We comply with applicable data protection legislation in all processing of personal data. Data protection legislation refers to current data protection legislation, such as the General Data Protection Regulation of the European Union (2016/679) and the Finnish Data Protection Act (5.12.2018/1050). Concepts related to data protection that are not defined in this privacy statement shall be interpreted in accordance with data protection legislation.
“Personal data” means any information relating to a natural person (“data subject”) from which a person can be identified, directly or indirectly, as further defined in the GDPR.
2. Data controller and data protection officer
Controller: Hilla Villas Oy
Business ID: 3338777-4
Address: Oksasenkatu 4b A 11, 00100 Helsinki
Contact information for data protection matters:
3. Purposes and legal bases for processing personal data
The purposes (and legal bases) for processing personal data are:
- providing and delivering services (e.g. managing reservations), concluding customer and partner agreements (contractual relationship or its preparation, legitimate interest)
- customer service and communication, e.g. service-related notifications, informing about changes made to services, requesting feedback on services and customer satisfaction surveys (legitimate interest, consent, contractual relationship)
- marketing, including market research, other marketing promotion and analysis, production of statistics and measurement of marketing effectiveness (legitimate interest)
- direct marketing, including electronic direct marketing and telemarketing, as well as planning and measuring the effectiveness of advertising and marketing, as well as combining and updating personal data for direct marketing purposes (the controller may use personal data to tailor its offer and provide relevant content – this means, for example, recommendations or tailored content and tailored advertisements in our own and third-party services) (legitimate interest, consent)
- managing customer and partner relationships, subcontracting and cooperation with service providers (legitimate interest, contractual relationship or its preparation)
- analyze and improve business processes and practices (legitimate interest)
- using data analytics to develop the website, services, marketing, customer relationships and experiences (legitimate interest, consent)
- monitoring user traffic on our website and other services (consent)
- invoicing, credit decisions and debt collection (legitimate interest)
- internal reporting and other administrative measures (compliance with a legal obligation)
- handling complaints and handling legal and official procedures (compliance with a legal obligation)
- preventing and investigating misuse, as well as ensuring data security, the safety of persons and property (legitimate interest)
- to administer and protect our business and website, including troubleshooting, data analysis, testing and system maintenance (legitimate interest)
- fulfilling other statutory obligations (e.g. accounting and tax related activities) and reporting obligations (statutory obligation)
When we process personal data based on legitimate interest, we assess the benefits and possible disadvantages of the processing for the data subject and we have assessed that the rights and interests of the data subjects do not override the legitimate interest. Upon request, we will provide additional information on the processing of personal data based on legitimate interest.
We send marketing by email or other relevant electronic communication channel if the data subject has given us consent to this or we are otherwise entitled to it under the Act on Electronic Communications Services.
As an accommodation operator, we may use passenger information and passenger name records for customer service and direct marketing. The data subject’s right to object to the processing of personal data is laid down in the General Data Protection Regulation, and more information on this right is provided in section 11 (Rights of data subjects) of this privacy statement.
4. Personal data processed
The following personal data is processed about customers:
- Information required by passenger declarations:
- the passenger’s full name and personal identity code or, failing this, date of birth and nationality
- the full names and personal identity codes of the passenger’s accompanying spouse and minor children or, in their absence, their dates of birth
- passenger’s address
- the country from which the traveller arrives in Finland
- passenger’s travel document number
- the traveller’s date of arrival at the tourist accommodation and date of departure, if known;
- the traveller can indicate in the passenger notification whether the accommodation takes place for leisure, work, a meeting or some other reason
- Other customer information
- e-mail address
- telephone number
- necessary information provided by the customer in connection with customer service and contacts
- customer satisfaction data (e.g. feedback and complaints), comments on the controller’s services and other information obtained with the customer’s consent
- results of customer satisfaction surveys
- booking information (e.g. information about previous bookings and future bookings)
- Information related to the use of the Services: e.g. Service usage, purchase and cancellation information
- customer’s payment method and payment behaviour information as well as billing information
- direct marketing consents and prohibitions (e.g. removal from the newsletter mailing list)
- other data collected with the customer’s consent (e.g. information on mobility limitations, injuries and illnesses reported by the customer that are necessary for the provision of the service requested by the customer, as well as information about pets and electric cars)
- for corporate customers, company name, business ID, industry and contact information
Data processed about partners:
- name, business ID, contact person, date of birth, address, telephone number, email address, account number of a company or private person
5. Regular sources of information
Usually, we collect personal data directly from the data subject, for example in connection with transactions, when the data subject books and purchases our services either themselves or on behalf of the organisation they represent, when the data subject visits our website and other electronic services, subscribes to our newsletter, responds to a customer satisfaction survey or otherwise contacts us.
We also receive personal data from other external sources, such as private register services and registers maintained by authorities.
6. Automated decision-making and profiling
We do not carry out automated decision-making or profiling that would have legal or similar effects on data subjects in accordance with Article 22 of the GDPR.
7. Retention of personal data
We store personal data for as long as is necessary for the purposes defined in the privacy statement and always for the period required by law (for example, responsibilities and obligations related to accounting obligations or reporting obligations), or if we need the data for the establishment, exercise or defence of legal claims or to resolve a similar dispute.
