Privacy Policy for Dr. Holms Hotel

1. Introduction
We at Dr Holms Hotel process your personal data in various contexts, for example when you order services from us, stay overnight at our hotel, use services we provide, and in certain other contexts. In our privacy policy you will find more information about our processing of personal data. Below you will also find contact information if you have questions or would like to request access.
We process your personal data in accordance with the current Norwegian Personal Data Act, hereinafter referred to as GDPR.

2. Controller of your personal data

Our company, Dr Holms Hotel as, org. no. 979 306 369, Timrehaugvegen 2, 3580 Geilo, tel. +47 32 09 57 00, e-mail post@drholms.com, is responsible for all processing of personal data registered in our systems.

3. Processing of personal data related to booking and stay

In connection with your bookings, made by yourself or by others on your behalf, we process the personal data we need in order to be able to fulfill the agreement on booking and purchase of services. This is information you have given us directly or that you have given us via a travel agency or agent. For example, we process information about your identity, your contact details and your payment information. In some cases, we will store your passport number. In addition, we process other information you may have given us that is relevant to your stay with us. This can be information about allergies or about special wishes for your stay. We register all purchases and orders you make with us, such as spa, restaurant, room service etc., in order to deliver such services and for you to be able to pay for them.
We process this information for as long as it is necessary to fulfill the agreement on booking with you, and in addition for as long as the applicable legislation or authority requires us to do so.
We log the use of key cards at our hotel. We do this to prevent and solve crime, and for reasons of safety, including fire safety. We store the logs for 14 days.

4. Processing of personal data for marketing purposes

If you sign up for our newsletter, we save and use your email address to send you news and offers from us.
We may also use your email address or telephone number to send you news and offers, provided you have given your consent to this.
You can withdraw your consent at any time by sending an email to post@drholms.com

5. Processing of personal data for development, troubleshooting and security

We may process data that includes personal data to troubleshoot and correct errors, improve our services and the technology we use, and to analyze usage and user behavior. Furthermore, we will process personal data to verify your identity, including verifying identity in connection with your use of our digital services.
We process information about your purchases and orders for the development of our business operations and our customer offers, carrying out customer analysis, troubleshooting, support and tests, as well as for statistical purposes and surveys. We have a legitimate interest in processing your personal data in order to improve our offer, ensure customer satisfaction, and that our systems maintain high quality and a high level of security.

6. Processing of personal data in general

In the case of competitions or other activities in which you can participate, we will process personal data such as name and contact information when this is necessary, for example to register who is participating, and then draw one or more winners. We will, as far as possible, provide concrete information about this when you participate in competitions or other activities.
If you contact our customer service or otherwise contact us with enquiries, we will process the personal data you provide as far as is necessary to answer and log your inquiry. We also keep a list of which newsletters and offers we send out and whether these are opened. The basis for this is legitimate interests or to fulfill agreements with you or answer your inquiries. The legitimate interests are to exercise good customer care and to adjust the amount of newsletters sent out.
In addition to processing described in our privacy policy or based on your consent, we will in some cases have to or be able to process personal data when applicable legislation, including the Personal Data Act and GDPR, a valid authority order or a court requires us to do so or allows us to do so.

7. Processing of personal data about our suppliers, business customers and contacts in business

We process information about contact persons at our suppliers, business customers, business partners, participants at our events aimed at the business world and other people who act in business activities. We do this in order to work efficiently, enter into and enforce contracts, recruit, run our business and develop our business and our professional network. Such information typically consists of name, contact information, position, company, expertise, business interests and participation in our events for the business community or previously shown interest in us and our employees.
We store such information as long as we consider that the person is a business contact with us.
The basis for this is legitimate interests.

8. Disclosure of personal data and statutory processing

We do not release your personal data to third parties, unless you have consented to this, or unless applicable legislation, including the Personal Data Act and the GDPR, a valid authority order or a court allows or requires us to do so.
For the record, we state that our use of an external data processor to process information on our behalf is not considered disclosure.

