1. Data controller
Tel. 020 774 1500
Business ID 0891958-0
2. Contact person for issues concerning the register
Tel. 020 774 1677
3. Name of the register
Murikanranta Oy’s customer register.
4. Legal basis for processing personal data
The processing of personal data in the customer register is based on the consumer customers’ and business customers’ customer relationship with Murikanranta Oy.
The data controller shall only process customer data on the basis of an agreement concluded between the data controller and the customer. On this basis personal data, which is collected from the customer for making a room or table booking or for room or restaurant invoicing, is processed.
5. Intended use of personal data
The intended uses for customer data in the customer register include:
- Management and development of the customer relationship
- Customer relationship communications
- Processing of bookings made by the customer
- Sales and implementation of services
- Processing of personal data related to payment transactions, billing and invoice management and collection
- Marketing of data controller’s services
- Development of data controller’s business operations and customer service
Any special dietary details of the customer are only used for the preparation of meals and for catering.
6. Personal data to be processed
The data controller shall process the following personal data about the customer:
- customer’s first and last name, date of birth, phone number, address, email address
- details concerning bookings
- customer’s payment method details, billing information, any payment reference details
- information on whether the customer has refused using data for direct marketing
- information on whether the customer has given consent to electronic direct marketing (marketing via SMS or email) – information on the use of services and purchases
- details concerning the customer’s choices and wishes (such as special wishes concerning a room, accessibility issues)
- any customer feedback and reclamation information
- any special dietary details.
The data controller shall process the following personal data in case of its business and community customers:
- business and community customer’s contact person’s name, address, email address and phone number
- refusal information concerning direct marketing in accordance with legislation, remote sales and other direct marketing as notified by the company’s or community’s contact person
- any customer feedback and reclamation information.
7. Where is personal data collected
Personal data to be processed is also collected from the data subject him-/herself. Personal data is also collected from third parties, as well as from companies and communities that produce hotel, restaurant and programme booking services, in which case it is a disclosure of data between two data controllers.
The data controller can also produce personal data for the register.
8. Recipients or recipient groups of personal data
Information can be disclosed from the customer register to authorities on the basis of their legal data requests.
Information can also be disclosed to subcontractors for the implementation of their own service. Disclosed data is limited to such data, which the subcontractor needs for implementing his/her own service.
Companies that process personal data on behalf of the data controller are considered to be processors referred to in the data protection regulation. A processor operates as a service provider, which delivers the data controller a customer register software and relevant maintenance services. The processor of contact details used for direct marketing in the customer register operates as a service provider, which delivers the data controller a software service required for the submission of direct marketing messages.
9. Transfer of personal data outside the EU
Personal data is not transferred outside the EU.
10. Criteria concerning the retention period of personal data
Personal data of the customer in the customer register is processed for the term of the customer relationship. The data controller shall deem the customer relationship to have ended, if the customer has not used the services of the company that operates as the data controller for 3 years. The time is calculated from the end of the calendar year, during which the customer has last used the company’s services. The data shall be removed within 3 months after the customer relationship has ended, unless there are other reasons to retain the information.
After the end of the customer relationship, the data can however be retained and processed, if it is necessary for the processing of reclamation issues. In terms of the retention periods of information in the customer register, the retention periods referred to in law, such as the Accounting Act, are observed. Information required by the Accounting Act is retained for as long as the Accounting Act sets out.
The contact person details of business and community customers are removed in a similar manner, when the company’s customer relationship is deemed to have ended. Thereafter information can however be retained, if there is other reason to do so.
When information is processed on the basis of an agreement concluded between the data controller and the data subject, information can be retained for as long as necessary to fulfil the agreement. Once the agreement has been fulfilled, information shall be retained for as long as the customer relationship exists or there is another reason for processing (e.g. reclamation cases or Accounting Act).
During the customer relationship, only such information that is necessary in terms of the defined purposes is processed. The data controller shall regularly carry out periodic reviews to remove any unnecessary information.
When the customer relationship ends, the customers’ details can be transferred to the company’s direct marking register in case of such persons who have not refused the use of their data for direct marketing.
11. Data subject’s rights
When data is processed on the basis of a legitimate interest and agreement, the data subject has the following rights:
Data subject’s right to access own data
The data subject has the right to request access to data concerning him-/herself (=right to review) to clarify whether data concerning him/her is processed in the member register or that they are not processed.
