Privacy Policy
1. GENERAL
This privacy policy provides you, as a data subject, with information required by the General Data Protection Regulation (EU) 2016/679 (“GDPR”) regarding how we process your personal data in connection with our operations and the services we provide.
2. DATA CONTROLLER
Noli Studios Finland Oy (“Noli” or “we”) acts as the data controller for the purposes of this privacy policy.
3. CONTACT INFORMATION
You may contact us with questions concerning this privacy policy and data protection matters using the contact information below:
Email: hello@nolistudios.com
Telephone: +358 9 674 410
Address: PO Box 66, 00131 Helsinki, Finland
4. DATA SUBJECTS
The data subjects covered by this privacy policy include Noli’s customers, potential customers and guests of customers. This privacy policy also applies to users of Noli’s website.
5. DESCRIPTION OF THE PROCESSING OF PERSONAL DATA
We may process your personal data on several legal grounds. Below is a summary of the different purposes for processing personal data, the applicable legal bases and the categories of personal data being processed. To use our services, you must provide us with certain data about yourself. In certain situations, we are also required by law to collect and store data concerning you. Data that is necessary for the use of the service or required by law is marked below with an asterisk (*).
- Purpose of processing: providing accommodation and other services (e.g. sauna, kitchen and laundry room reservations), maintenance and management of customer relationships, customer communications, making reservations, checking customer credit information
- Legal basis: Performance of a contract: performance of the accommodation services agreement and taking necessary actions preceding it; Legitimate interest of the controller: Noli’s legitimate interest in providing accommodation services and risk management and service development related thereto
- Categories of personal data: name*, contact information* (email, telephone number, address), social security number*, estimated duration of stay* (in cases of flexible stay), nationality*, information concerning the accommodation location*, duration of stay*, number of guests*, information concerning payment*, information about additional services (e.g. cleaning or parking space), information about possible special requests you may have made
- Purpose of processing: ensuring the safety of the premises, prevention and investigation of misconduct, access control on a case-by-case basis based on key logs and/or camera surveillance (more detailed information on possible camera surveillance is provided on a site-specific basis)
- Legal basis: Legitimate interest of the controller: the legitimate interests of Noli, Noli’s employees and the visitors of the premises in ensuring safety and investigating misconduct
- Categories of personal data: information collected by key logs (including point in time), camera surveillance recordings
- Purpose of processing: marketing of Noli’s services, opinion polls, website analytics enabled by cookies related to the use and number of users of Noli’s websites
- Legal basis: Legitimate interest of the controller: Noli’s legitimate interest to market and develop its services; Consent: consent to electronic direct marketing, the use of cookies and the exclusion of existing customers from advertising on external advertising platforms
- Categories of personal data: name, contact information (e.g. email), interests, occupation, age, information about the use of our services and possible consents or prohibitions related to marketing
- Purpose of processing: maintaining the traveller data file to maintain public order and security, prevent and solve crimes, and compile statistics
- Legal basis: Legal obligation: complying with the obligations of the Finnish Act on Accommodation and Food Service Activities (308/2006, as amended; the “AFSAA”); Legitimate interest of the controller: Noli’s legitimate interest to carry out the purposes (e.g. compiling of statistics) permitted by the AFSAA
- Categories of personal data: traveller registration form and traveller data in accordance with section 6 of the AFSAA*
- Purpose of processing: compliance with statutory obligations (related to, inter alia, accounting legislation and regulations concerning the travel industry)
- Legal basis: Legal obligation: compliance with the obligations of the AFSAA and the Finnish Accounting Act (1336/1997, as amended)
- Categories of personal data: personal data included in invoices and other receipts*, information required for traveller registration forms in accordance with section 6 of the AFSAA*
6. DATA RETENTION PERIOD
We retain your personal data only for as long as necessary to fulfil the processing purposes for which it was collected, including managing the customer relationship between you and Noli. We regularly review the necessity of retaining personal data and delete unnecessary or outdated data upon such review and at other times as necessary, including when an individual withdraws consent to the processing of their personal data.
The following sets out the specific retention periods applicable to different categories of personal data:
- Basic information related to the provision of accommodation services is retained for the duration of the accommodation agreement and for three years following its termination.
- Reservation information related to additional services booked during accommodation (such as sauna, kitchen and laundry room reservations) is retained for 12 months.
- Camera surveillance recordings are retained for a maximum of two months. This retention period is based on Noli’s legitimate need to investigate security-related incidents (such as thefts), respond to requests for information from police and other authorities, and prepare, present and defend legal claims. Since such situations may not become immediately apparent and may only be discovered weeks after the relevant event, the retention period has been established to adequately address these requirements.
- Access control data is retained for a maximum of 12 months.
- Traveller data is retained for one year from the date of entry. Please note that we may process such data for other purposes (such as customer service and direct marketing) for periods longer than this.
