Privacy Policy
Peurunka Oy adheres to the applicable laws, regulations, and other authority directives regarding the processing of personal data, as well as the internal guidelines provided to Peurunka’s staff. The purpose of data protection legislation is to safeguard a confidential customer relationship, which is closely related to high-quality customer service. The goal is transparency in relation to the customer and strict compliance with confidentiality obligations towards third parties.
The privacy policies for different customer groups can be accessed through the links below. If you need additional information, the persons responsible for each register, as listed in the privacy policies below, can provide assistance.
-
Privacy Policy for Rehabilitation at Peurunka
Privacy policy in accordance with Article 13 of the EU General Data Protection Regulation 2016/679
Updated on 15.12.2021
- Registry
Rehabilitation data registry (patient data registry)
- Data Controller
Peurunka Oy (business ID 0176471-5), Peurungantie 85, 41340 LAUKAA
Phone: 020 751 601, Fax: 020 751 603
- Contact Person for Registry-related Matters
Responsible Doctor: Pekka Tiura, Phone: 020 7516 770, pekka.tiura@peurunka.fi
- Data Protection Officer Contact Details
Data Protection Officer: Jari Tuomala, Phone: 020 7516 511, jari.tuomala@peurunka.fi
- Purpose and Legal Basis for Processing Personal Data
The planning, implementation, and follow-up of rehabilitation for rehabilitation clients, as well as quality assurance.
Rehabilitation records with attachments are patient records generated in a healthcare unit. The purpose of these records is to assist in the planning and implementation of rehabilitation and to ensure continuity of the process. Healthcare professionals are obligated to record the necessary information for the intended purpose in the documents. Patient records must not be used or processed for purposes other than the original intended use, even if the healthcare unit ceases operations. Based on the above, all rehabilitation events are documented in accordance with good professional practice in an appropriate manner, so that they can be reviewed during and, if necessary, after the rehabilitation process.
Personal data is processed in accordance with data protection legislation.
- Contents of the Registry
- Personal information: Name, personal identification number, contact details
- Referral information, admission assessment details, treatment and rehabilitation details, discharge assessment details, test results, treatment duration details
- Contact details of relatives, if necessary: Name, address, phone number
- Regular Sources of Information
Information provided by the client, information received from referring and previously treating parties with the client’s consent, information obtained from examinations and assessments conducted at Peurunka.
- Regular Disclosure of Information
Information is disclosed to:
- The client themselves (a written copy of the rehabilitation feedback with attachments)
- Personnel directly involved in the rehabilitation process, only to the extent necessary for their duties
- The referring party and other treating parties, only with the client’s consent
- Other parties, only with the client’s written consent, in a form approved by the client
- The party organizing and/or funding the rehabilitation, only to the extent required for reporting
- Certain authorities (e.g., Valvira, Regional State Administrative Agency), as required by laws and regulations
- Transfer of Data Outside the EU or EFTA
No data stored in the registry is transferred outside the EU or EFTA.
- Data Retention Period
Patient data is retained for 12 years after the patient’s death or, if the date of death is unknown, for 120 years after the patient’s birth.
- Principles of Registry Security
- Manual data: The protection follows the law concerning the status and rights of patients, as well as Peurunka’s data protection guidelines. Information contained in rehabilitation documents is confidential. Paper documents are stored in locked facilities designed for archiving and approved by authorities.
- Electronic data: General principles as mentioned above. The electronic management system used is Kuntomaster, where the client’s basic information, payment guarantee details, rehabilitation period information, and appointment details are stored. The electronic patient data system used is Mediatri, where client data is saved. Necessary data is transferred from Kuntomaster to Mediatri automatically once a day. Data required for billing is automatically transferred to the hotel system from Mediatri. Access to data systems is restricted to personnel involved in rehabilitation, only to the extent necessary for their duties (personal username and password). Usage monitoring is conducted through system capabilities, such as the log data system, and is carried out according to a separate plan. The systems are also protected by antivirus software and a firewall.
