Domestic tour operators club
Domestic tour operators club of the travel and hospitality industry
PRIVACY POLICY (as of 25 May 2018)
Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)
1. Controller
SOK Corporation
Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID: 0116323-1
2. Contact details of data protection officer
tietosuojavastaava@sok.fi
3. Contact details of officer in charge of register matters
tietosuoja.mara@sok.fi
4. Name of the register
Domestic tour operators club of the Travel and Hospitality Industry
5. Purpose of personal data processing
Personal data is collected and processed within the framework of the register for the following purposes:
- the maintenance of the Domestic tour operators club membership register
- the identification of a contact person belonging in the Domestic tour operators club
- customer communication related to the membership, contacting customers
- marketing communications
- communicating any interruptions or disturbances
6. Grounds for personal data processing
The personal data processing is based on the controller's legitimate interest.
7. Description of controller's legitimate interests
The legitimate interest is driven by the tour operator's needs and desire; the tour operator wants to be part of the Domestic tour operators club to receive the benefits offered to member companies.
The personal data is needed for communication with the tour operator. To receive information about the benefits offered, the tour operator must provide the contact details of their contact person. Without these details, we cannot inform the tour operator of benefits worth money.
8. The personal data processed
With respect to the tour operator's contact person (persons): last name, first names, phone number, email address and marketing opt-in.
9. The categories of personal data processed
Contact details, marketing opt-in or opt-out.
10. Information source and description of information sources, if the data has been collected from public sources
The data collected is received directly from the data subject.
11. Recipients of personal data
The personal data is processed in digital systems and services for the purposes specified in this Privacy Policy. We use external service providers in the production of system and support services. Personal data can be transferred to said service providers insofar as the service providers in question participate in the implementation of measures within the framework of the relevant assignment.
We ensure the adequate level of our partners' personal data protection in the manner required by legislation.
We disclose data to the authorities within the limits permitted and required by valid legislation when responding to authorities' requests for information.
12. Transfer of personal data to third countries or international organisations, and the safeguards employed
We do not transfer personal data to third countries, outside the European Union or the European Economic Area or to international organisations.
13. Storage period of personal data or criteria for determining the storage period
Any personal data related to membership in the Domestic tour operators club is stored for the duration of the membership. The data can be erased if the data subject so wishes.
14. The rights of the data subject
Data subjects have the right to check the data concerning them and to rectify it by filling in the information request form available at S Group's customer service points, where the identity of the person making the request is verified. Changes to a tour operator's Domestic tour operators club membership, for example, can also be effected by sending a message to leisure@sok.fi, which takes care of club-related matters.
The data subject may exercise their right to object to commercial communications by sending an email to leisure@sok.fi.
The data subject has the right to have data concerning them erased and to change for instance the tour operator's contact details by sending a message to leisure@sok.fi.
15. Withdrawing consent
Any withdrawal of a consent to direct digital marketing communications should be sent to leisure@sok.fi.
16. Impact of failure to provide personal data on contracts
Membership in the Domestic tour operators club requires the specification and details of the tour operator's contact person; without this information, we cannot create an account for the company in the Domestic tour operators club.
17. The meaningful information of automated decision-making or profiling
Profiling is used to target marketing communications in such a way that the message is sent to the email address indicated by the tour operator's contact person, provided that the person has opted to receive said marketing.
Profiling does not have a legal effect on the data subject.
18. Impact of personal data processing and general description of the technical and organisational security measures
We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.
At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.
If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the identity will be stolen or that the personal data will be otherwise misused. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.