HUIPPUPAIKAT OY CUSTOMER DATA FILE
Information document according to the EU’s General Data Protection Regulation about the processing of personal data in the Huippupaikat Oy customer data file

1. Data controller
Huippupaikat Oy, Ilkantie 8, FI-88610 Vuokatti, Finland

2. Contact person
for matters relating to the data file
Lauri Suutarinen, tel. +358 50 597 5397, lauri.suutarinen@vuokatinrinteet.fi

3. Name of the data file
Huippupaikat Oy customer data file

4. Legal grounds for the processing of personal data
The processing of personal data in the customer data file is based on the customer relationship of consumers and corporate customers to Huippupaikat Oy. The personal data itemised in Section 6 is processed in the data file on the basis of the customer relationship. The data controller also processes customer data based on an agreement between the data controller and data subject. On this basis, the controller processes data registered in connection with equipment rental, ski school lesson and course reservations as well as caravan places.

5. Purposes of personal data processing
Data is collected in the Huippupaikat Oy customer data file for the following purposes:
– supervising the use of ski passes
– for equipment rental, the data necessary for signing the rental agreement and adjusting the equipment
– data necessary for reserving ski school lessons
– data necessary for reserving caravan places (traveller notifications)

6. Personal data processed
The data controller processes the following personal data of customers:
– first name and last name
– address and telephone number
– personal identity code
– age group/age
– photo
– for equipment rental, the customer’s weight and skill level
– nationality (caravan travellers)
– any customer feedback and complaint information
The data controller processes the following personal data of its corporate customers:
– contact person’s name, address, telephone number and e-mail address
– any customer feedback and complaint information

7. Sources of personal data
Huippupaikat Oy receives personal data in the customer data file from the data subject in connection with the use of services.

8. Personal data recipients or recipient groups
Ski passes: The processor of personal data in the customer data file under the General Data Protection Regulation is Ski Data, which offers the software service used for maintaining the data file.
Ski school reservations: The processor of personal data in the customer data file under the General Data Protection Regulation is Hurja Solutions Oy, which offers the software service used for maintaining the data file.
Equipment rental: The data shall not be disclosed to third parties. However, the data may be disclosed to authorities on the basis of their data requests based on the applicable law.

9. Transfer of data outside the EU
The data shall not be transferred outside the EU.

10. Storage time of personal data
The customer’s personal data in the customer data file shall be processed until the end of the customer relationship. The data controller considers that the customer relationship has ended if the customer has not used the data controller company’s services for three years. This period shall be calculated from the end of the calendar year during which the customer last used the company’s services. After the end of the customer relationship, the data shall be removed within six months unless there are other grounds for keeping the data. However, the data can be kept and processed after the end of the customer relationship if this is necessary for processing complaints. The storage time of data in the customer data file also follows storage times required by legislation, such as the Accounting Act. The data required by the Accounting Act shall be stored as long as required by the Act. Correspondingly, the contact person data of corporate customers shall be removed after the company’s customer relationship is considered to have ended. However, the data may still be kept after this if there are other grounds for keeping it. When data is processed on the basis of an agreement between the data controller and data subject, the data shall be kept as long as it is necessary for executing the agreement. When the agreement has been executed, the data shall be kept as long as the customer relationship exists or there are other grounds for the processing (e.g. complaints or the Accounting Act).

11. Principles of data file protection
A. Manual materials
Manual materials are kept in locked premises.
B. Data processed electronically
Customer data files stored electronically are protected using normally used, appropriate technical protection methods. Using the data file requires a username and password.

12. Automated decision-making
The data is not used for automated decision-making.

13. Rights of the data subject
The personal data in the customer data file shall be processed based on the legitimate interest of the data controller (General Data Protection Regulation, Article 6, Section 1, Subsection e). In this case, the legitimate interest is a customer relationship. The personal data is also processed on the basis of an agreement between the data controller and data subject. This processing criterion is described in more detail in Section 4 of this privacy policy. When data is processed on the basis of a legitimate interest and agreement, the data subject has the following rights:

Right of access by the data subject
The data subject shall have the right to obtain access to his or her personal data (right of inspection) in order to confirm whether or not personal data concerning him or her is being processed in the customer data file. As a rule, the data subject has the right to know what personal data has been stored in the register about him or her. The data controller may ask the data subject to sufficiently specify what data or processing activities the data subject’s request concerns. According to the General Data Protection Regulation, the data subject’s right of access may be limited or refused if disclosing the data would adversely affect other people’s rights or freedoms. Such rights to be protected include the data controller’s trade secrets or other people’s personal data. The data subject’s right may also be limited by national legislation (such as the data protection legislation).

Right to rectification
The data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her.

Right to erasure
The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
– the personal data is no longer necessary in relation to the purposes for which it was collected or otherwise processed;
– the data subject objects to the processing of the personal data and there are no overriding legitimate grounds for the processing;
– the data subject objects to the processing of the personal data for direct marketing (in this case, however, the data may be processed for other purposes);
– the personal data has been unlawfully processed.
Even if one of the grounds applies, the data need not be erased if the processing is necessary, for example, for compliance with a legal obligation which requires processing by Union or Member State law to which the controller is subject or for the establishment, exercise or defence of legal claims.

Right to object
The data subject shall have the right to object, on grounds relating to his or her particular situation, to the processing of personal data concerning him or her, when the data is processed on the basis of a legitimate interest. If the data subject has objected to the processing on grounds relating to his or her particular situation, the data subject must specify the situation based on which he or she is objecting to the processing on the basis of a legitimate interest. The controller may continue processing the data despite the objection if there are compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims. The data subject shall have the right to object at any time to the processing of personal data concerning him or her for direct marketing. Where the data subject objects to the processing for direct marketing purposes, the personal data shall no longer be processed for such purposes.


Right to restriction of processing
The data subject shall have the right to obtain from the controller restriction of processing where one of the following applies:
– the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;
– the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
– the controller no longer needs the personal data for the purposes of the processing, but it is required by the data subject for the establishment, exercise or defence of legal claims; or
– the data subject has objected to the processing (right to object described above) pending the verification whether the legitimate grounds of the controller override those of the data subject.
Where the processing has been restricted, the data may primarily be stored only. The data may also be processed for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. A data subject who has obtained restriction of processing shall be informed by the controller before the restriction of processing is lifted.

Right to data portability
The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller and which is processed electronically and on the basis of an agreement between the controller and data subject, in a structured, commonly used and machine-readable format and have the right to transmit that data to directly from one controller to another if this is technically possible.

14. Right to lodge a complaint with a supervisory authority
The data subject shall have the right to lodge a complaint with the competent supervisory authority, if the data subject considers that the controller has not followed the applicable data protection regulations in its activities.

15. Requests relating to the exercise of the data subject’s rights 
In all questions relating to the processing of personal data and the exercise of the data subject’s rights, the data subject shall contact a representative of Huippupaikat Oy at the company’s office or by post at Ilkantie 8, FI-88610 Vuokatti, Finland. If necessary, Huippupaikat Oy may ask the data subject to further specify his or her request in writing, and the data subject’s identity may be verified before taking further actions.

Vuokatti, 1 May 2018