- Rights of the Data Subject
Every data subject generally has the right to review the information concerning themselves. The right of access is free of charge if exercised no more than once per year (12 months). The review request must be made in writing, either by a personally signed letter or in person at the data controller’s premises. Review requests should be addressed to the person responsible for registry matters (see section 3).
Every data subject has the right to request the correction of inaccurate data in the registry. The correction request must be made in writing and be sufficiently specific. Correction entries will follow applicable legislation, other authority directives, and Peurunka’s internal guidelines. Correction requests should be addressed to the person responsible for registry matters (see section 3).
The data stored in the rehabilitation data registry is only used for the purposes described in section 5. The data controller does not disclose data for purposes such as direct marketing, remote sales, other direct marketing activities, market or opinion research, personal directories, or genealogy. Therefore, the data subject does not need to separately prohibit the use of registry data for the aforementioned purposes.
-
Customer Register/Peurunka Oy
REGISTER AND PRIVACY POLICY:
Peurunka Oy Customer Register
Privacy and register policy of Peurunka Oy in accordance with the EU General Data Protection Regulation (GDPR), the Finnish Personal Data Act (Sections 10 and 24), the Act on Accommodation and Catering Services (Section 7), and marketing legislation.
This privacy and register policy includes a description of Peurunka Oy’s customer register, where customer data is processed from the perspective of legal requirements, public duties, customer relationship management, sales, and marketing.
Created on 20.4.2018, updated on 14.6.2022
- Data Controller
Peurunka Oy, Peurungantie 85, 41340 Laukaa
Phone: 020 751 601, Email: peurunka(at)peurunka.fi
- Contact Person Responsible for the Register
CEO Timo Kaisla, Peurungantie 85, 41340 Laukaa
- Name of the Register
Peurunka Oy’s Customer Register
- Legal Basis and Purpose of Processing Personal Data
Peurunka Oy collects and maintains customer data in accordance with the applicable legislation to fulfill legal and public obligations, manage and develop customer relationships, execute services and events, verify customer transactions, improve customer service and business operations, and handle billing and credit control. Additionally, the data is used for advertising, marketing, market research, and targeted direct marketing for registered customers who have given consent or have established such an agreement. Communication identification data may be used for legal purposes such as information dissemination, sales, and marketing. The data is not used for automated decision-making or profiling.
The legal basis for processing personal data under the EU General Data Protection Regulation is:
- The accommodation law MaRaL 308/2006 requiring a guest register for guest reporting, maintaining public order and safety, preventing and investigating crimes, and for statistical purposes (law and public duties)
- Customer relationship, which is established when booking accommodation, services, or making purchases (legitimate interest)
- Consent for direct marketing, opinion and market research, and subscription to newsletters (consent)
- Business contract, loyalty agreement, or service subscription for sports services, etc. (contract)
- Contents of the Register
The following information is collected and stored in the register, depending on the customer relationship or customer preferences:
Customer Information
- Individual customers/travelers: First and last name, Finnish personal ID or date of birth, customer number, contact details (phone number, home address, email address, and billing address if applicable), title or profession, language code, gender, and nationality, as well as the country of origin. Names and Finnish personal IDs or birth dates of adults and children staying with the guest. The travel document number for the guest, except if they are a Nordic citizen or resident in Finland. Arrival and departure dates of the guest and the purpose of the stay.
- Company/organization contacts: Contact person(s) details according to individual customer information, company/organization details, contact information (email, phone number, address), website addresses, company location, interests in corporate customer services, or details of ordered services and their changes, billing information, and other details related to the customer relationship and ordered services.
Customer Relationship Information
- Usage, purchase, booking, and cancellation information (reservation history and future bookings). Information on how the service was purchased or found. Payment method and payment behavior details, as well as billing information. Customer feedback and contacts. Information related to customer preferences, e.g., desired services, room category, etc. Information on any agreements (corporate contract, sports contract, loyalty membership, partnership, etc.).
Sales and Marketing Information
- Customer’s consent for direct marketing via email, SMS, and other digital systems. Information on prohibiting direct marketing, distance selling, and other forms of direct marketing according to legislation. Profiling and interest data, if provided by the customer.
