Privacy policy
1. Processing of personal data
- OURWAY Tours AB, reg. no. 556848-7978 (the “Company”, “we”) is the Data Controller for the processing of your personal data (“Personal Data”) that you provide us with by e.g. using the digital channels, such as our website or e-mail system for support (the “Digital Channels”) or by registering with us when you are booking or using our services, such as guided tours, segway tours, bike tours, driving tours, transfers, rooftop tours, craft beer tours, sailing tours, kayaking tours, food tours, cooking classes, amphibious bus tours (the Ocean Bus) at different locations in Sweden, Norway and Denmark (the “Services”) or information received in connection with your application for internship/employment or other information which we for other reasons collect directly from you or from any third party.
- This privacy policy (the “Privacy Policy”) provides you with information on how we process personal data so that you as a user and a Data Subject can feel confident that the Company, as Data Controller, handles your information in an appropriate manner and complies with applicable regulatory frameworks on the legality of the processing of personal data. Below we describe how the Company processes your Personal Data and what rights you have, and how you can contact the Company in case you have any questions or want to exercise your rights.
- Kindly keep in mind that we may process your Personal Data if you choose to use the Digital Channels and/or the Services. Such processing will only take place to the extent necessary to be able to provide the Digital Channels and/or the Services to you.
- It is not necessary to provide us with any Personal Data to visit the Digital Channels or to use the Services, but if you do not provide the required information or explicitly consent to our processing of data when this is required, you may not be able to visit all parts of the Digital Channels or to access the Services.
2. Personal data, purposes and lawfulness of processing
- Personal Data is any information that relates to an identified or identifiable living individual. Different pieces of information, which together can lead to the identification of a particular person, may also constitute Personal Data.
- The main purpose of the processing of your Personal Data is that we, as providers of the Services, shall be able to offer you the Services, information about the Services and market these to you. We collect and process your Personal Data only to the extent necessary to be able to provide the Services to you.
- Collection and processing of your Personal Data are conducted solely with your consent or on the basis of an existing agreement with you or our legal obligations, e.g. when we must save the personal data according to accounting regulations. Exceptions are made e.g. in cases where prior consent is not possible to obtain due to practical reasons, but the processing of the data is permitted by law or we have a legitimate interest in processing the Personal Data, e.g. for marketing purposes, follow-up of the Services or for defending ourselves against legal claims, according to a so-called balance of interests. Please find more information under section 2.4 below.
- When you use the Digital Channels and/or the Services your Personal Data is processed according to the following:
- When you book the Services through our website and use the Services, the Personal Data processed about you are: name, address, e-mail address, telephone number, age (applicable only for particular Services), credit/debit card details or other banking or billing details. We process the Personal Data to administer your booking, ensure your age (applicable only for particular Services), enable communication with you, to manage and administer invoice and payment services, and to be able to perform the Services (the legal basis for such processing of data is our contractual relationship with you, see the General Terms and Conditions). When you contact us via our support service provided through an e-mail system on our website, we process the Personal Data we need to be able to provide you with the support service as a part of the Services, administer support and complaint cases and to be able to contact you (the legal basis for such processing of data is our contractual relationship with you, see the General Terms and Conditions).
- When you use the Digital Channels, we automatically collect, register and process IP-addresses, geographical information and cookies. We process these Personal Data in order to collect statistical information, such as the duration of your visit at the website, parts of the website that are visited and to study the behaviour at the website through information registration tools, e.g. Google Analytics, in order to be able to develop and quality assure the Digital Channels and to continuously improve your user experience and the IT security. Legal basis for the processing is the balance of interests. Kindly be aware that the default settings in most browsers are set to accept cookies automatically. You may change and customize your settings manually. We may not process your data if you change your settings. For more information regarding our use of cookies, we refer you to our Policy for Cookies.
- We process your name, address, e-mail address and telephone number for direct marketing to you via e-mail and SMS messages, e.g. to promote campaigns, special offers or offers from our business partners, conduct user surveys etc. (the legal basis for the processing is the balance of interests). We will send our newsletter e-mails to you based on your consent, which you can submit in connection with your booking and which you can withdraw when you so wish in accordance with what is stated below in section 11 (the legal basis for the processing is your consent). In some cases, we will also process Personal Data consisting of audio, video and photographic materials. However, this processing will only occur upon your consent (the legal basis for such processing of data is your consent).
- We may process your Personal Data in order to fulfil our legal obligations imposed on us by law, judgments or authority decisions etc. (the legal basis for such processing of data is our legal obligation).
- We may process your Personal Data in order to exercise our rights and defend our rights in case of legal claims brought against us (the legal basis for such processing of data is our legitimate interests).
