Primehotels Oy – customer file
Information document on the processing of personal data in the customer file of Primehotels Oy and its subsidiary Hotelli Linnanpuisto Oy in accordance with the EU General Data Protection Regulation (GDPR)
Primehotels Oy (business ID 1801261-6), Furuborginkatu 3, 00980 Helsinki, Finland
Contact person in matters relating to the file
The contact person in matters relating to the file and the rights of the data subject is:
Name: Marja-Liisa Karhu
Tel: + 358 9 319 1110
Name of the file
Primehotels Oy – customer file
Legal basis for processing of personal data
The processing of personal data is based on a legitimate interest, i.e. the processing of personal data in the customer file is based on the customer relationship between consumer customers or corporate customers and Primehotels Oy. The controller also processes customer information based on a contract between the controller and the data subject. This is the basis for processing personal data collected from a customer when booking a restaurant table or room, or for restaurant and room invoicing. The information is also used by Primehotels Oy’s subsidiary Hotelli Linnanpuisto Oy (Hotel Katajanokka) when the processing of personal data is based on a customer relationship or contract.
Purposes for processing personal data
Customer information contained in the customer file is used for the following purposes:
- processing reservations made by the customer
- managing and developing the customer relationship
- customer communication
- sales and provision of services
- marketing of services
- processing of personal data relating to payments, invoicing and the monitoring and recovery of payments
- development of the controller’s business operations and development of customer services
Information on a customer’s special dietary needs is only used for preparing and serving food.
Processed personal data
The following personal data is processed by the controller:
- the customer’s first and last name, birth date, telephone number, address, e-mail address
- reservation details
- information on service use and purchases
- information on the customer’s payment methods, invoicing and any payment delays
- information on the customer’s choices and preferences
- any customer feedback and complaints
With regard to corporate customers, the controller processes the following personal data:
- name, address, e-mail address and telephone number of the corporate customer’s contact person
- any customer feedback and complaints
- information on direct advertising prohibition made by the company’s contact person in accordance with the law
Sources of personal data
The controller obtains personal data from:
- the data subjects directly via e-mail or phone or at promotional events, for example
- information obtained from the use of services and during visits
- its website via order and request for offer forms
- external restaurant reservation sites
- external hotel reservation service providers
- the data subject’s employer in connection with service booking
- subsidiaries in the Primehotels Oy Group
Recipients or groups of recipients of personal data
The data in the customer file is only processed by employees whose work essentially involves the processing of data. Separate IDs and passwords are required to access the file. No data will be disclosed to third parties. However, data may be disclosed to the authorities based on of their legal requests for information.
Transfer of data outside the EU
For the provision of services, we use subcontractors who may be established outside the EU or the European Economic Area. When transferring data outside the EU or the EEA, we ensure an adequate level of personal data protection by means such as agreeing on the confidentiality and processing of personal data as required by law.
Retention periods for personal data
The customer’s personal data contained in the customer file is processed during the customer relationship. The controller considers the customer relationship to have ended if the customer has not used the company’s services for 2 years.
However, personal data may be stored and processed after the end of the customer relationship if necessary for a legitimate reason or for handling complaints. The retention period for the personal data in the customer file is governed by law, such as the Accounting Act. Information required by the Accounting Act is retained for as long as required by the Act.
The contact person data for corporate customers is deleted in a similar way after the company’s account is considered to have terminated. However, the data may continue to be retained if there is some other justification for it.
When personal data is processed on the basis of a contract between the controller and data subject, the data is retained for as long as it is needed to execute the contract. Once the contract has been performed, the data is retained for as long as the account relationship exists or there is some other justification for the processing (e.g. complaints cases or the Accounting Act).
Only personal data that is necessary for the specified uses is processed during the account relationship. The controller will regularly carry out periodic inspections to remove unnecessary data.
Rights of the data subject
The data subject has the right to request access to his/her personal data and the right to require rectification of the data if it is inaccurate. At the request of the data subject, the processing of personal data may be restricted or the data may be removed from the file entirely. The data subject has the right to object to the use of personal data for direct marketing purposes, for example.
Right of appeal to a supervisory authority
The data subject has the right to lodge a complaint with the competent supervisory authority if the data subject considers that the controller has not complied with the data protection rules applicable to its activities.
Requests to exercise the rights of the data subject
In matters relating to the processing of personal data and the exercise of their rights, data subjects may contact the contact person of the controller referred to in section 2.
The request to exercise the right of inspection or some other right of the data subject must be made to the controller in writing by e-mail or post. The request may also be made in person at the controller’s place of business. The controller may ask the data subject to provide sufficient details on which personal data or processing actions the data subject’s request concerns.
In order to ensure that personal data is not disclosed to others than the data subject for exercising the rights of the data subject, the controller may, if necessary, request the data subject to submit the inspection request in signed form. The controller may also ask the requestor to prove their identity with an official identity card or in some other reliable manner.