What is S-Card?
Bus Club of the Travel and Hospitality Industry
Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)
Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID: 0116323-1
2. Contact details of data protection officer
3. Contact details of officer in charge of register matters
4. Name of the register
Bus Club of the Travel and Hospitality Industry
5. Purpose of personal data processing
Personal data is collected and processed within the framework of the register for the following purposes:
- the maintenance of the Bus Club membership register
- the identification of a contact person belonging in the Bus Club
- customer communication related to the membership, contacting customers
- marketing communications
- communicating any interruptions or disturbances
6. Grounds for personal data processing
The personal data processing is based on the controller's legitimate interest.
7. Description of controller's legitimate interests
The legitimate interest is driven by the tour operator's needs and desire; the tour operator wants to be part of the Bus Club to receive the benefits offered to member companies.
The personal data is needed for communication with the tour operator. To receive information about the benefits offered, the tour operator must provide the contact details of their contact person. Without these details, we cannot inform the tour operator of benefits worth money.
8. The personal data processed
With respect to the tour operator's contact person (persons): last name, first names, phone number, email address and marketing opt-in.
9. The categories of personal data processed
Contact details, marketing opt-in or opt-out.
10. Information source and description of information sources, if the data has been collected from public sources
The data collected is received directly from the data subject.
11. Recipients of personal data
We ensure the adequate level of our partners' personal data protection in the manner required by legislation.
We disclose data to the authorities within the limits permitted and required by valid legislation when responding to authorities' requests for information.
12. Transfer of personal data to third countries or international organisations, and the safeguards employed
We do not transfer personal data to third countries, outside the European Union or the European Economic Area or to international organisations.
13. Storage period of personal data or criteria for determining the storage period
Any personal data related to membership in the Bus Club is stored for the duration of the membership. The data can be erased if the data subject so wishes.
14. The rights of the data subject
Data subjects have the right to check the data concerning them and to rectify it by filling in the information request form available at S Group's customer service points, where the identity of the person making the request is verified. Changes to a tour operator's Bus Club membership, for example, can also be effected by sending a message to firstname.lastname@example.org, which takes care of club-related matters.
The data subject may exercise their right to object to commercial communications by sending an email to email@example.com.
The data subject has the right to have data concerning them erased and to change for instance the tour operator's contact details by sending a message to firstname.lastname@example.org.
15. Withdrawing consent
Any withdrawal of a consent to direct digital marketing communications should be sent to email@example.com.
16. Impact of failure to provide personal data on contracts
Membership in the Bus Club requires the specification and details of the tour operator's contact person; without this information, we cannot create an account for the company in the Bus Club.
17. The meaningful information of automated decision-making or profiling
Profiling is used to target marketing communications in such a way that the message is sent to the email address indicated by the tour operator's contact person, provided that the person has opted to receive said marketing.
Profiling does not have a legal effect on the data subject.
18. Impact of personal data processing and general description of the technical and organisational security measures
We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.
At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.
If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the identity will be stolen or that the personal data will be otherwise misused. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.