- We may process your Personal Data, such as your CV with other relevant documents (work experience, letters of recommendation, personal letters, references, grades, certificates, other background information), image (when applicable) in order to evaluate your application for employment or internship, undertake measures prior to entering an employment agreement or other relevant agreement (the legal basis for such processing of data is our legitimate interests), to continue saving your application and Personal Data in the event that you would be considered as a candidate for future employments (the legal basis for the processing is consent) and to carry out our obligations and exercise our rights as an employer in the area of employment (the legal basis for the processing is a legal obligation and our legitimate interests).
3. Special categories of personal data
- Special categories of personal data include inter alia information that reveals the ethnic origin, political opinions, religious beliefs or information regarding trade union membership or information relating to physical or mental health or sex. Health information can include information regarding the state of health, illness, pregnancy, food allergies etc. As a general rule, the Company does not process any special categories of personal data within the framework of our Services. In case we still need to process such data, when it is necessary and relevant to fulfil the agreement with you and to be able to provide you with the Services, we do it only after receiving explicit consent from you or where we are otherwise entitled to do so according to applicable regulatory frameworks governing the processing of personal data.
- In case of processing of special categories of personal data, we apply particularly strict routines, which imply a higher protection level for your Personal Data of special category.
4. Who has access to the personal data
- Beyond what is stated in this Privacy Policy, we will not share the Personal Data with any third party, unless disclosure of the Personal Data is required by law.
- We hire subcontractors/business partners for services in connection with the Digital Channels and the Services, such as cloud services, transport services (bus, taxi, limousine etc.), catering and restaurant services, bike rental services. The Personal Data is shared with these subcontractors/business partners on our behalf, as processors (the “Processors”) and as per instructions from the Company and according to the Data Processing Agreement that the Company has entered with the Processors. We will always limit the Processors' access to the Personal Data and only share the Personal Data that is required to be able to offer you access to the Digital Channels and the Services. We also require that the Processors (i) protect your Personal Data in accordance with this Privacy Policy and (ii) not use or disclose your Personal Data for any other purpose than to provide us with the contracted services, so that we are able to offer you access to the Services.
- We also hire subcontractors/business partners in connection with the Digital Channels and the Services, which provide their services directly to you and are themselves responsible for the personal data processing (such as our subcontractor for payment methods Stripe or booking services Rezdy). You will in some cases be asked to submit your Personal Data directly to such a subcontractor/business partner. In those cases, the processing of your personal data will not be covered by this Privacy Policy. For information regarding how such subcontractors/business partners process your Personal Data, please see the respective subcontractor’s/business partner’s privacy policy.
5. How long do we process and store the personal data
Your Personal Data will not be processed and stored longer than is necessary with regard to the purposes of the processing, the legal obligations imposed on us as a company (e.g. accounting regulations) and according to applicable regulatory frameworks applicable to the processing of your personal data. We will also erase your Personal Data in a safe and secure manner.
6. Transfers to third countries
As a general rule, we or the Data Processors will not transfer the Personal Data to third countries (a country outside the EU/EEA). In cases where we have to do so, because we use a digital service provider based in third countries and the transfer is necessary for the performance of the agreement with you, we will ensure that adequate safeguards are implemented and only transfer the Personal Data according to applicable regulatory frameworks on the processing of personal data.
7. Right of access by the data subject
- You have the right to request and obtain (free of charge) information regarding which Personal Data (if any) is being processed by us about you (so-called extract from the register) and also get any incorrect information corrected. If you want to know if we process any Personal Data about you, you can send us a written and signed request (for instructions, see below under section 16). When you send your request to us, you need to indicate specifically what kind of information you are interested in receiving (unless you are interested in receiving all Personal Data about you). In that way, we can provide you with information that is relevant to you. In case your requests for extracts from the register are manifestly unfounded or excessive, e.g. because of several repetitive requests, we may charge a fee taking into account the administrative cost of providing you with the information or, in some cases, in accordance with statutory cases, refuse to comply with your request.
- The extract from the register will be sent to you within 30 days from the time we received the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will notify you of any such extension.
8. Right to rectification
- In order to fulfil our obligations to always have accurate and relevant Personal Data, we work systematically with our records and update the Personal Data where necessary. If you notice that the information we have about you is incorrect or inaccurate, or if we lack important information, you have the right to, within 30 days from the time we received the request, get your information corrected or incomplete information completed. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will notify you of any such extension. We normally correct simple data without consideration, but in other cases, we may need to consider your request. If your request is manifestly unfounded or excessive, e.g. because of several repetitive requests, we may charge a fee taking into account the administrative cost of providing you with the information or, in some cases, in accordance with statutory cases, refuse to comply with your request. If you so request, we will also inform you about to whom the correction has been submitted.
