Privacy policy

PRIVACY NOTICE 

PRIVACY NOTICE CONCERNING THE GUEST REGISTER
In accordance with Sections 10 and 24 of the Finnish Personal Data Act and Section 7 of the Act on Accommodation and Catering Operations.
Date of drafting: 21 April 2025 

Data Controller 

Company:
Basecamp and Adventure Oy (Business ID: 2953180-9)
Contact person for matters related to the register and the exercise of data subject rights:
Margit Eskonen
margit[at]cahkalhotel.fi 

Name of the Register 

“Customer Register of Basecamp and Adventure Oy” 

Purpose of Personal Data Processing 

The processing of personal data in the customer register is based on the customer relationship. 

Legal Basis for Processing Personal Data 

Processing of personal data is based on the customer relationship between private and corporate customers and Basecamp and Adventure Oy. Therefore, data processing is based on a legitimate interest.

The controller also processes customer data based on a contract between the controller and the data subject. This applies to personal data collected in connection with room, table, or activity bookings or for the invoicing of such services.

When processing is based on a legitimate interest or contract, no separate consent is required from the data subject. 

Processed Personal Data 

The controller processes the following personal data of customers:
– First and last name, date of birth, personal ID-number, phone number, address, email address
– Nationality
– Passport number for non-Nordic citizens
– Reservation and equipment details
– Payment method, billing details, and any payment delays
– Information on whether the customer has objected to direct marketing
– Information on whether the customer has consented to electronic direct marketing
– Details on service usage or purchases
– Customer preferences and requests (e.g. special accommodation requirements)
– Possible dietary restrictions
– Possible customer feedback

For corporate customers, the following personal data may also be processed:
– Name, email address, and phone number of the corporate customer’s contact person
– Information on marketing prohibitions reported by the contact person and required by current legislation
– Possible customer feedback 

Purposes of Personal Data Processing 

Customer data in the register is used for:
– Processing and managing reservations
– Sales and provision of services
– Payments, invoicing, tracking, and possible collection actions
– Management and development of customer relationships
– Customer communication
– Marketing of the controller’s services
– Dietary information is used only for food preparation and service 

Recipients or Categories of Recipients of Personal Data 

Data may be disclosed to authorities upon lawful request.
Data may also be disclosed to third parties – subcontractors or partners providing services. 

Transfer of Data Outside the EU or EEA 

Data is not transferred outside the EU or EEA. 

Principles of Register Protection 

The secure processing of your personal data is important to us. The register is handled carefully, and data processed via information systems is properly protected. When register data is stored on Internet servers, appropriate physical and digital security measures are taken. The data controller ensures that stored data, server access rights, and other critical information related to personal data security are treated confidentially and only by employees whose duties include such processing. 

Retention Period of Personal Data 

Collected personal data is stored as long as it is necessary for fulfilling the purposes of the processing. When the data is no longer needed, it will be anonymized or deleted. 

Rights of the Data Subject 

Each individual in the register has the right to request access to their personal data from the controller, as well as the right to request the rectification or deletion of such data, restriction or objection to processing, and the right to data portability. Requests must be sent in writing to the data controller. The controller may request identity verification if necessary. The controller will respond within the time limits set by the EU General Data Protection Regulation (typically within one month).

The data subject also has the right to withdraw any consent for direct marketing at any time and to file a complaint with the supervisory authority.