Updated May 18, 2018
Personal data means any information relating to an identified or identifiable natural person. For example, name, personal identity code, location data, online identifier, address or accommodation data.
Sensitive data means personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data or data concerning one’s health, sex life or sexual orientation.
“Processing of personal data”
Processing of personal data means any operation which is performed on personal data by automated means or manually.
Processing of personal data is, for example, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
An identified or identifiable natural person that the processed personal data relates to. For example, a jobseeker or a customer.
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Where two or more controllers jointly determine the purposes and means of processing (why and how personal data are processed), they shall be joint controllers. They shall in determine their respective responsibilities a transparent manner for ensuring compliance with the obligations in the legislation.
We collect and process personal data only as far as it is necessary for the business of Kämp Collection Hotels and its affiliates in the same group for the following purposes:
- development, production, supply and offering of services
- maintaining and administering the customer relationship
- organizing customer service and events
- invoicing and credit control
- marketing and advertising services and products, by, for example, direct marketing and targeting it for our customers
- offering, targeting and developing marketing communications (for example, market surveys)
- statistical purposes
- ensuring safety (camera surveillance and deviation reports).
We collect and process your personal data according to the legislation which is valid at any given time and our legitimate interests.
Personal data are mainly collected directly from you via telephone, email or electronic/printable forms to administer the customer relationship. In customer service situations, the communication between you and Kämp Collection Hotels, such as emails, can be stored for the purpose of developing customer service and verifying its contents. Personal data are collected and updated also from the following registers: registers of product and service suppliers for Kämp Collection Hotels and its affiliates, the population register, Data & Marketing Association of Finland’s preference lists and other such registers.
The purpose of the processing defines what data we collect in each situation and for which purpose. We process the personal data mentioned below only on legal grounds for the purposes referred to:
Accommodation, meeting and restaurant services
- Based on the contract and its fulfillment between the customer and the controller, we process the following data: contact details (first and last name, address, ZIP code, city, country, email address, telephone number) and payment details (credit card number, name on the credit card, the expiration month and year of the card).
- Based on the customer’s consent, we can also process the following data:
- When booking restaurant and meeting services, we collect the customer’s contact and payment details as well as the possible allergy information.
- Some of our hotels offer a sleep clinic service that processes data based on consent.
- When a customer provides us with their business card, the data can be added to Kämp Collection Hotels’ customer register.
- Based on the controller’s legitimate interest*, as accommodation services are offered, we collect the customer’s data on gender, title and nationality as well as the possible loyal customer number and VIP status. The title and gender data can be used when greeting and addressing the customer. The customer’s flight number, airline, arrival and departure times can also be collected from the customer and open details may be added to the customer profile.
- Processing passenger cards is based on the controller’s legal obligation.
- The processed data: the customer’s name, personal identity code or birthdate, nationality, the names of the spouse and underage children accompanying the traveler, Finnish personal identity codes (or, if they are not available, birthdates), address, country of entry to Finland, number of travel document and arrival and departure dates. Moreover, the purpose of traveling can be documented (such as leisure, work or other reason).
- We process the following data based on the contract and its fulfillment between the customer and the controller: the customer’s contact details (first and last name, address, ZIP code, city, country, email address, telephone number).
- Based on consent, in addition to the contact details, we process data on the health status of the customer, such as data on allergies, medical conditions and other disabilities affecting the production of service.
Marketing and advertising
- We process, for example, the customer’s email address to deliver a newsletter to the customer (electronic direct marketing), whereupon the processing is based on consent from the customer.
- Marketing and advertising is also based on the controller’s legitimate interest* (for example, in B2B business and compiling guest lists for events).
- Targeted marketing:
- Kämp Collection Hotels carries out the profiling of its customers in the context of targeted marketing, so that you may be offered services that are interesting to you based on your previous buying behavior or the data stored in your customer register. Profiling is based on a consent given by you and you have the right to withdraw it at any time. If you have any questions on profiling, do not hesitate to contact us at: firstname.lastname@example.org.
- The customer’s email address, name, domicile, possible interests and earlier buying behavior are used to target marketing. Based on previous buying behavior, we can offer, for example, anniversary offers to customers who have previously reserved a wedding package.
Data collected by the website
- As you browse our website, we will obtain data, such as your IP address. We use IP addresses to analyze the use of our website tor, for example, solve server problems, manage the website and track the users’ activity for statistical purposes.
- The hotels owned by Kämp Collection Hotels have recording surveillance cameras, the use of which is based on the controller’s legitimate interest*. The purpose of surveillance cameras is to ensure the judicial protection and safety of the employees of Kämp Collection Hotels and its affiliates, to protect the data and property of the employer, the employees and the customers as well as prevention and investigation of crimes. Data can also be used to substantiate the grounds for the termination of an employment relationship as referred to in §17 subsection 2(1-3) in the Finnish Act on the Protection of Privacy in Working Life (759/2004), to solve and substantiate harassment or molestation referred to in the Finnish Act on Equality between Women and Men (609/1986) or harassment and inappropriate treatment referred to in the Finnish Occupational Safety and Health Act (738/2002), and to solve occupational accidents or other events causing hazards or risks as referred to in the Finnish Occupational Safety and Health Act (738/2002).
- The surveillance camera register includes pictures that are formed from the area under surveillance by the cameras in the surveillance camera system of the hotels owned by Kämp Collection Hotels.
*Legitimate interest means processing that is essential for the controller’s activity and that the customer can reasonably expect to be a part of the controller’s activities. The controller must often process personal data to be able to perform the tasks related to its business. The processing of personal data may, in this instance, not necessarily be justified with a legal obligation or contract. The processing of personal data may, however, be justified based on ‘legitimate interest’. In this case, the processing of personal data based on legitimate interest must always be evaluated beforehand so that the activity based on legitimate interest does not cause serious adverse effects for the rights and freedoms of data subjects.
2. Sensitive data
Special categories of personal data, so-called ‘sensitive data’, mean the personal data that reveal one’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data or data concerning the health status, sex life or sexual orientation of a natural person.
The processing of sensitive data is allowed only if the processing is necessary to fulfil our legal obligations or with your explicit authorization. Kämp Collection Hotels processes its customers’ sensitive data in the specific circumstances described below.
Spa services: To be able to offer spa services in a safe manner, we need data on the health status of our customers. In conjunction with the spa services, the health data that directly influence the production of the service will be collected during the implementation of the service. Processing the spa service customer’s health status data is based on the customer’s consent.
Sleep monitoring: Some of our hotels offer their customers sleep monitoring services, where a monitor will be placed under the customer’s mattress to monitor the customer’s movements during the night and to evaluate sleep quality. The sleep monitoring service is produced by an external service provider. With the customer’s consent, the services of an external personal trainer can be combined to the service. The processing of the sleep monitoring data is based on the customer’s consent
Deviation reports: The deviation report system may process the customer’s health status data in conjunction with deviation reports, for example when processing seizure reports. The personal data in the deviation report system’s seizure reports are processed based on the controller’s general interest, to protect the company’s and employees’ legal protection and to establish or defend against a legal claim.
Other processing of health status data: Indirect health status data may accumulate when the customer notifies of their physical disabilities or reserves an accessible room or in conjunction with a recuperative stay after an operation (for example, surgery) carried out on a health care service provider’s premises. The processing of data is based on the customer’s consent.
When processing biometric passports, biometric data meant for the identification of an individual may be accumulated. The processing is based on the controller’s legal obligation.
Trade union membership:
Trade union members can reserve a room for a member’s price. The processing is based on the customer’s consent.
Credit card information
Based on the legislation, credit card information is not sensitive data, but the misuse of credit card information causes risks for the customers and demands, therefore, particularly careful processing. Kämp Collection Hotels considers the sensitivity of these data with special measures and processes credit card information with the same care as sensitive data. The processing of credit card and other payment information is based on a contract and its fulfillment between the customer and controller.
Kämp Collection Hotels is committed to processing your personal data in a confidential manner and we do not disclose your personal data to third parties except in the following circumstances:
- Within the group: Your data may be transmitted between the Kämp Collection Hotels’ affiliates to administer your customership and to improve your customer experience. We may also transmit your data if it is necessary due to our legitimate interest, for example to ensure safety or investigate and prevent misconduct based on the customer’s previous unwanted behavior.
- Authorities: Due to its legal obligation, Kämp Collection Hotels discloses the passenger card data of those other than Finnish customers to the police authorities. Furthermore, we may have to disclose some data to the authorities or administrators of law when there is some other prerequisite for it in the legislation. We only do this based on a valid decree from the court or on the authorities’ orders or summons.
- Collaboration partners: Based on our legitimate interest, we disclose data on your name, email address and domicile to the alliance that Kämp Collection Hotels’ affiliates are a part of. Based on your email address and domicile, we can send you targeted marketing if you have not refused electronic direct marketing. You can withdraw your consent for direct marketing at any time. Your name and contact details will also be disclosed for our collaboration partner hotels’ marketing purposes.
We also use subcontractors and service providers to process the data we have collected (for example, for technical maintenance or the execution of campaigns and direct marketing). They have the right to process your data only to the extent required for the services agreed upon. This means that they cannot use your data for their own purposes. We oblige them with contracts to ensure an adequate level of data protection and the legitimacy of the processing.
