General terms and conditions for the use of Rukakeskus Oy’s online services
INFORMATION ABOUT RUKAKESKUS OY’S WEBSITES (ski.ruka.fi, ski-inn.fi, shop.ruka.fi, pyha.fi, ski.pyha.fi, pyhabooking.fi and laplandgames.fi)
Ruka’s and Pyhä’s Ski-Inn and Webshop are web services provided by Rukakeskus Oy. These online webshop services provide booking services for Rukakeskus Oy and its affiliates Pyhätunturi Oy and Ski-Inn Hotels & Apartments Oy. All payment transactions pass through Rukakeskus Oy.
The websites use a Secure Sockets Layer (SSL) digital certificate, which certifies the identity of the service provider (Rukakeskus Oy). The connection between the service user's computer and the server is also SSL-protected.
Please contact Ruka and Pyhä booking services for any questions regarding bookings and services:
Phone number +358 8 8600 300, firstname.lastname@example.org
Rukankyläntie 9, FI-93830 Rukatunturi, Finland
Phone number +358 8 8600 400, email@example.com
Kultakeronkatu 21, FI-98530 Pyhätunturi, Finland
The online services do not store any information related to customer transactions such as credit card numbers or bank account numbers. The payment transaction is always secured and follows bank security regulations and the regulations of the payment service provider Nets (Luottokunta).
Rukakeskus Oy (Business ID 1886917-7), Pyhätunturi Oy (Business ID 0726785-9), Ski-Inn Hotels & Apartments Oy (Business ID 1905064-9).
REGISTER DESCRIPTION 23 May 2018 (In accordance with § 10 of Personal Data Act (523/99))
1. Register controller: Rukakeskus Oy, Rukatunturintie 9, FI-93830 Rukatunturi, Finland. Phone number +358 400 101 600.
2. Person in charge of the register: Mika Määttä, Rukakeskus Oy, Rukatunturintie 9, FI-93830 Rukatunturi, Finland.
3. Name of the register: Customer register of Rukakeskus Oy’s webshop for Ski-Inn apartments, ski passes, tickets and gift cards.
4. Legal basis for the processing of personal data: Processing of customer data is based on a legitimate interest of the controller or an agreement between the controller and the registered customer.
5. Aim of processing personal data: Managing and developing customer relationship such as selling and purchasing services, strengthening online service purchasing, enabling accommodation activities and identifying online bookings. Both the company’s and its partners’ marketing and communications. Developing the register controller’s business and customer service.
6. Register data content: The register controller processes the following personal data:
– Customer’s first and last name, date of birth, phone number, address, email address
– Information about accommodation bookings (value of reservation, booked apartment, special diets, possible customer feedback and complaint details)
– Customer’s payment method information, invoicing information, possible reference number information
– Information about possible marketing bans
– Information about customer’s consent to electronic direct marketing (marketing via text messages or email)
– Information about the use or purchases of services
– Information about customer-specific choices and special wishes (e.g. concerning apartment, accessibility issues etc.)
– Possible customer feedback and complaint details
7. Regular data sources: Information is collected from customers themselves during booking. Additionally, information can be collected when using services and making purchases and possibly from third party registers.
8. Release of data: To be able to provide their services, the register controller uses a subcontractor or subcontractors who need personal data for providing their services.
9. Data transfers outside the EU: According to the Personal Data Act Section 22 a Article 1, personal data may be transferred outside the EU member states or the European Economic Area in so far as the Commission has found that the country in question guarantees an adequate level of data protection. In its services, Rukakeskus Oy uses the services of US-based LiveChat, Inc. and Bokun as well as Google and through these services personal data (such as customer’s IP address and contact details) are transferred outside the EU. Rukakeskus Oy is responsible for the third party processing of personal data according to the Personal Data Act.
10. Data retention period: Personal data in the customer register is processed during the customer relationship. The register controller considers the customer relationship terminated if the customer has not used the services provided by the register controller in twenty (20) years. This period is calculated from the end of the calendar year in which the customer last used the services of the company. The information is deleted six (6) months after the customer relationship has ended if there are no grounds for retaining the data.
After the ending of the customer relationship, data can still be retained and processed for handling complaints. The retention period of the data in the customer register also complies with the statutory retention periods such as the Accounting Act. The information required by the Accounting Act is retained for as long as the Accounting Act requires.
Similarly, business customer contact information will be deleted after the business relationship is terminated. However, data can then be stored if there are other reasons.
When data is processed under a contract between the controller and the registered customer, data shall be retained for as long as necessary for the implementation of the contract. Once the agreement has been completed, data will be retained as long as the customer relationship exists or there is another reason for processing the information (e.g. complaints or Accounting Act).
