The purpose of the privacy policy is to provide a natural person - a data subject - with information about the purpose, scope, and protection of personal data processing, the period of processing, and the data subject’s rights during the acquisition and processing of data and when the data are transferred to competent authorities or any other data controller.
1. Data controller and its contact information
1.1. The controller of personal data processing shall be Mogotel Kista Hotel AB, registration No. 559468-9639, VAT No.: SE559468963901, with its registered seat at Torshamnsgatan 39, 164 40 Kista, Sweden, telephone: ____________________________________________, website: https://www.stockholmkistahotel.com/ (hereinafter - the Controller).
1.2. Contact information of the data protection officer of the controller on issues related to personal data processing: dpo@mogotel.com.
2. Applicable laws and regulations
2.1. Regulation No. 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as - the GDPR), and
2.2. Other applicable national data protection law.
3. Purposes of Personal Data Processing. Categories of Personal Data Processed by the Controller
3.1. Provision of services:
3.1.1. for customer identification – the data of the customer's identity document is processed;
3.1.2. for the preparation and conclusion of the contract - the customer's name, surname, date of birth, correspondence address or address of the declared place of residence, telephone number, e-mail address, list of planned services, bank account number, telephone and electronic communication information, voice record;
3.1.3. for the provision/maintenance of services, customer support using telephone and electronic communication – the customer's name, surname, date of birth, telephone number, e-mail address, list of received or planned services, telephone and electronic communication information between the customer and the employee are processed;
3.1.4. while the customer is checking-in at the hotel - the data of the customer's identity document is processed (name, surname, date of birth, nationality and its type, country of residence, type of travel document, its series, number, issuing country, date of issue, validity period, date of arrival at the tourist accommodation, date of departure from the tourist accommodation), phone number, e-mail address, car registration number;
3.1.5. for administration of settlements – the customer's name, surname, date of birth, e-mail address, list of received services, bank account number, payment administration information are processed;
3.1.6. for consideration and processing of objections/claims – the customer's name, surname, date of birth, correspondence address or address of the declared place of residence, telephone number, e-mail address, list of received services, payment administration information, telephone and electronic communication information are processed, voice recording;
3.1.7. for advertising and distribution of services or for commercial purposes/ retaining customers and improving their loyalty, satisfaction measurements - the customer's name, surname, e-mail address, language, location, list of received services and service description are processed.
3.2. Business planning and analytics:
3.2.1. for planning and accounting - the name, surname and position of the employee are processed.
3.3. Fulfilling the requirements of regulatory acts, providing answers to the requests of state institutions, defending interests in state and local government institutions, institutions, representation in legal proceedings - the data subject's name, surname, date of birth, correspondence address or address of the declared place of residence, telephone number, e-mail address are processed, as well as other information at the Controller's disposal in order to fulfil the legal obligation attributed to the Controller to provide answers to the requests of state authorities, or which is at the Controller's disposal and which the Controller has the right to use for the protection of his interests in accordance with the procedures specified in the regulatory acts.
3.4. Management of the company, accounting, record keeping, data archiving carried out by the Controller and ensuring internal processes - the data subject's name, surname, date of birth, correspondence address or address of the declared place of residence, phone number, e-mail address, position, bank account number, payment administration information, data on membership of the Church of Sweden (church tax), list of received and/or planned services are processed, as well as other information that the Controller has at his disposal and has the obligation/right to process/archive in accordance with regulations.
3.5. The Controller's employment legal relationships and recruitment – the employee's name, surname, date of birth, gender, correspondence address or address of the declared place of residence, language skills, work experience, education (including courses and certificates), phone number, e-mail address are processed, as well as other information provided to the Controller by the employee or the candidate for the vacant position.
3.6. Conclusion of contracts on economic activity of the Controller and ensuring their execution - name, surname, phone number, e-mail address, position, bank account number, payment administration information of the business partner are processed.
3.7. Ensuring the safety of the Controller's customers, employees and business partners, the protection of the Controller's property - audit records of access control devices and alarming equipment, audit records of workstations/work e-mail/internet and work telephones with employee data, video surveillance system records (personal images/voice recording) with data of customers, employees and business partners.
