1 Data controller

Data controller:  Naali Travel Oy (2871743-3)
Contact person: Catherine Chevillard
Company:  Naali Travel Oy (Naalilodge)
Address: Saarisiulantie 16 A 1, 97900 Posio
Phone: 044 9749691
Email: catherine@naalilodge.com

2 Name of the data register

Naali Travel Oy customer register.

3 Data processing purposes

Personal data is being processed for purposes related to billing, customer relationship management, and development and to providing, delivering, and developing services. An example of these services would be catering or equipment rental. We will also process personal data while handling possible complaints or other claims.

In addition, we will process personal data in our customer-targeted communication, such as informing and marketing. Personal data will also be processed in our digital direct marketing.

A customer has the right to refuse targeted marketing.

The data controller processes the personal data itself and utilizes third-parties acting on behalf of and for the account of the controller.

4 Legal grounds of data processing

The legal bases for the processing of personal data are the following in accordance with the General EU Data Protection Regulation (hereinafter also the “GDPR”):

  • the data subject has consented to the processing of his or her personal data for one or more specific purposes (Article 6 1.a of the GDPR);
  • processing is necessary for the execution of a contract to which the data subject is a party or for taking pre-contractual measures at the request of the data subject (Article 6 1.b of the GDPR);
  • the processing is necessary to achieve the legitimate need for the controller or a third-party interest (6 GDPR art. 1.f).

The data subject’s legitimate interest referred to above is based on a relevant and appropriate relationship between the data subject and the data controller, which is a result of the data subject being a customer to the data controller and based on processing for purposes which the data subject could reasonably have expected at the time and during the appropriate relationship.

5 The data content of the register (data subject groups processed)

The register contains the following personal data of all registered persons:

  • basic information and contact details of the person: [first name, surname, phone number, e-mail address];
  • information related to the person’s business or other organization
  • other self-reported information, food allergies, or other additional information


6 Regular sources of personal data

Personal information is collected directly from the registered person.


Personal data will also be collected and updated, within the limits of the applicable law, from publicly available sources related to carrying out the customer relationship between the controller and the data subject and through which the controller fulfills its customer relationship responsibilities.


7 Retention period of personal data

The data collected to the register will be kept only for as long and to the extent necessary in relation to the original or related purposes for which the personal data was collected.

The need to retain personal data is assessed annually, and the data of the data subject will be deleted from the register one year after the end of that data subject’s customer relationship with the controller and the customer relationship obligations and measures have been completed.

The controller regularly assesses the need for data retention in accordance with its internal code of conduct. In addition, the controller takes all reasonable measures to ensure that inaccurate, incorrect, or out of date personal data are deleted or rectified without a delay.


8 Recipients of personal data (groups of recipients) and regular disclosures of data

Personal data will not be disclosed to third parties.


9 Transferring data outside of the EU or EEA

The personal data collected will not be transferred outside the EU or the EEA.


10 Security principles

Materials containing personal data are kept in locked premises to which only designated and authorized persons have access.

The database containing personal data is held on a server, which is stored in locked premises, that are only accessible by designated and authorized persons. The server is protected by an appropriate firewall and technical protection.

Access to databases and systems is only possible with separately issued personal usernames and passwords. The controller has limited the access rights and authorizations to the information systems in such a way that the data can be viewed and processed only by persons who are necessary for their lawful processing. In addition, database and system access transactions are recorded in the log data of the controller’s IT system.

The controller’s employees and other persons committed to confidentiality when processing customers’ personal data.