11. The rights of the registered customer: Personal data contained in the customer register shall be processed in the legitimate interest of the controller (Data Protection Regulation Article 6 Article 1 subsection e). In this case, the legitimate interest is the customer relationship. Personal data is also processed on the basis of an agreement between the controller and the registered customer (Data Protection Regulation Article 6 Article 1 subsection b). This criterion of treatment is further explained in section 4 of the privacy statement. When processing information on the basis of a legitimate interest and a contract, the registered customer has the following rights:
REGISTERED CUSTOMER’S RIGHT TO ACCESS THEIR PERSONAL DATA
– The registered customer has the right to request access to his or her personal data (right of access) in order to ascertain whether the data concerning him or her are processed in the register or not.
– As a rule, the registered customer has the right to know what information concerning him or her is stored in the customer register. The register controller may request the registered customer to sufficiently specify which data or processing operations the registered customer's request relates to.
– The registered customer's right to information may be restricted or rejected under the Data Protection Regulation if disclosure would adversely affect the rights and freedoms of others. Such protected rights include, but are not limited to, the business secrets of the controller or personal data of another person. The right of the registered customer may also be restricted by national law (e.g. Data Protection Act).
RIGHT TO INFORMATION RECTIFICATION
– The registered customer has the right to demand that the controller rectify inaccurate and incorrect personal data concerning the registered customer without undue delay.
RIGHT TO INFORMATION DELETION
At the request of the registered customer, the register controller shall, without undue delay, delete the personal data relating to the register controller if any of the following conditions are met:
– Personal data is no longer needed for the purpose for which they were collected or otherwise processed
– The registered customer objects to the processing of personal data and there are no legitimate grounds for such processing
– The registered customer opposes the processing of personal data for direct marketing purposes (however, processing is possible in this case for other purposes)
– Personal data has been processed unlawfully
Even if one of the conditions is met, the data do not need to be deleted if processing is necessary to comply with statutory obligations, for example, EU law or national law applicable to the controller or to formulate, file or defend a legal claim.
RIGHT TO OBJECT TO THE PROCESSING OF PERSONAL DATA
– The registered customer has the right to object to the processing of his or her personal data on the basis of his or her particular personal situation when the data is processed on the basis of a legitimate interest.
– The registered customer has no right to object to the processing of personal data where the processing is based on an agreement between the controller and the registered customer.
– If the registered customer has objected to the processing of his or her data on the basis of his or her particular personal situation, the registered customer must identify the specific situation on the basis of which he or she objects to the processing on legitimate grounds. The register controller may continue to process the data, regardless of any objection, if there is a compelling and well-founded reason for the processing, which overrides the interests, rights and freedoms of the registered customer or where it is necessary for filing, presenting or defending a claim.
The registered customer has the right to object at any time to the use of personal data concerning direct marketing. If the registered customer objects to the use of personal data in direct marketing, the data may no longer be processed for this purpose.
RIGHT TO REQUEST A LIMITED PROCESSING OF PERSONAL DATA
At the request of the registered customer, the register controller shall restrict the active processing of personal data in the following situations:
– The registered customer denies the accuracy of the personal data and processing must be restricted until the register controller can verify the accuracy of the data
– The processing is unlawful and the registered customer insists on limiting the processing of personal data rather than the deletion of personal data
– The personal data in question is no longer required by the register controller for the purposes of processing, but it is required by the registered customer in order to formulate, present or defend a legal claim, or
– The registered customer has objected to the processing of the personal data (on the right of objection above) and the assessment of whether the legitimate grounds of the controller override the registered customer's grounds is ongoing.
In principle, data may only be stored for the duration of the processing restriction. Data may also be processed for the purposes of filing, presenting or defending a legal claim, for the protection of the rights of another natural or legal person, or for important public interest reasons. Prior to the removal of the processing restriction, the registered customer must be informed.
RIGHT TO TRANSFER DATA FROM ONE SYSTEM TO ANOTHER
In so far as the registered customer him/herself has provided personal data to the customer register which is processed by means of automatic data processing and under a contract between the register controller and the registered customer, the registered customer is generally entitled to receive such data in a machine-readable form.
12. Right to make a complaint to the supervisory authority: The registered customer has a right to file a complaint with the competent supervisory authority if the register controller fails to comply with applicable data protection rules.
13. Requests concerning the registered customer’s use of rights: In matters relating to the processing of personal data and the exercise of his or her rights, the registered customer may contact the contact person of the controller referred to in section 2. A request for access or any other request for the exercise of the rights of the registered customer to the controller must be made in writing, either by email or by post. The request may also be made in person at the controller's office. The register controller may request the registered customer to sufficiently specify which data or processing operations the registered customer's request relates to.
Cookies are small text files that are stored on the user's device when visiting a website. The next time you visit the website, your browser reads the cookie and transfers information back to the website or other party which placed the cookie.
Disabling of cookies
You can disable cookies by changing your browser’s information security settings. Disabling cookies may affect some functionalities and your user experience of the service.
Rukakeskus Oy websites and services contain links and connections to third party websites and so-called social extensions (for example, Facebook social plugins). The third party-maintained plugins on Rukakeskus Oy websites are loaded from the servers of these services.
The appropriate third party user regulations and other conditions apply to the third party services and third party-maintained plugins on Rukakeskus Oy websites and services. More information about the terms and conditions of the third party services can be found from the companies’ websites.