Privacy Policy

PRIVACY POLICY FOR THE CUSTOMER REGISTER

1. Controller

Kassiopeia Finland Oy (on behalf of all companies belonging to the Kassiopeia Finland Group, hereinafter referred to as “Kassiopeia”)
Kutojantie 6-8, FI‐02630 Espoo, FINLAND

2. Contact person in matters concerning the register

Katri Mustonen, Lawyer
Sinikalliontie 14 B, FI‐02630 Espoo, Finland
Tel. +358 (0)409 220470
tietosuoja@kassiopeia.fi

3. Name of register

Kassiopeia’s Customer Register (hereinafter referred to as “the Register”).

4. Legal grounds for processing personal data

The processing of personal data is based on the legitimate interests of Kassiopeia or the customer, the agreement between Kassiopeia and the customer, consent provided by the customer, or compliance with the legislative requirements.

The legitimate interests of Kassiopeia are related to the customer relationship between Kassiopeia and the customer or Kassiopeia’s business interests, such as the measurement of customer satisfaction, quality control of services, and the development of services. Kassiopeia’s legitimate interests may also be related to the surveying and control of risks, as well as the protection of rights and property.

On the basis of the agreement, the personal data that is processed is provided by the customer in making a reservation for a room, table or conference, or for the invoicing of services.

Personal data is processed for electronic direct marketing if the customer has consented to the processing of his/her personal data. The customer has the right to cancel the consent s/he has provided.

5. Purpose of the processing of personal data

Kassiopeia processes customers’ personal data to the extent that it is necessary in offering hotel, conference and restaurant‐based services.

Kassiopeia uses the customer’s personal data for the following purposes, among others:

  • the care and management of the customer relationship
  • handling reservations
  • event‐related arrangements
  • booking conference facilities
  • customer service
  • customer communications
  • distribution of information, marketing communications
  • development, production, delivery and offering of services
  • payment, invoicing and the supervision and collection of payments
  • the development of business operations and related customer service
  • the making of table reservations in connection with customers’ dining
  • the preparation and serving of food (concerns special diet information)
  • statistical purposes
  • advertising, marketing and market research for services and products respective to the companies belonging to the Kassiopeia Finland Group as well as direct marketing if consent for the same has been obtained from the customer.

6. Personal data processed

The Register may contain the following information regarding customers:

The customer’s first and last names, date of birth, personal ID, address, telephone number, email address, workplace, job and/or community information, gender, nationality, language, total number of adults and children overnighting with the customer, invoicing details, booking info, customer feedback, information concerning reservations, information as to whether the customer has prohibited use of his/her information for direct marketing, information as to whether the customer has given consent to direct marketing, information regarding the use and purchase of services, customer service and formal complaints‐related information, information connected with the customer’s wishes and choices (e.g. details regarding room class), possible special diet info, type of payment and payment behaviour information, and other possible information collected, either provided by the customer or obtained with his/her consent.

It is possible to store visitors’ IP addresses in the systems on Kassiopeia’s website as well as information obtained via cookies regarding internet usage.

In addition, Kassiopeia can collect camera surveillance data to ensure safety and due process in Kassiopeia’s office premises, properties, and their courtyards, such as within the vicinity of entrances, waste maintenance points and parking garages. Camera surveillance data is utilised in the investigation of incidents of crime and damage as well as, if required, the identification of persons accessing the premises.

7. Sources of personal data

Kassiopeia obtains the personal data of the customer mainly directly from the customer via electronic internet forms and printable paper forms as well as by telephone and email. Information is collected when the customer makes a room, table or conference reservation. Information is also obtained from events arranged for customers. In customer service situations, the phone calls can be recorded, and other communications, such as, for example, email messages, can also be saved. Personal data can also be collected and updated from the Kassiopeia group company registers of the distributors of products and services, from the Population Register Centre or from the register of a controller that offers address, updating and other similar services. Kassiopeia can also obtain the customer’s personal information from an external operator offering reservation services.

8. Release and transfer of personal data

Kassiopeia does not publish the personal data it collects, and observes the confidentiality obligations with regard to personal data unless the legislation or the preparation, presentation or defence of a legal claim requires otherwise.

Information is not transferred outside Kassiopeia with the exception of contractual partners that look after some specific task on behalf of Kassiopeia, such as the maintenance of customer relations or a particular service. Kassiopeia’s contractual partners are bound by confidentiality and a data processing agreement. Kassiopeia can release customers’ personal information to parties that, according to the legislation, have the right to access such information. Information is released only to the necessary extent or in those sections designated in the legislation. These kinds of release are, for example, turning over payment card details to the recipients of payments.

This information is not transferred or released outside the European Union or the European Economic Area, or to international organisations.

9. Storage periods for personal data

The personal data of a customer in the Register is processed during the period of the customer relationship. Kassiopeia regards the customer relationship as finished if the customer has not used Kassiopeia’s services for a period of ten years. The period is calculated from the end of the calendar year during which the customer has last used Kassiopeia’s services. Personal data is removed upon termination of the customer relationship if there are no existing grounds for the continued storage of the data concerned.

After termination of the customer relationship, data may continue to be stored and processed if necessary from the perspective of handling formal complaints. In the storage period of data in the Customer Register, compliance with the storage periods required by the law, such as the Accounting Act, is also observed. The data required by the Accounting Act is stored as long as this is required by the Act concerned.

When data is processed on the basis of an agreement between Kassiopeia and the customer, the information is stored as long as needed to fulfil the agreement. After the agreement has been fulfilled, the data shall be stored as long as a customer relationship exists or there are other existing grounds for such processing (e.g. formal complaint incidents or the Accounting Act).

