+34 928 153 776 [email protected]

Privacy policy on customer and marketing information

This privacy policy includes the information required by the European Union’s data protection regulation about processing activities (hereafter “privacy policy”). Holiday Club Resorts Oy adheres to data protection regulation and Finnish Privacy Policy Act (1050/2018) in its processing of personal information.

Holiday Club Resorts Oy can, from time to time, change this privacy policy by publishing a new version of it. We recommend that you read our privacy policy on a regular basis.

Date of preparation: 17 May 2018

Updated: 17 May 2018

Table of Contents

1 Controller  
2 Registers  
3 Purpose of processing personal data, and legal basis for processing  
3.1 Customer registers
3.2 Marketing registers  
3.3 Recording of phone calls 
3.4 Camera surveillance  
3.5 Cookies
3.6 Online forms 
4 Information contained in the registers  
4.1 Shareholders and share transactions  
4.2 Hotel guests, rental customers, and buyers of other services  
4.3 Marketing 
4.4 Viewing reservation register  
4.5 Corporate service customers  
4.6 Corporate customers  
4.7 Camera surveillance  
4.8 Phone recordings  
4.9 Forms
4.10 Cookies  
5 Sources of data 
5.2 Customer requiring accommodation 
5.3 Camera surveillance 
5.4 Cookies  
5.5 Online forms and physical forms 
6 Updating of data  
7 Disclosure and transfer of data  
8 Storage periods of personal data  
9 Register protection principles  
10 A person’s right to verify personal data concerning him or her 
11 Rectification and erasure of personal data, and a data subject’s right to request restriction of processing  12 Right to object to personal data related to a particular, personal reason  
12 Right to object to personal data related to a particular, personal reason
13 Right to prohibit direct marketing 

14 Right to withdraw consent given  
15 A person’s right to data portability  
16 Right to lodge a complaint with a supervisory authority 

 

OUR WEB SERVICE

1 Controller

Controller: Holiday Club Resorts Oy (on its own behalf and on behalf of all group companies, hereinafter “Holiday Club”)
Hitsaajankatu 22
FI-00810 Helsinki, Finland

Contact:
Hitsaajankatu 22
FI-00810 Helsinki, Finland
[email protected]

2 Registers

  • Customer registers on guests requiring accommodation and lessees of hotels and holiday flats
  • Registers on timeshare and villas owners and share transactions
  • Marketing registers
  • Register on viewing reservations
  • Registers on property management and maintenance
  • Management registers on treatment bookings
  • Management registers on activity bookings (including golf)
  • Accounts systems
  • Holiday booking and draw registers on corporate customers
  • B-to-B customer database
  • Camera surveillance – phone recordings
  • Form registers
  • Register on customers who have submitted a marketing ban

Holiday Club has an employee register in addition to the registers mentioned above. The company has prepared a separate privacy policy on it.

Although the registers are described as separate register entities in this document, for the sake of clarity it must be noted that they constitute a register entity that cannot always be distinguished in such a crude manner. Forms, for example, can become a part of Holiday Club’s marketing register. We have prepared the specification in this policy so it would be easier to read and would better describe the channels through which we collect information. One should also note that separate lists of individuals or documents can be extracted from the registers, but these do not constitute a separate personal register.

3 Purpose of processing personal data, and legal basis for processing

3.1 Customer registers

Holiday Club processes personal data of customers in several different contexts. Our key customer registers are: 1) A customer register maintained in the hotel reservation system, and 2) A register maintained based on timeshare and villas share transactions

In addition to these registers, Holiday Club also has the other registers listed in section 2 above. The processing of personal data is based on a contractual relationship, a reason based on the law, or Holiday Club’s legitimate interest.

The processing basis based on the law pertains to a share register maintained regarding shareholders. Holiday Club acts as the property manager of several villas and timeshare companies, and for this reason the company maintains a share and shareholder register on behalf of property companies. The Limited Liability Companies Act and the Limited Liability Housing Companies Act (depending on which Act is applied to the company) determine the processing of this information to some extent. As the property manager, Holiday Club sends shareholders bulletins from the property companies as well as invitations to General Meetings and other similar documents.

The law also regulates how patient data must be processed and stored. In the context of different treatments (primarily massage services), Holiday Club may collect patient data whose processing is stipulated in several different laws and decrees, as described below.

