PRIVACY POLICY FOR THE CUSTOMER REGISTER
1. Controller
Kassiopeia Finland Oy (on behalf of all companies belonging to the Kassiopeia Finland Group, hereinafter referred to as “Kassiopeia”)
Kutojantie 6-8, FI-02630 Espoo, Finland
2. Contact person in matters concerning the register
Liisa Salmela, Lawyer
Kutojantie 6-8, FI-02630 Espoo, Finland
Tel. +358 (0) 40 9222 860
tietosuoja@kassiopeia.fi
3. Name of register
Kassiopeia’s Customer Register (hereinafter referred to as “the Register”).
4. Legal grounds for processing personal data
The processing of personal data is based on the legitimate interests of Kassiopeia or the customer, the agreement between Kassiopeia and the customer, consent provided by the customer, or compliance with the legislative requirements.
The legitimate interests of Kassiopeia are related to the customer relationship between Kassiopeia and the customer or Kassiopeia’s business interests, such as the measurement of customer satisfaction, quality control of services, and the development of services. Kassiopeia’s legitimate interests may also be related to the surveying and control of risks, as well as the protection of rights and property.
On the basis of the agreement, the personal data that is processed is provided by the customer in making a reservation for a room, table or conference or other service, or for the invoicing of services.
Personal data is processed for electronic direct marketing if the customer has consented to the processing of his/her personal data for this purpose. The customer has the right to cancel the consent s/he has provided.
5. Purpose of the processing of personal data
Kassiopeia processes customers’ personal data to the extent that it is necessary in offering hotel, conference and restaurant-based services as well as other related services.
Kassiopeia uses the customer’s personal data for the following purposes, among others:
6. Personal data processed
The Register may contain the following information regarding customers:
The customer’s first and last names, date of birth, personal ID, address, telephone number, email address, workplace, job and/or community information, gender, nationality, language, total number of adults and children overnighting with the customer, invoicing details, booking info, customer feedback, information concerning reservations, information as to whether the customer has prohibited use of his/her information for direct marketing, information as to whether the customer has given consent to direct marketing, information regarding the use and purchase of services, customer service and formal complaints-related information, information connected with the customer’s wishes and choices (e.g. details regarding room class), possible special diet info, type of payment and payment behaviour information, and other possible information collected, either provided by the customer or obtained with his/her consent.
It is possible to store visitors’ IP addresses in the systems on Kassiopeia’s website as well as information obtained via cookies regarding internet usage.
In addition, Kassiopeia can collect camera surveillance data to ensure safety and due process in Kassiopeia’s office premises, properties, and their courtyards, such as within the vicinity of entrances, waste maintenance points and parking facilities. Camera surveillance data is utilised in the investigation of incidents of crime and damage as well as, if required, the identification of persons accessing the premises.
7. Sources of personal data
Kassiopeia obtains the personal data of the customer mainly directly from the customer via electronic internet forms and printable paper forms as well as by telephone and email. Information is collected when the customer makes a room, table or conference reservation. Information is also obtained from events arranged for customers. In customer service situations, the phone calls can be recorded, and other communications, such as, for example, email messages, can also be saved. Personal data can also be collected and updated from the Kassiopeia group company registers of the distributors of products and services, from the Population Register Centre or from the register of a controller that offers address, updating and other similar services. Kassiopeia can also obtain the customer’s personal information from an external operator offering reservation services and from the party providing the customer’s personal data to Kassiopeia at the customer’s request.
8. Release and transfer of personal data
Kassiopeia does not publish the collected personal data, and observes the confidentiality obligations with regard to personal data unless the legislation or the preparation, presentation or defence of a legal claim requires otherwise.
Information is not transferred outside Kassiopeia with the exception of contractual partners that look after some specific task on behalf of Kassiopeia, such as the maintenance of customer relations or a particular service. Kassiopeia’s contractual partners are bound by confidentiality and a data processing agreement. Kassiopeia can release customers’ personal information to parties that, according to the legislation, have the right to access such information. Information is released only to the necessary extent or in those sections designated in the legislation. These kinds of release are, for example, turning over payment card details to the recipients of payments.
