The European Union has taken a monumental step in protecting the fundamental right to privacy for every EU resident with the General Data Protection Regulation (GDPR), which will take effect from May 25, 2018. Simply put, EU residents will now have a greater say over what, how, why, where, and when their Personally Identifiable Information (PII) is used, processed, or disposed of. The regulation also clarifies how the EU personal data laws will apply beyond the borders of the EU. Any organisation that works with EU residents’ personal information in any manner, irrespective of their location in the world, has obligations to protect this data.
Definitions Used within the GDPR
These terms refer to the definition of terms given in Art. 4 of the Basic Data Protection Ordinance (DSGVO).
'PII' stands for Personally Identifiable Information and this refers to any information that relates to an identifiable person, whether that information is directly or indirectly related. In other words, it includes, but is not limited to, data such as names, an ID number, location data, an online identifier (e.g. cookies) or one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that person.
'Processing' means any operation carried out with or without the aid of automated procedures or any such series of operations in connection with personal data. The term goes a long way and covers practically every aspect of handling data.
In our case, for instance, assuming that we can show a legally legitimate reason for needing to collect information for a business purpose (e.g. when using agents, web hosts etc., or when sending automated follow-up emails through sites like Tripadvisor, requesting that clients share photos or leave feedback on third party feedback sites like Tripadvisor or Facebook), we still need to gain legal permission (consent) to collate the email contacts of our multiday clients for these purposes. The same also applies to the sharing of client information with companies like payment service providers (banks, paypal etc., in accordance with Art. 6, Para. 1 lit. b DSGVO) in order to fulfil the contract between both parties.
'Responsible' means the natural or legal person, authority, institution or other body that alone, or together with others, decides on the purposes and means of processing personal data. In this case, this is CAPE Lapland Oy / Hetta Huskies and any third parties we cooperate with.
'Data Subjects' (aka the people identifiable through their PII), according to Art. 15 DSGVO, have the right to request information about what data we hold and how their data is being processed. They also have the right to request access to (which links to the right to data portability) or to correct data, to restrict its future processing (Art. 18 & 21 DSGVO) or even immediately delete it, even if this revokes previously granted consents (Art. 7 para. 3 DSGVO). They can also object to the future processing of the data concerning them in accordance with Art. 21 DSGVO at any time. This objection may be lodged, in particular, against processing for direct marketing purposes.
Hetta Huskies' Commitment
At Hetta Huskies we have always honoured our users’ right to data privacy and protection and, as a small business, we generally do not collect and process personal information beyond that which is required for the functioning of our products.
How Hetta Huskies prepared for GDPR
We carried out a mini data protection impact assessment (DPIA) around the Personally Identifiable Information (PII) that both we and our third-party partners collect for our products in accordance with GDPR guidelines. As part of this, we considered how it is processed - in other words the purpose for which it is collected, used and stored - and when and how it is disposed of.
Hetta Huskies' Data Protection Declaration
Our data protection declaration explains to you the type, scope and purpose of the processing of personal data within our physical company and our 'online offer'. Our online offer includes our associated websites, functions and contents as well as external online presences, e.g. our social media profile.
What PII do we currently process?
We understand that providing information online involves a great deal of trust on your part. We take this trust very seriously, and make it a high priority to ensure the security and confidentiality of the personal information you provide to us when you visit our Website or use our services. Before submitting your personal information to us, please read this Policy carefully to learn about our privacy practices. By visiting Hetta Huskies' website, www.hettahuskies.com, or using any of our linked sites or services, you are accepting the practices described herein.
We receive and process so-called Personally Identifiable Information (PII) from you when you approach us by phone or email and when you enter information on our website or social media channels. PII which is directly collected from clients, staff, interns and partners is stored in our (portable and transferable) internal Customer Relationship Management System ("CRM System") and processed in a number of ways and for a number of reasons:
a) You supply your basic contact details and standard inventory data (for instance your first and last name, telephone number, postal and email addresses) when you contact us about our products and we respond, as solicited, to your questions and comments in order to facilitate your booking reservations to the point of sale (as per Art. 6 Para. 1 lit. b DSGVO).
Clients can opt in to it being permissible for us to retain a very basic level of PII (standard inventory data and basic contact details) for simple marketing purposes. For instance, we occasionally send general follow-up emails to our clients which contain useful or interesting information about our farm, dogs, and current tour options or special offers. (Please note that you will have the opportunity to choose not to receive these email messages in any such email we send.)