The processing of accommodation cards is based on the law. Customers requiring accommodation are expected to fill out an accommodation card, because a traveller register must be maintained on customers requiring accommodation (Act on Accommodation and Food Service Operations, Sections 6-9).

Holiday Club’s legitimate interest is based on business interests, such as quality control of services, development of services, measurement of customer satisfaction, training of employees, and provision of additional services by utilising direct marketing. The legitimate interest is also based on protection of rights and property, and implementation of physical and information security.

Regarding customer registers, the purpose of the processing of personal is to ensure that the parties act in accordance with the agreement they have signed. This can mean that, for instance, a customer receives holiday accommodation, or another service or product acquired in accordance with the agreement, or that a share according to the agreement is recorded in the ownership of the customer. The purpose of the customer registers can also be another business function related to services or shares, such as administration and development of business operations, management, and development of a customer relationship, or ensuring the rights and duties of Holiday Club and a customer.

Holiday Club also processes personal data when the company manages fault notifications and the maintenance of accommodation. Personal data are also processed in the context of use of key cards, surveillance cameras, and the recording of phone calls. The company can also process personal data in other similar contexts or ones linked to business operations.

The other registers described below can be linked to Holiday Club’s customer register, and together these constitute an entity although the processing of personal data is described through various channels below.

3.2 Marketing registers

In marketing efforts, the processing of personal data can occur on the basis of either Holiday Club’s legitimate interest or a customer’s valid consent. With regard to marketing, Holiday Club’s legitimate interest can be related to business interests, such as quality control of services, development of services, measurement of customer satisfaction, training of employees, provision of additional services or direct marketing.

Electronic direct marketing always requires consent submitted by the customer, and this is always obtained in writing. For electronic direct marketing, such permission is needed even if the customer is a Holiday Club customer on some other grounds. Consent is requested in writing, and the customer can withdraw it at any time if they so wish. With regard to electronic direct marketing, consent is requested upon an order for the newsletter, or possibly at the time when a customer stays overnight, acquires a share, takes part in a marketing competition at a trade fair, another event or online, or in another situation involving a contact between Holiday Club and the customer.

Information contained in customer data systems is also used for sending electronic and printed letters, the customer magazine, invitations to shareholder events (such as General Meetings of property companies), and similar bulletins. Personal data included in customer data system can also be used, on the basis of a legitimate interest, for direct marketing over the telephone.

We maintain a separate register on customers who have submitted a marketing ban. This register is necessary, so the customer in question is not transferred from another customer register back to the customer marketing list or a viewing call list, for instance.  The other registers described below can be linked to Holiday Club’s marketing register (mostly matters described in the section ‘forms’), and together these constitute an entity although the processing of personal data is described through various channels below.

3.3 Recording of phone calls

Phone calls with our customer service (telephone exchange, customer service, Holiday Club property management, Holiday Club service centre, phone contacts for hotels and any other phone contacts) can be recorded. The recording of phone calls is based on Holiday Club’s legitimate interest. The purpose of recording phone calls is to use the calls for improving and developing customer service, for training purposes, and for ensuring the contents of agreements between the parties. Phone calls are not used for any other purposes.

3.4 Camera surveillance

Holiday Club can collect data from camera surveillance to ensure security and legal protection at and outside of Holiday Club’s premises and properties. We use these data for resolving any criminal and loss events and, if necessary, for identifying individuals who have moved around the facilities. We inform people of camera surveillance with signs in the facilities and areas where cameras have been placed.

3.5 Cookies

We collect IP address and cookie data on customers when they visit Holiday Club’s online service. Cookie data are anonymised. The collection of cookies is based on consent customers give when accessing the website or on the controller’s legitimate interest.

We can use cookies for targeting our advertising. In networks of our business partners, for example, visitors can be shown advertisements of products they have browsed in our web shop.

Holiday Club’s online service can have links to third parties’ websites that may collect personal data. Holiday Club is not responsible for the said parties or for any collection of personal data carried out by them. Holiday Club endeavours to ensure that all business partners whose links are available in Holiday Club’s online service are reliable operators. Our business partners may use cookies to target their advertising.

3.6 Online forms

In its online service, Holiday Club has several different online forms whose purpose is indicated on the form in question. Our online forms include, for example:

  • Orders for electronic newsletters whose processing is based on consent given by the customer.
  • Reservation enquiries and requests for offers whose processing is based on the processing of the customer’s reservation enquiry, i.e. the customer relationship
  • Forms for marketing competitions whose processing is based on the customer’s participation in the competition, and the customer can give consent to marketing at the same time. However, in this context, consent is always requested specifically.

