Privacy policy

Name of the register
The customer and marketing register, and newsletter register of Oulun Matkailu Oy (hereinafter VisitOulu) stores and processes personal information in accordance with the EU GDPR. We may change this Privacy Policy from time to time and, therefore, we recommend that you review any changes as appropriate to your needs.

Oulun Matkailu Oy
Torikatu 18
90100 Oulu
+358 40 1463150
Business ID: 2339167-3

Person responsible for the register
Yrjötapio Kivisaari /

Purpose of processing personal information
Our business is based on legitimate business activities, so we comply with GDPR guidelines on the storage of personal information:

The information we store about you is lawful, fair and transparent in relation to the processing.
Data is purpose-bound – for example, the information we collect from individuals is only tied to a specific purpose. We will not disclose your information to any third parties, unless there is a good reason to do so. We only store the information we require. We strive to keep our information accurate.
We limit data retention – data has a defined lifetime, after which it will be either automatically or routinely deleted, unless there is a legal reason to keep it in the archive for longer.
We collect and store information about potential new customers, based on customer relationships or business operations. The main uses of the data are: marketing planning and targeting, marketing reporting and analysis, and customer communication. VisitOulu uses personal information for direct marketing purposes as permitted by the Data Protection Act. The collection of data on new potential customers is based on business activity.

Data content of the register
We will store a minimal amount of information regarding the customer relationship. This typically includes the unique name of the person and/or company and contact information, such as an email and phone number.

The data collected include:

Name and surname
Contact information (such as company name, contact details, etc.)
Other customer-related information in text format
Marketing consent or prohibition
Billing information
Data collected through cookies
Data collected through social media channels
Website address
Regular sources of information
Sources of information include:

Google Analytics and web forms on our site
Personal information is collected from the data subject through the course of the controller’s own activities in connection with customer contacts, including by telephone, online services and customer events.
In addition, through the course of our business operations, including in the acquisition of new customers, we may use names, such as those from the media, that we may contact for business purposes.

Regular disclosures of data
We use third party services to process and store data that may contain personal information. However, the third parties are acting purely as processors of personal information and are only allowed to process such data to the extent that is deemed necessary for the agreed on services, and VisitOulu remains the sole controller of such data.

The personal information we disclose with other parties is limited.

For marketing, we use the services of an external service provider with whom we have a separate contract.

For email marketing, we use the Mailchimp newsletter tool, where we store the person’s name and email address.

We also use our website to manage customer relationships, where we store the following: the person’s name, contact information and actions related to the customer relationship, such as requests for offers from the site.

Transfer of data outside the EU or EEA
Data will not be regularly transferred outside the EU and the European Economic Area.

Principles for the protection of the register
VisitOulu has appropriate technical and organisational security policies and processes in place to protect personal information from loss, misuse or other similar unlawful access.

The personal information contained in the register will be kept confidential. The use of the register is regulated within the controller’s organisation and access to the personal register is restricted so that only those employees who are entitled to access the data stored in the register by virtue of their duties and who need the data for their tasks have access to and are entitled to use the data. Staff processing personal data have a duty of confidentiality.

The systems are protected by security software. Access to the system requires each user in the registry to enter a username and password. The server environment is protected by passwords and an appropriate firewall. Communication between the server and the user’s computer is encrypted. In addition, the data network of the controller and the hardware on which the register is stored are protected by a firewall and other technical measures. The deletion of material containing personal information will be carried out in a secure manner.

Inspection rights
You have the right to access your personal information and have inaccurate information regarding you rectified. You have the right to request the deletion of your personal information, at any time, unless our legitimate interests or a legal requirement prevent the deletion of some personal information. The information will be provided to the customer in writing in an understandable form.

The request for inspection shall be presented in writing by e-mail. The identity of the data subject will be verified before the data is provided.

The right to request rectification of data
The controller shall correct, delete or complete personal information in the register which are inaccurate, unnecessary, incomplete or outdated for the purposes of processing, on its own initiative or at the request of the data subject. In addition, personal information may be deleted if the customer misuses the service or engages in criminal or other prohibited activities when using the service. The data subject should contact the controller by e-mail to ask for the rectification of data.

The identity of the data subject will be verified before the data is provided.

Purpose of processing personal information
The data subject also has the right to object to the processing of data concerning him or her by the controller for the purposes set out in this privacy statement, unless otherwise agreed on between the controller and the data subject. Requests for rectification of data concerning marketing prohibitions (telemarketing, printed direct marketing, SMS and e-mail) shall be sent by e-mail.