Söderfjärden B&B’s registry and Privacy statement
Register and data protection statement according to the EU General Data Protection Regulation (GDPR). Latest change 14 June 2023.
1 Registrar
The registrar of the register is Söderfjärden B&B
The contact person for registry matters is: Camilla Ostberg
Phone: +358 505939632
Email: ostbergcamilla@gmail.com
2 Registry name
The name of the register is Söderfjärden B&B contact and customer register.
3 Purpose of personal data processing
Personal data is processed for purposes related to managing and developing customer relationships, providing and delivering services and developing services, processing job applications and invoicing. Personal data is also processed for the purposes required to settle possible complaints and other claims.
In addition, personal data is processed in communications aimed at customers, such as for information and news purposes, as well as in marketing, as part of which personal data is also processed for purposes related to direct marketing and digital marketing.
The customer has the right to refuse direct marketing aimed at her/him.
4 Legal grounds for processing personal data
The legal bases for the processing of personal data are the following bases according to the EU General Data Protection Regulation (hereinafter also “GDPR”):
the data subject has given his consent to the processing of his personal data for one or more specific purposes (GDPR 6 art. 1.a); the processing is necessary for the implementation of an agreement to which the data subject is a party, or for the implementation of pre-contractual measures at the request of the data subject (GDPR 6 art. 1.b); the processing is necessary to fulfill the legitimate interests of the controller or a third party (GDPR 6 art. 1.f).
The aforementioned legitimate interest of the data controller is based on a relevant and appropriate relationship between the data subject and the data controller, which is a consequence of the fact that the data subject is a customer or partner of the data controller, and when the processing takes place for purposes that the data subject could reasonably have expected at the time of the collection of personal data and in connection with the relevant relationship.
5 Data content of the register (groups of personal data to be processed)
The register by default contains the following personal information about all registered persons: the person’s basic information and contact information: [first name, last name, address, telephone number, e-mail address]; information related to the person’s company or other organization and the person’s position or job title in a company or organization; the person’s direct marketing permits and prohibitions. Regarding job applications, information provided by the applicant.
6 Regular sources of information
Personal data is collected from the registered person himself. Personal data is also collected and updated within the limits of the applicable legislation from generally available sources, which are related to the implementation of the customer relationship between the controller and the registered person and with which the controller fulfills its obligations related to maintaining customer relationships.
7 Personal data retention period
The information collected in the register is kept only for as long and to the extent necessary in relation to the original or compatible purposes for which the personal information was collected.
The need to retain personal data is assessed annually, and in any case, information about the registered person is removed from the register at the request of the registered person. Accounting documents are kept for five years after the end of the accounting period.
The controller evaluates the necessity of storing data regularly in accordance with its internal code of conduct. In addition, the controller takes all possible reasonable measures to ensure that personal data that is inaccurate, incorrect or outdated in relation to the purposes of the processing is deleted or corrected without delay.
8 Recipients of personal data (recipient groups) and regular transfers of data
Personal data will not be disclosed to external parties.
9 Data transfer outside the EU or EEA
Personal data included in the register will not be transferred outside the EU or EEA.
10 Principles of registry protection
Materials containing personal data are stored in locked rooms, to which only designated and authorized persons have access due to their duties. The database containing personal data is on a server, which is kept in a locked state, to which only designated and authorized persons have access due to their duties. The server is protected by an appropriate firewall and technical protection.
Access to databases and systems is only possible with separately issued personal user IDs and passwords. The registrar has limited access rights and authorizations to information systems and other storage platforms in such a way that the data can be viewed and processed only by the persons necessary for their legal processing. In addition, the usage events of databases and systems are registered in the log data of the controller’s IT system. The employees and other persons of the registrar are committed to observe the obligation of confidentiality and to keep secret the information they receive in connection with the processing of personal data.
11 The right of inspection and the right to demand correction and deletion of information
Every person in the register has the right to check their information stored in the register and demand the correction of any incorrect information or the completion of incomplete information. If a person wants to check the information stored about him or demand correction, the request must be sent in writing to the controller. If necessary, the registrar may ask the requester to prove his identity. The controller responds to the customer within the time stipulated in the EU data protection regulation (generally within a month).
A person in the register has the right to request the removal of personal data about him from the register (“right to be forgotten”). Those registered also have other rights according to the EU’s General Data Protection Regulation, such as limiting the processing of personal data in certain situations. Requests must be sent in writing to the controller. If necessary, the registrar may ask the requester to prove his identity. The controller responds to the customer within the time stipulated in the EU data protection regulation (generally within a month).