4 Information contained in the registers

4.1 Shareholders and share transactions

For shareholders (villas and timeshare owners), the company maintains a share and shareholder register on behalf of property companies. Processing is based on a property management contract signed between Holiday Club and the property companies. The Limited Liability Companies Act and the Limited Liability Housing Companies Act (depending on which Act is applied to the company) determine what information about a shareholder must be contained in the register. These details that must be stored according to the Act include information about the shares owned, the flat, the date of issue of the share certificate, the shareholder’s name and address, and the date of birth of a natural person; for a legal person, domicile, register number and the register in which the legal person is recorded, any limitations related to control, and any other details laid down in the law. According to the Limited Liability Housing Companies Act, the recipient of a share is recorded in the list when sufficient information about ownership and a certificate of the payment of asset transfer tax have been obtained. Holiday Club stores information on a shareholder for as long as they own the share. In addition, data on previous owners is stored for 10 years from the date when the new owner was recorded in the share register (Limited Liability Housing Companies Act, Chapter 2, Section 14).

In addition to the aforementioned information based on the law, other key data can also be collected on shareholders and former owners of a share, but this processing is based on the customer relationship between Holiday Club and the shareholder. Holiday Club has the right to store such data based on share transactions made between Holiday Club and the customer. Holiday Club stores bills of sale on shares and the documentation related to the share transaction. Besides physical documents, personal data are contained in the management system for timeshares, villas shareholders and share transactions, accounts systems, and possibly in marketing systems (a customer can be registered in several different systems and registers simultaneously). Details that are collected and stored can include a person’s name, date of birth, personal identity code, address, phone number, e-mail address, IP address, language, citizenship, any number of similar detail on a travel document in case the customer does not have a personal identity code, membership number, customer number, date of purchase of a share, information about ownership or previous ownership, use of a flat owned (rental, personal use, exchange or other), information about guardianship or trusteeship, gender, profession, employment, duration and nature of employment relationship, form of household and number of family members, information on income and assets, payment behaviour and invoice payment details, sanction monitoring information, marital status, bans on disclosure of data specified by an authority, details on a bill of sale, rental brokerage details, data on an agreement with a telecom operator, payment details on rent and other fees or sale price related to a contractual relationship, marketing segmentation details, any other contact details (contact person), and other details sent by the customer.

If the company concludes a financing transaction with a shareholder, the customer should note that Holiday Club acts as the broker of financing but information about the customer is submitted to the bank offering such financing. Regarding this information, the bank acts as the controller and the data are stored in the bank’s systems by Holiday Club. In this respect, the customer should also explore the financing company’s data protection.

4.2 Hotel guests, rental customers, and buyers of other services

Details collected and stored of customers include a person’s name, address, phone number, e-mail address, citizenship, personal identity code or date of birth if there is no personal identity code, full names and Finnish personal identity codes of the traveller’s spouse and minor children or dates of birth if there are no Finnish personal identity codes, the country from which the traveller arrives in Finland, the number of the traveller’s travel document, the dates of the traveller’s arrival and departure to the accommodation business, reason for accommodation (leisure time, work, meeting or another reason).

The only details stored in the hotel and rental customers’ information system are a person’s name, address, phone number, e-mail address, accommodation location, accommodation dates, and other essential and key details related to accommodation (such as the number of overnight guests, any pets, and special needs).

Details on the accommodation card required by Sections 6-9 of the Act on Accommodation and Food Service Operations) are collected on customers. Sections 6-9 of the Act on Accommodation and Food Service Operations contain principal details on what data must be collected from travellers and how these data should be processed. Individuals’ dates of birth or social security numbers are not stored in electronic systems; instead, these details are only indicated on a traveller notification. The company stores traveller notifications for one year from the accommodation period, and they are stored in a locked cabinet.

Besides hotel reservations, Holiday Club sells several other services that have separate systems for use. For these, the company can collect a customer’s personal data (such as name, address, phone number, e-mail address) in addition to the content of the service. In the context of hotel reservations and provision of other services, the company can also request parental consent for a service offered to a minor if this is necessary for any reason, and in this context the company can collect data on a minor child separately. However, these data are not used for any purpose other than verification of such permission.

