Privacy Policy

Data protection policy for Arctic Holiday Services customer register.

1. Controller
The controller is Napapiirin Lahja Oy (business ID FI09519730).
Contact person for matters related to the file: Marko Jääskö, Liiketoimintajohtaja.

Napapiirin Lahja Oy

Tähtikuja 2, 96930 Rovaniemi
+358 40 068 5546

2. Name of the file

The name of the file is Napapiirin Lahja Oy customer register.

3. The purpose of processing personal data

Personal data are processed for purposes related to maintaining, managing and developing the customer relationship, offering, supplying and developing services as well as invoicing. Personal data are also processed for the purposes necessitated by resolving any possible complaints and other claims.

Furthermore, personal data are processed in communications directed at customers as well as marketing, in conjunction with which the data are also processed for purposes pertaining to direct marketing and electronic direct marketing.

Customers have the right to refuse direct marketing targeted at them.

The controller processes personal data directly and also utilises subcontractors working on its behalf in the processing activities.

Legal grounds of the processing (in accordance with GDPR Art. 6(1)(a) and Art. 6(1)(b)):

a. The processing of personal data is based on the customer relationship between consumer customers/business customers and Arctic Holiday Services. Due to the customer relationship, data processing is based on a legitimate interest.
b. Processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract.
c. There is no need to request separate consent from the data subject for data processing if the processing is based on a legitimate interest or a contract.

The aforementioned legitimate interest of the register keeper is based on a meaningful and appropriate relationship between the data subject and controller as a result of the data subject being a customer of the controller and the processing being conducted for purposes that the data subject can have reasonably anticipated at the time of collecting the personal data and in the context of the appropriate relationship.

5. Data content of the file (categories of personal data processed)

As a general rule, the file contains the following personal data on all data subjects:
a. Basic information and contact information for the person: first name, last name, address, nationality, telephone number, e-mail address
b. Payment method information, invoicing information and possible payment delay information
c. Information about reservations
d. Direct marketing permissions and prohibitions for the person
e. Possible customer feedback and complaint information

The controller also processes the following personal data for business customers:
a. The business customer's contact person information: name, phone number, e-mail address
b. Position or job title of the contact person in a company or organization
c. The company's invoicing information and possible payment delay information
d. Direct marketing permissions and prohibitions in accordance with the legislation announced by the company's contact person.

6. Regular sources of information

Personal data are collected from the data subjects themselves.
a. On the spot
b. On the phone
c. By email
d. From third parties when data subjects:
- book the controller's services from the booking service website
- book the controller's services from a booking service company (such as a travel agency or tour operator)
- when the data subject's employer or association reserves the services of the data controller for the data subject
- when the data subject in other possible ways contacts or books the services of the controller through a third party.

In addition to this, personal data are collected within the framework of the applicable legislation from generally available sources that pertain to fulfilling the relationship between the controller and data subject, and that the controller can use to perform its duties related to maintaining customer relationships.

7. Storage period of personal data

Personal data collected in the file are stored only for as long and to the extent that is necessary in relation to the original or a compatible purpose for which the personal data has been collected.

Data concerning a data subject are removed from the file five years after the customer relationship between the data subject in question and the controller has ended, and the obligations and measures related to the customer relationship have been fulfilled. The storage periods of the data in the customer register also follow the storage periods required by law, such as the Accounting Act. For example, accounting records are kept for five years after the end of a financial period.

The controller shall regularly assess the necessity of storing the data in accordance with its internal code of conduct. Furthermore, the controller shall by all reasonable measures ensure that any personal data that are inaccurate, erroneous or contain obsolete information in terms of the purposes of processing the data are deleted or corrected without delay.

When the customer relationship has ended, the data can be transferred to the direct marketing register for data subjects who have not prohibited the use of their data for direct marketing.

8. Recipients of personal data (recipient groups) and regular data disclosures
Personal data will not be disclosed to third parties unless the customer separately requests the controller, for example, to reserve third-party services for the customer, such as safaris or table reservations.