However, in addition to these standard information exchanges, we also request, as mentioned in section (c) and (d), above, detailed information about the drugs prescribed to - or taken by - our forthcoming clients, and their relevant medical history. We do this in conjunction with an explicit explanation as to both the reason behind the request, and information about how long we will retain the information. Essentially, this is requested in order for us to highlight individuals 'at increased risk of' cold-related injuries or those who might struggle, in general, with the physical demands of their proposed tour. Article 6(1)(d) provides a lawful basis for this type of request, since it falls within the category of data in which “processing is necessary in order to protect the vital interests of the data subject or of another natural person”. Similarly, if the personal data is manifestly made public by the data subject, then processing is deemed permissible (Article 9(2)(e)), as it is where (Article 9(2)(h)) “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3”.
Aspects of this request cover topics included within special category data, as determined by Category 9. This includes race, ethnic origin and health, since these are considered the type of data that could create more significant risks to a person’s fundamental rights and freedoms, for example by putting them at risk of unlawful discrimination because of sexual preferences or ethnic origin.
FYI: The guide states that 'Your choice of lawful basis under Article 6 does not dictate which special category condition you must apply, and vice versa. For example, if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing under Article 9. You should choose whichever special category condition is the most appropriate in the circumstances – although in many cases there may well be an obvious link between the two. For example, if your lawful basis is vital interests, it is highly likely that the Article 9 condition for vital interests will also be appropriate.'
We also explain that internal access to the digital forms requested in advance and maintained in our internal databases (or to the physical forms completed in situ by those who failed to send them in advance) is restricted to specifically designated members of staff.
Of course, you can choose not to provide information to us, but some information about you is required in order for you to participate in our products. For example, only registered members of our social media pages may be able to post travel reviews or photos in them, access members-only newsletters, or enter surveys or contests. Similarly, we have the right to refuse access to products if we know that you are choosing to withhold information about your medical history. However, we may not know that you have withheld data until after an incident has occurred. Therefore, withholding requested data always has to be at your own risk.
With whom we share your information
Hetta Huskies may share your information with the following entities:
- Third-party vendors who provide services or functions on our behalf, including business analytics, payment processing, distribution of surveys or sweepstakes programs, and fraud prevention.
- Business partners with whom we may offer products or services in conjunction. You can tell when a third party is involved in a product or service you have requested because their name will appear either with ours or separately. If you choose to access these optional services, we may share information about you, including your personal information, with those partners. Please note that we do not control the privacy practices of these third-party business partners.
- Referring Websites. If you were referred to TripAdvisor from another website, we may share your registration information, such as your name, email address, mailing address, telephone number and travel preferences, about you with that referring website. We have not placed limitations on the referring websites’ use of personal information and we encourage you to review the privacy policies of any website that referred you to Hetta Huskies.
- Social Media Services. You can choose to access certain third party social media websites and services through our site (such as Facebook). When you do so, you are sharing information with those sites, and the information you share will be governed by their privacy policies. You may also be able to modify your privacy settings with these third party social media websites.
- We also may share your information if we believe, in our sole discretion, that such disclosure is necessary to either comply with legitimate and enforceable subpoenas, court orders, or other legal process; to establish or exercise our legal rights; to defend against legal claims; or as otherwise required by law. In such cases we reserve the right to raise or waive any legal objection or right available to us.
- Finally, we also may share your information if we believe, in our sole discretion, that such disclosure is necessary in connection with a corporate transaction, such as a divestiture, merger, consolidation, or asset sale, or in the unlikely event of bankruptcy.
Other than as set out above, you will be notified when personal information about you will be shared with third parties, and you will have an opportunity to choose not to have us share such information.
How we protect your information
We want you to feel confident when interacting with us, and we are committed to protecting the information we collect. While no website can guarantee security, we have implemented appropriate administrative, technical, and physical security procedures to help protect the personal information you provide to us. For example, only authorized employees are permitted to access personal information, and they only may do so for permitted business functions. We also employ firewalls and intrusion detection systems to help prevent unauthorized persons from gaining access to your information.
Deletion of data
Unless expressly stated in this data protection declaration, the data stored by us in our CRM systems will be deleted as soon as it is no longer required for its intended purpose, provided that the deletion does not conflict with any statutory storage obligations and that its storage is not necessitated for other legally permissible purposes (e.g. data that must be retained for commercial or tax reasons). If there is a statutory storage requirement beyond the time when it is required for its intended purpose, its processing will be restricted in accordance with Articles 17 and 18 DSGVO.
Rights of data access, modification and portability / transferability
GDPR gives end users the right to not only access, modify or delete personal information but also to request that the controller be able to transfer it to another controller (depending on technical feasibility). To that end, an active and continuous GDPR implementation and privacy program needs to be in place for employees, in addition to a data breach notification protocol.