For treatment reservations, some of the data collected on customers must be processed as health information. These include, in particular, details of an advance survey made for massage services, used for establishing a customer’s state of health and any problems such massage is intended to help with. Information concerning a person’s health can also be collected for other treatments. Holiday Club processes sensitive data upon the collection of such information concerning a person’s state of health. In the processing of such data, Holiday Club complies with the provisions of the General Data Protection Regulation, the Act on the Electronic Processing of Client Data in Social and Health Care, the Act on the Status and Rights of Patients, and the Decree of the Ministry of Social Affairs and Health on Patient Documents, to the extent Holiday Club provides services covered by said Acts.

4.3 Marketing

The marketing register includes basic details of customers, including name, address, phone number and e-mail address. In its marketing, Holiday Club can utilise an enrichment service, but the said personal data obtained do not become a part of Holiday Club’s personal data register, as described below in section ‘Disclosure and transfer of data’.

For electronic marketing, we also collect data on when consent to marketing has been given.

Holiday Club is in the process of developing a CRM system. Once the system is in working order, Holiday Club intends to start collecting purchase history and segmentation data and other similar details.

4.4 Viewing reservation register

Holiday Club has a register that maintains data on persons who have been invited to and who have attended viewings. Details stored include name, address, phone number, e-mail address, viewing date, viewing duration, customer type, (new customer or one who already owns a share), information on whether the viewing resulted in a sale or not, and other details related to the viewing round and essential for the viewing (such as whether the person came or not). The register also contains information about any viewing reservations that have been cancelled.

4.5 Corporate service customers

Corporate service customers are existing customers who own holiday flats at a resort or who, alternatively, have signed an agreement to purchase accommodation services. Holiday Club provides corporate customers with accommodation and a draw service for accommodation use, and reservation management service. For the said customers, the register includes information on the company or organisation the customer belongs to, customer number, address, phone number, e-mail address, and other details directly related to the service acquired or participation in the draw.

4.6 Corporate customers

Holiday Club maintains a separate B-to-B customer register. The register includes information about Holiday Club’s existing and potential corporate customers. The register contains basic information about the company in question and basic details of its contact person, such as name, address, phone number and e-mail address. The system can also include information on what kind of cooperation has been done with the company and which kinds of services have been offered.

4.7 Camera surveillance

The camera surveillance system stores video images digitally taken by a camera.

Key card systems contain details on when people have walked in the facilities and which card has been used (such as a hotel room), but the said key cards are not linked to any personal data, so they do not constitute a personal register.

4.8 Phone recordings

Phone recordings automatically store the contents of phone conversations. Calls are recorded as sound files. Details recorded of phones include the time of the phone conversation, the customer service representative who answered the phone, the number to which the call was made, and the phone number from which the call came.

4.9 Forms

Our company uses several different online forms and some traditional, physical forms. The use of the form is indicated in the purpose of the form. The key forms we use include, for example, forms used for resale assignment, rental brokerage, offer request and different marketing competitions. The information contents of forms vary depending on the form, but the details can include, for instance, name, address, phone number, e-mail number, and information about the share owned.

4.10 Cookies

Holiday Club uses cookies to collect information about how and when our services are used on our website. Details collected can include the page from which a user moved to the service, which websites and when the user has browsed, what items were clicked, which browser was used, the resolution of the user’s display, and the operating system and version of the device.

We use cookies and other similar techniques for statistical monitoring of the number of visitors and for measuring the effect of advertising. We can also collect data on, for example, our electronic letters and establish whether a letter was opened, and whether the recipient logged to a link or entered the web shop. To improve the usability of our websites, we can make short-term surveys during which we can store information about a user’s mouse movements and clicks on a certain page.

5 Sources of data

5.1 Shareholders

The primary source of data is the customer who discloses data while in contact with Holiday Club by different means. As a rule, most of the data is collected from the customer who buys a share or books a viewing appointment. Even before a share transaction, Holiday Club may have customer information used for making a viewing reservation.

Holiday Club contacts a customer and invites them to a share viewing by using the various customer registers. Customers are invited to share viewings by contacting them on the phone, or a customer can reserve a viewing appointment via the website or over the phone. These details are transferred to the viewing reservation register if a reservation is made for a viewing appointment. From there, the details can be further transferred to the register of timeshare and villas shareholders and share transactions, if the customer acquires a share.

A customer can also attend a viewing after reserving a “get-to-know holiday” from Holiday Club. A get-to-know holiday includes accommodation and a viewing. When a customer reserves a holiday, the company asks the customer for information that is stored in both the hotel reservation system and the viewing reservation register, from where the information can be used as the shareholder’s data if the person decides to acquire a timeshare.

