This privacy policy and data protection statement describes the collection and processing of personal data at ISLO Hostel of the Eastern Finland Sports Institute.

We reserve the right to make changes to this privacy policy. It is recommended to review the privacy policy regularly to stay informed of any changes.

Last updated: September 17, 2024.

1. Data Controller and Data Protection Officer

Data Controller:
Eastern Finland Sports Institute Ltd.
Business ID: 0167924-6
Länsikatu 15, 80110 Joensuu
Office: +358 50 408 4792
Email: toimisto@islo.fi

Data Protection Officer:
Kimmo Simontaival, kimmo.simontaival@islo.fi

2. Contact Person for the Register

Petri Pennanen
Länsikatu 15, 80110 Joensuu
Phone: +358 50 452 2659
Email: petri.pennanen@islo.fi

Requests regarding the rights of the data subject should be directed to the contact person responsible for the register.

3. Purpose and Legal Basis of Personal Data Processing

The purpose of personal data processing is the management of guest information and the maintenance of a guest register by the data controller.

Legal basis for data processing:

• The legal basis for personal data processing under the EU General Data Protection Regulation (GDPR) is the individual’s consent, a contract for the provision of accommodation services, the data controller’s legitimate interest, and/or a statutory obligation.
• Personal data is processed in accordance with the law governing the processing of personal data in accommodation and catering activities (308/2006).

4. Content of the Register

The register stores, among other things, the following information about guests:

• Last name, first name, personal identification number or date of birth, home address, postal code, city, phone number, email address, special dietary requirements, nationality, country of origin (if the traveler’s place of residence is not Finland), travel document number (not required from citizens of Nordic countries or residents of Finland), purpose of travel.
• Name of spouse traveling with the guest, names and personal identification numbers or birth dates of underage children.
• Name of the organization, billing address of the organization, and name of the organization’s contact person.
• A group travel notification may be made for travelers participating in a group trip.
• The privacy practices of the reservation system are comprehensively described on the following websites:
  https://www.islo.fi/fi/tietosuojaselosteet/ and https://asio.fi/pdf/gdpr.pdf

If the guest uses a mobile key card, the app will record the guest’s last name, first name, and email address.

• The privacy practices of the locking system and key card app are described on the following website:
  https://www.vingcard.com/en/privacy-center/privacy-notice

The following information is stored about Eastern Finland Sports Institute Ltd. personnel:
last name, first name, and work email.

In areas of ISLO Hostel where video surveillance occurs, signage informs individuals of the surveillance.

• The privacy and data protection statement for the video surveillance system in Eastern Finland Sports Institute premises is comprehensively described on ISLO’s website:
  https://www.islo.fi/fi/tietosuojaselosteet/

Guests can also book accommodation through the Booking.com reservation site, where the guest’s last name, first name, credit card number, and phone number are obtained from the site. Booking.com B.V. acts as the data controller for the reservation system, and Eastern Finland Sports Institute as the data processor. The privacy policy can be found on the following website: Booking.com: Privacy and Cookie Statement.

Accommodation billing is handled through the financial management system. The privacy practices of the financial management system are comprehensively described on ISLO’s website: https://www.islo.fi/fi/tietosuojaselosteet/

The Webropol survey and reporting tool is used to manage accommodation-related registrations and surveys. The privacy policy for Eastern Finland Sports Institute Ltd.’s Webropol system can be found on the website: https://www.islo.fi/fi/tietosuojaselosteet/

Microsoft M365 cloud services are used for delivering reservations and booking confirmations. The privacy policies for Microsoft services can be found on the website: https://privacy.microsoft.com/en-us/privacystatement/

5. Regular Sources of Information

The information recorded in the register is obtained directly from the data subject through phone calls, emails, and other situations where the data subject provides their information. Guests can also book accommodation through the Booking.com website. ISLO Hostel can also be contacted through the Finnish Hostel Association website.

6. Regular Disclosures of Information

Information is generally not transferred outside the EU or the European Economic Area (EEA). However, data may be transferred outside the EU or EEA in the key card system, and in such cases, the parties involved have committed to complying with the EU Commission’s standard contractual clauses (SCCs) in the contractual arrangement.

Guest information is not disclosed to third parties. However, guest information may be disclosed to authorities, such as the police, border control, customs, rescue authorities, health protection authorities, and the armed forces, in accordance with the law on accommodation and catering activities (308/2006, sections 8-9).

7. Systems Used for Data Processing

Personal data is processed using the following electronic systems:

• ASIO – reservation system
• Vingcard – locking system
• M365 cloud services
• Booking.com – application
• Webropol – system
• Netvisor – financial management system

Manual materials:

• Guest notifications

8. Automated Decision-Making, Including Profiling (Article 22 of the EU GDPR)

No automated decision-making or profiling is conducted during the processing.

9. Principles of Personal Data Protection

The processing of the register is carried out with due care, and information processed by information systems is appropriately secured. The data controller ensures that stored data, access rights, and other critical information regarding personal data security are only handled by employees whose job descriptions include these tasks. Each designated user has their own personal username and password for system access.

Manual materials are stored in locked facilities.

10. Retention Period of Personal Data

Personal data collected in the register is retained only for as long as necessary. However, data deletion is carried out no later than two years after collection. Guest notifications are retained for one year from the date of the guest’s arrival.

11. Rights of the Data Subject

Under the EU GDPR, the data subject has the right to:

• Access their personal data.
• Request correction or deletion of their data.
• Request the restriction of processing or object to processing.
• Request the transfer of personal data from one system to another or from one controller to another.
• Withdraw consent if the processing of personal data is based on the data subject’s consent.
• Lodge a complaint with the Data Protection Ombudsman’s Office if the data subject believes that their personal data has been processed in violation of applicable data protection legislation.

Requests regarding the rights of the data subject should be made in writing to the contact person responsible for the register. Not all rights may be applicable in all situations. For example, the basis for processing may affect the rights available. The data controller may require the requester to verify their identity. The data controller will respond to the request within the time period specified by the EU GDPR (within one month). Contact details are provided at the beginning of this privacy policy.