Privacy Policy

This is a Register and Privacy Policy prepared in accordance with Sections 10 and 24 of the Finnish Personal Data Act and the EU General Data Protection Regulation (GDPR).
Prepared on May 20, 2018. Last updated on March 28, 2025.

  1. Data Controller : Saimaan Eräpalvelu Oravi Oy, Kiramontie 27, 58130 Oravi
  2. Contact Person: M. Fant, oravi@saimaaholiday.net, 044 274 7078
  3. Name of the Register : SaimaaHoliday Oravin customer register

Purpose of Processing Personal Data

The purpose of processing personal data is to maintain contact with customers, manage customer relationships, and conduct marketing. The data is not used for automated decision-making or profiling.

Legal Basis and Grounds Derived from Legislation and Regulations

The processing is based on applicable laws and regulations:

  • Nationality (Regulation EU 692/2011)
  • Purchase data or parts thereof for accounting purposes (Act 1336/1997)
  • To protect the data subject

Categories of Personal Data Processed

  • Customer information related to reservations, such as name and contact details
  • Language codes, information about travel companions or event participants (passenger card)
  • Billing or other payment and payment method information
  • Pricing basis, such as information about corporate customer status or other factors affecting pricing
  • Purchase information and details of reserved or used services, booking channel
  • The level of service booked, such as room type, and other details regarding requested services
  • Correspondence
  • Marketing communications

Purpose of Processing and Use of the Register

Personal data will be processed solely for the following predefined purposes:

  • Processing of accommodation, activity service, catering, and venue reservations and delivering services
  • Customer identification
  • Managing customer relationships and improving customer experience
  • Customer communication related to reservations and customer contact
  • Marketing communication
  • Investigating and communicating service disruptions
  • Improving customer service, including service development research
  • Safeguarding the rights of the parties and ensuring the correctness of the service

Content of the Register

The register may contain all or some of the following data:

  • Name, position, company/organization
  • Contact details (phone number, email address, postal address)
  • Information about ordered services and their changes
  • Billing information
  • Other information related to the customer relationship and ordered services

We retain collected personal data only as long as it is necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

Regular Sources of Data

Data stored in the register is obtained:

  • Directly from the customer when the customer relationship is established
  • Directly from the customer via online forms

Regular Data Disclosures and Transfers Outside the EU or EEA

We do not sell your personal data and only disclose data as described in this Privacy Policy. All data disclosures comply with current data protection legislation. Your personal data will not be transferred outside the European Union (EU) or the European Economic Area (EEA).

We may disclose your data internally to persons responsible for customer relationships, sales, and marketing. We may transfer your data to service providers who provide us with services such as data processing, IT services, campaign, competition and sweepstake services, as well as opinion and market research services. We do not allow such service providers to use or disclose your personal data for any purpose other than providing services on our behalf.

In the event that we decide, for strategic or other business reasons, to sell or transfer all or part of our business, we may transfer the data we have collected, including customer data containing personal information, to any party involved in the sale or transfer.

We process personal data together with our partners and service providers, who are committed to complying with the requirements of the General Data Protection Regulation (GDPR).

Principles of Register Protection

We process data carefully, and data processed via information systems is appropriately protected. When register data is stored on Internet servers, the physical and digital security of the hardware is properly maintained. The data controller ensures that stored information, server access rights, and other information critical to personal data security are treated confidentially and are only processed by employees whose duties include it. Register access is restricted to designated persons responsible for system and customer relationship management. Register data is protected against external access, and the use of the register is monitored.

Right of Access and Right to Rectification

Every person in the register has the right to review their stored data and to request the correction of inaccurate or incomplete information. If a person wishes to review their data or request corrections, the request must be sent in writing to the data controller. The data controller may, if necessary, ask the requester to prove their identity. The data controller will respond within the timeframe stipulated by the EU General Data Protection Regulation (usually within one month).

Right to Object to Direct Marketing

The data subject has the right to prohibit the use of their personal data for direct marketing purposes.

Right to Erasure (“Right to be Forgotten”)

The data subject has the right to request the deletion of their personal data from the register. Additionally, data subjects have other rights under the GDPR, such as restricting the processing of personal data in certain situations.

It should be noted that the data controller may have a legal or other right not to delete the requested information. The data controller is obliged to retain accounting records for the period specified in the Accounting Act (Chapter 2, Section 10) (10 years). Therefore, accounting-related data cannot be deleted before the expiration of this period.

Withdrawal of Consent

If the processing of personal data is based solely on consent and not, for example, on customer or membership status, the data subject may withdraw their consent.

Right to Lodge a Complaint

The data subject may lodge a complaint with the Data Protection Ombudsman if they consider that the processing of their personal data violates applicable data protection legislation.

Contact information for the Data Protection Ombudsman:
www.tietosuoja.fi/en

Changes to This Privacy Policy

We may update this Privacy Policy and our data protection practices from time to time. If the changes are significant, we will notify it on our website.