Visit Rovaniemi privacy policy

Customer database

Controller

Rovaniemi Tourism and Marketing Ltd (1839934-7)
Koskikatu 12
96200 Rovaniemi
FINLAND

Contact person in matters concerning the database

Sari Kalla
Koskikatu 12
+358 (0)44 770 8481
sari@visitrovaniemi.fi

Lawful basis for processing

Purpose of the processing of personal data

Visit Rovaniemi sells and distributes goods and services on behalf of businesses based in and around Rovaniemi and across Lapland. Visit Rovaniemi also provides tourist information services and markets Rovaniemi as a tourist destination internationally. In these cases, Visit Rovaniemi acts as a ‘processor’ and not a ‘controller’. This privacy policy applies to Visit Rovaniemi’s own customers. — Visit Rovaniemi uses the customer database to keep records of the organisation’s customers, to manage, archive and process customers’ orders and to manage customer accounts. The data may be used for operational development, statistical purposes and to produce more personalised targeted content in our online services. Personal data are only processed in so far as is permitted and required under the General Data Protection Regulation. Information from the database can be imported into other systems of the organisation in order to, for example, better target marketing communications without disclosing any personal data to third parties. The organisation may use partners’ services to manage customer accounts and service relationships, in which case some entries from a customer’s file may need to be uploaded to a partner’s server for technical reasons. Personal data are only ever processed in so far as is necessary to manage the controller’s customer relationships and always in a computerised format. The organisation reserves the right to publish electronic or hard-copy lists of its customers based on the database, except where a customer has specifically prohibited this. ‘Lists’ in this context refer to mailing lists and the like. Customers can email the controller’s customer service at info@visitrovaniemi.fi or the contact person in matters concerning the customer database at sari@visitrovaniemi.fi at any time to prohibit the publication of their personal data. The lawful basis for the processing is contractual.

Legitimate interests’ justification

Cookies

Recipients and categories of recipients

Controller’s staff and outsourcing partners (financial administration) where applicable

Consent

Content of the database

The database contains the following kinds of personal data:
– Each data subject’s first name and surname
– Name of the organisation they represent
– Email address
– Postal address
– Telephone number
– Website address
– IP number
– Order history

Regular sources of information

Customers’ personal data are collected using forms that the data subjects fill in themselves at visitrovaniemi.fi and various campaign websites. Customer information can also be collected by telephone and email or obtained from contractual documents or by other similar means. Other sources of information include registrations and correspondence in the course of customer relationships. Information about name changes and new contact details can also be obtained from the authorities and providers of update services. Furthermore, data may be obtained from subcontractors who are involved in the use or provision of services. Information about customers’ other online activities may be obtained through partners’ websites, information systems or other digital sources that are accessed via an electronic invite (link), cookies or a personal username and password. The information contained in our customer database is only accessible to people within our organisation, except where we use an external service provider to deliver a value-added service or to check credit ratings. Customers’ personal data are only ever shared with parties outside of the organisation or with its partners for credit check, debt collection or billing purposes or if required by law. Personal data can be transferred to the United States on the basis of the data protection framework (DPF) based on the data protection adequacy decision, if it is necessary to ensure the technical implementation of the data controller or its partner. Data subjects can ask to have their personal data erased at any time, except where erasure is not possible due to legal obligations, outstanding invoices or ongoing debt collection.

Personal data retention period

10 years from the end of each customer relationship

The information contained in our customer database is only accessible to people within our organisation, except where we use an external service provider to deliver a value-added service or to check credit ratings. Customers’ personal data are only ever shared with parties outside of the controller’s organisation or with its partners for credit check, debt collection or billing purposes or if required by law. Data subjects can ask to have their personal data erased at any time, except where erasure is not possible due to legal obligations, outstanding invoices or ongoing debt collection.

Right to data portability
Transfers of data to non-EU/EEA countries

Personal data are never disclosed to parties established outside of the European Union except where necessary to ensure the technical performance of the organisation or its partner.

Data protection principles A: Manual records

Contact information collected in connection with customer events and other hard-copy documents that contain customers’ personal data are reviewed and then stored in a locked, fireproof space. Only designated employees who have signed a non-disclosure agreement have access to hard-copy documents containing customers’ personal data. The information held in the customer database is protected and processed in accordance with the provisions and principles of the Finnish Data Protection Act, applicable government regulations and good data processing practices.

