Privacy policy

Data controller
Hotel Kakola Oy, Kakolankatu 14, 20100 Turku, y-tunnus 3093306-3

Contact person for matters related to the register
For matters related to the register and the rights of the data subject, the contact person is: Johanna Lähteenmäki tel: +358 25150555

Register Name
Hotel Kakola Oy – customer register

Legal basis for processing personal data
The processing of personal data is based on legitimate interests, i.e., the processing of personal data in the customer register is based on the customer relationship of consumer customers and business customers with Hotel Kakola Oy. The data controller also processes customer data based on an agreement between the data controller and the data subject. This basis is used for processing personal data collected from customers when making restaurant or room reservations and for restaurant and room billing.

Purposes of processing personal data
The purposes of processing customer data in the customer register include:
• Processing of customer reservations
• Managing and developing customer relationships
• Customer communication
• Sales and delivery of services
• Marketing of services
• Processing of personal data related to payments, billing, monitoring of payments, and debt collection
• Development of the data controller's business and customer services
Any special dietary information provided by the customer is used solely for food preparation and service.

Processed personal data
The data controller processes the following personal data:
• Customer's first and last name, date of birth, phone number, address, email address
• Nationality
• Information related to reservations
• Information about the use of services and purchases
• Customer's payment methods, billing information, possible payment delay information
• Information about customer preferences and requests
• Possible customer feedback and complaint information
• Direct marketing opt-out information as required by law
In the case of business customers, the data controller processes the following personal data:
• Contact person's name, address, email address, phone number
• Possible customer feedback and complaint information
• Possible customer feedback and complaint information

Sources of personal data
The data controller receives personal data from:
• The data subjects themselves, e.g., through email and phone contact or during sales promotion events
• Data obtained from the use of services and visits
• Through their website's order and quote request forms
• From external restaurant table reservation websites
• From external hotel reservation service companies
• From the data subject's employer when making service reservations
• From external sources such as public registers

Recipients or recipient groups of personal data:
Only individuals whose job tasks require processing of the data have access to the customer register. Separate usernames and passwords are required to access the register. Data is not disclosed to external parties, but information may be disclosed to authorities based on their lawful data requests.

Transfer of data outside the EU
In providing services, we use subcontractors who may be located outside the EU or the European Economic Area. When transferring data outside the EU and EEA, we ensure the adequate level of protection of personal data by, among other things, agreeing on the confidentiality and processing of personal data in the manner required by law.

Retention period of personal data
Personal data in the customer register is processed for the duration of the customer relationship. The data controller considers the customer relationship terminated if the customer has not used the company's services for 2 years.
After the termination of the customer relationship, data can still be retained and processed if there is a legitimate reason or for the handling of complaints. The retention of information in the customer register complies with the retention periods required by law, such as the Accounting Act. Information required by the Accounting Act is retained as long as required by the law. The contact details of business customers are deleted in a similar manner after the termination of the customer relationship. Data can be retained even after this if there is another legitimate reason. When information is processed based on the agreement between the data controller and the data subject, the data will be retained for as long as necessary for the fulfilment of the agreement. After the agreement has been executed, the data will be retained for as long as the customer relationship exists or there is another legal basis for processing (e.g., complaint cases or accounting laws). During the customer relationship, only information necessary for the specified purposes is processed. The data controller regularly performs periodic checks to remove unnecessary information.

Data Subject's Rights
Data subjects have the right to request access to their personal data and the right to request correction if the data is inaccurate. Upon request by the data subject, data processing can be restricted, or the data can be deleted from the register entirely. Data subjects have the right to object to the use of their data such as in direct marketing.

Right to lodge a complaint with the supervisory authority
Data subjects have the right to lodge a complaint with the relevant supervisory authority if they believe that the data controller has not complied with applicable data protection regulations.

Requests relating to the exercise of data subject rights
For questions related to the processing of personal data and situations involving the exercise of personal rights, the data subject can contact the data controller's contact person mentioned in section 2.
Requests for the right of access or other requests related to the exercise of data subject rights should be made in writing, either by email or by mail. The request can also be made in person at the data controller's office. The data controller may request the data subject to specify in a sufficiently detailed manner the information or processing activities to which the data subject's request pertains.

To ensure that personal data is not disclosed to anyone other than the data subject, the data controller may, if necessary, request the data subject to provide a signed access request. The data controller may also request the requestor to prove their identity with an official identity document or in another reliable manner.