General terms and conditions for the use of Rukakeskus Oy’s online services
ABOUT THE RUKAKESKUS OY WEBSITE
The Ruka and Pyhä webshops are web services provided by Rukakeskus Oy. These services provide booking services for Rukakeskus Oy and its affiliates Pyhätunturi Oy and Ski-Inn Hotels & Apartments Oy. All payment transactions pass through Rukakeskus Oy.
The websites use a Secure Socket Layer (SSL) digital certificate with which the service provider’s (Rukakeskus Oy) identity is certified and also the connection between the service user's computer and the server is SSL-protected.
Please contact Ruka and Pyhä booking services for any questions regarding bookings and services:
Phone number +358 10 382 5222, firstname.lastname@example.org
Rukatunturintie 9, FI-93830 Rukatunturi, Finland
Phone number +358 8 8600 400, email@example.com
Kultakeronkatu 21, FI-98530 Pyhätunturi, Finland
The online services do not store any information related to customer transactions such as credit card numbers or bank account numbers. The payment transaction is always secured and follows bank security regulations and the regulations of the payment service provider Nets (Luottokunta).
Rukakeskus Oy (Business ID 3145834-8),
Pyhätunturi Oy (Business ID 0726785-9),
Ski-Inn Hotels & Apartments Oy (Business ID 1905064-9)
PRIVACY STATEMENT, May 28, 2020
The European General Data Protection Regulation (2016/679)
Data Protection Act (1050/2018)
1. Data controller: Rukakeskus Oy, Rukatunturintie 9, FI-93830 Rukatunturi, Finland. Phone number +358 400 101 601.
2. Person in charge of the register: Rukakeskus Oy, Maria Fonsell, Rukatunturintie 9, FI-93830 Rukatunturi, Finland.
3. Name of the register: Customer register of Rukakeskus Oy’s webshop for Ski-Inn apartments, ski passes, activities and equipment rentals.
4. Legal basis for the processing of personal data: The processing of customer data is based on a legitimate interest of the controller or an agreement between the controller and the data subject.
5. Purpose of processing personal data: Managing and developing customer relationship such as selling and purchasing services, confirming the purchase of online services, enabling accommodation activities and identifying online bookings. Marketing and communications of the company and its partners. Developing the data controller’s business and customer service.
6. Register data content: The data controller processes the following personal data:
• Customer’s first and last name, date of birth, phone number, address, email address
• Information about accommodation bookings (value of reservation, booked apartment, special diets)
• Customer’s payment method information, invoicing information, possible reference number information
• Information about possible marketing bans
• Information about customer’s consent to electronic direct marketing (marketing via various electronic channels such as email, SMS, social media)
• Information about the use or purchases of services
• Information about customer-specific behaviour, choices and special wishes (e.g. special requests concerning the apartment, accessibility issues, interests etc.)
• Possible customer feedback and complaint details
7. Profiling: As part of processing the personal data stored in the customer register, Rukakeskus may also use the data for profiling purposes. The profiling is carried out by creating a customer identifier for the data subject, which can be used to combine various data that is created as the data subject uses the service. The profile created through the aforementioned method can then be, for example, compared to profiles created for other data subjects. The purpose of the profiling is to investigate the demand for services and customer behaviour.
8. Regular data sources: Information is collected from the data subject themselves during booking. Additionally, information can be collected when using services and making purchases and possibly from third party registers. By accepting communications and marketing from Rukakeskus Oy and Pyhätunturi Oy, you consent to the storing and processing of your personal data so that we can send you content that you have subscribed to via email. You can cancel the communications settings in question at any time by using the link in our newsletter.
9. Disclosure of data: To be able to provide their services, the data controller uses a subcontractor or subcontractors who need personal data for providing their services. When the customership and factual connection have ended, personal data can be transferred to Ruka’s marketing register.
10. Data transfers outside the EU: According to data protection legislation, personal data may be transferred outside the EU member states or the European Economic Area insofar as the European Commission has found that the country in question guarantees an adequate level of data protection. In order to provide services, Rukakeskus Oy uses partners outside the EU or EEA for the purposes of, for example, customer relationship management, customer service, marketing support, technical support and analysis. When transferring personal data outside the EU or EEA, we use data transfer mechanics approved by the European Commission, such as standard contractual clauses. Rukakeskus Oy is responsible for the third party processing of personal data according to data protection legislation.
11. Data retention period: Personal data in the customer register is processed for the duration of the customer relationship. The data controller considers the customer relationship terminated if the customer has not used the services provided by the data controller in twenty (20) years. This period is calculated from the end of the calendar year in which the customer last used the services of the company. The information is deleted six (6) months after the customer relationship has ended if there are no grounds for retaining the data.
After the termination of the customer relationship, data can still be retained and processed for handling complaints. The retention period of the data in the customer register also complies with the statutory retention periods such as the Accounting Act. The information required by the Accounting Act is retained for as long as the Accounting Act so requires.
