Ehrensvärd Society ry, customer registry

1.Controller

The Ehrensvärd Society ry (Business ID: 0220249-0)
Suomenlinna B 40
FI-00190 Helsinki

2. Persons responsible for the registry

Name: Carita Wilenius-Rantala Postal address: Suomenlinna B 40, FI-00190 Suomenlinna
E-mail: guidebooking@suomenlinnatours.com
Telephone: +358 9 68999850

3. Controller’s contact information

Name: Carita Wilenius-Rantala
Postal address: Suomenlinna B 40, FI-00190 Suomenlinna
E-mail: guidebooking@suomenlinnatours.com
Telephone: +358 9 68999850

4. Collected customer information and data sources

The booking, purchasing and using of the services and products offered by the Ehrensvärd Society and its subsidiary, Suomenlinnan Matkailuexpert Oy, require providing certain personal information. Your personal information may be collected in various ways. We mainly collect and process personal information received primarily;

• From customers themselves during ordering and registration and during the purchasing and using of services via the internet, telephone, by using customer cards, e-mail or other similar ways; during transactions completed at the web shop or at a cashier; when the customer orders our newsletter or contacts us for an offer or an inquiry;
• Generated during the use of the service or while visiting the website, e.g. when you sign in to the service, or by cookies and similar technologies;

We may also obtain information from other sources to the extent allowed by applicable laws, including but not limited to e.g. the Finnish Trade Register, the Finnish Population Information System, the Finnish Business Information System or the address data system of the Finnish postal service Posti.

You do not have to provide us with your personal information, but in this case we may not be able to provide our service for you.

Examples of the personal information categories that we collect and process:

• Basic information such as name, contact information, (e-mail address, street address and telephone number, age) and business language
• Data related to the customer relationship such as data pertaining to the service and/or product and order, payment and payment method data, invoicing data, marketing permissions and bans;
• Customer contacts and associated correspondence and registry entries concerning data subject rights;
• Any personal information generated by the use of our service or collected during the use of our website, e.g. usernames, passwords, identification data, log data concerning the use of the service, data collected by cookies and similar technologies from our website (device identification and type, operating system and application settings); and
• Other information specified on a case-by-case basis on the basis of your consent, such as data needed for the provision of the service, e.g. information concerning allergies and similar.

Cookies

We use cookies and similar technologies on our website. Cookies are small text files that are placed on your device for the collection and recall of useful data, in order to improve the functionality and usability of our website. We may also use cookies and similar technologies for statistical purposes, such as compiling website use statistics in order to understand how the users use the website and how to improve the user experience.

You may prevent the setting of cookies, limit their use or remove them from your browser. Since cookies enable the functionality of our website, limiting their use may affect the usability of the website.

5. Purpose and legal grounds for the processing of personal information

The processing of personal information is typically based e.g. on the data subject’s consent, on the legitimate interest of the controller, or on the fulfilment of such a contract whereto the data subject is a party.

We only collect and process personal information that is necessary for the running of our business operations, for maintaining customer relations and for appropriate commercial purposes.

We will process your personal information for the following purposes, based on applicable data protection legislation:

Providing a service and maintaining customer relations

• We will mainly process your personal information in order to offer and deliver our services and products for you or the company/community you represent. In order to be able to do so, we maintain and care for the customer relationship between you or the company/community you represent and us. In this case, the processing of your personal information is based on an agreement between us and you or the company/community you represent.

For example: When at issue are customers and the data pertaining to users of the webshop up until the performance of the order, the processing and storing of data is necessary in order to fulfil the agreement and to realise the procedures preceding the agreement (e.g. maintenance of customer relations, orders, invoicing, payment control, granting payment time and collecting, customer communications). When at issue are customers after the fulfilment of the agreement and those who have handed over their data for marketing purposes (e.g. participants in contests and newsletter subscribers), the processing is necessary in order to realise the controller’s legitimate interests (e.g. maintenance, development and analysis of customer relations, customer communications, planning of activities and tracking).

Developing services and products, data protection and internal reporting

• We will also process your personal information in order to ensure the data security of our services, products and website, to improve the quality of the service and the website and to develop services and products. We may also compile internal reports on the basis of personal information for use by our management and various operational units for the purpose of proper operational management. We will segment our customers for marketing purposes, based for example on the use of services and/or behaviour on our website. In these cases, the processing of personal information is based on our legitimate interest in ensuring the appropriate data security for our services and website and to obtain sufficient data for the purposes of developing our services and managing our operations.

Compliance with laws

•  We may process your personal information in order to carry out our legal obligations concerning e.g. accounting or in order to comply with legal information requests issued by authorities (e.g. the tax authority).