3.8. Filming, photographing and audio recording of the work events organized by the Controller - images (photo/video) of the data subject, voice recording are processed.
3.9. For other specific purposes, about which the data subject is informed at the time when he or she provides the relevant data to the Controller.
4. Legal Basis for Processing Data of Natural Persons
4.1. The purpose of processing personal data is to provide services:
4.1.1. The processing of your personal data may be based on the consent of the data subject - the data subject himself/herself has given his/her consent to the collection and processing of data for one or more specific purposes, i.e. for the promotion and distribution of services or for commercial purposes/retaining customers and improving their loyalty, satisfaction measurements (legal basis - Article 6(1)(a) of the GDPR);
4.1.2. The processing of your personal data is necessary before or after the conclusion of the contract, i.e. customer identification, management of customer relations (including remote, using telephone and electronic communication), ensuring the conclusion and execution of contracts, as well as ensuring the implementation of related processes, cooperation with customers and ensuring the implementation of related processes, settlement administration (legal justification – Article 6(1)(b) of the GDPR);
4.1.3. The processing of your personal data is necessary for the fulfilment of legal obligations applicable to the Controller, i.e. to identify the data subject, to ensure the fulfilment of the obligation to fill out the foreigner's declaration (legal justification – Article 6(1)(c) of the GDPR);
4.1.4. The processing of your personal data is necessary to ensure the implementation of the Controller's legitimate interests, i.e. carry out economic activity, provide services, customer retention, service provision quality measurements (including remotely using telephone and electronic communication), promotion and improvement of the Controller's image and services, settlement administration, marketing activities (legal justification – Article 6(1)(f) of the GDPR).
4.2. Purpose of personal data processing – Business planning and analytics:
4.2.1. The processing of your personal data is necessary to ensure the implementation of the Controller's legitimate interests, i.e. conducting business development planning and accounting (legal justification – Article 6(1)(f) of the GDPR).
4.3. The purpose of processing personal data – fulfilling the requirements of regulatory acts, providing answers to requests from state institutions, defending interests in state and local government institutions, institutions, representation in legal proceedings:
4.3.1. The processing of your personal data is necessary for the fulfilment of legal obligations applicable to the Controller, i.e. when the Controller provides answers to the requests of state authorities for the performance of the task delegated to state administrative authorities (legal justification – Article 6(1)(c) of the GDPR, national regulations);
4.3.2. The processing of your personal data is necessary to ensure the implementation of the Controller's legitimate interests, i.e. implementing the Controller's defence/representation in state and local government institutions, institutions, representation in legal proceedings (legal justification – Article 6(1)(f) of the GDPR, Code of Administrative Offences, Administrative Procedure Code, Civil Procedure Code, Criminal Procedure Code).
4.4. The purpose of processing personal data – management of the company, accounting, record keeping, data archiving and ensuring internal processes implemented by the Controller:
4.4.1. The processing of your personal data as an employee may be based on the consent of the data subject, i.e. giving consent to the Controller in ensuring internal processes, for example publishing birthday data in the electronic resource management system (Intranet) (legal justification – Article 6(1)(a) of the GDPR);
4.4.2. The processing of your personal data as an employee/customer/business partner is necessary for the fulfilment of the legal obligations applicable to the Controller, i.e. ensuring the Controller's accounting records, the creation and operation of the whistleblower system, providing answers to the requests of data subjects (legal justification – Article 6(1)(c) of the GDPR, Article 12 of the GDPR, national regulations);
4.4.3. The processing of your personal data as an employee is necessary to ensure the legitimate interests of the Controller, i.e. the implementation of company management and the provision of internal processes, for example, processing your data related to employment legal relations in the electronic resource management system (Intranet) (legal justification - Article 6(1)(f) of the GDPR); on the other hand, the processing of your personal data as an employee/customer/business partner is necessary, for example, for the purpose of archiving the Controller's documents, including for creating a digital archive, or for the implementation of record keeping processes of the Controller, for example, administering the flow of incoming and/or outgoing documentation (legal justification – Article 6(1)(f) of the GDPR, national regulations).