When the data subject books accommodation services, leaves feedback or a contact request, personal data is transmitted through the website administrator.

If necessary, customer register data can be disclosed to authorities such as the police at their request based on the law.

9. Transferring data outside the EU or EEA

Personal data contained in the file will not be transferred outside the EU or EEA.

10. Register protection principles

Materials containing personal data are stored in locked spaces that can only be accessed by the appointed persons with task-based authorisation.

The database containing personal data is on a server which is stored in a locked space that can only be accessed by the appointed persons with task-based authorisation. The server is protected with the appropriate firewall and technical safeguards.

The databases and systems can only be accessed with separately provided personal user IDs and passwords. The controller has restricted access rights and authorisations to information systems and other storage platforms so that the data can only be viewed and processed by persons who are required to do so to ensure the lawful processing of the data. Furthermore, the database and system interactions are registered in the log data of the controller's IT system.

The controller's employees and other persons have undertaken to observe secrecy and keep secret any information they may gain in the context of processing personal data.

11. Rights of the data subject

In this case, the legitimate interest is the customer relationship. Data is also processed based on the agreement between the controller and the data subjects. The data subject has the following rights under the EU General Data Protection Regulation:

a. The right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information:
- the purposes of the processing
- the categories of personal data concerned
- the recipients or categories of recipient to whom the personal data have been or will be disclosed
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period
- the existence of the right to request from the controller the rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing
- the right to lodge a complaint with a supervisory authority
- where the personal data are not collected from the data subject, any available information as to their source (GDPR, Art. 15)

b. The right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal (GDPR, Art. 7)

c. The right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and, taking into account the purposes of the processing, the right to have incomplete personal data completed, including by means of providing a supplementary statement (GDPR, Art. 16);

d. The right to obtain from the controller the erasure of personal data concerning him or her without undue delay where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed
- the data subject withdraws consent on which the processing is based and where there is no other legal ground for the processing
- the data subject objects to the processing based on a special personal situation and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes
- the personal data have been unlawfully processed (GDPR, Art. 17);

e. The right to object to the processing of their personal data
- The data subject can object to the processing of her/his personal data on grounds related to her/his personal special situation, when the data is processed on the basis of a legitimate interest.
- The data subject does not have the right to object to the processing when the processing is based on an agreement between the data subject and the controller.
- If the data subject has objected to the processing on grounds related to her/his personal special situation, she/he must identify the special situation on the basis of which she/he objects to the processing based on a legitimate interest. The controller may continue processing the data if there is a significantly important and justified reason for the processing that overrides the interests and rights of the data subject, or if it is necessary to prepare, present or defend a legal claim.
- The data subject has the right at any time to object to the use of personal data about her/him in direct marketing (GDPR, Art. 21)

f. The right to obtain from the controller restriction of processing where one of the following applies:
- the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data
- the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead
- the controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims
- the data subject has objected to processing on grounds relating to his or her particular situation pending the verification of whether the legitimate grounds of the controller override those of the data subject (GDPR, Art. 18);

g. The right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided, where the processing is based on consent referred to in the regulation and the processing is carried out by automated means (GDPR, Art. 20);

h. The right to lodge a complaint with a supervisory authority if the data subject considers that the processing of personal data relating to him or her infringes the EU General Data Protection Regulation (GDPR, Art. 77).

Any requests regarding the enforcement of the data subject's rights are to be addressed to the controller's contact person listed in Section 1. The request to the data controller must be made in writing either by e-mail or by post.

If necessary, the controller may ask the data subject to submit a signed inspection request. The controller can also ask the data subject making the request to prove her/his identity with an official ID or in another reliable way. This ensures that the data and the identity of the data subject match.

12. Network analytics

The services below collect anonymized information about the website visits without personal information.
a. Webnode
b. Google Analytics

This data protection policy of the customer register was prepared on 01.02.2022 and updated on 01.03.2023.