The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, security services and technical maintenance services.
We or our hosting provider process inventory data, contact data, content data, contract data, usage data, meta- and communication data of customers, interested parties and visitors of this online offer on the basis of our legitimate interests in an efficient and secure provision of this online offer according to Art. 6 Para. 1 lit. f DSGVO in conjunction with Art. 28 DSGVO (conclusion of order processing contract).
Our hosting provider collects, on our behalf, data on each access to the server on which this service is located (so-called server log files) on the basis of our legitimate interests within the meaning of Art. 6 para. 1 lit. f. DSGVO.
Access data includes the name of the accessed website, file, date and time of access, transferred data volume and notification of successful access. Meta / communication data includes device and browser type and version, the user's operating system, referrer URL (the previously visited page) and the requesting provider (i.e., IP address). Usage data (e.g. interest in content, access times) is also available to us for analysis by default.
Log file information is stored, as standard, for a maximum of 7 days for security reasons (e.g. to investigate misuse or fraud) and then deleted. Data whose further storage is required for evidentiary purposes are excluded from deletion until the respective incident has been finally clarified.
Online presence in social media
We maintain online presences within social networks and platforms in order to communicate with active customers, interested parties and users and to inform them about our services. When accessing the respective networks and platforms, the terms and conditions and the data processing guidelines of their respective operators apply.
Cookies, the Collection of access data and log files and Other Web Technologies
A cookie is a small piece of data that a website asks your browser to store on your computer or mobile device (if your Web browser permits). The cookie may be either permanent or temporary and allows the website to "remember" your actions or preferences over time. Most browsers support cookies, but users can set their browsers to decline them and can delete them whenever they like.
The cookies are stored on the user's devices for a number of purposes, including but not limited to security, the presentation of the website, to identify the user and save their user decisions and preferences (so that, for instance, they can complete tasks without having to re‑enter information when browsing from one page to another or when visiting the site later), to measure reach and for marketing purposes. Cookies can also be used for online behavioural target advertising and to show adverts relevant to something that the user searched for in the past.
The Help portion of the toolbar on most browsers will tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable cookies altogether.
Integration of third-party services and content.
Within our online offer, we make no representations or warranties of any kind regarding the content or service offerings of third parties whose content and services, such as videos or fonts (hereinafter uniformly referred to as "content"), we incorporate on the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO). This always presupposes that the third party providers of this content perceive the IP address of the users, since without the IP address they could not send the content to their browser. The IP address is therefore required for the display of this content. We make every effort to use only those contents whose respective providers use the IP address only for the delivery of the contents.
In addition to using cookies to collect data about visitors visiting our pages on their sites, third-party providers like YouTube, Facebook, Tripadvisor etc., may also use so-called pixel tags (invisible graphics, also known as "web beacons") for statistical or marketing purposes. Pixel tags can be used to evaluate information such as visitor traffic on and between the pages of this website. The pseudonymous information may also be stored in cookies on the user's device, may include technical information about the browser and operating system, referring websites, visiting time and other information about the use of our online offer, and may be linked to such information from other sources.
The following presentation provides an overview of third-party providers and their contents, together with links to their data protection declarations, which contain further information on the processing of data and, in some cases already mentioned here, possibilities of objection (so-called opt-out):
According to GDPR, any organisation which uses Google Analytics, however infrequently (and this is something we would only look at very sporadically), is considered a Data Controller - since it controls which data is sent to Google Analytics - and Google Analytics, in turn, is considered to be one of that organisation's Data Processors.
Google, as a Data Processor, has obligations to conform to the EU GDPR. According to Google’s own Privacy Compliance website, they are “working hard to prepare for the EU’s General Data Protection Regulation.” You can see more details on this site and it is almost certain that Google Analytics will be fully compliant by May 25, 2018. As part of being a Data Processor, Google must provide a data processing agreement that you’ll need to accept.
Within our online offer we use the marketing functions (so-called "LinkedIn Insight Tag") of the network LinkedIn. The provider is LinkedIn Corporation, 2029 Stierlin Court, Mountain View, CA 94043, USA. Every time you visit one of our pages that contains functions of LinkedIn, a connection to LinkedIn's servers is established. LinkedIn is informed that you have visited our website with your IP address. With the help of the LinkedIn Insight Tag we can analyse the success of our campaigns within LinkedIn or determine target groups for them based on the interaction of the users with our online offer. If you are registered with LinkedIn, it is possible for LinkedIn to associate your interaction with our online service with your user account. Even if you click on the "Recommend-Button" of LinkedIn and are logged into your LinkedIn account, LinkedIn is able to assign your visit to our website to you and your user account. LinkedIn is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law.