11 Data subject rights

The data subject has the following rights under the EU general data protection regulation:

the right to receive a confirmation from the controller that personal data concerning him or her are being processed or not processed and, if such personal data are being processed, the right to access the personal data and the following information: (i) the purposes of the processing; (ii) the data subject groups that are processed; (iii) the recipients or recipient groups that have received or are about to receive the personal data; (iv) the planned retention period of data or if not possible, the criteria by which the retention period is being defined; (v) the right of the data subject to request from the controller the rectification or erasure of personal data concerning him or her or to restrict or object to the processing of personal data; (vi) the right to file a complaint with the supervisory authority; (vii) all available information about the origin of the data if personal data are not collected from the data subject (GDPR 15 art.). The described basic information (i) – (vii) will be provided to the registrant on this form;

the right to withdraw consent at any time without affecting the legality of the informed consent prior to withdrawal (GDPR 7 art.);

the right to have inaccurate and incorrect personal data concerning the data subject rectified by the controller without undue delay and the right to have incomplete personal data supplemented, inter alia by providing additional information taking into account the purposes for which the data were processed; (GDPR 16 art.);

the right to have the controller delete personal data concerning the data subject without undue delay, provided that (i) personal data are no longer needed for the purposes for which they were collected or which they were otherwise processed for; (ii) the data subject withdraws the consent on which the processing is based and there are no other legal bases for the processing; (iii) the data subject objects to the processing on the basis of his or her specific personal situation and there is no valid reason for the processing or the data subject objects to the processing of data for direct marketing purposes; (iv) personal data has been processed unlawfully; or (v) personal data must be deleted in order to comply with a legal obligation applicable to the controller under Union law or national law (GDPR 17 art.);

the right to have the controller restrict the processing, if (i) the data subject disputes the accuracy of the personal data, in which case the processing is limited until the controller can verify their accuracy; (ii) the processing is unlawful and the data subject opposes the deletion of personal data and instead demands restricted use of the data; (iii) the controller no longer needs such personal data for the purposes of the processing, but the data subject needs them in order to establish, present or defend a legal claim; or (iv) the data subject has objected to the processing of personal data on the basis of his or her specific personal situation pending verification that the data subject’s legitimate reasons override the data subject’s reasons; (GDPR 18 art.);

the right to have personal data concerning him or her communicate to the controller by the data subject in a structured, commonly used and machine-readable form and to transfer such data to another controller without prejudice to the controller to whom the personal data have been transmitted, subject to consent under the regulation (GDPR 20 art.);

the right to complain to the supervisory authority if the data subject considers that the processing of personal data concerning him or her violates the general EU data protection regulation; (GDPR 77 art.).

Requests for the exercise of the data subject’s rights shall be addressed to the controller’s contact person referred to in paragraph 1.

12 Web analytics

The following services collect anonymized information about visits to the website without including personal information.

  • Google Analytics
  • Facebook

13 Targeted marketing

Based on your page views, we may run targeted advertising on the following services

  • Facebook
  • Instagram

Sometimes we may place a cookie file on your device when you visit our website. The cookie is a small text file that the used internet browser saves onto the user’s device. Cookies are installed on the user’s device only based on the website the user has inducted. Only the server that sent the cookie is able to read and use the cookie. Cookies do not harm the user’s device or files, and cookies cannot be used to transmit or use malware or any other software. A user cannot be identified solely based on cookie information.

The cookies are used to improve analytics, marketing, and communication. The cookies are divided into the following subcategories: functional cookies, product development and business reporting, marketing reporting, and targeted marketing.

There are some third-party tools and applications in use that are necessary for the service to function. Such tools may include social media and video services’ embeddings or social media sharing and liking functionalities. These third-party applications may in addition collect information of the web services users in order to e.g. recommend content or follow visitor amounts.

You can prevent your browser from using cookies, delete cookies installed, or make your browser to notify you about new cookies. You can find more information about cookies and how to delete them from https://www.aboutcookies.org/ Rejecting cookies may influence the user experience on our website and prevent you from utilizing some functionalities or services.

You may read more about cookies and the Finnish requirements concerning cookies from Traficom’s website: https://www.kyberturvallisuuskeskus.fi/en/our-activities/regulation-and-supervision/confidential-communications

We reserve the right to update the cookie policy upon the development of these services or due to changes in legislation.