Privacy statement – reservation management system
According to the General Data Protection Regulation, the personal data controller of a register is obligated to inform the register’s data subjects in a clear manner. This statement fulfils this informing obligation.
1. Personal data controller
Villa Jokivarsi Bed and Breakfast, Business ID (Y-tunnus) 2699036-4
Address: Rauskumäki 10, 01480 Vantaa, Finland
Contact information in matters related to personal data files:
Mari Saarenpää
+358-50588597, [email protected]
Data protection officer: Mari Saarenpää
2. Data subjects
Persons who have booked a room in Villa Jokivarsi Bed and Breakfast after 1.1.2018 or have made an online purchase.
3. Purpose of use of personal data
Grounds for keeping the register:
- personal data is being processed based on a customer relationship
Personal data is only being processed for predetermined purposes, which are:
- reservation management, including invoicing and shop deliveries
- informing guests about services in more detail
4. Personal data recorded in the register
The customer register contains the following information:
- Contact information: name, phone number and/or email. May also contain company name and private/company address
- Voluntary credit card information, which is securely stored by Stripe Payments Europe
- Information on products/services reserved and bought
- Other voluntary information useful for best customer experience, such as special diets and flight schedules
5. The data subject’s rights
The data subject has the following rights, and requests for their use should be sent to Villa Jokivarsi Bed and Breakfast, Rauskumäki 10, 01480 Vantaa, Finland or e-mail [email protected]
Right to access data
The data subject may check the data we have recorded.
Right to rectification
The data subject may request the rectification of inaccurate or incomplete personal data.
Right to object
The data subject may object to the processing of personal data if the data subject feels that personal data has been processed unlawfully.
Right to forbid direct marketing
The data subject has the right to forbid the use of personal data for direct marketing.
Right to deletion
The data subject has the right to request the deletion of data if personal data processing is not necessary. We will handle the request for deletion and proceed to either delete the data or state a justified reason for not being able to delete the data.
The data subject may also request the un-identification of his/her personal data.
It should be noted that the controller may have legal or other rights to not delete the requested data. The controller is obligated to preserve accounting materials for the duration (10 years) set out in the Accounting Act (Chapter 2, Section 10). For this reason, materials related to accounting cannot be deleted before that term has expired.
Withdrawing consent
If the processing of personal data is only based on the data subject’s consent and not for instance on a customer relationship or membership, the data subject may withdraw consent.
The data subject may complain about the decision to the Data Protection Supervisor.
The data subject has the right to demand that we restrict the processing of controversial data until the matter is solved.
Right to complain
The data subject has the right to complain to the Data Protection Supervisor if the data subject feels that we are violating the effective data protection regulation when processing personal data.
Contact information of the data protection supervisor: www.tietosuoja.fi/en/index/yhteystiedot.html
6. Regular information sources
Customer information is regularly obtained from:
- The customer through an online form, which may be on the Villa Jokivarsi website or the associates' website
- The customer in e-mail or in conversation with Mari Saarenpää
- The payment information (services bought and payment type, but not the credit card number) is automatically saved on check-out
7. Regular disclosure of data
The data is not generally disclosed for marketing purposes outside Villa Jokivarsi.
We are disclosing information to Sirvoy Ltd for storing the information. Sirvoy Ltd also provides the reservation management system, so they have technical means to read the information. Sirvoy Ltd is committed to complying with the requirements of the data protection regulation and the information is stored within the EU. Sirvoy is using SSL protection and is a fully PCI compliant service provider.
We have made sure that all our service providers are complying with data protection legislation. We are regularly using the following service providers:
- Sirvoy Ltd, 1562 First Ave, New York, NY 10028-4004 (/2nd Floor, 13 Upper Baggot Street, Dublin 4, Ireland), Reservation System provider (https://sirvoy.com/privacy-policy/)
- Booking.com B.V., Herengracht 597, 1017 CE Amsterdam, more information: https://www.booking.com/content/about.fi.html
- Expedia Inc., Bellevue, Washington, US, more information: https://www.expediagroup.com/about/privacy-data-handling-requirements/
- Stripe Payments Europe, Limited, The One Building, 1 Grand Canal Street Lower, Dublin 2, Co. Dublin, Ireland, more information: stripe.com/en-fi/privacy
- KHV Finance Oy, Kehäkuja 6, 05460 Hyvinkää, accounting
8. Duration of processing
- Personal data is processed for as long as the customer relationship exists, which is until the check-out and payment of the last reservation. However, the contact information will be stored in Sirvoy for possible future reservations, unless the customer requests anonymisation.
- Credit card details are automatically destroyed 30 days after check-out
9. Personal data processors
The controller and its employees process personal data. We may also outsource the processing of personal data partly to a third party, in which case we will guarantee with contractual arrangements that personal data is processed in compliance with valid data protection legislation and also otherwise appropriately.
10. Transferring data outside the EU
Normally personal data is not transferred outside the EU or the EEA.
Customers using services provided by Booking.com BV and Expedia Inc are subject to data privacy regulations of these companies.
11. Data protection principles
Villa Jokivarsi B&B’s own hardware and software are protected by the Elisa Yritystietoturva service (provided by F-Secure) and PIN codes.
The Sirvoy reservation management system stores all our information inside the EU and is using SSL protection. Sirvoy is a fully PCI compliant service provider.
12. Automatic decision-making and profiling
We are not using the data for automatic decision-making or profiling.
We do process data manually to sort out most significant customers for offering special gifts or benefits.