Functions of the service or the Twitter platform (hereinafter referred to as "Twitter") can be integrated within our online offer. Twitter is an offer of Twitter Inc, 1355 Market Street, Suite 900, San Francisco, CA 94103, USA. The functions include the presentation of our contributions within Twitter within our online offer, the link to our profile on Twitter as well as the possibility to interact with the contributions and the functions of Twitter and to measure whether users reach our online offer via the advertisements we place on Twitter (so-called conversion measurement).
Tripadvisor's policy statement on privacy settings can be found here.
Tripadvisor automatically collects some information from client computers or devices when people visit TripAdvisor. For example, they collect session data, including IP addresses, Web browser software, and referring website. They may also collect information about their client's online activity, such as content viewed, pages visited, and searches and/or reservations facilitated or made. One of their goals in collecting this automatic information was to help us understand the interests and preferences of their users and to customize their user experience.
When you use an Application on a Device, they collect and use information about you in generally similar ways and for similar purposes as when you use the TripAdvisor website. In addition, they may collect information about your location if you have instructed your Device to send such information to the Application via the privacy settings on that Device, or if you have uploaded photos tagged with location information. They may use the location information collected from your Device or photos to enhance your use of the Application by providing you with relevant content and contextual advertising. For example, they may use your location to show you reviews of hotels or restaurants near you when you are traveling. You can change the privacy settings of your Device at any time, in order to turn off the functionality to share location information with the Application and/or the functionality to tag your photos with location information. Please note that turning off location sharing may affect certain features of their App. If you have any queries about the privacy settings of your Device, we suggest you contact the manufacturer of your Device or your mobile service provider for help.
The ways in which TripAdvisor utilises cookies are also explained in this page. The Help portion of the toolbar on most browsers should tell you how to prevent your browser from accepting new cookies, how to have the browser notify you when you receive a new cookie, or how to disable most types of cookies. Please note that if you refuse to accept cookies, you may not be able to access many of the travel tools offered on their sites.
Facebook Social Plugins
On the basis of our legitimate interests (i.e. interest in the analysis, optimisation and economic operation of our online offer within the meaning of Art. 6 para. 1 lit. f. DSGVO) we use Social Plugins ("Plugins") of the social network facebook.com, which is operated by Facebook Ireland Ltd, 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland ("Facebook"). The plugins can display interaction elements or content (e.g. videos, graphics or text contributions) and are identified by one of the Facebook logos (white "f" on blue tile, the terms "like", "like" or a "thumbs up" sign) or are marked with the addition "Facebook Social Plugin". The list and appearance of Facebook Social Plugins can be viewed here:
Facebook is certified under the Privacy Shield Agreement and thus offers a guarantee to comply with European data protection law.
When a user calls up a function of this online offer that contains such a plugin, his device establishes a direct connection to the Facebook servers. The content of the plugin is transmitted by Facebook directly to the user's device and integrated into the online offer. The processed data can be used to create user profiles. We therefore have no influence on the amount of data Facebook collects with the help of this plugin and therefore inform users according to our level of knowledge.
By integrating the plugins, Facebook receives information that a user has called up the corresponding page of the online offer. If the user is logged in to Facebook, Facebook can assign the visit to his Facebook account. When users interact with the plugins, such as pressing the Like button or posting a comment, the information is sent directly from your device to Facebook and stored there. If a user is not a member of Facebook, it is still possible for Facebook to obtain and store their IP address. According to Facebook, only an anonymized IP address is stored in Germany.
The purpose and scope of the data collection and the further processing and use of the data by Facebook, as well as the relevant rights and setting options for the protection of users' privacy, can be found in Facebook's data protection information.
If a user is a Facebook member and does not want Facebook to collect data about them via this online offer and link it to their membership data stored on Facebook, they must log out of Facebook before using our online offer and delete their cookies. Further settings and objections to the use of data for advertising purposes are possible within the Facebook profile settings: https://www.facebook.com/settings?tab=ads or via the US page http://www.aboutads.info/choices/ or the EU page http://www.youronlinechoices.com/. The settings are platform-independent, i.e. they are applied to all devices, such as desktop computers or mobile devices.
The copyright and all other rights to content, images, photos or other files portrayed on the website belong exclusively to Hetta Huskies / CAPE Lapland Oy or the specifically named owners. The written consent of the copyright holders must be obtained in advance for the reproduction of any elements.
How you can contact us