S Group processes your personal data in order to provide the best possible services for you. We store personal data of our hotel and restaurant clients, our business partners and our staff. Personal data includes, e.g. first and last name, telephone number or data on how you use a service.
S Group has allocated the processing of personal data into various registers according to how the data is used. For example, data in the S-Card customer loyalty register is only used for managing memberships.
Most of the registers used by our hotels and restaurants are maintained by the SOK Travel and Hospitality Industry Chain Management. It is, however, possible that our business units act as the data controllers of their own personal data registers.
Processing of personal data
What type of personal data do we collect?
S Group's personal data registers process personal data of customers, staff and business partners. The data processed in each register is based on the purposes of use of such data by the register. We only process personal data that is necessary for fulfilling the purposes of the registers.
How do we use your personal data?
We use data stored in S Group's personal data registers for pre-determined purposes. Based on the register, such purposes may include, for example, activities related to customer relationship management.
How do we collect your personal data?
Your personal data stored in S Group's personal data registers consists mainly of data submitted by yourself, e.g. when making a room or table booking at one of our locations.
Legal grounds for personal data processing
The processing of personal data by S Group's personal data registers has several legal grounds, including law, contract, agreement or legitimate interest.
Who processes your personal data?
Your personal data is only processed by employees of S Group and our service providers, who are specifically tasked with processing of personal data. We will always process your personal data carefully, maintaining good data processing practices.
Further information on the items discussed above, please read the privacy policies of each personal data register.
Travel and Hospitality Industry's customer register
Articles 12, 13, 14 and 19 of the European Union's General Data Protection Regulation (EU) 2016/679 (GDPR)
Postal address: PO BOX 1, 00088 S-RYHMÄ, Finland
Street address: Fleminginkatu 34, 00510 Helsinki
Business ID: 0116323-1
2. Contact details of data protection officer
3. Contact details of officer in charge of register matters
4. Name of the register
Customer register of the Travel and Hospitality Industry
5. Purpose of personal data processing
Personal data is processed for the following purposes:
- the processing of room, table and venue bookings, the production of services
- the identification of customers
- customer relationship management, the consideration of customers
- customer communication related to bookings, contacting customers
- marketing communications
- investigating interruptions and disturbances and communicating them
- the accrual of the loyalty and bonus programme purchases
- visa invitations when booking rooms from Russian hotels
- the payment of booking fees; booking fees can consist of the booking fees of travel agencies, for example
- the development of customer service, research related to the development
- securing the rights of the parties and ensuring the accuracy of services
6. Grounds for personal data processing
The law and the GDPR
- Citizenship (Regulation (EU) 692/2011), purchase data or parts of them for accounting purposes (Accounting Act 1336/1997)
The protection of data subjects
- Payment cards and the related purchase and payment transactions, in accordance with the party which has issued the card
- Customer details related to bookings, such as name and contact details
- language codes, information on fellow travellers or event participants
- invoicing data or other data involving payment or means of payment
- basis for pricing, such as information on a corporate customer account or information about other factors affecting prices
- Purchase data and information on reserved or used services, including point of sale
- class of reserved service, such as room type, and information on any other desired services
- Information on a person's inclusion in the loyalty programmes of S Group or its partners, such as Co-op membership and S-Card or the loyalty programmes of airlines
Data collected on the basis of a legitimate interest
- Gender, information on past and future reservations
- Recordings of phone conversations, email correspondence
- Website and application visits
7. Description of controller's legitimate interests
We want to serve our customers while accounting for their needs and wishes. When we process data concerning titles, gender, or previous or future reservations, we can pre-complete passenger cards, account for a customer's wishes at hotels and restaurants and consider our customers particularly on national holidays or on birthdays. The travel business is about experiences, which means that accommodation and visits to restaurants involve a lot more than just the physical setting and surroundings. As part of the experience, hotels and restaurants are also expected to recognise their customers and consider their special needs.
We also want to consider our customers increasingly better and to improve our services by, for instance, automatic identification when they get in touch with our customer service.
8. The personal data processed
Last name, first names and contact details, such as phone number and email address. Address details, such as home address and any other possible address, such as their workplace address, in accordance with what the customer has indicated.
Language code, the gender possibly deducible from a title, nationality, any other people staying with a customer at the hotel, any possible information concerning employees of S Group, information about the level of loyalty cards.
Basis for pricing, such as corporate information or any other information having an impact on room prices, such as a campaign code.
When invoicing, the invoicing address, if it is different from the other address details provided. Any possible information on deviant behaviour impacting other customers or defaulting on a payment.
Date of birth and passport number, subject to a separate consent, provided that the customer wishes that the visa invitation documents be sent to them when booking St. Petersburg hotels.
Other information improving the implementation of a service, such as information on dietary preferences or the accessibility of rooms.
Information on past and future reservations as well as information on purchases and means of payment.
Information on loyalty cards as well as on any membership in the loyalty programmes of our partners, such as airlines.
Any possible recorded phone conversations, contact history.
9. The categories of personal data processed
Customers' name and contact details, any possible opt-in or opt-out regarding marketing, information about membership in loyalty programmes, information on future bookings, information about past accommodation bookings or restaurant visits, information required for visa invitations. Recordings of phone conversations and contact history.
