Skallerup Seaside Resort (SSR) has drawn up the following policies in accordance with the requirements of the EU General Data Protection Regulation (GDPR). SSR’s Personal Data Protection Policy is designed to provide our guests with the greatest possible transparency pursuant to the GDPR’s objectives concerning personal data protection.
As data controller, we at SSR live up to the personal rights that our guests have via legislation. This Personal Data Protection Policy is supplemented by departmental-specific process descriptions and an IT security policy that ensures that processes and systems at SSR underpin these rights. At the same time, the policy clarifies that the enterprise has implemented the security measures stipulated by the GDPR, including processes in the event of breach of security.
Responsibility for advice concerning data protection at SSR is a nominated function. The function is charged with describing processes, updating these processes by means of the implementation of new systems and routines and ensuring that our procedures satisfy the requirements of the GDPR at all times.
The storage of personal data represents a risk in relation to the improper use of information and identity theft. SSR attaches high priority to the security of our guests and we acknowledge the risk posed by the fact that our systems store personal data. On the basis of this risk, we at SSR endeavour to ensure that our IT equipment is up-to-date, thoroughly tested and appropriately secured at all times. At the same time, we take the precautions outlined below and process data on the basis of this general Personal Data Protection Policy, which describes compliance with the requirements of the GDPR.
More detailed instructions for registration, processing and deletion of data are available in each department.
SSR assumes responsibility for storing and processing our guests’ personal data correctly and securely during the period in which we need access to the data for all necessary purposes, whether these are in connection with bookings, payment or marketing.
We endeavour at all times to ensure that all personal information is correct and up-to-date. If in doubt, we seek out our guests in order to correct or delete incorrect information in both digital and physical systems. Similarly, we comply with the GDPR’s requirements concerning our guests’ rights to be deleted from our systems should they so desire.
SSR is responsible for data provided by our guests being processed in accordance with the requirements of the GDPR, including necessary agreements being reached with our business partners/suppliers to the extent that we exchange data with third parties.
SSR works with a wide range of suppliers, including sole traders. Data from these is considered as personal data and processed accordingly
SSR acquires personal data about guests for necessary and legitimate purposes only. If you are a guest at SSR, you have the right to be informed at all times of the information that we acquire and the purposes for which we are collecting, processing and storing data. We typically collect information that we receive from the guests themselves, by telephone or from the website and save this data only to the extent that it corresponds to the purpose. We only collect absolutely necessary information.
In rare cases
SSR has a complete picture of data streams and in which part of the organisation and in which systems data is processed.
Information about our guests is acquired (primarily in our booking system), processed and used for:
Information is deleted when the reason for storing said information no longer applies. The point in time at which deletion takes place varies depending on what the information is used for and in relation to other Danish law.
By accepting a quotation for a stay, booking of an activity, subscription to newsletters, etc., our guests and potential guests grant consent allowing us to store and process personal data for the purpose for which it is intended.
We do not use photographic material of our guests for internal use or in terms of marketing without consent. If we wish to use images, we contact the person concerned and ask for separate consent in relation to use of the material. Consent can be withdrawn at any time, after which the personal data is not reused while it is in our hands.
In connection with booking of activities, information concerning participation is disclosed to relevant parties within our organisation. The information is solely disclosed to parties with whom SSR has concluded specific agreements concerning the purposes for which the information is used. Please refer to separate section for more information concerning data processing agreements.
SSR does not disclose personal data to firms for marketing without the guest in question’s specific consent.
Guests at SSR have a number of special rights pursuant to the GDPR.
Contact us if you wish to exercise your rights.
We reserve the right to carry out revisions to this Personal Data Protection Policy from time to time. The policy that is applicable at any time will always be made available at www.skallerup.dk
SSR enters into ongoing data processing agreements with the business partners that process personal data for the enterprise in accordance with specified instructions and purposes, e.g. suppliers of IT systems. At SSR we keep a detailed overview of our agreements with data processors. Once the agreement on processing of personal data has expired, SSR makes sure as data controller that all personal data is deleted by the data processor.
SSR has drawn up – and updates on an ongoing basis – records of the processing of personal data that is carried out by us or on our behalf.
SSR’s IT policy specifies which contingency plans are employed in the event of breach of data security in order to protect personal data, as well as the process for reporting to the Danish Data Protection Agency.
Employees at SSR have access to relevant and necessary systems and personal data. A list of the roles and access of each employee is always available.
Via SSR’s procedures and guidelines, the employees receive clarification on an ongoing basis as to how they may and must acquire, process and disclose personal data with regard to confidentiality. The procedures are specifically targeted at the enterprise’s different functions. In connection with the latest revision of the GDPR, all employees have been informed of requirements and security measures.
We are always available to answer questions concerning personal data or other enquiries:
Skallerup Seaside Resort Nordre Klitvej 21 DK-9800 Hjørring Phone - +45 9924 8400 email - email@example.com www – www.skallerup.dk
1st version, 24 May 2018