Similarly, business customer contact information will be deleted after the business relationship is terminated. However, data can be retained after this if there are other reasons for doing so.
When data is processed under a contract between the controller and the data subject, data shall be retained for as long as necessary for the implementation of the contract. Once the contract has been completed, data will be retained as long as the customer relationship exists or there is another reason for processing the information (e.g. complaints or Accounting Act).
12. The rights of the data subject: Personal data contained in the customer register shall be processed in the legitimate interest of the controller (Data Protection Regulation Article 6 Article 1 subsection e). In this case, the legitimate interest is the customer relationship. Personal data is also processed on the basis of an agreement between the controller and the data subject (Data Protection Regulation Article 6 Article 1 subsection b). This criterion of treatment is further explained in section 4 of the privacy statement. When data is processed on the basis of a legitimate interest and a contract, the data subject has the following rights:
THE DATA SUBJECT’S RIGHT TO ACCESS THEIR PERSONAL DATA
– The data subject has the right to request access to their personal data (right of access) in order to ascertain whether the data concerning them is processed in the register or not.
– As a rule, the data subject has the right to know what information concerning them is stored in the customer register. The data controller may request the data subject to sufficiently specify which data or processing operations the data subject's request relates to.
– The data subject's right to information may be restricted or rejected under the Data Protection Regulation if disclosure would adversely affect the rights and freedoms of others. Such protected rights include, but are not limited to, the business secrets of the controller or personal data of another person. The right of the data subject may also be restricted by national law (e.g. Data Protection Act).
RIGHT TO DATA RECTIFICATION
– The data subject has the right to demand that the controller rectify inaccurate and incorrect personal data concerning the data subject without undue delay.
RIGHT TO THE ERASURE OF DATA
At the request of the data subject, the data controller shall, without undue delay, delete the personal data relating to the data subject if any of the following conditions are met:
– Personal data is no longer needed for the purpose for which they were collected or otherwise processed
– The data subject objects to the processing of their personal data and there are no legitimate grounds for such processing
– The data subject objects to the processing of their personal data for direct marketing purposes (however, the data may still be processed for other purposes in this case)
– Personal data has been processed unlawfully
Even if one of the conditions is met, the data need not be deleted if processing is necessary to comply with statutory obligations, such as EU law or national law applicable to the controller, or to file, present or defend a legal claim.
RIGHT TO OBJECT TO THE PROCESSING OF PERSONAL DATA
– The data subject has the right to object to the processing of their personal data on the basis of their particular personal situation when the data is processed on the basis of a legitimate interest.
– The data subject has no right to object to the processing of their personal data where the processing is based on an agreement between the controller and the data subject.
– If the data subject has objected to the processing of their data on the basis of their particular personal situation, the data subject must identify the specific situation on the basis of which they object to the processing on legitimate grounds. The data controller may continue to process the data, regardless of any objection, if there is a compelling and justified reason for the processing which overrides the interests, rights and freedoms of the data subject or where it is necessary for filing, presenting or defending a legal claim.
The data subject has the right to object at any time to the use of their personal data for direct marketing purposes. If the data subject objects to the use of their personal data in direct marketing, the data may no longer be processed for this purpose.
RIGHT TO RESTRICT THE PROCESSING OF PERSONAL DATA
At the request of the data subject, the data controller shall restrict the active processing of personal data in the following situations:
– The data subject denies the accuracy of the personal data and processing must be restricted until the data controller can verify the accuracy of the data
– The processing is unlawful and the data subject demands that the processing of the personal data be restricted instead of erasing the personal data
– The personal data in question is no longer required by the data controller for the purposes of processing, but is required by the data subject in order to file, present or defend a legal claim, or
– The data subject has objected to the processing of their personal data (on the right of objection above) and the assessment of whether the legitimate grounds of the controller override the data subject's grounds is ongoing.
In principle, while the processing restriction is in effect, data may only be stored. Data may also be processed for the purposes of filing, presenting or defending a legal claim, for the protection of the rights of another natural or legal person, or for important public interest reasons. The data subject must be informed prior to lifting the processing restriction.
RIGHT TO TRANSFER DATA FROM ONE SYSTEM TO ANOTHER
Insofar as the data subject themselves has provided personal data to the customer register which is processed by means of automatic data processing and under a contract between the data controller and data subject, the data subject is generally entitled to receive such data in a machine-readable form as well as have the data transmitted directly from one controller to another, where technically feasible.
13. Right to file a complaint with the supervisory authority: The data subject has a right to file a complaint with the competent supervisory authority if they feel that the data controller has failed to comply with applicable data protection regulations.
14. Requests concerning the data subject’s rights: In matters relating to the processing of personal data and the exercise of their rights, the data subject may contact the contact person of the controller referred to in section 2.A request for access or any other request for exercising the rights of the data subject must be sent in written form, either by email or by mail. The request may also be made in person at the controller's office.The data controller may request the data subject to sufficiently specify which data or processing operations the data subject's request relates to.