In principle, the data subject has the right to know, what information concerning him/her has been stored in the customer register. The data controller can ask the data subject to specify in a sufficient manner, what data or processing procedures the request concerns.
The data subject’s right to obtain information can be limited or refused under the data protection regulation, if the provision of information would adversely affect the rights and freedom of others. Such protectable rights include, for example, the data controller’s professional secrets or the personal data of another person. The data subject’s right may also be limited by national legislation (such as in the Data Protection Act).
Right to rectify information
On this basis, the data subject has the right to demand that the data controller rectifies any incomplete or inaccurate personal data concerning the data subject without undue delay.
Right to remove information
At the data subject’s request, the data controller must remove any personal data concerning the data subject, if one of the following requirements is met:
- personal data is no longer needed for the purposes it has been collected for or for the purpose it has otherwise been processed
- the data subject refuses the processing of personal data and there is no justified reason for processing
- the data subject refuses the processing of personal data for direct marketing (processing is however possible in this case for other purposes)
- personal data has been processed in violation of legislation
Even if one of the requirements is met, the information does not need to be removed if processing is necessary, for example, for fulfilling the regulatory obligation that requires processing on the basis of EU legislation or national legislation or for preparing, presenting or defending a legal claim.
Right to refuse data processing
The data subject has the right to refuse the processing of his/her personal data on the basis of his/her special circumstances, when the information is processed on the basis of a legitimate interest.
The data subject does not have the right to refuse processing of personal data, when the processing is based on an agreement concluded between the data controller and the data subject.
If the data subject has refused the processing of his/her data on the basis of his/her personal special circumstances, the data subject must specify the special circumstance on which basis he/she refuses the processing that is carried out on the basis of a legitimate interest. The data controller can continue to process data, despite the refusal, if there is a significantly important and justified reason for the processing, which supersedes the data subject’s interests, rights and freedoms or if it is necessary for preparing, presenting of defending a legal claim.
The data subject has the right at any time to refuse the use of personal data in direct marketing. If the data subject refuses the processing of personal data in direct marketing, information may no longer be used for this purpose.
Right to request the limitation of processing
At the data subject’s request, the data controller shall limit the active processing of personal data in the following situations:
- the data subject denies the accuracy of his/her personal data, in which case processing shall be limited, until the data controller can confirm the accuracy of the data
- the processing is in violation with legislation and the data subject demands that processing is limited instead of the personal data being removed
- the data controller no longer needs the personal data for the purposes of processing, but the data subject needs them for preparing, submitting or defending a legal claim or
- the data subject has refused the processing of personal data (right of refusal above) and the assessment of whether the data controller’s legitimate interests supersede those of the data subject’s is still underway.
For the duration of the processing limitation, in principle the data can only be retained. Information can also be used for preparing, presenting or defending a legal claim or for protecting the rights of another natural person or legal person or for reasons concerning important general interest. Before the limitation of processing is removed, it shall be informed to the data subject.
Right to transfer data from one system to another
To the extent that the data subject has personally provided personal data to the customer register, which are processed by means of automatic data processing and on the basis of an agreement concluded between the data controller and the data subject, the data subject has the right to obtain such information, generally in a machine-legible format as well have the personal data transferred from one data controller to another, if it is technically possible.
12. Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with a competent supervisory authority, if the data subject considers that the data controller has not observed the data protection regulations that its operations are subject to.
13. Requests concerning the use of the data subject’s rights
In case of questions concerning the processing of personal data and situations concerning the exercising of personal rights, the data subject can contact the data controller’s contact person referred to in Section 2.
A request concerning the right to review or a request concerning the implementation of the data subject’s other rights shall be made in writing either by email or by post. The request can also be made personally at the data controller’s office.
The data controller can ask the data subject to specify in a sufficient manner, what data or processing procedures the request concerns.
To ensure that personal data in relation to the use of the data subject’s rights, are not disclosed to anyone but the data subject, the data controller may request the data subject to deliver a signed request to review. The data controller may also ask the requester to verify his/her identity with an official identification document or by other reliable means.
Cookies on the website
Cookies are used to i.e.
- develop the website useability and user experience
- anonymously count visitors to the website
- monitor visibility in search engines
- target advertising.