Privacy/GDPR

Information document regarding the processing of personal data in the customer register of Pieksämäen Kinolinna Oy in accordance with the EU General Data Protection Regulation.

Data Controller

Pieksänlinna Oy

Business ID: 0750581-0

Address: Lipatie 1, 76850 Naarajärvi

Contact Information for Matters Concerning the Register

Contact person for matters related to the register and the exercise of data subject rights:
Rami Lepistö – rami @ pieksanlinna.fi

Register Name

Hotel Pieksänlinna customer register


Legal Basis for Processing Personal Data

The processing of personal data in the customer register is based on legitimate interest, i.e., the customer relationship between consumer customers and corporate customers with Pieksämäen Kinolinna Oy. The data controller also processes customer information based on the agreement between the data controller and the data subject. Personal data collected from customers when making room reservations or for service – as well as for room billing purposes – are processed on this basis.

Purposes of Processing Personal Data

The purposes of using customer information in the customer register include:

  • Processing of reservations made by customers
  • Management and development of customer relationships
  • Possible customer communication
  • Sale and delivery of services
  • Marketing of services
  • Processing of personal data related to payment, billing, monitoring of payments, and debt collection
  • Development of the data controller’s business and customer services

Processed Personal Data

The data controller processes the following personal data:

  • Customer’s first and last name, date of birth, phone number, address, email address
  • Nationality
  • Reservation-related information
  • Information about the use and purchase of services
  • Customer’s payment method information, billing information, possible information on payment delays
  • Information about customer preferences and requests
  • Possible customer feedback and complaint information
  • Direct marketing opt-out information as required by law

For corporate customers, the data controller processes the following personal data:

  • Contact person’s name, address, email address, phone number for corporate customers
  • Possible customer feedback and complaint information
  • Direct marketing opt-out information as required by law provided by the company’s contact person

Sources of Personal Data

The data controller obtains personal data from:

  • Data subjects themselves, e.g., through email, reservation system, or phone calls
  • Information obtained from the use of services and visits
  • From external hotel booking service companies
  • From the data subject’s employer when booking services
  • From external sources such as public registers

Processing of Personal Data

Only individuals whose job responsibilities include handling the customer register data are allowed to process the data. Access to the register requires separate usernames and passwords. The information is not disclosed to individuals outside of employment or specifically established cooperation with Pieksänlinna Oy. However, information may be disclosed to authorities based on their legally mandated requests for information.

Transfer of Data Outside the EU

We use subcontractors for service delivery, some of whom may be located outside the EU or the European Economic Area (EEA). When transferring data outside the EU and the EEA, we ensure an adequate level of data protection by, among other things, entering into agreements on the confidentiality and processing of personal data as required by law.

Retention Period of Personal Data

Personal data of customers in the customer register are processed for the duration of the customer relationship. The data controller considers the customer relationship terminated if the customer has not used the company’s services for two (2) years.

After the termination of the customer relationship, data may still be retained and processed if necessary for justified reasons or for handling complaints. The retention period of the data in the customer register complies with the legal requirements such as the Accounting Act. Information required by the Accounting Act is retained for as long as the Accounting Act requires.

Contact details of corporate customers’ contact persons are deleted in a similar manner after the termination of the company’s customer relationship. However, information may still be retained if there is another legal basis for it.

When data is processed based on a contract between the data controller and the data subject, the data is retained as long as it is necessary for the performance of the contract.

Once the agreement has been fulfilled, the data will be retained for as long as the customer relationship exists or there is another legal basis for processing (e.g., complaint cases or accounting legislation).

During the customer relationship, only data necessary for the defined purposes are processed. The data controller conducts periodic reviews to delete unnecessary information.


Data Subject Rights

The data subject has the right to request access to their personal data and to request the correction of any inaccuracies.

Upon the data subject’s request, the processing of data may be restricted or the data may be completely deleted from the register.

The data subject has the right to object to the use of data, for example, in direct marketing.

Right to Lodge a Complaint with the Supervisory Authority

The data subject has the right to lodge a complaint with the competent supervisory authority if they believe that the data controller has not complied with the applicable data protection regulations in their operations.

Requests Related to Exercising Data Subject Rights

For questions regarding the processing of personal data and situations related to the exercise of one’s own rights, the data subject can contact the contact person mentioned at the beginning of this document.

Requests regarding the right to inspect or any other requests related to the exercise of data subject rights should be made in writing via email. Since all actions required for making a reservation can only be carried out electronically, email is a justified channel for sending the request. The request can also be made in person at the data controller’s premises. The data controller may request the data subject to sufficiently specify which information or processing actions the request concerns.

To ensure that personal data is not disclosed to anyone other than the data subject in relation to the exercise of data subject rights, the data controller may, if necessary, request the data subject to submit the inspection request with a signature. The data controller may also request the requester to prove their identity with an official identification document or by other reliable means.


Last edited: 03.04.2024