9. Collection of personal information from others

To ensure that we have correct information about you, we may wash your information against other sources such as telephone directories, population registers and the like. In some cases, it may be relevant to credit check our customers, which means obtaining credit data from other sources. We collect demographic information such as age, gender and language from other sources. We collect information from our business partners and from other parts of our group when this is legal and necessary for the delivery of services and communication to you.

10. Your rights

You as an individual have several rights according to the personal data regulations.
You have the right to demand access, correction or deletion of the personal data we process about you. You also have the right to demand limited processing, object to the processing and demand the right to the disclosure of personal data to other data processors.
If you want insight into our processing of your personal data or other inquiries, you can send us an email: post@drholms.com. We will respond to your inquiry to us as soon as possible, and at the latest within 30 days.

We will ask you to confirm your identity or ask you to provide additional information before we allow you to exercise your rights with us. We have to do this to make sure that we only give access to your personal data to you – and not to someone pretending to be you.

11. Privacy complaint

If you believe that our processing of personal data is not in accordance with what we have described here or that we in other ways break the privacy legislation, you can complain to the Norwegian Data Protection Authority. You can find information on how to contact the Norwegian Data Protection Authority on the Norwegian Data Protection Authority’s website www.datatilsynet.no.

12. Use of data processor

We use several data processors to be able to deliver our services to you.
We share information with other actors who are our data processors, e.g. suppliers that we hire for data storage, system support or other data handling, payment services, distribution of information, printing, marketing or analyses. In such cases, we have a data processing agreement with the supplier. The data processor does not have the right to use the personal data for purposes other than agreed.

13. Changes in privacy policy or in processing

We are continuously working on the development and improvement of our services to our customers. This could change the way or scope of our processing of personal data. The information we provide through this privacy policy will therefore be adjusted and updated at irregular intervals. We will also change the privacy policy when new rules or official practices make it necessary.

14. How do we protect your personal data?

We and our partners for network operation and data storage have guidelines to ensure that your personal data does not go astray. Our employees and data processors must handle all information in accordance with applicable laws, rules and guidelines.
As a general rule, we and our partners process your personal data within the EU/EEA area, with the exception of the previously mentioned Google Analytics. If we enter into agreements where the information is processed outside the EU/EEA, this will only be done in accordance with current privacy legislation.

15. Use of information from websites

Web statistics and cookies

We collect de-identified information about visitors to our websites. The purpose of this is to prepare statistics that we use to improve and further develop the information offered on the website. Examples of what the statistics provide answers to are how many people visit various pages, how long the visit lasts, which websites the users come from and which browsers are used.

To analyze the information, we use the analysis tool Google Analytics.

Google Analytics uses cookies (small text files that the website stores on the user’s computer), which register the user’s IP address, and which provide information about the individual user’s online movements. None of the cookies enable us to link information about your use of the website to you as an individual.

If you do not want such information to be stored in your browser, you must go into the settings in the relevant browser yourself and deactivate this functionality.
Note that this setting may cause some websites to not function optimally.

The information collected by Google Analytics is stored on Google’s servers in the USA. Information received is subject to Google’s privacy policy.
An IP address is defined as personal data because it can be traced back to a specific piece of hardware and thus to an individual. Difi anonymises the user’s IP address before the information is stored and processed by Google. Thus, the anonymized IP address cannot be used to identify the individual user.

Your IP address is also logged for a short period by our web servers. The user’s IP address, time, web address, HTTP status, number of bytes sent, HTTP referrer and HTTP user agent are logged for 15 days. The log is then deleted automatically.

16. Search

We store information about which keywords users use on our websites via Google Analytics.

The purpose of the storage is to make our information offer better. The usage pattern for searches is stored in aggregated form. Only the search term is stored, and they cannot be linked to other information about the users, such as IP addresses.

Sharing posts from one of our sites:

When you share posts, information is entered then and there with the online community you choose. How the relevant online community handles the data further is regulated by your agreement with the online community. However, information that you have shared a post is not stored with us.