- Information on the use of services such as browsing and search data (cookies).
Other Information Collected with Customer’s Consent
- Information provided by the customer that is necessary for the safe and seamless provision of the requested service (e.g., mobility restrictions, injuries, illnesses, etc.).
Guest registration information (individual customers/travelers) is retained manually for 1 year. In systems, registration data is stored for the duration of the customer relationship or contract, or until the customer notifies otherwise. The contract or customer relationship ends when notified by the customer or after three years of inactivity in the system.
- Regular Sources of Information
Customer information is obtained from the registered individual during the offer process, accommodation or service reservation, purchase, and/or guest registration, as well as from the data controller’s guest register. Information is also received from the customer when they provide details, for example, during a marketing campaign, exhibition, public event, competition, or other interactions through various channels, and when they give consent for the use of their information. Contact information may also be acquired from service providers that maintain company and customer registers. In customer service situations, phone calls may be recorded, and other communication, such as emails, may be stored.
We prioritize the accuracy and timeliness of customer information, which is why data may be collected, stored, and updated from publicly and freely available information services maintained by data controllers.
- Regular Disclosures and Transfer of Data Outside the EU or EEA
Customer data is not regularly disclosed to other parties. Data may be disclosed as agreed with the customer or if essential for safety. Data may be disclosed to subcontractors/service provider networks (producers of Peurunka’s program services, catering services, event producers) to the extent necessary or as defined by law. These disclosures aim to ensure the customer’s safety during service delivery and the flexibility of customer service.
Information in the guest register may be disclosed to authorities for the purposes and to the extent required by MaRaL. Guest information is not typically transferred outside the EU or EEA. The privacy policy is available on Peurunka’s website and at the hotel reception.
- Principles of Register Security
Only employees who are authorized to handle customer information as part of their duties have access to systems containing customer data. Each user has a personal username and password for the system.
Care is taken in handling the register. Data is collected in databases that are protected by firewalls, passwords, and other technical safeguards. The databases and their backups are located in locked facilities, and only designated personnel have access to the data.
Manual records are stored in archives. Manual registration forms are destroyed immediately after the data is entered into the system, unless their retention is based on law or public duty, in which case the data is retained accordingly. Digital data is stored in databases. User management is the responsibility of the IT department in cooperation with designated administrators. Servers are located in Peurunka’s own or an authorized operator’s locked facilities. User monitoring is the responsibility of the manager of each unit. Only designated personnel have access to the databases.
Peurunka Oy ensures that the principles of privacy protection and personal data legislation are followed. The data is handled carefully and confidentially.
- Right to Access and Correct Information
In accordance with Section 26 of the Personal Data Act, registered individuals have the right to access their data in the register and the right to request the correction of any inaccurate or incomplete data. Inspection requests must be made in writing and sent, signed, to the address mentioned in Section 2. The data controller may also correct such data on its own initiative. The data controller may request proof of identity from the person making the request. The data controller will respond to the customer within the time specified in the EU data protection regulation (generally within one month).
- Other Rights Related to the Processing of Personal Data
Registered individuals have the right to request the deletion of their personal data from the register (“the right to be forgotten”). The registered individual also has other rights under the EU General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations. Requests must be sent in writing to the data controller. The data controller may request proof of identity from the person making the request, if necessary. The data controller will respond to the customer within the time specified in the EU data protection regulation (generally within one month).
-
PRIVACY POLICY
Personal Data Act (523/1999) Sections 10 and 24
CAMERA SURVEILLANCE IN PEURUNKA’S PREMISES AND OUTDOOR AREAS
Prepared: 22.5.2018, Updated: 14.6.2022
Data Controller
Peurunka Oy (business ID 0176471-5)
Peurungantie 85, 41340 LAUKAA
Contact Person for Registry Matters:
CEO Timo Kaisla, Peurungantie 85, 41340 Laukaa
Purpose of Processing Personal Data:
Camera surveillance is conducted to ensure general safety and order, as well as to trace events in cases such as vandalism or other criminal incidents. The surveillance cameras record common lobby and hallway areas, customer service and checkout points, and exterior doors. Camera surveillance is also conducted in the pool areas and water slides of the spa. However, there is NO camera surveillance in areas where privacy is protected, such as the spa’s washing and dressing rooms or restrooms. There is NO camera surveillance in private staff offices or break rooms. In outdoor areas, camera surveillance covers the area in front of the hotel reception, the entrance to the spa, the kitchen’s inner courtyard, and part of the parking lot.
