Combined privacy and information notice in compliance with the Finnish Personal Data Act and the General Data Protection Regulation (2016/679/EU) of the European Union.
Drawn up on 20 February 2019
1.0 Controller, company ID and contact information
Urban Sanctuary is a Business Concept and Brand of Ikigai Solutions Ltd.
IKIGAI SOLUTIONS LTD
Incorporated on 2 June 2017
32/8 Hardengreen Business Park
Eskbank, Scotland, EH22 3NX
2.0 Contact in database and data protection related matters
+44 131 229 6346 / email@example.com
3.0 NAME OF THE DATABASE
Urban Sanctuary Customer Database / Simplybook.it
4.0 Purpose and reason for processing personal data
The processing of personal data is based on customer or contractual relationship, other justified grounds or the express consent of the data subject. Personal data may be processed to meet contractual or legal obligations and to maintain contacts with data subjects and other relevant parties in terms of managing contractual relationships, to send news and other information, to market products and services, to conduct market analyses, and to develop business activities.
4.1 The information in the customer database may be used for the following purposes:
Maintenance and development of customer relationships
Production, provision, development, improvement and protection of services
Invoicing, debt collection and verification of customer transactions
Service analysis and statistics
Customer communication, marketing and advertising
Protection and securing of the rights and/or assets of the controller and other persons and parties involved in assignments to provide services, management of the controller’s legal obligations and other similar purposes.
5.0 Contents of the database
The information collected on the data subject may include the following: name and necessary contact information, such as address, telephone number, email address, business ID, position in the organisation, date of birth or personal identity code; information on the products and services ordered by the customer, including delivery and invoicing information; messages, comments, materials, approvals, prohibitions and customer feedback exchanged between the controller and the data subject or another party required to manage the contractual relationship.
6.0 Data sources
The information to be saved in the customer database is obtained from the data subjects themselves, technically from the use of the Internet and digital services by the data subjects, analysis services provided by third parties such as Google Analytics, public data sources or providers of public contact information services.
7.0 Data disclosures
In principle, no data is disclosed to third parties. However, data may be disclosed for a justified, well-founded purpose.
8.0 Transfer of data outside the EU or the EEA
In principle, no personal data is transferred outside the EU or the EEA. However, if data is transferred, the controller will ensure that the personal data is protected sufficiently by measures such as agreeing on the confidentiality and processing of personal data in a manner required by law.
9.0 Principles of protecting personal data
Electronically or manually processed materials are stored, protected appropriately, on a computer or a storage medium in the controller’s premises or, protected appropriately, on an external server or in an external service. The data may only be processed by the controller’s staff members who need the data to perform their duties.
The personal data is protected from access by third parties by means of technical solutions and applications. Confidential data, such as bank and credit card data, is collected and transferred by using SSL-protected connections.
10.0 Retention periods
In principle, customer data is deleted when there is no need for retaining personal information. If the collection and retention of personal data is based solely on the customer’s consent, the data is deleted at his/her request. In principle, regular customer data related to invoicing, accounting and email services is retained in the storage facilities of third party service providers. The customer data is retained in the services as long as business operations continue and customer relationships exist. The customers may delete their email addresses from email services by deleting their email accounts from the mailing lists.
11.0 Right of access
In principle, every data subject has the right to access the personal data held on him/her to check its accuracy. A subject access request must be sent to the controller’s contact person at the above address in writing by mail or electronically.
12.0 Right to rectify or delete
Every data subject has the right to request that inaccurate data on him/her is rectified or deleted. A rectification/deletion request must be sent to the controller’s contact person at the above address in writing by mail or electronically.
13.0 Other rights related to the processing of personal data
All data subjects have the right to request that their data is transferred to another service provider in an electronic format, to cancel their consent to the processing of their personal data, and to forbid the processing of their personal data for the purpose of distance sales and other direct marketing, market surveys or opinion polls. The request must be sent to the controller’s contact person at the above address in writing by mail or electronically.
The information in the marketing database is retained until further notice.
The controller retains personal data in compliance with legislation that is valid at the time concerned and only as long as retaining the information is necessary to meet the purposes described in this privacy notice.
Visitors to the controller’s website may clear or disable cookies in the settings of the browsers that they use. It may, however reduce the user experience or cause malfunctions.
All data subjects have the right to object to the processing of their personal data, to demand that the processing of their personal data is restricted, and to submit a complaint to the Office of the Data Protection Ombudsman (https://gdpr-info.eu/).