Menu

Business travelers

Business travelers

Travel and Hospitality Industry's corporate customer register

PRIVACY POLICY (as of 25 May 2018)
Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)

1. Controller

SOK Corporation
Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID. 0116323-1 am

2. Contact details of data protection officer

tietosuojavastaava@sok.fi

3. Contact details of officer in charge of register matters

tietosuoja.mara@sok.fi

4. Name of the register

Travel and Hospitality Industry's corporate customer register

5. Purpose of personal data processing

The register contains the personal data of such natural persons who, due to their work duties, manage the booking and other tasks related to a company's accommodation, meeting and restaurant services.

The controller processes the personal data of corporate customers' contact persons for the following purposes:

  • maintenance of the corporate customer register
  • management and development of customer relationships
  • sales and marketing of the controller's products
  • development of the controller's business and related customer service
  • profiling, targeted communications, other contacting

6. Grounds for personal data processing

Data collected on the basis of a legitimate interest:

  • Name and contact details (phone number, email) of the contact person
  • The name, business ID and contact details of the corporate customer linked to the contact person
  • Title and information about the contact person's role in the corporate customer
  • Principal language of the contact person
  • Information about offers and contracts made between the corporate customer and the controller, as well as on any other measures in which the contact person has acted as the corporate customer's representative
  • Information about the corporate customer's use of the controller's services
  • Any possible customer feedback information
  • Information on any possible longer absence of the contact person (the date until which they are absent)

Data collected on the basis of the customer's consent:

  • Information about a possible opt-in with regard to email marketing
  • Information about an opt-out with regard to direct marketing

7. Description of controller's legitimate interests

We want to serve our customers while accounting for their needs and wishes. When we process information about any possible previous contacts, offers and contracts, we can continue the conversation from where we left off the previous time and maintain the customer relationship with the corporate customer's contact person as easily as possible. We use the information concerning the contact person's role in the corporate customer so that we can send marketing messages to the contact persons that are as relevant as possible, such messages including news on topical matters and invitations to our customer events.

8. The personal data processed

  • The first and last name and contact details (phone number, email) of the contact person
  • The name, business ID and contact details of the corporate customer linked to the contact person
  • Title and information about the contact person's role in the corporate customer
  • Principal language of the contact person
  • Information about offers and contracts made between the corporate customer and the controller, as well as on any other measures in which the contact person has acted as the corporate customer's representative
  • Information about the corporate customer's use of the controller's services
  • Any possible customer feedback information
  • Information about a possible opt-in with regard to email marketing
  • Information about an opt-out with regard to direct marketing
  • Information on any possible longer absence of the contact person (the date until which they are absent)

9. The categories of personal data processed

  • Name and contact details
  • Opt-in or opt-out related to marketing

10. Information source and description of information sources, if the data has been collected from public sources

Any data disclosed by the contact person in relation to themselves and transactions related to the bookings and purchases of the services preferred by the corporate customer.

Personal data can also be collected, stored and updated from the files of an external controller offering address, update and other similar services.

11. Recipients of personal data 

The personal data of corporate customers' contact persons can be disclosed to the customer and marketing registers of SOK and hotels in the Sokos Hotels and Finland's Radisson Blu Hotels chains.

The personal data is processed in digital systems and services for the purposes specified in this Privacy Policy. We use external service providers in the production of system and support services.

Personal data can be disclosed to said service providers insofar as these service providers participate in the implementation of technical measures within the framework of the relevant assignment.

We ensure the adequate level of our partners' personal data protection in the manner required by legislation.

 12. Transfer of personal data to third countries or international organisations, and the safeguards employed 

The personal data is not transferred directly to third countries or outside the European Union or the European Economic Area. However, when booking the units of SOK's subsidiary OOO Sokotel in Russia, the data is disclosed to the systems managed by OOO Sokotel to implement the service.

Customer data from our booking systems is transferred outside the EU and the EEA when necessary for the technical implementation of the personal data processing.

Our service providers have committed to the EU–USA Privacy Shield programme or the EU's standard contractual clauses with the appropriate contracts.

13. Storage period of personal data or criteria for determining the storage period

Personal data related to offers, contracts and other activities is erased no later than when five years have passed since the processing of the matter in question.

14. Rights of the data subject

Data subjects have the right to check the data concerning them and to rectify it by filling in the information request form available at S Group's customer service points, where the identity of the person making the request is verified, or by contacting the controller's representative directly.

Data subjects have the right to have data concerning them erased, provided that the controller has no legitimate grounds for storing the data. The request for erasure is submitted by a visit to S Group's customer service point, where the identity of the person making the request can be verified, or by contacting the controller's representative directly.

Data subjects may exercise their right to object by, for instance, opting out of all contacting or certain types of contacting. The objection can be submitted to a representative of the controller.

Data subjects have the right to transmit the data concerning themselves to another system. In such cases, too, the data subject can contact the controller's representative.

15. Withdrawing consent

An opt-in regarding marketing can be withdrawn by sending a request to that effect to voitto.crm@sok.fi

16. Impact of failure to provide personal data on contracts

A failure to provide personal data may prevent the conclusion of annual contract.

17. The meaningful information of automated decision-making or profiling

Profiling is used for the targeting of marketing communications in such a way that the messages are sent to the persons who are responsible for any bookings or sourcing related to accommodation in the company they represent. The profiling does not have a legal effect.

18. Impact of personal data processing and general description of the technical and organisational security measures

We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.

At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.

If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the data will be misused and that someone will impersonate the data subject on the basis of the data, for example. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.

Data request form >>