Updated May 18, 2018
Personal data means any information relating to an identified or identifiable natural person. For example, name, personal identity code, location data, online identifier, address or accommodation data.
Sensitive data means personal data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data or data concerning one’s health, sex life or sexual orientation.
“Processing of personal data”
Processing of personal data means any operation which is performed on personal data by automated means or manually.
Processing of personal data is, for example, collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
An identified or identifiable natural person that the processed personal data relates to. For example, a jobseeker or a customer.
A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Where two or more controllers jointly determine the purposes and means of processing (why and how personal data are processed), they shall be joint controllers. They shall in determine their respective responsibilities a transparent manner for ensuring compliance with the obligations in the legislation.
We collect and process personal data only as far as it is necessary for the business of Kämp Collection Hotels and its affiliates in the same group for the following purposes:
We collect and process your personal data according to the legislation which is valid at any given time and our legitimate interests.
Personal data are mainly collected directly from you via telephone, email or electronic/printable forms to administer the customer relationship. In customer service situations, the communication between you and Kämp Collection Hotels, such as emails, can be stored for the purpose of developing customer service and verifying its contents. Personal data are collected and updated also from the following registers: registers of product and service suppliers for Kämp Collection Hotels and its affiliates, the population register, Data & Marketing Association of Finland’s preference lists and other such registers.
The purpose of the processing defines what data we collect in each situation and for which purpose. We process the personal data mentioned below only on legal grounds for the purposes referred to
Accommodation, meeting and restaurant services
Marketing and advertising
Data collected by the website
*Legitimate interest means processing that is essential for the controller’s activity and that the customer can reasonably expect to be a part of the controller’s activities. The controller must often process personal data to be able to perform the tasks related to its business. The processing of personal data may, in this instance, not necessarily be justified with a legal obligation or contract. The processing of personal data may, however, be justified based on ‘legitimate interest’. In this case, the processing of personal data based on legitimate interest must always be evaluated beforehand so that the activity based on legitimate interest does not cause serious adverse effects for the rights and freedoms of data subjects.
Special categories of personal data, so-called ‘sensitive data’, mean the personal data that reveal one’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, genetic and biometric data or data concerning the health status, sex life or sexual orientation of a natural person.
The processing of sensitive data is allowed only if the processing is necessary to fulfil our legal obligations or with your explicit authorization. Kämp Collection Hotels processes its customers’ sensitive data in the specific circumstances described below.
Spa services: To be able to offer spa services in a safe manner, we need data on the health status of our customers. In conjunction with the spa services, the health data that directly influence the production of the service will be collected during the implementation of the service. Processing the spa service customer’s health status data is based on the customer’s consent.
Sleep monitoring: Some of our hotels offer their customers sleep monitoring services, where a monitor will be placed under the customer’s mattress to monitor the customer’s movements during the night and to evaluate sleep quality. The sleep monitoring service is produced by an external service provider. With the customer’s consent, the services of an external personal trainer can be combined to the service. The processing of the sleep monitoring data is based on the customer’s consent.
Deviation reports: The deviation report system may process the customer’s health status data in conjunction with deviation reports, for example when processing seizure reports. The personal data in the deviation report system’s seizure reports are processed based on the controller’s general interest, to protect the company’s and employees’ legal protection and to establish or defend against a legal claim.
Other processing of health status data: Indirect health status data may accumulate when the customer notifies of their physical disabilities or reserves an accessible room or in conjunction with a recuperative stay after an operation (for example, surgery) carried out on a health care service provider’s premises. The processing of data is based on the customer’s consent.
When processing biometric passports, biometric data meant for the identification of an individual may be accumulated. The processing is based on the controller’s legal obligation.
Trade union members can reserve a room for a member’s price. The processing is based on the customer’s consent.
Based on the legislation, credit card information is not sensitive data, but the misuse of credit card information causes risks for the customers and demands, therefore, particularly careful processing. Kämp Collection Hotels considers the sensitivity of these data with special measures and processes credit card information with the same care as sensitive data. The processing of credit card and other payment information is based on a contract and its fulfillment between the customer and controller.
Kämp Collection Hotels is committed to processing your personal data in a confidential manner and we do not disclose your personal data to third parties except in the following circumstances:
We also use subcontractors and service providers to process the data we have collected (for example, for technical maintenance or the execution of campaigns and direct marketing). They have the right to process your data only to the extent required for the services agreed upon. This means that they cannot use your data for their own purposes. We oblige them with contracts to ensure an adequate level of data protection and the legitimacy of the processing.
