PRIVACY POLICY
This is the privacy notice of Folks Hotels Oy in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, GDPR). This notice describes how personal data is processed and what rights data subjects have. Originally issued on 18 August 2020. Updated in 2026.
1. Data Controller
Folks Hotels Oy
Business ID: 2859494-7
Päijänteenkatu 9 A 3, 15140 Lahti, Finland
Contact for data protection matters:
Folks Hotels Oy
Email: info@folkshotels.fi
Register name: Folks Hotels Oy customer and stakeholder register.
2. Purpose and legal basis for processing personal data
Personal data is processed for the management, maintenance and development of customer and business relationships, for communication purposes, for fulfilling contractual obligations, and for the development of business operations.
The legal bases for processing are:
– performance of a contract or pre-contractual measures
– the legitimate interests of the data controller (customer relationship management and development)
– the data subject’s consent, where required
Personal data is not used for automated decision-making or profiling as defined in the GDPR.
3. Content of the register
The register may contain the following personal data:
– name and position within an organisation
– contact details (email address, telephone number, postal address)
– basic information related to the organisation or company
– customer and communication history
– contract and invoicing information
– technical data collected through the use of online services
4. Sources of personal data
Personal data is primarily collected from the data subject in connection with customer relationships, communications, contracts and online forms. Data may also be collected from public registers within the limits permitted by applicable legislation.
5. Disclosure and transfer of personal data
Personal data is not regularly disclosed to third parties.
Personal data is not transferred outside the EU or EEA without appropriate safeguards in accordance with the GDPR, such as standard contractual clauses approved by the European Commission.
6. Retention period
Personal data is retained for the duration of the customer or contractual relationship and thereafter for a maximum period of six (6) years, unless mandatory legislation requires longer retention.
7. Rights of the data subject
The data subject has the right to:
– access their personal data
– request rectification of inaccurate personal data
– request erasure of personal data in accordance with applicable law
– request restriction of processing
– object to processing based on legitimate interests
– receive their personal data in a structured, commonly used and machine-readable format
– lodge a complaint with the supervisory authority (Office of the Data Protection Ombudsman, Finland)
8. Security of processing
Personal data is protected by appropriate technical and organisational measures.
Access to personal data is restricted to authorised persons who require such access for their work duties.