4.5. The purpose of personal data processing – the Controller's employment legal relations and recruitment:
4.5.1. The processing of your personal data is necessary before or after the conclusion of an Employment Agreement, i.e. to ensure the conduct of the recruitment competition by concluding the Employment Agreement with the candidate for the vacant position, to ensure the fulfilment of the Employment Agreement and the realization of the employee's rights (legal justification – Article 6(1)(b) of the GDPR);
4.5.2. The processing of your personal data is necessary for the fulfilment of legal obligations applicable to the Controller, i.e. ensuring the execution of bailiffs' orders, providing workplace accident investigations, work safety and fire safety briefings, the employee passing mandatory health checks (legal justification – Article 6(1)(c) of the GDPR, national regulations);
4.5.3. The processing of your personal data is necessary to ensure the implementation of the Controller's legitimate interests, i.e. by submitting a curriculum vitae to the Controller during the recruitment process, the Controller has a legitimate interest in ensuring the employee recruiting, as well as evaluating the employee in the course of employment legal relations (legal justification – Article 6(1)(f) of the GDPR).
4.6. The purpose of processing personal data is concluding and ensuring the execution of economic activity contracts of the Controller:
4.6.1. The processing of your personal data is necessary before or after the conclusion of the Cooperation Agreement, i.e. data processing to ensure the conclusion and execution of the Cooperation Agreement (legal justification – Article 6(1)(b) of the GDPR, national regulations);
4.6.2. The processing of your personal data is necessary to ensure the implementation of the Controller's legitimate interests, i.e. by concluding the Cooperation Agreement with the Controller, the Controller has a legitimate interest in processing your data as a contracting party (legal justification – Article 6(1)(f) of the GDPR, national regulations).
4.7. The purpose of processing personal data is ensuring the safety of the Controller's customers, employees and business partners, and the protection of the Controller's property:
4.7.1. The processing of your personal data as an employee when implementing access management is necessary to ensure the execution of a contract where the employee is a contracting party, namely for the purposes of working time control (legal justification – Article 6(1)(b) of the GDPR, national regulations);
4.7.2. The processing of your personal data as a client, employee, and cooperation partner is necessary to ensure the legitimate interests of the Controller, i.e., to protect the property of the hotel and third parties located in the hotel, hotel premises and areas, office, ensure the safety of individuals, prevent potential violations of the law, record the occurrence of criminal offenses, identify possible offenders (ensuring the legality of evidence), as well as monitor the performance and quality of work of hotel staff (legal justification – Article 6(1)(f) of the GDPR);
4.7.3. The processing of your personal data as an employee is necessary to ensure the legitimate interests of the Controller, i.e., when keeping equipment audit records (log files), to ensure the protection of confidential information available to the Controller (legal justification – Article 6(1)(f) of the GDPR, national regulations).
4.8. The purpose of personal data processing – filming, photographing and audio recording of work events organized by the Controller:
4.8.1. The processing of your personal data may be based on the consent of the data subject, i.e. giving the Controller consent to take your photo/video/voice recording and further use your data to promote the Controller's image (legal justification – Article 6(1)(a) of the GDPR).
5. Data Storage Period
5.1. Personal data obtained on the basis of the consent of the data subject, for example, for the promotion and distribution of services or for commercial purposes/retaining customers and improving their loyalty, satisfaction measurements, market and public opinion research/efficiency measurement, data publishing in the electronic resource management system (Intranet), for photography/video recording/voice recording to promote the Controller's image, are stored for as long as the consent of the data subject is valid, but no longer than five years;
5.2. Personal data obtained on the basis of the need to conclude a contract with the data subject, such as a contract with a customer for the provision of a service, an employment contract or a contract with a business partner, is stored until the contract is concluded; if the contract is not concluded, all data are deleted, whereas if it is concluded, the data are stored for as long as the contract concluded with the data subject is valid. After the termination of the contract, the customer's personal data is stored for two years or, where the applicable regulatory act determines another term, in accordance with that term; the business partner's personal data is stored in accordance with the statute of limitations for a possible claim, but no longer than three years in the case of a commercial transaction or ten years according to the civil statute of limitations. Personal data obtained during the recruitment process are stored for no longer than four months. The employee's personal data from the access/working time control devices are stored for no longer than ten days.