The data we have collected are stored and processed partly outside the European Economic Area when, for example, the service provider we use is located or stores data outside the European Economic Area. Your data are transferred to collaboration hotels in the same alliance with Kämp Collection Hotels also to servers in the United States and Australia, and to protect personal data, we use standard clauses established by the European Commission. The service providers we use have committed by contracts to ensure that an adequate level of data protection is applied in all processing of your personal data.
We have adequate technical and organizational data protection measures to protect your personal data from loss, abuse, or other unlawful access. These kinds of measures are, for example, firewalls, encryption techniques and the use of safe equipment premises.
Access to your personal data has also been restricted internally by access control and admission and monitoring of user IDs. Your personal data are processed by only those employees who have the right to do so based on their work tasks.
You have the right to control what data we have collected on you and to affect how we use such data. It is up to you to decide if you want to receive direct marketing and, in some instances, you have the right to be forgotten or to request to have your data transmitted to another controller. In this section, we explain what rights you have based on the applicable legislation and how you can exercise your rights:
When the processing of personal data is based on your consent, you have the right to withdraw your consent at any time. You can, for example, withdraw your consent to direct marketing.
You have the right to control what data we have collected on you or to obtain confirmation that we do not have any personal data on you in our register. If your data are inaccurate or incomplete, you can send us a request for rectification or completion.
If your data are inaccurate in some part, you have the right to demand the temporary restriction of processing until we have confirmed the correctness of the data. Whenever the processing of your data is based on the controller’s legitimate interest, you have the right to object to the processing of your data. This means that we are no longer allowed to process your personal data, unless we can reasonably demonstrate compelling legitimate grounds which override the interests, rights and freedoms of the data subject. In addition, if we need the data to establish, exercise or defense legal claims, we are allowed to continue processing the personal data.
Moreover, you can refuse direct marketing at any time (including profiling for direct marketing purposes).
In specific instances, you have the right to be forgotten, which means we will erase all personal data concerning you, if the personal data are no longer necessary for the purposes they were originally collected for (for example, to investigate and prevent misconduct based on the customer’s previous unwanted behavior). We will also erase the data if the processing has been based on consent and you withdraw your consent, or if you object to the processing of your personal data, unless there is another basis for the processing. Please note that we may have legal obligations to store your personal data, such as the Act on Accommodation and Food Service Operations that obliges us to store the data on your passenger card for a certain period of time.
You may request the transmission of your personal data, whereby we will provide you with your personal data in a machine-readable format so that you may store it yourself or transmit them to another controller (for example, another service provider). If technically possible, we will transmit your data directly to another controller at your request. This is only possible in situations where we process your personal data based on your consent or a contract, and applies only to data you have supplied to us yourself.
In addition to the rights mentioned hereinabove, you have the right to lodge a complaint on the processing of your personal data to supervisory authorities.
How can I request access to my personal data?
You can request access to your personal data with a separate form on our website where you define in more detail which data you want to access (kampcollectionhotels.com/incy).
We store your personal data for the duration that is necessary for the purpose of the processing, as long as the law requires us to store such data or until we receive a request for erasure. The storage period of the data starts when we receive the data.
We store your data for as long as it is necessary to fulfil the purposes as defined in section 1, always within the limits of the applicable law. After this, the data will be erased or made unidentifiable by changing the data irreversibly so that no individual is identifiable.
Processed personal data/category of personal data
Data in the customer management system
- 36 months after the last contact with the customer if they have not subscribed to a newsletter
- corporate customers’ invoicing details for 36 months after the last contact with the customer
Customer service chat
Marketing communications register
Data are stored for as long as the customer’s consent for marketing is in force.
Data in the hotel operations registers
Data in the electronic booking system
12 months after the last activity
Personal data concerning invitations of bids
Credit card information
Customer profiles in the ERP (enterprise resource planning)
Unfinished profiles 30 days, inactive profiles 1 year.
Passenger cards on paper
Surveillance camera tapes
Kämp Collection Hotels, together with its affiliates, specified below, is the controller of your personal data (“joint controller”). Joint controllers are jointly responsible for the processing of your personal data.
Kämp Collection Hotels Oy
Erottajankatu 4 C
00120 Helsinki, Finland
The joint controllers are: