- Using and processing personal data
- Automated decision-making
- Sensitive information
- Disclosure and transfer of data
- Information security
- Access to data and using your rights
- Data retention
- Changes to this privacy statement
- Controller and contact information
Updated on 16.11.2018
Protection of your privacy is important to us. Forenom Group (hereafter Forenom) is committed to protecting your privacy in the best possible way and to processing your personal data transparently in accordance with applicable data protection laws and good privacy practices. Forenom Group companies are the joint controllers of your personal data. This privacy statement provides information on how we collect, process and protect your personal data in all our operations.
We collect and process personal data only to the extent necessary for our business operations, and for providing and developing our services and products. We collect and process your personal data e.g. for customer communication and relations, invoicing, marketing or advertising, as well as for other business operation purposes. Moreover, we process personal data if it is necessary for preparing and performing customer agreements, whenever we are required to do so by law or if it is in our legitimate interest, e.g. for prevention of misuse or fraud. As a rule, personal data will be collected from you personally during our customer relationship. In certain situations, we also collect personal data from other external sources upon your explicit consent or to the extent permitted or required by law (e.g. when we receive guest data from a buyer, or purchase marketing lists, or when your data is transferred to us from OTA channels such as Booking.com). The type of personal data we choose to collect in various situations and for different reasons will depend on the purpose of the processing. We process your below-mentioned personal data only on legitimate grounds for the purposes defined below:
|Purpose of personal data processing|
|Accommodation/rental contracts, delivery of service, invoicing|
We process your personal data (such as contact information, other descriptive data such as date of birth, language and registration data, such as user ID or possible other unique identifiers) in order to prepare and perform customer agreements (including invoicing) and fulfil legal requirements. We process information on your credit rating with your consent as it is in our legitimate interest to ensure the smooth handling of invoicing. In providing and delivering services, we will also process your personal data based on our legitimate interest for maintaining customer relations, providing customer service, and resolving misconduct and defects (e.g. camera surveillance, log details, code lock usage logs, phone call recordings, chat history).
In order to be able to perform customer agreements, we process the following personal data in our webshop:
- Contact information, e.g. address, phone number, email address
- Registration details, e.g. user ID
|Customer service and communication|
- We process information on your credit rating with your consent as it is in our legitimate interest to ensure the smooth handling of invoicing.
- Processing customer relationship data (e.g. information on newsletter subscriptions or contact information on customer contact requests) is in our legitimate interest in order to improve our services and to respond to your queries.
|Analysis, compilation of statistics, developing business operations, products and services|
- Processing customer relationship data (e.g. buying behaviour, customer feedback) is in our legitimate interest in order to improve our services.
|Direct marketing and marketing campaigns|
It is in our legitimate interest to market our services. However, we conduct traditional or electronic direct marketing only to corporate customers. As a private customer, you are also able to order our newsletter from our website. In this case, the newsletter marketing is performed with your consent, which you have the right to withdraw. In some cases, e.g. with Open Door Events, you can leave your contact details in order to e.g. participate in a lottery. We may contact you later in order to market our services, from which, however, you have the right to opt out. Marketing mainly processes only your contact information (e.g. address, phone number, email address). Regarding corporate clients, buying behaviour also affects message targeting.
We process customary job application information on the basis of our legitimate interest only to the extent that is necessary and appropriate for determining the suitability of the applicant for the relevant role. The personal data processed includes e.g. name, contact details, completed studies, work experience, language skills, IT-skills, personal webpage, application, cover letter, information received from third parties (such as references, possible background checks, personality and aptitude assessments, recruitment agencies and social media used for recruitment e.g. LinkedIn).
We may pilot technology to collect data from an apartment to help us determine if the apartment is occupied or not, and to determine if the apartment keys are all present or not on guests' days of arrival and departure. We would use this information to improve the guest experience by decreasing the chances of disputes over lost keys and by optimizing our cleaning and maintenance schedules. All data collected from any pilot programs will be permanently deleted in a timely fashion, and will only be accessible by Forenom employees directly involved in the pilot project. Any data shared with third-party partners will be anonymous in nature.
Automated decision-making herein means an entirely automated decision-making that is made without human interaction and which has significant consequences to your rights. Forenom does not perform automated decision-making at this time.
Special categories of personal data, in other words so-called “sensitive personal data”, means information that reveals race or ethnic origin, political view, religious or philosophical belief or trade union membership, genetic or biometric data or details on a natural person’s health or sexual behaviour or orientation. Processing sensitive personal data is only allowed if it is necessary in order to fulfil our obligations due to labour law, within the field of social security or social protection, or based upon your explicit consent. Forenom does not collect or process sensitive information, unless it is with your explicit consent and necessary for the arranging of services agreed on in the accommodation agreement.
We will process your personal data confidentially and will not disclose the data to third parties except as stated below:
- Within Forenom Group as we are an international company with international customers.