Contents of the Register:
Video footage and images from surveillance cameras in digital format. The footage is stored for a maximum of 8 days, after which it is automatically deleted. Camera surveillance does not record sound. Customers are informed about camera surveillance through signs with either the text ‘recording camera surveillance in the area’ or a camera surveillance symbol.
Regular Sources of Information:
Footage from surveillance cameras.
Regular Disclosures of Information:
Information is only disclosed in accordance with the Personal Data Act, meaning individuals may inspect only the footage related to themselves by submitting a written request. Information is disclosed only upon request from authorized authorities (e.g., the police).
Transfer of Data Outside the EU or EEA:
Data is not transferred outside the EU or EEA.
Principles of Data Protection:
- A. Manual Data
No manual data.
- B. Computer-Processed Data
The data is stored in Peurunka’s closed camera surveillance system, which is accessible only to designated and authorized Peurunka employees and contracted cleaning service employees. Access is protected by a username and password. The computer is located in a locked room and cabinet, which customers do not have access to. The data is stored only on the hard drive of the surveillance system for a maximum of 8 days.
Right of Access
In accordance with Section 26 of the Personal Data Act, the registered individual has the right to inspect their own data held in the register. The inspection request must be made in writing and sent, signed, to the address mentioned in section 2. The data controller may request the individual to prove their identity.
Right to Request Correction of Data
In accordance with Section 26 of the Personal Data Act, the registered individual has the right to request the correction of incorrect data or the completion of incomplete data. The request for correction must be made in writing and sent, signed, to the address mentioned in section 2. The data controller may also correct such data on its own initiative.
Other Rights Related to the Processing of Personal Data:
The registered individual has the right to request the deletion of their personal data from the register (“the right to be forgotten”). The registered individual also has other rights under the EU General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations.
-
PRIVACY POLICY
Personal Data Act (523/1999) Sections 10 and 24
CUSTOMER REGISTER FOR SPA AND FITNESS SERVICES
Prepared on 22.5.2018, Updated on 14.6.2022
Data Controller
Peurunka Oy (business ID 0176471-5)
Peurungantie 85, 41340 LAUKAA
Contact Person for Registry Matters:
Sari Liimatainen, Director of Fitness and Wellness Services
Peurungantie 85, 41340 Laukaa
Name of the Register:
Customer Register for Spa and Fitness Services
Purpose of Processing Personal Data:
Personal data of spa and fitness service customers is collected and stored for the purpose of managing the customer relationship, customer communication, use of booking systems, and billing for spa and fitness services. The data is collected, processed, and stored in DL Software’s information systems. Peurunka Oy and DL Software have an agreement that includes provisions for the processing of personal data of Peurunka Oy customers. DL Software has its own data protection documentation related to its software, which complies with GDPR requirements.
Contents of the Register:
Names, addresses, email addresses, and phone numbers of fitness service customers and spa membership cardholders are stored digitally in the TAC and DL Software systems. In the context of fitness group registrations and the execution of group activities, manual paper lists are also used. These lists are stored in a locked cabinet and are destroyed no later than after the end of the customer relationship and any necessary billing.
One-time use name lists (used, for example, to check group participants) are destroyed immediately after they are no longer needed following the event.
Personal data of individual spa customers is not requested, stored, or retained. Some (corporate) fitness service customer data is manually compiled into folders, and these manual archives are stored in a locked location.
Regular Sources of Information:
The data subject themselves.
Regular Disclosures of Information:
Information is only disclosed in accordance with the Personal Data Act, meaning individuals may inspect only the material related to themselves by submitting a written request. Information is disclosed only upon request from authorized authorities (e.g., the police).