- Traveller registration forms and related traveller data are retained for one year from the date the traveller registration form is completed.
- Accounting material is retained for six years from the end of the relevant financial year in accordance with the Accounting Act.
7. RECIPIENTS OF PERSONAL DATA
As required by the AFSAA, we disclose information relating to traveller registration forms concerning foreign nationals to the police department in whose jurisdiction the accommodation location is situated. In individual cases, personal data may also be disclosed to third parties in other circumstances, for example to authorities in situations required by law or in the context of corporate acquisitions. Personal data may also be disclosed to advertising platforms (Google, Meta) to exclude customers from advertising when the customer has given consent to this.
We may also use external processors in the processing of personal data, to whom personal data may be transferred for processing in accordance with this privacy policy. Such processors may include, for example, debt collection agencies that carry out debt recovery on our behalf and other companies providing services to us, such as cleaning and catering companies. Additionally, our affiliated companies may have access to personal data for carrying out the purposes of processing described in this privacy policy. Such processors process personal data only on our behalf and in accordance with our instructions. In order to ensure appropriate data protection and security, we enter into agreements with all processors of personal data we use, as required by the GDPR.
8. TRANSFER OF PERSONAL DATA OUTSIDE THE EU/EEA
In principle, Noli does not transfer personal data outside the European Union or the European Economic Area (“EU/EEA”). However, data may be transferred outside the EU/EEA in situations where our service providers or their parent companies are located in such third countries. In addition, Noli may transfer data outside the EU/EEA in connection with targeted advertising services when data subjects have given their consent to this. Where data is transferred outside the EU/EEA, such transfers will be subject to the conditions set out in data protection legislation, such as the European Commission’s Standard Contractual Clauses or other transfer mechanisms designated in the GDPR.
9. SOURCES OF PERSONAL DATA
As a general rule, we collect personal data directly from you when you make a reservation for accommodation or other services.
We may additionally receive your personal data from the following sources:
- From your employer in situations where the employer makes a reservation on your behalf
- From companies providing credit assessment services
- Through access control systems at our premises
- Through cookies when you visit our website
- From our social media sites, for example our Facebook page (e.g. related to your likes or our campaigns)
10. RIGHTS OF THE DATA SUBJECT
As set out in the GDPR, you, as a data subject, have the following rights, which you can exercise by contacting us using the contact information provided above in section 3.
- Right of access to your data: You may seek confirmation from us about whether or not personal data concerning you is processed or has been processed. If your personal data is being processed, you have the right to receive a copy of the personal data which is being processed or has been processed by us.
- Right to rectification of your data: You may request that inaccurate personal data concerning you be corrected or that incomplete personal data be completed.
- Right to erasure of your data: You may request us to erase personal data concerning you in certain cases set out in the GDPR. However, please note that legal obligations may require us to retain the data despite your request.
- Right to restriction of processing of your personal data: In certain situations set out in the GDPR, you have the right to request that we restrict the processing of personal data concerning you.
- Right to object to the processing of your personal data: In certain situations set out in the GDPR, you have the right to object to the processing of personal data concerning you. We may refuse such a request if the processing is necessary for our legitimate interests or those of a third party, and these interests override your interests, rights and freedoms.
- Right to data portability: In situations where we process your personal data based on your consent or our contractual relationship with you (as described in section 5 above) and the processing is carried out by automated means, you may request that we transmit your personal data to you or to another controller in a structured, commonly used and machine-readable format.
You also have the right to object to the processing of your personal data for direct marketing purposes at any time.
If you consider that the processing of your personal data is not in accordance with data protection legislation, you may contact us regarding the matter or, if you so prefer, lodge a complaint with the supervisory authority. In Finland, the Office of the Data Protection Ombudsman acts as the supervisory authority and can be contacted using the following contact information:
- Visiting address: Lintulahdenkuja 4, 00530 Helsinki, Finland
- Postal address: PO Box 800, 00521 Helsinki, Finland
- Email: tietosuoja@om.fi
11. RIGHT TO WITHDRAW CONSENT
Where we process your personal data based on your consent, you have the right to withdraw such consent at any time without providing a reason for the withdrawal.
The withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
12. COOKIES
Cookies are small text files that are stored on your device when you visit our website or use our booking service.
We use cookies to improve the functionality of our website and your user experience. Cookies may also be technically necessary for the performance of certain functions, such as completing booking forms. Additionally, we may use cookies for analytical purposes, including tracking user numbers, and for marketing our services and targeted advertising. Third-party cookies may also be used on our websites.
You can decide for yourself what types of cookies you allow to be stored on your device, for example through our website’s cookie consent mechanism. If you wish, you can also refuse the use of all cookies except those that are technically necessary. Please note, however, that the functionality of our website may be impaired if you refuse all cookies, and all functionalities may not be available.
You can also delete all cookies stored on your device through your internet browser settings.
Privacy policy updated 24.10.2025