In some cases, we may handle so-called “special categories of personal data” about you, which may be considered sensitive. This would be the case, for example, if you (i) have submitted a medical certificate for use of a cancellation protection or a refund (ii) have a medical or health condition affecting your trip and for which you request assistance or where certain clearance is needed, or (iii) have made a request revealing some other sensitive personal data about you.
Before we handle sensitive personal data about you, we require your consent to do so. We will not handle any sensitive personal data that we are not permitted by you to handle, or that you have not provided us with. A limited amount of our personnel will have access to your sensitive personal data, and after handling your sensitive data in accordance with your request, we will erase the data as soon as possible.
To be allowed to handle your personal data, the applicable data protection legislations obligate us to have a so-called “legal basis” for each of our purposes to process your personal data. For this reason, we have drafted the below table to show our legal basis for each of our purposes.
|What we do (our purposes with handling your personal data)||Our legal basis||Storage time|
|Enable the rental arrangements and bookings you have||Performance of our contract with you. Where you have provided us with sensitive personal data, consent is the legal basis.||10 years from the date of purchase. Consent for sensitive personal data may be withdrawn at any time.|
|If you have create a user account on our website, we will make such account available to you. The account includes access to information on your previous rental arrangements and bookings. We will also store your username and password.||Performance of our contract with you.||Your user account data, as well as personal information related to your previous rental arrangements and bookings, will be stored until you decide to cancel your user account via our website.|
In addition to the above, we undertake such day-to-day measures that are necessary for businesses providing services to consumers, such as bookkeeping, accounting, billing, fulfilling anti-money laundering obligations and maintaining our website security. To the extent this is not mandatory under applicable laws, we undertake these measures based on our legitimate interest. We may also analyze our customers’ behavior in order to improve our websites and services on a general level. However, such analysis will use generalized or anonymized data on an aggregated level.
Each partner is responsible for its own handling of your personal data after it has received it from us, meaning that you must contact the partner in question for any requests related to your rights under applicable data protection legislation. We recommend that you read the partners’ respective privacy policies for information on their handling of your personal data.
Due to the global nature of the industry, your personal data may be processed in different locations around the world when the parties we share your personal data with reside in a country outside the EU/EEA. Our sharing of personal data outside the EU/EEA requires certain legal ground under applicable data protection legislation. Where a country is regarded by the European Commission to be a country with adequate level of protection for personal data, this will be our legal ground. Otherwise there are three main types of legal ground on which that we may base such sharing.
According to the applicable data protection legislation, you have certain rights as a so-called “data subject”. Below, we have listed your rights. Your rights include the following:
Finally, you also have the right to lodge a complaint with the applicable data protection supervisory authority.