Transfer of Data Outside the EU or EEA:
Data is not transferred outside the EU or EEA.
Principles of Data Protection:
- A) Manual Archive:
The manual archive is stored in a locked location. Manual data is destroyed no later than one year after the end of the customer relationship.
- B) Computer-Processed Data:
The register is protected against external access. Only individuals whose job duties require access to the register have access, which is protected by passwords and usernames.
Right of Access:
In accordance with Section 26 of the Personal Data Act, the registered individual has the right to inspect their data held in the register. The inspection request must be made in writing and sent, signed, to the address mentioned in section 2. The data controller may request the individual to prove their identity.
Right to Request Correction of Data:
In accordance with Section 26 of the Personal Data Act, the registered individual has the right to request the correction of incorrect data or the completion of incomplete data. The request for correction must be made in writing and sent, signed, to the address mentioned in section 2. The data controller may also correct such data on its own initiative.
Other Rights Related to the Processing of Personal Data:
The registered individual has the right to request the deletion of their personal data from the register (“the right to be forgotten”). The registered individual also has other rights under the EU General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations.
-
Name of the Register
Website Visitor Register
Data Controller
Peurunka Oy
Legal Basis and Purpose of Processing Personal Data
The purpose of the register is to ensure the security of the website. The information obtained (IP address) is used only in the event of a malfunction or during the investigation of data breaches.
The legal basis for processing is legitimate interest.
Basis of Legitimate Interest
General internet security and usage. The data controller’s legitimate interest in processing the collected and used personal data is based on the freedom to conduct business.
Categories of Personal Data
IP address, visit time, and visited pages. Information submitted via forms.
Processing of Personal Data in the WordPress System
The information you submit via forms is stored in the WordPress system and is deleted within 30 days.
Personal data is not processed outside the EU.
Trimedia Oy processes personal data entered into the WordPress system to provide web services.
Recipients and Categories of Recipients
The authorized, limited personnel of the company providing the website hosting service. Both Peurunka and the technical website maintenance team handle the information you provide. Only those individuals who are authorized by their work are allowed to process this data. All processors are bound by confidentiality obligations.
Contents of the Register
The personal data register contains the following information:
- IP address
- Web visit time
- Pages visited
The contact and feedback form register contains the following information:
- Email address
- Phone number
- First name
- Last name
Regular Sources of Information
The information is collected from the customer during their visit to the organization’s website.
Additionally, the data controller collects visitor data using Google Ads and Google Analytics (GA4) to analyze and improve the website and to target relevant marketing to visitors.
Retention Period of Personal Data
Information collected through web forms is deleted after 30 days.
Regular Disclosures and Transfers Outside the EU or EEA
The register’s data is only accessible to Peurunka’s authorized personnel and, if using external service providers, to them as well. Data is not disclosed to external entities or their partners, except in cases of data breaches or similar incidents.
Principles of Data Protection
Only designated employees of Peurunka and companies acting on its behalf have the right to use the website’s hosting server. Each designated user has a personal username and password. The system is protected by a firewall that shields it from external access. The protection and processing of the register’s data comply with data protection laws and principles, as well as official regulations and good data management practices.
Cookies
We use cookies on our website. You can read more about this on the cookies policy page.
Rights of the Data Subject
You may withdraw your consent at any time by contacting us.
The information you provide is not supplemented from other sources. Your personal data is not transferred outside the EU or to international organizations.
You also have the right to:
- Access your personal data
- Request corrections to your data
- Request the deletion of your data
- Restrict the processing of your personal data
You can exercise your rights primarily in writing via email or post.
You also have the right to file a complaint with the supervisory authority if the data protection regulations are violated:
Contact details of the national supervisory authority:
Office of the Data Protection Ombudsman
P.O. Box 800
Ratapihantie 9
00521 Helsinki
Phone: 029 56 66700
Email: tietosuoja@om.fi
Website: www.tietosuoja.fi
Other Rights Related to the Processing of Personal Data
The data subject has the right to prohibit the disclosure and processing of their data for direct marketing or other marketing purposes, request anonymization of data where applicable, and the right to be completely forgotten.