Privacy statement

Privacy Statement regarding customer, marketing, and order data of Bomba Safaris – Karelian Adventures & Experiences Oy (effective from May 25, 2018)

General Data Protection Regulation of the European Union (EU) 2016/679, articles 12, 13, 14, and 19

1. Data Controller

Bomba Safaris – Karelian Adventures & Experiences Oy
Postal address: c/o PKO, PO Box 102, 80101 Joensuu
Visiting address: Nurmeksentie 2, 80100 Joensuu
Business ID: 3439404-4

2. Contact details of the Data Protection Officer
[email protected]

3. Person handling registry matters
[email protected]

4. Name of the register
Bomba Safaris customer register

5. Purpose of processing personal data
The purpose of using personal data is to manage, maintain, and handle customer relationships. Personal data in the register are used for the production and implementation of services to customers, customer communication, payment/billing processes for services, and targeting advertising and/or direct marketing.

The purposes of processing personal data are:

• Receiving and responding to quotation inquiries
• Recording and billing of quotations, order confirmations, and executed contracts
• Delivery of products and services (e.g., equipment rental activities)
• Responding to customer contacts
• Ensuring customer satisfaction
• Direct marketing and targeted marketing
• Organizing raffles or competitions
• Managing events (e.g., corporate events or family celebrations)

In direct marketing, the purposes of processing personal data are:

• Marketing of services and products
• Sending invitations to events
• Contacting potential customers

6. Basis for processing personal data
Personal data are processed on the following grounds:

Art. 6.1 b) Contract
Recording and billing of offers, order confirmations, and executed contracts. Reservations; rental and service activities (e.g., equipment rental)

Art 6.1 a) Consent
Consent for direct marketing
Consent to the processing of personal data as part of a competition or raffle, order, or feedback. Consent for the publication of the winner's name and place of residence in media selected by the organizer of the competition or raffle. Consent for the publication of the participant's response, image, or other content in media selected by the organizer of the competition or raffle.

7. Description of the data controller's legitimate interest
The processing of personal data is not based on the data controller's legitimate interest.

8. Personal data processed
The register processes the following information:

• person's name
• email address
• home address
• address
• phone number
• IP address
• personal identification number (if necessary, for example in unusual billing situations)
• special dietary requirements

9. Groups of personal data processed
Customers and potential customers

10. Source of Information and Description of Sources:
If data are collected from public sources, the information is primarily obtained from customers themselves.

11. Recipients of Personal Data:
Personal data is processed for the purposes defined in this statement, using electronic systems and services. We use external service providers for system support and services. Personal data may be transferred to service partners to the extent they participate in carrying out the actions within the scope of their assigned tasks.

We ensure our partners protect personal data adequately as required by law.

We disclose information to authorities within the limits allowed and required by current legislation, for example, in response to requests from authorities.

12. Transfers of Personal Data to Third Countries or International Organizations and Safeguards Used:
We do not transfer personal data to third countries outside the European Union or the European Economic Area or to international organizations.

13. Retention Period for Personal Data or Criteria for Determining the Retention Period:
Personal data described in this statement are retained only as long and to the extent they are necessary and the data controller utilizes them for the processing purposes related to the activity.

Offers are processed for the duration after which the data are either anonymized or completely destroyed.

Trade and order agreements for the current + 6 years.

Online store order history for the current + 6 years.

Customer-signed rental service agreements are retained for the duration of the service and destroyed at the end of the rental day.

In the case of a raffle or competition, personal data are retained for the duration of the draw and delivery of the prize. Data are deleted no later than one month afterwards.

14. Rights of the Data Subject:
The data subject has the following rights:

• The right to access personal data (via a data request)

• The right to rectification of data

• The right to restrict processing (in case of disputing data accuracy or unlawful processing)

• The right to withdraw consent for data processing where no other legal basis exists

• The right to be informed of personal data breaches

If a person wishes to exercise their rights or obtain more information on the processing of their personal data, they can contact the data controller mentioned in this statement.

Individuals also have the right to file a complaint with a supervisory authority if they believe that the processing of their personal data violates applicable data protection regulations.

15. Withdrawal of Consent:
To the extent that the processing of personal data is based solely on consent, the data subject has the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.

16. Consequences of Not Providing Personal Data:
The trade or booking will not proceed.

17. Significant Information on Automated Decision-Making or Profiling:
No automated decision-making or profiling based on personal data is involved in the processing.

18. Impact of Personal Data Processing and General Description of Technical and Organizational Security Measures:
We protect personal data carefully throughout their lifecycle using appropriate data protection and security measures. System providers process personal data in secure server environments. Access to personal data is limited, and personnel are bound by confidentiality obligations.

In S-group, we protect personal data with proactive risk management and security planning, secure communication measures, continuous maintenance of information systems, backups, secure device facilities, access control, and security systems. Physical documents containing personal data are stored in locked and fireproof storage facilities after initial processing. Granting and monitoring of access rights are controlled. We regularly train staff involved in processing personal data, ensuring that they understand the confidential nature and significance of secure data handling. We carefully select our subcontractors and continuously update our internal practices and guidelines.

In the event that, despite all our security measures, personal data fall into the wrong hands, it is possible that identity theft or misuse of personal data may occur. If we detect such an event, we will immediately investigate and try to prevent any resulting damage. We inform the necessary authorities and registered individuals as required by law.