5.3. Personal data obtained on the basis of the Controller's legal obligation to process personal data are stored as long as the Controller's obligation to store data specified in regulatory acts is in force, for example, the data of the customer's identity document in accordance with the provisions of the Tourism law shall be stored by the Controller for two years.
5.4. Personal data obtained by video surveillance is stored for thirty days. In the event of a conflict situation, or if the video surveillance records are requested by a law enforcement agency, the data is stored until the conflict situation is resolved, or until the video surveillance records are handed over to the law enforcement agency.
5.5. Personal data obtained during electronic communication information is stored for two years. In the electronic resource management system (Intranet), the employee's personal data is stored for a maximum of five years, while the audit records of workstations are stored for a maximum of one year.
6. Criteria Used for Determining the Storage Period of Personal Data
6.1. as long as the period for storage of data determined by the regulatory enactments in force has not expired;
6.2. as long as the agreement concluded with the data subject is in force;
6.3. as long as the consent of the data subject is in force;
6.4. as long as it is necessary in order to implement and protect the legitimate interests of the Controller;
6.5. as long as the legal obligation to store the data exists;
6.6. upon expiry of any of the above-mentioned time periods, all data shall be deleted or anonymized in accordance with the procedure determined by the Controller.
7. Sources of acquisition of the personal data of the data subject:
7.1. documents and information submitted by data subjects;
7.2. data of other controllers, processors, and sub-processors;
7.3. service provision process;
7.4. video and/or photo equipment data of the Controller;
7.5. computer network equipment data of the Controller;
7.6. Visiting and browsing data of the website of the Controller https://www.stockholmkistahotel.com/.
8. Data processing process of the data subject:
8.1. when identifying the data subject;
8.2. during commercial activity;
8.3. when entering into commercial agreements and controlling the fulfilment thereof;
8.4. when selecting employees, establishing and maintaining legal employment relations;
8.5. when fulfilling the requirements of regulatory enactments;
8.6. when participating in court proceedings;
8.7. when providing information to state and municipal authorities and officials, as well as receiving information from them.
9. Processing of cookies of the data subject:
9.1. Cookies are small text files which are created and saved on the device of the data subject (computer, tablet, or mobile phone) upon visiting websites of the Controller. Cookies “remember” user experience and basic information, thus making the use of the site more convenient;
9.2. With the help of cookies, information about users' habits and history of use of the site is processed, problems and deficiencies in the operation of the site are diagnosed, statistics of user habits are collected, and complete and convenient use of the site is ensured;
9.3. If the data subject does not want to use cookies, it is possible to refuse their use in the browser’s settings; however, in such a case use of the site may be significantly disrupted and made difficult. Deletion of saved cookies is possible in the settings of a device’s browser by deleting the history of saved cookies.
9.4. The data Controller processes cookies in accordance with the Cookies Policy.
10. Sharing and issuing of personal data of the data subject
10.1. In order to provide the services and perform the work tasks, the Controller may share the data of the data subject, including in the countries of the European Union and EEA (European Economic Area);
10.2. When providing special data protection, as the GDPR requires, in order to guarantee the fulfilment of functions and duties, as well as the work of the Controller, the Controller may transfer the data to a third country (outside of the European Economic Area) or international organizations;
10.3. In order to fulfil the provisions of regulatory enactments, the Controller may share the data of the data subject with the state and municipal authorities, law enforcement authorities, court, or other institutions;
10.4. The Controller shall issue the data only to the extent determined by the regulatory enactments in force, including the GDPR and complementary Data Protection Law.
10.5. The Controller shall provide the data subject's personal data to the cooperation partner, the independent Controller Mogotel Hotel Group AS, registration No. 40103376919, legal address: Latgales str. 240-3, Riga, LV-1063, Latvia, which provides sales, marketing and reservation services.