- In case your Personal Data is changed at your request, we will inform the Processors that the information about you has been updated.
9. Right to restriction of processing
- You have the right to request to have certain processing of your Personal Data restricted if:
- you have objected to the accuracy of the Personal Data, but only for as long as it takes to verify that accuracy;
- the processing is unlawful and you request restriction (as opposed to exercising the right to erasure);
- we no longer need your Personal Data for their original purpose, but you need them to be able to determine, claim or defend legal claims; or
- you have objected to our processing, and verification of overriding grounds is pending, in the context of an erasure request.
- Restrictions of processing imply that the Personal Data will be marked so that in future these Personal Data are only to be processed for certain limited purposes.
10. Right to erasure (“Right to be forgotten”)
- You have the right to at any time request that we delete your Personal Data if:
- your Personal Data are no longer needed for the purposes for which they have been collected and for which we process them;
- we process the Personal Data on the basis of your consent and you have withdrawn it;
- we process the Personal Data based on our legitimate interest and there are no overriding legitimate grounds for the processing;
- we have not processed the Personal Data in accordance with applicable regulatory frameworks governing the processing of personal data;
- it is required that Personal Data are deleted in order to fulfil a legal obligation; or
- Personal Data has been collected in relation to the offer of information society services.
- However, we have the right to refrain from erasing your Personal Data if the relevant data is necessary:
- for exercising the right of freedom of expression and information;
- for compliance with a legal obligation;
- for the performance of a task carried out in the public interest;
- for reasons of public interest in the area of public health;
- for achieving purposes in the public interest, scientific or historical research purposes or statistical purposes; or
- for the establishment, exercise or defence of legal claims.
- If we receive your request regarding erasure, we will conduct an assessment in order to evaluate if there are reasons to erase your Personal Data. You will then be informed about our assessment. We will inform you within 30 days from the time we received the request. This period may be extended by a further two months where necessary, taking into account the complexity and number of requests. We will notify you of any such extension. In case your Personal Data is erased at your request, we will inform the Processors that the information about you has been erased. If your request is manifestly unfounded or excessive, e.g. because of several repetitive requests, we may charge a fee taking into account the administrative cost of providing you with the information or, in some cases, in accordance with statutory cases, refuse to comply with your request.
11. Right to withdraw consent and object to processing
- You have the right to object to our processing of your Personal Data where the processing is either based on public interests or our legitimate interest. If so, you need to specify in writing which processing you object to. In such cases, we can only continue to process your Personal Data if we can demonstrate compelling legitimate grounds for the processing which override your interests, rights and freedoms or if we require the data in order to establish, exercise or defend legal rights.
- If your Personal Data are processed for direct marketing purposes, including profiling, you shall have the right to object to the processing at any time. If your personal data is processed for scientific or historical research purposes or statistical purposes, you shall also have the right to object on the grounds relating to your particular situation, unless the processing is necessary for the performance of a task carried out for reasons of public interest.
12. Right to data portability
If you have submitted your Personal Data to us and we process them by automated means and on the basis of consent or to fulfil our contractual obligation, you have the right to obtain your Personal Data in a structured, commonly used and machine-readable format, e.g. in order to transmit such to another Personal Data Controller or get our assistance to transmit the Personal Data. This right shall not adversely affect the rights and freedoms of others. The right to data portability does not apply if it is not technically feasible.
13. Right to complain
In case you have any complaints or objections as a result of our processing of your Personal Data, please contact us primarily, so that we can help you in the best possible way. Nevertheless, you always have the right to lodge your complaints directly with the relevant Data Protection Authority in each country:
- Norway – Norwegian Data Protection Authority (Datatilsynet),
- Denmark – Danish Data Protection Authority (Datatilsynet) or
- Sweden – Swedish Data Protection Authority (Datainspektionen).
14. Security, technical and organizational measures
We undertake all appropriate technical and organizational security measures that are required in accordance with applicable regulatory frameworks governing the processing of personal data, to ensure a high level of security appropriate to the risks and to protect your Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to processed Personal Data.
15. Changes in the privacy policy
In case we need to change this Privacy Policy, we will announce it on our website.
16. Contact details
- If you wish to make a request in accordance with your rights stated above, such request must be made in writing and sent to us by e-mail at info@ourwaytours.com. Since it is important that we do not disclose your Personal Data to anyone else, a request must be made in writing, signed by you, scanned in and sent to us by e-mail. A signed copy of your valid ID document (passport or driver’s license) must also be attached to the request.
- If you have any questions about this policy or our personal data processing, please contact us at info@ourwaytours.com.