The Hotel Maria icon

Privacy Policy



SC Hotels Operations Oy (Business ID 3291502-9)
Kauppakatu 18C 35
40100 Jyväskylä

Target operated by controller

The Hotel Maria
Mariankatu 23
00170 Helsinki

Contact information regarding the register

In matters regarding the register and the use of the rights of the data subject, please contact:

Name of the register

Customer and Marketing Register

Purpose and legal basis for processing personal data

Processing of personal data is based on legitimate interest, the relationship between consumer and business customers at The Hotel Maria, operated by SC Hotel Operations Oy. Personal data is collected for a certain, explicit and legal purpose to fill the contractual obligations of the customer relationship. Data collected from the customers
while making a room-, restaurant or event reservation or in matters to do with the invoicing of these is processed based on this. The controller is allowed by legitimate interest or a contract to exercise marketing. Personal data is collected according to this Privacy Policy, and it is under no circumstances used, changed or transferred differently from what is stated in this Privacy Policy.

Purposes of personal data processing

Customer data in the customer and marketing register is used in the following purposes:

  • Handling customer reservations
  • Maintaining and developing customer relationships
  • Informing and customer communications
  • Sales and execution of services
  • Marketing of services
  • Processing of personal data in connection with payments, invoicing, controlling and collection of payments
  • Business and customer service development of the controller
  • Customers’ possible special diet information will only be used in the preparation and serving of food.Customers’ possible health information will only be used in the safe execution of wellness services. Indirect health information may arise through a customer’s own statement, e.g. of reduced mobility when making a room reservation.
  • Communication between The Hotel Maria and customers, e.g. email messages, may be saved in customer service situations to develop customer service or as proof of content.

Information content of the register

The controller processes the following personal data
  • The customer’s first and last name, date of birth, passport information, telephone number, address, email address, citizenship and position in company
Information about reservations
  • Dates of arrival and departure
  • Modes of travel
  • Purpose of trip (e.g. pleasure, business or other)
  • information about possible pets
  • Information about use of services and purchases
  • Loyal customer data
  • Information about the customer’s payment method, invoicing information, possible payment reference information
  • The customer’s choices, wishes and information they have given themselves
  • Possible feedback and complaint information
  • Prohibitions and approvals of direct marketing
Regarding business customers, the controller processes the following information
  • The name, address, email address, telephone number and position in company of a business customer’s contact person
  • possible customer service and complaint information
  • Prohibitions and approvals of direct marketing as stated by a business customer’s contact person

A passenger notification is required upon arrival. The processing of the information required by the notification is based on a legal obligation of the controller.

Regular sources of information

The controller receives personal data from
  • the data subjects themselves, e.g. through email and telephone conversations, in sales promotion events or from stakeholder sources
  • the use of services or information received in connection to visiting
  • their website: through order- and inquiry forms,
  • homepage booking engines
  • third party restaurant table reservation sites
  • third party hotel booking companies
  • the data subject’s employer in connection to service reservations
  • third parties, such as public records, organization contact details stated on websites or address registers

Regular disclosure of data and handlers of the register

The controller is committed to handling your personal information confidentially and with proper care. The processed data is appropriately protected with information systems. Necessary customer data can be transferred inside The Hotel Maria for account management purposes or if data transfer is needed for legitimate interest. Necessary
customer data can be disclosed to authorities for legal purposes. The controller may also, in individual cases, disclose a customer’s personal data to an appointed party, if the subject asks the controller to do so, or if, based on legislation, a legally valid authority requires the controller to disclose an explicit piece of information from the database operated by the controller.

The data in the customer and marketing register will only be processed by persons whose tasks essentially include processing such data. Logging in the register requires individual usernames and passwords. The collected data is also processed by The Hotel Maria’s subcontractors and service providers, whose right to process customer data is limited to the production of agreed services.

Marketing and targeted advertising:
Marketing is based on the controller’s legitimate interest (in e.g. B2B functions) or on consent by the customer (e.g.consumer customer newsletters). The Hotel Maria performs targeted marketing based on earlier purchasing behavior or information saved in your customer data. This way, the customers can be offered services that are of interest to them. Profiling is based on the customer’s consent. The customer has the right to prohibit direct marketing by removing themselves from the newsletter subscriber list or by sending a removal request to .

Data transfer to locations outside of the EU
In our service production we use service providers that are mainly located in the European economic region. Some of the service providers store information outside of the European economic region. Our service providers are committed to ensuring a sufficient level of data security in all processing of personal data.

On the rights of the data subject

Right of access

The subject has the right to check what data regarding them has been saved in the register. They also have the right to access this data, once they have made a sufficiently precise and identified request for inspection. The controller may ask the subject to adequately specify what data or processing actions the request is about. The request for inspection must be addressed signed and in literal form to the contact information provided by the controller and have a copy of photo proof of identity attached.

Right to request correction or removal of data

The controller is obliged to correct false information in the personal data register as pointed by the subject. The controller is also obliged through their own action to check that the data in the register is appropriate and up to date. The data subject may also request that the controller remove any data about them from the register. See exceptions
under Removal and retention period of data.

Other rights to do with processing personal data

The subject has the right to require a limitation to the use of their personal data and the right to oppose the use of the data in e.g. direct marketing. The subject also has the right to receive any data about themselves that they have given the controller in a structured, commonly used and machine-readable form, and the right to transfer said data to another controller. The subject also has the right to oppose automatic decision-making and profiling. The subject has the right to file a complaint to the competent supervisory authority, if the subject sees that the controller has not obeyed appropriate data security regulations in their actions.

Removal and retention period of data

The controller will remove customer data from the register once there is no more a commercial reason to process it, or if the subject themselves, based on legislation, demands that the controller remove any data about them. Personal data will not, however, be removed if

  • the law stipulates differently (e.g. the accounting act), or the competent authority has started a process that requires that the controller retain the data or if another party has filed for a safety protection decision regarding the data with the Finnish judicial system.
  • The customer has an on-going case handled by the customer service or an upcoming event.
  • The customer is suspected of misuse of the services or has unpaid debt to The Hotel Maria.

The controller will execute regular periodic inspections to remove unnecessary data. Our privacy policy is subject to changes and updates. Changes may also be due to changes in legislation. We recommend that you check these conditions regularly.

Privacy policy updated 10 Jan 2023.

Contact us

Join Our Insider List