10.6. The Controller shall provide the data subject's personal data to the Processor Mogotel development holding SIA, registration No. 50203298951, legal address: Latgales str. 240-3, Riga, LV-1063, Latvia, which shall provide the Controller's payment administration.
11. Protection of the data subject’s personal data:
11.1. The Controller shall protect the data of the data subject from unauthorized access, accidental loss, disclosure, or destruction. In order to achieve this, the Controller shall use modern technological possibilities, considering the existing privacy risks and organizational requirements, including using firewalls, break-in detection and analysis software, as well as encryption with standard SSL and anonymization;
11.2. The Controller shall carefully examine all processors and sub-processors who process the data of the data subject on behalf of it; the Controller shall assess whether the relevant safety measures are used, whether the data processing is performed in the way delegated by the Controller, whether it is performed in accordance with regulatory enactments in force and data protection requirements and standards;
11.3. Processors and sub-processors shall not be entitled to process the data of the Controller for their own purposes;
11.4. The Controller shall not bear any responsibility for any unauthorized access to the data of the subject or the loss of that data, if they are not under the competence of the Controller, for example due to the fault or negligence of the data subject.
12. Profiling logic:
12.1. The data Controller does not carry out profiling or other automated decision-making.
13. Rights of the data subject:
In accordance with regulatory enactments in force, the data subject shall have the following rights in relation to his/her personal data’s processing:
13.1. rights of access - the data subject shall be entitled to request a confirmation from the Controller regarding whether the personal data of the data subject are processed, as well as information about all processed personal data;
13.2. right to rectification - if the data subject considers that the information about him/her is incorrect or incomplete, he/she shall be entitled to request the Controller to rectify them;
13.3. right to object - objecting to processing based on lawful interest - the data subject is entitled to object to the processing of personal data processed based on legitimate interests of the Controller, except in cases when legal acts determine the processing of such data;
13.4. right to erasure - in certain circumstances the data subject has the right to request the erasing of his/her personal data, except in cases when legal acts determine the time period for storage of such data;
13.5. right to restriction of processing - in certain circumstances the data subject shall be entitled to restrict his/her personal data processing, except in cases when legal acts determine the volume of data processing;
13.6. right to data portability - the data subject shall be entitled to receive or transfer his/her personal data to any other personal data controller. This right shall also include personal data which were provided to the Controller pursuant to consent of the data subject, on the basis of a contract or in cases where data processing is performed automatically. The data subject may use the above-mentioned rights to the extent the Controller does not implement the processing, upon fulfilling the obligations and tasks imposed under the regulatory enactments in force;
13.7. revocation of consent - the data subject shall be entitled at any time to revoke the consent given for data processing, in the same way as it was provided or by sending a relevant notification to the e-mail: dpo@mogotel.com. In this case, further processing based on prior consent regarding the specific purpose will not be performed. Revocation of the consent does not affect data processing carried out while the consent of the data subject was effective. Withdrawal of the consent cannot terminate data processing that is carried out by the Controller based on other legal grounds.
In order to carry out the above-mentioned rights, please submit a written application to the Controller or the data protection officer: dpo@mogotel.com.
14. Communication
14.1. In case of any questions and uncertainties, the data subject may contact the Controller - in person at its office at Torshamnsgatan 39, 164 40 Kista, Sweden; in presence at the hotel; or via the personal data protection officer: dpo@mogotel.com;
14.2. The Controller shall contact the data subject by using the contact information (phone number, e-mail address, correspondence address) specified by the data subject.
The data subject shall be entitled to submit a complaint concerning our processing of your personal data with the competent data protection authority: Swedish Authority for Privacy Protection, Phone number: +46 (0)8 657 61 00, e-mail: imy@imy.se, postal address: Integritetsskyddsmyndigheten, Box 8114, 104 20 Stockholm, Sweden.
The Controller shall be entitled to regularly improve or supplement the privacy policy.
The Controller shall inform the data subject of any changes by publishing the updated version of the privacy policy on the website: www.stockholmkistahotel.com/privacy-policy.