Possible management information on use of the data system is stored for six (6) calendar years after the removal of user rights.

Data collected by means of cookies is stored, depending on the nature of the cookie, for a period no longer than three years.

10. Principles of Register protection

Kassiopeia observes the regulations of the authorities and legislation with respect to protecting its customers’ personal data as well as Kassiopeia’s own information privacy and data protection policies. Personal data can be processed only by persons entitled to perform that task.

Kassiopeia stores manual materials reliably in locked and supervised facilities. Access to digital data is only granted to persons appointed by Kassiopeia, to whom personal user IDs and passwords are given. User rights to the Registers are specified on a task‐by‐task basis. In specifying user rights, Kassiopeia’s internal processes are observed. The databases used for storage and information networks are protected by means of organisational and technical measures. Supervision and protection of the Register observes the regulations applied in the area of the European Union.

11. Rights of the customer

The customer’s right to access his/her own data

The customer has the right to know whether Kassiopeia processes his/her personal data and, if it does, s/he also has the right to inspect what personal data Kassiopeia has saved in the system about her/him. Kassiopeia may request the customer to provide more details as to which personal data or processing procedures the request concerns. The right of the customer to obtain personal data can, on the basis of the data protection regulation, be restricted, or it can be refused if turning over personal data could negatively affect the rights or liberties of others. These sorts of protected rights are, among other things, Kassiopeia’s business secrets and another individual’s personal data.

The right of the customer may also be restricted in national legislation.
The right of inspection is implemented without delay and no later than three months from submission of the request. If the customer’s inspection request is evidently without grounds or immoderate, particularly if the customer presents inspection requests repeatedly or requests several copies, Kassiopeia may levy an administrative charge for implementing the request, or refuse to comply with the request.

The right to rectify data

The customer has the right to demand that Kassiopeia rectify inaccurate and erroneous personal data without undue delay. Incorrect personal data as noted can be corrected after Kassiopeia receives the right personal data from the customer or another reliable source. Having received information about an error or after personally noticing an error, the customer must, without undue delay and at his/her own initiative, correct, remove or supplement the personal data in the Register that is contrary to the purpose of the Register, erroneous, unnecessary, deficient or out‐of‐date. The customer is responsible for the confidentiality of a possible user‐specific user ID as well as usage of the same.

Right to removal of data (the right to be forgotten)

At the customer’s request, Kassiopeia must remove all personal data concerning the customer without undue delay if one of the following requirements is fulfilled:

  • The personal data is no longer needed for the purposes for which it was collected or for the purposes of which it is otherwise being processed.
  • The customer objects to the processing of his/her personal data and there is no justified existing reason for such processing.
  • The customer objects to the processing of his/her personal data for the purpose of direct marketing (processing is nevertheless possible for other purposes).
  • The personal data is processed unlawfully.

Even if one of the requirements is fulfilled, it is unnecessary to remove the personal data if processing is necessary in order to comply with an obligation requiring such processing, based on EU rights or national legislation to be observed with respect to a legislated obligation or the preparation, presentation or defence of a legal claim.

The right to object to the processing of personal data

The customer has the right to object to the processing of her/his data on the basis of her/his special personal situation when personal data is processed on the basis of legitimate interests.

The customer does not have the right to object to the processing of personal information when such processing is based on an agreement made between Kassiopeia and the customer.

If the customer has objected to the processing of her/his information on the basis of her/his special personal situation, s/he should itemise the particular circumstances which s/he objects to with regard to the processing on the basis of legitimate interests. Kassiopeia has the right to continue the processing of data despite the objection if such processing has a notably important and justified reason that supersedes the customer’s own interests, rights and liberties; or such action is required for the preparation, presentation or defence of a legal claim.

The customer has the right at any time to object to the use of personal data concerning him/her in direct marketing. If the customer objects to the use of personal data in direct marketing, that data can no longer be processed for the purpose concerned.

Right to request restriction of processing

At the request of the customer, Kassiopeia must restrict active processing of personal data in the following situations:

  • The customer disputes the accuracy of the personal data, whereupon processing must be restricted until Kassiopeia can confirm the accuracy of the data.
  • The processing is in violation of the law, and the customer demands a restriction of the processing of the data in lieu of removal of the personal data concerned.
  • Kassiopeia no longer requires the personal data concerned for processing purposes, but the customer needs it for the preparation, presentation or defence of a legal claim.
  • The customer objects to the processing of personal data and the assessment of whether Kassiopeia’s legitimate interests supersede those of the customer is still ongoing.

During the restriction of processing, personal data may, in principle, only be stored. Personal data may be processed in the preparation, presentation or defence of a legal claim, the protection of another person’s rights, or for reasons linked to important public interests.

The right to transfer personal data from one system to another

With regard to the extent that the customer has personally delivered personal data to Kassiopeia that is processed by means of automatic data processing as well as on the basis of an agreement between Kassiopeia and the customer, the latter shall have the right to obtain this sort of personal data primarily in machine‐readable format as well as to have personal information transferred directly from Kassiopeia to another controller, if technically possible.

The right to appeal to a supervisory authority

The customer has the right to file an appeal with the presiding supervisory authority if the customer is of the view that Kassiopeia has not observed the applicable information privacy regulations in its operations. The telephone number for the Office of the Data Protection Ombudsman is +358 (0)29 5666700, and the address is Ratapihantie 9, FI‐00520 Helsinki, Finland.