Customer events of Travel and Hospitality Industry's sales team
Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)
Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland
Visiting address: Fleminginkatu 34, 00510 Helsinki
Business ID. 0116323-1
2. Contact details of data protection officer
3. Contact details of officer in charge of register matters
4. Name of the file
Customer events of the Travel and Hospitality Industry's sales team
5. Purpose of personal data processing
Personal data is collected on a temporary basis for the purpose of organising customer events. The people invited are always informed separately of the purpose and details of the event.
The event may be organised in cooperation with a partner of ours; this, too, will be communicated separately in connection with the invitation.
The collected data is used for purposes of the following kind:
- the management of the invitation and registration lists
- the organisation of any possible transportation, venue and accommodation bookings and catering
- contacting the registered in relation to any possible travel arrangements
- contacting the registered after the event
6. Grounds for personal data processing
The personal data processing is based on consent.
7. Description of controller's legitimate interests
The personal data processing is not based on the controller's legitimate interest.
8. The personal data processed
- The person's first name and last name
- Address, phone number, email
- Information on the person's employer
- When necessary, passport number or the number of some other travel document and any other identifying information
- Date of birth, personal identity code or other information required for organising travel
- Any other information provided on the basis of consent, such as data concerning any special diet
- The information regarding the person originally invited to the event, if that person has forwarded the invitation, e.g. within the organisation they belong to.
9. The categories of personal data processed
- Name and contact details
- Identifying information when necessary
10. Information source and description of information sources, if the data has been collected from public sources
11. Recipients of personal data
Personal data can be disclosed to said service providers insofar as these service providers participate in the implementation of measures within the framework of the relevant assignment. Such service providers can include tour operators, for example.
When organising an event in cooperation with a partner, the list of participants can be shared with the partner in question. Data on the participants can be saved in the customer registers of both the controller and the aforementioned partner.
We ensure the adequate level of our partners' personal data protection in the manner required by legislation.
12. Transfer of personal data to third countries or international organisations, and the safeguards employed
The personal data is not transferred directly to third countries or outside the European Union or the European Economic Area. However, when booking the units of SOK's subsidiary OOO Sokotel in Russia, the data is disclosed to the systems managed by OOO Sokotel to implement the service.
Customer data is transferred outside the EU and the EEA when necessary for the service production. Our service provider has committed to the EU's standard contractual clauses with the appropriate contracts.
13. Storage period of personal data or criteria for determining the storage period
Registrations and any separate lists derived from them are stored for a maximum period of 3 months after the event. Once the storage period has expired, the data is erased.
14. Rights of the data subject
A data subject may check and change information concerning their registration, or request its erasure or transmission to another system, by contacting the event's organiser.
15. Withdrawing consent
Data subjects can request the erasure of information concerning them using the link that can be found in the invitation or communication concerning the event.
16. Impact of failure to provide personal data on contracts
Normally, participation in events is possible only if we are provided with the information requested.
17. Meaningful information on automated decision-making or profiling
The personal data processing does not involve automated decision-making and no profiling with legal effects for the data subject is carried out on the basis of the personal data.
18. Impact of personal data processing and general description of the technical and organisational security measures
We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.
At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staff of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.
If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the personal data will be misused and that a personal identity code provided to us will be used on false grounds, for example. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.