For shareholders (villas and timeshare owners), the company maintains a share and shareholder register on behalf of the property companies. Processing is based on a property management contract signed between Holiday Club and the property companies. In these cases, the shareholder must, based on the Limited Liability Housing Companies Act or the Limited Liability Companies Act, report their share ownership without undue delay, so share ownership can be recorded in the person’s name. Even in such cases, data are collected from the person, as a rule. In some situations, the former owner of a share can submit information about the new owner to Holiday Club, if the new shareholder has not registered share ownership in their own name. We can collect and update credit and payment behaviour details and sanction monitoring information from, for example, registers maintained by Suomen Asiakastieto Oy. Regarding share transactions, we verify a person’s credit and payment behaviour if we offer a customer financing for a share transaction. If a customer acquires a share through a financing service brokered by Holiday Club, the financing company can have separate channels for collecting and processing personal data.

 

5.2 Customer requiring accommodation

Holiday Club collects data on hotel guests upon the making of an accommodation reservation. Such data can be collected through various reservation channels that can include Holiday Club’s own channels, such as Holiday Club’s online service, chat, phone service and e-mail. Data can also be stored in the reservation channel’s service, such as for the service provider of the chat platform, and in the services of the online service provider. The said service providers are processors of data, and Holiday Club has signed contracts on data processing with these service providers, ensuring that the service providers do not misuse the data. This has also been agreed with the system supplier who provides the hotel reservation system.

Holiday Club can also receive data from a travel agent or organiser (such as online accommodation channels and travel agencies). Since Holiday Club is the service provider, a contractual relationship is created between the customer and Holiday Club. Even in this contractual relationship, Holiday Club, as the controller, processes personal data in the same way as if the reservation were made directly through Holiday Club’s own channels. However, the customer should note that their data are processed, as an independent controller, by any administrator of the reservation channel or the travel broker, besides Holiday Club.

Besides making an accommodation reservation, customers requiring accommodation must fill out a traveller notification on which the customer submits certain information.

If the company agrees with the customer that the bill will be paid by an invoice, it can verify and collect credit information on the customer. As a rule, invoicing is only applied to corporate customers.

5.3 Camera surveillance

The camera surveillance register consists of digital recordings transmitted by cameras that Holiday Club has positioned in the necessary locations. Camera surveillance data are stored automatically.

When a customer uses a key card upon accommodation, this information is automatically stored in the system, but the key card does not store any personal data, so it does not constitute a personal register.

5.4 Cookies

Holiday Club collects IP address and cookie data on its customers when they visit the online service. These data are used for targeted marketing and for the provision of services.

5.5 Online forms and physical forms

Ordinarily, customers fill out forms either online or on a paper form. Data on a form can also be collected by a customer service representative of Holiday Club.

6 Updating of data

As a rule, we update data on customers based on notifications submitted by the customers themselves. The source of data for such notifications can be an outside party besides the person in question. Our aim is to ensure that any outside sources of data are reliable and that all data and information are accurate. We can update data based on details contained in the Population Information Register, for example. Such details are not updated in our registers automatically, so we hope that our customers submit a notification of the updating of data to our company, so the data in our customer registers maintain up to date. We can collect and update personal data based on information received from authorities and businesses that provide various services (such as the Postal Service and Aller).

7 Disclosure and transfer of data

Holiday Club does not publish the personal data it collects and complies with a secrecy obligation regarding personal data, unless otherwise required by legislation or the establishment, exercise or defence of legal claims. The share and shareholder registers are public documents on the basis of the Limited Liability Housing Companies Act and the Limited Liability Companies Act, so they can be disclosed upon request, or they can be available for viewing in a certain location.

Holiday Club does not transfer any data outside the Group except to contractual partners who provide Holiday Club with a certain service or support function. Such operators can be, for instance, system suppliers, service providers related to customer relationship management, providers of cleaning services, providers of sales services, providers of security services, parties that manage debt collection, postal services, marketing services, providers of additional services, and other similar business partners. Holiday Club has signed data protection agreements with these business partners. The data protection agreements include an agreement that these parties process personal data in a secure manner and only for the purpose referred to in the agreement, and on the standard of information security and how any personal data breaches must be reported.