Customer profiling

• We compile statistics for example on the use of on-site services and while you are visiting the website for customer segmentation in order to facilitate our sales processes and to improve our services and products.

Marketing

• We may contact you with information concerning new service features or for marketing purposes and to sell you other services. This mainly applies to our newsletter subscribers. We may also process your personal information for customer surveys (collecting customer feedback). The processing of personal information is based on our legitimate interest in offering information as a part of our service and in marketing our other services for you. According to law, you are entitled at any time to object to the processing of your personal information for direct marketing purposes (see also section 9).

6. Personal information processors

Your personal information will only be processed by persons specifically authorised for it by the Ehrensvärd Society, in order to carry out their work tasks and for the purposes and on the grounds stated in this notice. Your personal information will only be processed to the extent necessary for the processing.  (See also section 7)

7. Transferring and handing over personal information

• We may transfer your personal information within the group (consisting of the Ehrensvärd Society ry and its subsidiary Suomenlinnan Matkailuexpert Oy) on grounds of legitimate interest, should there be a particular reason to do so.
• We may hand over your personal information in the following cases:
  • to the extent allowed or required by law, e.g. in order to comply with an information request issued by a competent authority or in relation to judicial proceedings;
  • when we are using external service providers for the processing of personal information and in support of such processing. Such situations include e.g. the maintenance and support tasks for IT-systems; using a provider of payment, invoicing and accounting services by the controller’s commission. We will only employ processors of personal information who ensure appropriate security measures and ensure that the processing meets the relevant data protection legislation requirements. At the customer’s request, we will inform the customer of the name and contact information of the service provider processing the personal information, so that the customer may familiarise themselves with the provider’s data protection policies;
  • if we are involved in a merger, reorganisation or the sale of a business or a part of the business;
  • when we believe that a hand-over is necessary in order to safeguard our legitimate interests, to protect the safety of you or anyone else, or to investigate suspected misuses or respond to an authoritative request;
  • by your consent to all parties covered by the consent.

• Your data will not be handed over or transferred outside of the EU, the European Economic Area or such countries where the European Commission has determined that the level of data protection is sufficient, an exception being companies party to the Privacy Shield arrangement between the European Union and the United States. The latter is here represented by the Google Analytics cookies used on our website. The data collected by said cookies is transmitted and stored on Google servers, some of which may be located outside of the EU. Google Inc. is a member of the Privacy Shield system instituted between the European Union and the United States. All data will be transmitted safely and legally within this arrangement and in accordance with the European Commission decision concerning sufficient data protection. The data will be stored for 26 months.

8. Storing personal information

• All personal information will be stored only for as long as is necessary to carry out the purposes specified in this notice.
• Personal information will be primarily stored for the duration of the customer relationship. Personal information may be stored to a relevant extent even after the customer relationship has ended, as allowed or required by applicable law. We may also store your personal information to a necessary extent for example for the purposes of respecting the direct marketing ban issued by you and to develop our services.
• All personal information will be deleted or anonymised when storing them is no longer necessary for the realisation of legal or legitimate party interests or obligations.

9. Your rights

• You have the right to review your personal data. You may at any time also request the rectification, updating or deletion of your personal data. Please note however, that if the controller is obliged or entitled by law to store the data, it may not be deleted.
• You are entitled to object to or limit the processing of your personal data to the extent required by applicable law.
• When processing your personal data on the basis of your consent, you are entitled at any time to withdraw your consent. We will no longer process your personal data in this case, unless there is another legal basis for the processing.
• The data subject is entitled to review their data stored in the registry. A review request must be submitted in writing to the person responsible for the registry or issued in our customer service system.
• You are entitled to receive your data from us in a structured and commonly used format for the purpose of transmitting your data to another controller. This right only applies to such data as are in an electronic format and whose processing is based on your consent or the fulfilment of an agreement.
• You may exercise your rights by submitting a request to us at the address guidebooking@suomenlinnatours.com or by visiting our office.

10. Data security

• We will implement all purposeful measures (including physical, digital and organisational measures) to protect your personal data from loss, destruction, misuse and unauthorised access or transmission. Your personal data will only be processed by persons specifically authorised to do so by the Ehrensvärd Society. (See also section 6)
• Please note, that even purposeful measures may not be able to prevent all possible data security violations. In case of a data security violation, we will notify you of it in accordance with applicable laws.

11. Modifying this notice

• We reserve the right to modify this notice.

12. Contact us

• You may ask us about this notice or the processing of your personal information by contacting us at guidebooking@suomenlinnatours.com or by visiting our office.