After the end of the purpose of use, the personal data will be deleted or anonymised within a reasonable time.
In general, we follow the following criteria for storing and deleting personal data:
- Personal data is processed for the duration of the customer and contractual relationship and for the necessary time after the customer and contractual relationship has ended.
- We, as the accommodation operator, must retain passenger declarations and data for one year from the date of signing the declaration, after which they must be destroyed. PNR data shall be retained for one year after entry, after which they shall be destroyed. However, the provisions of the General Data Protection Regulation shall apply to the removal of data used for customer service and direct marketing.
Upon request, we will provide additional information about our personal data retention practices.
8. Recipients of personal data
Various service providers and other third parties may be used in the processing of personal data, such as providers of technical solutions or server space, customer service and marketing service providers, or accounting and financial administration service providers.
Our partners (owners and custodians of accommodations) have access to customer data related to the accommodation they own or maintain.
We take care of the agreements required by data protection legislation with the parties we use in the processing of personal data.
In addition to the above, the controller may disclose personal data for the following purposes:
- to collect payments for services and may, for example, transfer or sell unpaid invoices to third parties providing debt collection services;
- partners with whom the controller jointly implements services;
- the controller may share personal data in connection with a corporate acquisition or other corporate arrangement or when the service is transferred to another service provider. The controller may share personal data by order of a court or similar;
- to third parties in situations required by law or authorities or to investigate misuse, as well as to ensure safety. In addition, personal data may need to be disclosed in connection with legal proceedings or similar legal proceedings;
- if the controller is involved in a merger, business acquisition or other corporate arrangement, personal data may be disclosed to the parties to the arrangement or to parties assisting in the arrangement.
Our website and service may set cookies and collect or transfer information to third parties. Please refer to the Cookie Statement and Cookie Settings displayed on our website for information about these third parties and the purposes for which the data is collected. We only use non-essential cookies if the data subject has given his or her consent.
Upon request, we will provide additional information about the recipients of personal data.
9. Transfer of personal data outside the European Economic Area
The controller strives to store personal data in the European Economic Area and the European Union, but this is not always possible. If data is transferred outside the European Union or the European Economic Area, the controller ensures an adequate level of protection of personal data, for example, by agreeing on matters related to the processing of personal data as required by data protection legislation, such as by using standard contractual clauses approved by the European Commission or based on an adequacy decision made by the European Commission.
Upon request, we will provide additional information regarding transfers of personal data and the protection mechanisms used.
10. Protection of personal data
Data security and protection of personal data are of paramount importance to us. We use appropriate technical and organisational safeguards to protect personal data. We also ensure fault tolerance of our systems and data recovery capabilities. The right of access to personal data is restricted only to separately authorised parties. Parties processing personal data are bound by professional secrecy in matters related to the processing of personal data.
11. Rights of data subjects
Data subjects have rights to their personal data in accordance with data protection legislation. However, the application of rights in each individual situation depends on the purpose and situation of the personal data.
- Right of access to personal data. The data subject has the right to obtain confirmation of whether the data subject’s personal data is being processed and other information on the processing of personal data in accordance with data protection legislation. The data subject has the right to receive a copy of the personal data.
- Right to rectification of personal data. The data subject has the right, subject to certain restrictions, to demand the correction or erasure of incorrect or inaccurate data.
- Right to erasure of personal data. The data subject has the right, in accordance with the requirements of data protection legislation, to request the erasure of their personal data. Upon request, we will delete personal data, unless we are required by law or some other applicable exception under data protection legislation to retain personal data.
- Right to restriction of processing. In accordance with the requirements of data protection legislation, the data subject has the right to request the restriction of the processing of personal data in certain situations.
- Right to portability of personal data. The data subject has the right to request the transfer of their personal data to another controller. As a rule, the right to portability applies to personal data that the data subject has provided to the controller in a structured and machine-readable format and for which the processing is based on the data subject’s consent or agreement, and/or for which the processing is carried out automatically.
- Right to object to processing. The data subject has the right, in accordance with the requirements of data protection legislation, to object to the processing of personal data based on legitimate interests, including profiling. We may refuse the request if the processing is necessary for the compelling and legitimate interests pursued by the controller or a third party. However, the data subject always has the right to object to the processing of personal data for direct marketing purposes and profiling related to direct marketing.
- Right to withdraw consent. If the processing of personal data is based on the consent given by the data subject, the data subject has the right to withdraw his or her consent to the processing of personal data concerning him/her. The withdrawal of consent has no effect on processing previously carried out in the event of the withdrawal.
Exercising your rights
We hope that you will contact us as a data subject if you have any questions regarding the processing of your personal data.
You can send a request concerning the rights of the data subject by letter or e-mail using the contact details mentioned in this privacy statement.
The identity of the applicant may be verified before the request is processed. The request shall be answered within a reasonable time and, in principle, within one month of the request being made and the identity checked. If the request cannot be granted, the refusal will be notified separately.
12. Right to lodge a complaint with a supervisory authority
The data subject has the right to lodge a complaint with the competent data protection authority if the data subject considers that his or her personal data has been processed in violation of data protection legislation.
The contact information of the Finnish Data Protection Authority can be found here.
This privacy statement was published on 1.9.2023.