Data protection principles B: Digital records

Only designated employees of the organisation and its subcontractors are authorised to access and edit the customer database. Each of the authorised users has their own personal username and password. Each user has also signed a non-disclosure agreement. The system is protected by a firewall, which filters incoming network traffic. The information held in the customer database is protected and processed in accordance with the provisions and principles of the Finnish Data Protection Act, applicable government regulations and good data processing practices.

Our website uses cookies. Cookies are small text files that are placed and stored on users’ computers. Cookies do not damage users’ computers or files. Cookies are primarily intended to improve and customise the user experience of the website as well as to analyse and improve the functionality and content of the website. Information collected with the help of cookies can also be used to target communications and marketing as well as to optimise marketing measures. Visitors cannot be identified based on cookies alone. Information collected with the help of cookies can, however, be linked to other data obtained about users in other contexts, such as when a visitor fills in a form on our website.

Cookies are used to collect the following kinds of information:
– Visitor’s IP address
– Time of visit
– Pages visited and amount of time spent on each page
– Visitor’s browser

Your rights

Visitors to our website can disable cookies at any time by changing the settings on their browser. Most browsers give an option to both disable cookies and remove previously saved cookies. Disabling cookies may affect the functionality of the website.

Google Analytics

Our website uses Google Analytics to collect user statistics, monitor traffic, improve the service and plan marketing. Individual users or persons cannot be identified from the collected data. Our website also uses Google Analytics Demographics to collect information about target groups, such as visitors’ age and gender as well as their interests. You can change the settings relating to the collection of these data yourself in your Google account at https://www.google.com/settings/ads. Alternatively, you can block yourself from Google Analytics altogether using the opt-out extension in Chrome. Our website also features links to other websites and services. We use a YouTube API Client to embed videos into our content. For more information, see https://www.youtube.com/t/terms, https://www.google.com/policies/privacy and https://myaccount.google.com/permissions. We accept no responsibility for the privacy policies or contents of these external services.

Cookies
Third parties may place cookies on users’ devices when they visit our services in order to collect statistics on visitor numbers.

Automated decision-making and profiling

Right of access

Data subjects have the right to check what information about them is held in our customer database. Requests to check personal records must be made in writing through the controller’s customer service or the contact person in matters concerning the customer database, in Finnish or in English. The request must be signed or sent from a verified email address. Data subjects have the right to prohibit the processing of their personal data and the disclosure of their data for purposes of direct advertising, distance selling and direct marketing as well as market research and opinion polling by contacting the controller’s customer service. Data subjects have the right to transfer their personal information from one system to another. Requests to move data can be addressed to the contact person in matters concerning the customer database.

Right to rectification

Data subjects have the right to ask for the rectification, erasure or supplementation of any personal data held in the customer database that are incorrect, unnecessary, incomplete or out of date from the perspective of the purpose of processing. Requests to rectify mistakes must be made in writing to the organisation’s customer service or the contact person in matters concerning the customer database and either signed by hand or sent from a verified email address. The request must specify which information needs to be corrected and why. The controller makes such corrections straight away and notifies the source of the incorrect data as well as anyone with whom the incorrect data have been shared.
In the event that a request for rectification is denied, the contact person in matters concerning the customer database produces a written explanation of the reasons why the request was denied. The affected individual may, if they wish, appeal the decision to the Data Protection Ombudsman.

Right to restrict processing

Data subjects have the right to restrict the processing of their personal data if, for example, the information held in the customer database is incorrect. Such requests can be made to the contact person in matters concerning the customer database.

Right to object

Data subjects have the right to access their personal data and to have their personal data updated or erased. Requests can be addressed to the contact person in matters concerning the customer database. If you are acting as a representative of a business or an organisation, your information cannot be erased while you act in this capacity.

Right to data portability

Right to complain to the competent authority

If you feel that the way in which your personal data have been handled violates the General Data Protection Regulation, you can file a complaint with the competent supervisory authority. You can also file your complaint with the competent authority of the EU Member State in which you live or work. The contact information of the competent authority in Finland is as follows:

Office of the Data Protection Ombudsman
Visiting address: Lintulahdenkuja 4, 00530 Helsinki, FINLAND
Postal address: PO Box 800, 00531 Helsinki, FINLAND
Switchboard: +358 (0)29 566 6700
Registry: +358 (0)29 566 6768
tietosuoja@om.fi
www.tietosuoja.fi

Other rights related to the processing of personal data

Data subjects have the right to prohibit the disclosure and processing of their data for purposes of direct advertising and other marketing, the right to demand that their data be anonymised where applicable and the right to be forgotten.