Controllers
Hiihtokeskus Iso-Ylläs Oy
Iso-Ylläksentie 44
95980 Ylläsjärvi
Business ID: 0424437-9
Lapland Hotels Oy
Yrjö Kokon tie 4
99300 Muonio
Business ID: 2199747-9
The controllers are hereinafter referred to collectively as “the Ski Resort”.
Data security coordinator
Aija Heikkilä
Iso-Ylläksentie 44
95980 Ylläsjärvi
aija.heikkila@iso-yllas.fi
+358 16 510 3500
Name of the data file
Ylläs ski resort customer data file
Purpose and legal grounds for processing personal data
Personal data is collected for a specific, express and legal purpose, in order to meet the contractual obligations of the customer relationship and produce the related services. The data sources of the data file are the customers and stakeholders. Personal data is collected in accordance with this privacy statement, and it is not used, modified or transferred in ways not specified in this privacy statement under any circumstances.
Personal data is specifically handled for the following purposes:
- Selling tickets
- Organising events
- Arranging skiing lessons
- Website analytics
- Camera surveillance
Data content of the data file
The data file includes the personal data of the Ski Resort’s customers and other data that is needed for managing customer relationships and producing services.
The types of personal data processed in different situations:
Selling tickets
Name, photograph, phone number, e-mail address, personal identity code, language, customer group
Organising events
Name, phone number, e-mail address, date of birth, language, customer group
Arranging skiing lessons
Name, phone number, e-mail address and, in the case of children, age, lesson time, skill level
Website analytics
Anonymised IP address, approximate location, time of visit, duration of visit, source of visit, browser, operating system, clicks and other data on user behaviour on the website
Camera surveillance
Time and place-based imagery on the company’s premises
Regular sources of data
Personal data is collected from the data subjects and from the camera surveillance system. The website analytics are collected with Google Analytics and Hotjar tools.
Cookies
If the user accepts cookies, the website places Google Analytics and Hotjar cookies on the user’s browser for the purpose of identifying the user. If the user refuses cookies, the cookies that identify the user will not be placed.
Regular disclosure of data
The necessary customer data may be disclosed to authorities for legal purposes and to the relevant partners of the Ski Resort. The Ski Resort may disclose the customer’s data to a designated party in individual cases, if the party in question requests the Ski Resort to do so or if the competent authority requires the Ski Resort to disclose specific data from the Ski Resort’s data file on the basis of legislation.
Transfer of data to third countries or international organisations
Website analytics are processed on Google Analytics and Hotjar servers that may be located in third countries.
Right of inspection
The data subjects have the right to inspect their data that has been stored in the data file. They also have the right to receive, after making a specific inspection request, the data that concerns them and is included in the records. The inspection request must be made in writing, signed, addressed to the controller’s contact person and equipped with a copy of the data subject’s identity certificate.
Right to request the removal or rectification of data
The controller must rectify any errors in the content of the data file that are contested by the concerned party. The controller must also inspect the accuracy and validity of the data through its independent actions. The data subject may also request the controller to remove their data from the data file. The data protection manager coordinates the actions.
Other rights related to the processing of personal data
The data subject has the right to request restricting the processing of their personal data. The data subject also has to right to gain access to the personal data they have given to the controller in a structured, generally used and mechanically readable format and the right to transfer the data to another controller. In addition, the data subject has the right to reject the processing of their data, automatic decision-making and profiling.
Removal of data and retention period
The Ski Resort will remove the customer’s data from the data file after the business-related purpose for processing the data ends. Personal data is processed for the duration of the customer relationship and afterwards for as long as necessary for the warranty and liability period.
Personal data is deleted by overwriting after the legal grounds for processing or retaining the data end. However, the data will not be removed if otherwise provided by law, if the competent authority has started a process that requires the ski resort to retain the data or if another party has applied for a protection ruling for the data from a Finnish court.
Approval of the privacy statement
This privacy statement has been approved on a continuous basis and reviewed on 31 May 2018.