With regard to camera surveillance and accommodation cards, data can be disclosed to the authorities if they require this from Holiday Club. As far as foreign guests are concerned, traveller notifications are delivered to the police. Data contained in traveller notifications are submitted to the authorities upon request. A traveller notification can also be partially completed, on the basis of information requested when an accommodation reservation is made.

In the context of share transactions, the parties usually agree that Holiday Club submits a notification of asset transfer tax to the Tax Authority on behalf of the buyer. In such a case, Holiday Club discloses personal data to the Tax Authority with an asset transfer tax notification.

Data are not disclosed or transferred outside the EU or the European Economic Area (EEA) or to international organisations. An exception to this is made in terms of the management system timeshare and villas shareholders and share transactions, because the system in which these data are managed is supplied by an America business partner and the system’s servers are situated in the United States. The company has signed an agreement according to the EU’s standard contractual clauses with the said system supplier, which has been used as a basis for ensuring data protection and appropriate processing of data. Furthermore, Holiday Club can disclose data to its group companies outside the EEA, but in such cases commitments according to the EU’s standard contractual clauses are signed with the group companies.

Marketing acquires a data enrichment service from an outside service provider as an additional service. Through this enrichment service, the service providers combine with Holiday Club’s customer information personal data to be used for targeting direct marketing mailings, for instance, to certain customer groups. This service is only used for telephone marketing and direct mailing purposes. Personal data used in the enrichment service include, for example, age, gender, language, residential area, size of household, phase in life, and education. These additional details are not transferred as part of Holiday Club’s own customer register, instead they remain as information in the service provider’s register. Holiday Club discloses personal data to the processor for the purpose of implementing this enrichment service.

8 Storage periods of personal data

Data collected for marketing purposes are erased from the register after the person has withdrawn consent given. Personal data are stored for a maximum of one year if the case involves a non-functioning e-mail address in the marketing register.

In the shareholder register personal data must be stored for as long as the person is a shareholder, and for 10 years after the person has relinquished such share ownership. Holiday Club stores data on an old shareholder for 11 years at most.

A person’s data are stored in hotel and other service customer registers for no longer than five years from the date when the customer last acquired services.

Personal data classified as patient data are stored for the prescribed time according to the Decree of the Ministry of Social Affairs and Health on Patient Documents. As a rule, this means for Holiday Club that data are stored for 12 years after a patient’s death or, if there is no information about this, for 120 years after the patient’s birth. However, not all material related to treatments is subject to the storage periods of patient documents, and in these cases, data are stored for a maximum of five years from the provision of the service.

Data from camera surveillance are stored for a period deemed necessary, if they contain data that are based on the purpose and must be investigated. After the investigation has ended, data are stored for the period necessary for the establishment, exercise, or defence of legal claims. After the need for storing such material has ended, the data are erased within three years. In other cases, the data are regularly destroyed and are stored for no longer than six months from the recording.

Data collected by means of cookies are stored for no longer than three years, depending on the type of the cookie.

The processing period for personal data on corporate customers is three years from the end of the year in which such data were last needed for implementing a service under the service agreement in terms of the person in question.

Accounts and debt collection data and other data possibly classified as accounting material, which may contain customer information, are stored for the prescribed time required by the Accounting Act. For instance, invoice vouchers are stored for six years from the end of the accounting period involved.

Phone recordings are stored for a maximum of one month from the date of the phone call.

Data in the viewing reservation register are stored for a maximum of five years from the time when the person previously attended a viewing of a share.

Personal data in property management and maintenance registers are stored for 10 years at most.   In the B-to-B customer database, personal data are stored for a maximum of five years from the time of the previous cooperation with the company or from the most recent contact between the parties.

Data from online forms related to a marketing competition are erased within six months of the end of the competition. However, if the form in question was used to give consent to direct marketing or online marketing, information on such consent is stored as described above regarding consent submitted. If data on the form are related to an assignment, the data are stored for a maximum of five years from the end of the accounting period when the service according to the assignment was implemented (rental time, resale).

A shareholder can submit a rental assignment using either a form sent by post, or a document found on the website. We store rental assignments for a maximum of six years from the end of the year during which the week submitted for rental expired. Assignments are stored as printouts in a locked space. Rental assignments are also processed in electronic systems and processed as part of a shareholder’s data, and in the manner described regarding the data of a timeshare owner.

Data on other forms are stored for as long as necessary regarding their purpose of use.