- Authorities: we may have to disclose some data to authorities or judicial administrators when required by law. We will do so only on the grounds of a valid decision of a court of law, upon the order of an authority or on the basis of a subpoena.
- Company acquisitions: the acquiring party may gain access to relevant customer data in case of an acquisition or other corporate reorganisation.
- Consent: we may disclose your personal data to third parties upon your consent.
We use subcontractors and service providers in our processing activities (e.g. for technical maintenance or carrying out campaigns and direct marketing, accommodation unit maintenance, customer service backup, surveillance, or other service providers such as meal services). They have the right to process your personal data only to the extent necessary for carrying out the agreed services. This means that the third party subcontractors cannot use your personal data for their own purposes. Any service provider we use is under contractual obligation to ensure an adequate level of data protection in all processing of your personal data. Data we have collected will be stored and processed partially outside the European Economic Area e.g. when we use a service provider outside the European Economic Area or the service provider stores data outside the European Economic Area. We will only use partners whose privacy processes are appropriate and adequately arranged and protected (e.g. Privacy Shield or standard clauses).
We have taken adequate technical and organisational measures for protecting your personal data from loss, misuse or other similar unlawful access. These methods include, among others, use of firewalls, encryption and safe server premises. Access to your personal data is restricted internally through access control, as well as through granting and controlling access rights. Your personal data will be processed only by such employees who have the right to do so within the scope of their duties.
You have the right to review the data we have collected in our register and influence the way we use them. You can for example decide whether you want to receive direct marketing, and in certain cases you have the right to erasure or to ask for your data to be transferred to another controller. Your rights are as follows:
- The right to withdraw consent
If data processing is based on your consent, you have the right to withdraw your consent at any time. For example, you can withdraw your consent to electronic direct marketing at any time.
- The right of access and right to rectification
You have the right to access the personal data we have collected about you at any time, or receive confirmation that we do not have any personal data about you in our filing systems. If your personal data is inaccurate or incomplete, you have the right to make a request for rectification or completion of your personal data.
- Right to restrict or object to processing
In certain circumstances, for example if your personal data is inaccurate, you have the right to restriction of the processing until we have verified the accuracy of your personal data. Further, in certain situations you also have the right to object to the processing of your personal data completely. You can for example object to the processing for direct marketing purposes at any time (including profiling).
- Right to be forgotten
In some cases you have the right to be forgotten. We will erase all personal data we have collected if they are no longer needed for the purposes they were originally collected for. We will also erase personal data if the processing was based on consent and you decide to withdraw your consent or restrict the processing, or there is no other reason or grounds for the processing.
- Right to transfer data from one system to another
You have the right to request transferring your personal data. This is possible only in such cases, when we process your electronic personal data based on your consent or agreement, and applies only to such personal data you have provided us yourself. We will provide your personal data in machine-readable format so that you can store them yourself or transfer them to another controller (e.g. another service provider). Upon your request, we will transfer the data to another controller directly if it is technically feasible.
- Right to complain
In addition to the above-mentioned rights, you have the right to make a complaint about your personal data processing to the national supervisory authority.
If you want to use your above-mentioned rights, you can do it
- by presenting the request personally in Forenom office with a valid ID such as a passport, or
- by sending your inspection request to firstname.lastname@example.org.
Please enclose sufficient information for us to explicitly identify you, such as
- your full name, and
- the phone number / email address you have used when dealing with us regarding your accommodation contracts, as well as
- a contract number or customer ID.
We reserve the right to request additional identifying information if necessary. Should you have questions about your rights, please contact: email@example.com.
We will retain your personal data as long as needed for the purpose they were originally collected for, as long as we are legally obligated or until we receive a request for erasure. We will retain your personal data only as long as it’s necessary to fulfil the purposes specified in section 1, and within the limits of applicable laws. The retention time of your personal data depends on the following criteria: contractual obligations, national laws (e.g. accommodation laws, bookkeeping acts), withdrawal of consent, as long as necessary for providing or securing the services. After this your personal data will either be erased completely or made anonymous by modifying them irreversibly.
We are continuously developing our privacy statement, thus this privacy statement is subject to changes. Changes may also be based on changes in the law. We recommend that you regularly visit this privacy statement page in order to keep track of possible changes. We will also inform you directly of the changes, if needed.
Forenom is the controller of your personal data. Should you have any questions or comments, please contact us:
Forenom Group Oy*
Forenom Group Business ID: 2798053-9
Headquarters: Mannerheimintie 113, 00280 Helsinki, Finland
Privacy matters: firstname.lastname@example.org
Other questions: email@example.com
Customer service: +358 20 198 3420
*Forenom Group companies: Forenom Finland / Sweden / Norway / Denmark / Estonia, Forenom Vuokra-asunnot Oy, Forenom HotelliKoti Oy, Forenom Holding Oy, StayAt Hotel Apart Ab, Forenom Apartments Ab, Fisso Oy