DATA PROTECTION AND PRIVACY POLICY

DATA PROTECTION REGISTER AND PRIVACY POLICY

NAME OF THE REGISTER

Hotel Citi Inn customer register


1. CONTROLLER OF THE REGISTER

A. Tunneli Oy
Hotel Citi Inn
Hatanpään Puistokuja 36
33900 Tampere
+358106662114
info@citiinn.fi
2449773-6


2. CONTACT INFORMATION ON REGISTER MATTERS

Hotel Citi Inn
info@citiinn.fi


3. NAME OF THE REGISTER

Hotel Citi Inn customer register


4. PURPOSE OF HANDLING PERSONAL DATA

The legal bases for processing personal data are the following criteria in the EU general Privacy Regulation (hereafter referred to as "GDPR"):
- theconsent of the person
- the contract where the registered party is a party
- the legitimate interest of the controller of the register

The purpose of processing personal data is to communicate with customers, maintain customer relations, marketing etc.

Information is not used for automated decision making or profiling.

The aforementioned register controller's legitimate interest is based on a meaningful and proper relationship between the registered person and the controller as a result of the fact that the data subject is a registrar's customer and when the processing takes place for purposes that the data subject could reasonably have expected when the personal data was collected at the time and in the appropriate relationship.

Personal data is handled for purposes related to the customer relationship management, management and development of customer relationships, the provision and delivery of services, and the development and billing of services. Personal data are also processed for the purpose of solving any claims and other demands. In addition, personal data will be processed for customer-oriented communications such as announcements and news coverage and marketing within the limits set by the law. Disclosure of information to partners only takes place for those purposes that support the logic of the register.
Information is not used for automated decision making or profiling. Hotel Citi Inn does not collect unnecessary information about its customers and acknowledges their responsibility to protect the privacy of their customers and affiliates.


5. DATA CONTENT OF THE REGISTER

Hotel Citi Inn collects only the necessary information about its customers. The information to be stored in the register is:

- Contact person (s)
- Company / Organization
- Address
- Telephone
- Email address
- Billing information
- Reservation history
- Information provided through partners


6. DATA SOURCES ACCORDING TO THE RULES / REGULAR DATA SOURCES

Information to be stored in the register can be obtained from the customer through messages sent through the booking form via email, telephone, contract and online reservation


7. SURRENDERING THE DATA OF INFORMATION AND TRANSFER OF INFORMATION TO THE EU OR OUTSIDE THE EEA

Information will not be disclosed to other parties on a regular basis. The register may be disclosed to statutory authorities according to the law in force at the time. At the sole discretion of the controller, the data may be disclosed within the limits permitted and mandated by the current legislation.

Data will not be transmitted outside the EU or EEA territory unless the implementation of the service so requires. If the data is transferred, Hotel Citi Inn will ensure that the necessary level of security is always maintained in accordance with current legislation.

Due to technical implementation of data processing, data can be transferred or collected directly to the contractor's contract partners (such as providers of supply, payment and fraud prevention services and credit reporting companies). In that case, the obligations relating to the processing of data are organized through agreements between the parties.


8. PRINCIPLES OF PROTECTION OF THE REGISTER

Careful handling of the registry is ensured and data processed by the information systems is adequately protected. When keeping records on Internet servers, the physical and digital security of their hardware is handled appropriately. The controller shall ensure that stored data, server access privileges and other critical data related to the security of personal data are processed confidentially and only by employees whose job description they belong to.


Hotel Citi Inn has limited access and authority to information systems and other storage media so that information can only be accessed and processed by persons who are legally required to process them. Hotel Citi Inn employees and other persons are committed to observe confidentiality and keep the information they receive in connection with processing personal data.


9. AUDIT RIGHT AND RIGHT TO FIX THE INFORMATION

Everyone in the registery has the right to check his / her data stored in the register and to demand that any incorrect information be corrected or incomplete information supplemented. If a person wishes to check or request correction of his / her record, the request should be sent in writing to the registrar. The controller may, if necessary, request the applicant to prove his identity. The controller is responsible for the customer within the time limit set in the EU Data Protection Regulation (usually within one month).


10. OTHER RIGHTS CONCERNING HANDLING OF PERSONAL DATA

The registered customer has the following rights under the EU's general data protection regulation:
the right to obtain from the controller a confirmation that personal data relating to him or her are not processed and, where these personal data are processed, access to personal data and the following information: (i) the purpose of the processing; (ii) the personal data groups concerned; (iii) the recipients or recipient groups to whom personal data have been or are to be disclosed; (iv) as far as possible, the planned retention period for personal data or, if this is not possible, the criteria for determining this period; (v) the right of the data subject to request the controller to rectify or remove personal data relating to himself or to limit or refuse to process such processing; (vi) the right to appeal to the supervisory authority; (vii) where no personal data is collected from the data subject, all information available on the origin of the data (GDPR 15 art.). These basic information (i) - (vii) will be provided to the data subject by a form;
the right to withdraw consent at any time, without prejudice to consent, prior to its revocation of the lawfulness of the processing (GDPR Art. 7);
the right to require the controller to correct, without undue delay, inaccurate and incorrect personal data relating to the data subject, and the right to have incomplete personal data supplemented, inter alia, by providing further explanation in the light of the purposes for which the data were processed (GDPR Art.16);
he right to have the data controller removed personal data relating to the data subject without undue delay, provided (i) that personal data is no longer needed for the purposes for which they were collected or for which they were otherwise processed; (ii) the registered withdrawal of the consent on which the processing is based and no other legitimate reason for processing; (iii) a registered opposition to processing on a basis specific to his or her personal situation; there is no legitimate reason for processing or a refusal to object to processing for direct marketing purposes; (iv) personal data have been processed unlawfully; or (v) the personal data must be removed to comply with Union law or a statutory obligation under the national legislation for the controller (GDPR Art. 17);

the right of a controller to restrict processing if (i) the registrar disputes the accuracy of personal data, limiting the processing to a period during which the controller can verify their accuracy; (ii) the processing is unlawful and the data subject is opposed to the removal of personal data and, instead, limits their use; (iii) the controller no longer needs the personal data for purposes of processing but is required by the data subject to prepare, present or defend the legal claim; or (iv) the data subject has objected to the processing of personal data on a basis specific to his / her personal situation, pending verification of whether the legitimate grounds of the controller are excluded from the Registered Criteria (GDPR 18 art.); the right to have personal data relating to him / her that the data subject has filed with the controller, in a structured, commonly used and machine-readable form, and the right to transfer such data to another controller without the controller to whom the personal data have been provided if the processing is based on the consent of the Regulation and processed automatically (GDPR 20 art.);

the right to file a complaint with the supervisory authority if the registrar considers that the processing of personal data relating to him violates the EU's general data protection regulation (GDPR 77 art.).
Requests for the implementation of the registered rights are addressed to the controller's correspondent mentioned in section 2 in writing. The request will be answered within the time limit set by the EU Data Protection Regulation (usually within one month). Hotel Citi Inn may, if necessary, request the applicant to prove his identity.