9 Register protection principles

Access rights to Holiday Club’s registers are restricted to people who need personal data in their work. The granting of access rights is based on specifications made by Holiday Club, which are based on the company’s processes. Databases used for storing data and information networks are protected by organisational and technical measures. Control and protection of registers comply with regulations applied within the EU area.

Furthermore, a data protection agreement has been signed or data protection has been agreed upon in another document with all contractual partners who have access to personal data or to whom data are transferred. Contractual partners are required to maintain a sufficient level of data protection.

Logging in to Holiday Club’s personal registers requires the use of personal usernames and passwords. We have also protected our system by technical and administrative means.

Manual material that contains personal data is always stored in a locked and controlled space.

10 A person’s right to verify personal data concerning him or her

Everyone has the right to ask Holiday Club whether the company processes personal data concerning him or her, and what these personal data are.

The easiest way to request data concerning oneself is to complete an information request form in Holiday Club’s online service. The form is available at www.holidayclub.fi/tietolomake. A person can also submit an information request in person or in another written manner if they so wish.

We do not deliver camera surveillance data because the material would also include personal data on other individuals, and this would require an unreasonable effort.

We do not deliver information about cookies because cookies cannot be automatically linked to a user, and we cannot establish these details without an unreasonable effort.

To the extent Holiday Club acts as the processor in terms of a register and is not the controller, Holiday Club does not, as a rule, deliver data concerning a person; instead, a request must be submitted to the controller. This pertains to, for instance, customer financing acquired from a financing company.

We will submit a response to an information request as soon as possible, but not later than within one month of receiving the information request.

We will deliver the information either by post or by electronic means, depending on the requested method of delivery. Before we deliver the information, we endeavour to ensure that the individual who submitted the information request is the person in question. If we have reason to doubt the identity of the person submitting the request, we will ask for further information.

If an information request is unjustified or unreasonable (such as repeated requests for information), we can charge a reasonable fee for fulfilling the request or refuse to deliver the information requested.

11 Rectification and erasure of personal data, and a data subject’s right to request restriction of processing

If the personal data contain errors, a person can request that they be corrected. We will correct the data as soon as possible after a notification of an error has been submitted. Data can be corrected based on a notification submitted by the person or if information about the matter comes from another reliable source.

A person is obliged to inform Holiday Club, without undue delay, of any errors in their personal data. A notification can be made, for instance, by e-mail to: [email protected]

Everyone has the right to have personal data concerning them erased from the register (“right to be forgotten”) after the end of the storage period, if the personal data are no longer needed for the purposes for which the personal data have been collected, or if the processing of personal data is based on consent and such consent is withdrawn. The data will also be erased if the processing of personal data is unlawful or if Holiday Club is obliged to erase the data according to the law.

A person has the right to demand Holiday Club to request the processing of personal data when:

  • The person is waiting for a response to a request for the rectification or erasure of data
  • Processing is unlawful and the person objects to the erasure of personal data and, instead, demands that their use be restricted
  • Holiday Club no longer needs the said personal data for the purposes of processing personal data, but the person needs them for the establishment, exercise, or defence of legal claims
  • The person has objected to the processing of personal data, and it is established whether Holiday Club’s legitimate interest overrides that of the person in question.

Where the processing of personal data has been restricted on the aforementioned grounds, for example, such personal data shall only be processed with the person’s consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest. However, this restriction does not apply to the storage of personal data

12 Right to object to personal data related to a particular, personal reason

On the basis of a particular, personal reason, everyone has the right to object to processing measures targeted at personal data on the basis of Holiday Club’s legitimate interest.

A person can submit a demand indicating the grounds on which such processing is objected to. A request must be submitted via e-mail to: [email protected]. Holiday Club can refuse to implement a request concerning such objection on grounds laid down in the law.

13 Right to prohibit direct marketing

If personal data are used for direct marketing, a person can, at any time, object to the use of the data for marketing purposes. In such a case, personal data can no longer be processed for this purpose. If a customer wishes to prohibit direct marketing, the easiest way to do this is to send a prohibition, via e-mail, to: [email protected]

14 Right to withdraw consent given

If the processing of personal data is based on consent given, such consent can be withdrawn at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before such withdrawal.

15 A person’s right to data portability

Everyone has the right to receive the personal data concerning him or her, which have been provided to Holiday Club and which are processed based on consent given or an agreement, in a machine-readable format and the right to transmit those data to another controller, where technically feasible.

If such a transmission is not technically feasible or secure, the customer can, if so desired, deliver personal data received based on the right of verification to another controller.