationship:
– first- and surename
– phone number
– date of birth
– Smartcard’s WTP-no and serial no
– date of purchase
– the period of validity
– use and purchase of services
– booking information
– group’s, ski team’s/company’s name
– VAT no
– special diet
– payment information
– possible payment delay information
– personal identification number
– account number
– type of employment
– salery data
The information listed above is stored to the extent that it relates to the customer relationship.
For equipment rental, additional information is required in accordance with the delivery terms, such as:
– level of skills
The controller shall process the following data of company clients:
– Company’s contact person’s name, address, email and phone number
– Statutory prohibitions on direct mail, distance selling and other direct marketing informed by company’s contact person.
– Possible customer feedback and complaint information.
7. SOURCES OF INFORMATION
– Information provided by the customer.
– Customer, companion or a member of a group.
8. SERVICE PROVIDERS
We may transfer data to third-party companies and individuals (EK-tilit Oy, Axess, Easyrent) due to the following reasons; the technical implementation of the requiested service requires it or it is necessary according to the Parts 2 to 5 of Section 23 of the Personal Data Act. Information may also be disclosed to authorities on the basis of statutory requests for information.
9. DATA TRANSFER OUTSIDE OF THE EU OR THE EUROPEAN ECONOMIC AREA
Data may be transferred outside of the EU and the European Economic Area if the technical realization of the service requested by the customer so requires, or for some other reason if necessary by Parts 2 to 5 of Section 23 of the Personal Data Act. Non-EU partners are required to adhere to the EU data protection regulations.
10. THE STORAGE TIME OF PERSONAL DATA
Customer’s personal data in the customer register will be processed during the customer relationship. The controller shall consider the relationship to be ended if the customer has not used the services in five years. The time is calculated from the the end of the calendar year in which the customer last used the services. The data will be deleted within twelve months of the end of the relationship, unless there are other reasons to keep the data.
However, after the end of the relationship, the information may be stored and processed if necessary fo the purpose of dealing with complaints. The retention period of the data in the customer register also complies with the statutory retention periods such as the Accounting Act. The information required by the Accounting Act is retained for as long as the Accounting Act requires.
Company customer’s contact information will be deleted after the end of the business relationship. However the data may subsequently be stored if there are other reasons for that.
When data are processed under a contact between the controller and customer, the data shall be kept for as long as the data are necessary for the implementation of the contract. Once the contract has been completed, the information will be retained for as long as the customer relationshiop exists or there is another reason for processing (eg. claims or Accounting Act).
During the customer relationship, only information that is necessary for the identified purposes is processed. The controller shall periodically carry out periodic checks in order to remove unnecessary data.
When the relationship ends, the customer data can be transferred to the company’s direct marketing register for individuals who have not denied the use of their data for direct marketing.
11. REGISTERS RIGHTS AND OPTIONS REGARDING THE PROCESSING OF PERSONAL DATA
As outlined in the Personal Data Act, a registered customer has the right to check their information in the customer register.
A registered customer has the right to correct any false information found in their personal data.
A registered customer has the right to data deletion.
A registered customer has the right to deny the using and processing of their information for the purposes of sales, direct marketing, and marketing and opinion survey.
12. RIGHT TO COMPLAIN TO THE OFFICE OF THE DATA PROTECTION OMBUDSMAN
A registered customer has the right to complain to the Office of the Data Protection Ombudsman, if registered customer is of the opinion that the controller has not complied with applicable data protection rules.
13. REQUESTS FOR THE EXERCISE OF RIGHTS OF THE REGISTERED
In matters relating to the processing of personal data and the exercise of one’s rights, the registered customer contact the controller.
Request must be sent in writing via e-mail or post to the person in charge of the register, specified in section 2. Request must be signed by the registered customer.
The controller may ask for more information from the registered customer, for what data the request concerns.
The controller has the right to ask the registered customer to indentify oneself with an official ID to ensure that personal data is not disclosed to anyone other than the registered customer.
14. DATA PROTECTION PRINCIPLES
Manually processed files containingn information about registered customers are stored in a secure facility with no unauthorized access.
Digitally processed data are located in an internet-based service secured by the SSL protocol. Used only by authorized personnel who each have their own personal user name and password. Users are obligated to confidentiality. Users are authorized and overseen by the person in charge of the register.