This information is not transferred or released outside the European Union or the European Economic Area, or to international organisations.
9. Storage periods for personal data
The personal data of a customer in the Register is processed during the period of the customer relationship. Kassiopeia regards the customer relationship as finished if the customer has not used Kassiopeia’s services for a period of ten years. The period is calculated from the end of the calendar year during which the customer has last used Kassiopeia’s services. Personal data is removed upon termination of the customer relationship if there are no existing grounds for the continued storage of the data concerned.
After the termination of the customer relationship, Kassiopeia may still continue storing and processing the data if necessary from the perspective of handling formal complaints. In the storage period of data in the Customer Register, compliance with the storage periods required by legislation, such as the Accounting Act, is also observed. The data required by the Accounting Act is stored as long as this is required by the Act concerned.
When data is processed on the basis of an agreement between Kassiopeia and the customer, the information is stored as long as needed to fulfil the agreement. After the agreement has been fulfilled, the data shall be stored as long as a customer relationship exists or there are other existing grounds for such processing (e.g. formal complaint incidents or the Accounting Act).
Possible management information on use of the data system is stored for six (6) calendar years after the removal of user rights.
Data collected by means of cookies is stored, depending on the nature of the cookie, for a period no longer than three years.
Camera surveillance data collected will normally be stored for 50 days after the date the material has been created. Exceptions may occur should the camera surveillance data be needed on the basis of existing grounds for storing and / or processing the data longer (i.e. unless the legislation or the preparation, presentation or defence of a legal claim requires otherwise).
10. Principles of Register protection
Kassiopeia observes the regulations of the authorities and legislation with respect to protecting its customers’ personal data as well as Kassiopeia’s own information privacy and data protection policies. Personal data can be processed only by persons entitled to perform that task.
Kassiopeia stores manual materials reliably in locked and supervised facilities. Access to digital data is only granted to persons appointed by Kassiopeia, to whom personal user IDs and passwords are given. User rights to the Registers are specified on a task-by-task basis. In specifying user rights, Kassiopeia’s internal processes are observed. The databases used for storage and information networks are protected by means of organisational and technical measures. Supervision and protection of the Register observes the regulations applied in the area of the European Union.
11. Rights of the customer
The customer’s right to access his/her own data.
The customer has the right to know whether Kassiopeia processes his/her personal data and, if it does, s/he also has the right to inspect what personal data Kassiopeia has saved in its systems about them. Kassiopeia may request the customer to provide more details as to which personal data or processing procedures the request concerns. The right of the customer to obtain personal data can, on the basis of the data protection regulation, be restricted, or it can be refused if turning over personal data could negatively affect the rights or liberties of others. These sorts of protected rights are, among other things, Kassiopeia’s business secrets and other individuals’ personal data. The right of the customer may also be restricted in national legislation.
The right of inspection is implemented without delay and no later than three months from submission of the request. If the customer’s inspection request is evidently without grounds or immoderate, particularly if the customer presents inspection requests repeatedly or requests several copies, Kassiopeia may levy an administrative charge for implementing the request, or refuse to comply with the request.
The right to rectify data
The customer has the right to demand that Kassiopeia rectify inaccurate and erroneous personal data without undue delay. Incorrect personal data as noted can be corrected after Kassiopeia receives the right personal data from the customer or another reliable source. Having received information about an error or after personally noticing an error, the customer must, without undue delay and at his/her own initiative, correct, remove or supplement the personal data in the Register that is contrary to the purpose of the Register, erroneous, unnecessary, deficient, or out-of-date. The customer is responsible for the confidentiality of a possible user-specific user ID as well as usage of the same.
Right to removal of data (the right to be forgotten)
At the customer’s request, Kassiopeia must remove all personal data concerning the customer without undue delay if one of the following requirements is fulfilled:
Right to request restriction of processing
At the request of the customer, Kassiopeia must restrict active processing of personal data in the following situations:
Last updated on 21st of November 2022