10. Information source and description of information sources, if the data has been collected from public sources
The collected data is provided directly by the customer or the system that produced the customer's booking. Such systems may include those used by traditional travel agencies, for example, or the systems used by agencies transmitting online bookings.
In the context of group bookings, the data is provided by the party taking care of the booking.
Incomplete data is supplemented on the basis of the customer's notification from the statutory accommodation registry maintained by hotels (Act 308/2006).
Personal data can also be updated from the files of the Population Register Centre and other controllers offering address update and other similar services.
11. Recipients of personal data
The data is transferred to other registers of S Group for the accrual of co-op members' bonuses, for example.
Customer and booking information is transferred to the hotels operated by OOO Sokotel in St. Petersburg in the context of bookings. Any feedback and booking inquiries concerning St. Petersburg units can be transferred to OOO Sokotel.
Customer and accommodation data is sent to the relevant partners, if the person wishes to accrue their purchases in the loyalty programmes maintained by the partners in question.
The booking data and the customer's name is exported to systems that transmit travel agency fees.
Customer and accommodation data is delivered from Radisson Blu hotels to the licence holder for the accrual of purchases related to membership in the loyalty programme, for example.
When a customer gives feedback on a hotel stay or restaurant experience, their data can be transferred to the party carrying out the research automatically.
We ensure the adequate level of our partners' personal data protection in the manner required by legislation.
For the purpose of service production, the data can be transferred other registers of S Group; in the context of signing up for membership, for instance, the data is transferred to the customer register of SOK Travel and Hospitality Industry Chain Management to improve customer service.
We disclose data to the authorities within the limits permitted and required by valid legislation when responding to authorities' requests for information.
12. Transfer of personal data to third countries or international organisations, and the safeguards employed
When booking Russian hotels, the personal data related to the booking is transferred to an environment maintained by OOO Sokotel. OOO Sokotel complies with local legislation when processing the data. The protection is guaranteed by the standard contractual clauses (model clauses) between controllers approved by the European Commission (2004/915/EC).
When transferring data to the United States, we require the recipients to be certified under the EU–USA Privacy Shield.
13. Storage period of personal data or criteria for determining the storage period
The personal data related to bookings will be anonymised or erased no later than when three years have passed since a person's most recent booking. An exception to this concerns the data required by the Accounting Act (1336/1997), which are stored in a separate system maintained by SOK Finance.
Any possible phone recordings are stored for training purposes, to secure the rights of the parties and to ensure the accuracy of the service for six months, at maximum.
14. Rights of the data subject
Data subjects have the right to check the data concerning them and to rectify it by filling in the information request form available on the website of S Group and at customer service points, where the identity of the person making the request is verified.
Data subjects have the right to have data concerning them erased, provided that the controller has no legitimate grounds for storing the data. The request to have data erased is submitted by visiting a customer service point of S Group or at the reception of an S Group hotel, where the identity of the person making the request is verified.
If a data subject wishes to exercise their right to restrict processing or object to processing, they can do so by contacting the controller. The controller must also be contacted if the data subject wishes to have their data transmitted from one system to another.
People also have the right to lodge a complaint with the supervisory authority if they consider the processing of their personal data to violate the applicable data protection provisions.
15. Withdrawing consent
The consent to direct marketing can be withdrawn through a link included in all newsletters.
16. Impact of failure to provide personal data on contracts
Bookings require the customer's personal data to be disclosed to the service provider (hotel, restaurant, meeting venue). Bookings cannot be done if the data is not provided.
A failure to disclose data collected on the basis of content may impact the service provided; the visa invitations for Russia, for example, cannot be delivered to a customer without a passport number and information on their date of birth and gender.
17. The meaningful information of automated decision-making or profiling
Profiling is used to target marketing communications in such a way that the message is sent to a person holding an S-Card and has opted to receive said marketing.
Profiling does not have a legal effect on the data subject.
18. Impact of personal data processing and general description of the technical and organisational security measures
We protect personal data carefully throughout its entire life cycle, by employing the appropriate data protection and information security measures. System suppliers process personal data in secure server facilities. Access to personal data is restricted and our personnel is subject to a non-disclosure obligation.
At S Group, we protect personal data with, among other things, anticipatory risk management and security planning, data communication protection means, the continuous maintenance of information systems and backups and by using secure hardware facilities, access control and security systems. After initial processing, hard copies containing personal data are stored in locked and fire-safe storage facilities. The granting and monitoring of access rights is managed. We train our personnel engaged in the processing of personal data regularly and ensure that the staffs of our partners also understand the confidential nature of personal data and the significance of secure processing. We select our subcontractors carefully. We update our internal policies and instructions on a continuous basis.
If, despite all of our safeguards, personal data falls into the wrong hands, it is possible that the data will be misused and that earned benefits, for instance, will be used on false grounds. If we detect an event of this kind, we will start investigating it immediately and attempt to prevent any damage it may cause. We will inform the relevant authorities and data subjects of any information security breaches in accordance with legislative requirements.