The data we have collected are stored and processed partly outside the European Economic Area when, for example, the service provider we use is located or stores data outside the European Economic Area. Your data are transferred to collaboration hotels in the same alliance with Kämp Collection Hotels also to servers in the United States and Australia, and to protect personal data, we use standard clauses established by the European Commission. The service providers we use have committed by contracts to ensure that an adequate level of data protection is applied in all processing of your personal data.
We have adequate technical and organizational data protection measures to protect your personal data from loss, abuse, or other unlawful access. These kinds of measures are, for example, firewalls, encryption techniques and the use of safe equipment premises.
Access to your personal data has also been restricted internally by access control and admission and monitoring of user IDs. Your personal data are processed by only those employees who have the right to do so based on their work tasks.
You have the right to control what data we have collected on you and to affect how we use such data. It is up to you to decide if you want to receive direct marketing and, in some instances, you have the right to be forgotten or to request to have your data transmitted to another controller. In this section, we explain what rights you have based on the applicable legislation and how you can exercise your rights:
- Right to withdraw consent
When the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. You can, for example, withdraw your consent to direct marketing.
- Right to control and rectification
You have the right to control what data we have collected on you or to obtain confirmation that we do not have any personal data on you in our register. If your data are inaccurate or incomplete, you can send us a request for rectification or completion.
- Restriction or objection of processing
If your data are inaccurate in some part, you have the right to demand the temporary restriction of processing until we have confirmed the correctness of the data. Whenever the processing of your data is based on the controller’s legitimate interest, you have the right to object to the processing of your data. This means that we are no longer allowed to process your personal data, unless we can reasonably demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the data subject. In addition, if we need the data to establish, exercise or defense legal claims, we are allowed to continue processing the personal data.
- Right to refuse direct marketing
Moreover, you can refuse direct marketing at any time (including profiling for direct marketing purposes).
- Right to be forgotten
In specific instances, you have the right to be forgotten, which means we will erase all personal data concerning you, if the personal data are no longer necessary for the purposes they were originally collected for (for example, to investigate and prevent misconduct based on the customer’s previous unwanted behavior). We will also erase the data if the processing has been based on consent and you withdraw your consent, or if you object to the processing of your personal data, unless there is another basis for the processing. Please note that we may have legal obligations to store your personal data, such as the Act on Accommodation and Food Service Operations that obliges us to store the data on your passenger card for a certain period of time.
- Right to transmit data from one system to another
You may request the transmission of your personal data, whereby we will provide you with your personal data in a machine-readable format so that you may store it yourself or transmit them to another controller (for example, another service provider). If technically possible, we will transmit your data directly to another controller at your request. This is only possible in situations where we process your personal data based on your consent or a contract, and applies only to data you have supplied to us yourself.
- Right to lodge a complaint
In addition to the rights mentioned hereinabove, you have the right to lodge a complaint on the processing of your personal data to supervisory authorities.
How can I request access to my personal data?
You can request access to your personal data with a separate form on our website where you define in more detail which data you want to access (kampcollectionhotels.com/incy).
We store your personal data for the duration that is necessary for the purpose of the processing, as long as the law requires us to store such data or until we receive a request for erasure. The storage period of the data starts when we receive the data.
We store your data for as long as it is necessary to fulfil the purposes as defined in section 1, always within the limits of the applicable law. After this, the data will be erased or made unidentifiable by changing the data irreversibly so that no individual is identifiable.
|Processed personal data/category of personal data||Storage period|
|Data in the customer management system||– 36 months after the last contact with the customer if they have not subscribed to a newsletter
– corporate customers’ invoicing details for 36 months after the last contact with the customer
|Customer service chat||6 months|
|Marketing communications register||Data are stored for as long as the customer’s consent for marketing is in force.|
|Data in the hotel operations registers||18 months|
|Data in the electronic booking system||12 months after the last activity|
|Personal data concerning invitations of bids||36 months|
|Credit card information||14 days|
|Customer profiles in the ERP (enterprise resource planning)||Unfinished profiles 30 days, inactive profiles 1 year.|
|Passenger cards on paper||12 months|
|Surveillance camera tapes||30 days|
|Deviation reports||5 years|
Kämp Collection Hotels, together with its affiliates, specified below, is the controller of your personal data (“joint controller”). Joint controllers are jointly responsible for the processing of your personal data.
Kämp Collection Hotels Oy
Erottajankatu 4 C
00120 Helsinki, Finland
The joint controllers are:
- GLO Hotellit Oy (2076976-5)
- Kämp Oy (1446572-2)
- Kämp Wellness & Health Oy (2057306-8)
- Lifestyle Hotels Finland Oy (1888783-4)
- Oy Union Hotels Ab (2159675-5)
- George Oy (2698390-6)