Privacy Policy

Ehrensvärd Society, customer register


1. Data controller

Ehrensvärd Society (Business ID: 0220249-0)
Suomenlinna B 40
00190 Helsinki, Finland


2. Data Protection Officer

Name: Carita Wilenius-Rantala
Address: Suomenlinna B 40, 00190 Helsinki, Finland
E-mail: carita.wilenius-rantala(at)
Phone: +3584578843315


3. Controller’s contact information

Name: Carita Wilenius-Rantala
Address: Suomenlinna B 40, 00190 Helsinki, Finland
E-mail: carita.wilenius-rantala(at)
Phone: +3584578843315


4. The collected information from customers and data sources

The booking, purchasing and using of the services and products offered by the Ehrensvärd Society and its subsidiary, Suomenlinnan Matkailuexpert Oy, require providing certain personal information. Your personal information may be collected in various ways. We mainly collect and process personal information received primarily:

  • From customers themselves during ordering and registration and during the purchasing and using of services through the internet, by phone, by using customer cards, via email or by other similar ways; during transactions completed in the online store or at the checkout point; when the customer subscibes our newsletter or contacts us to request an offer or information,
  • Generated when using the service or visiting the website, for example, when logging into the service, through cookies, or other similar technologies,

We may also obtain information from other sources to the extent permitted by applicable laws, such as the Finnish Trade Register, the Finnish Population Information System, the Finnish Business Information System, or the Address Data System of the Finnish postal service Posti, without limiting the sources to only those mentioned above.

You do not have to provide us with your personal information, but if you choose not to do so, we may not be able to provide our service to you.


Examples of the personal data categories that we collect and process:

  • Basic information such as name, contact details (email address, address and phone number, age) and preferred language of communication,
  • Customer relationship-related information, such as service and/or product details, order information, payment and payment method details, invoicing information, marketing permissions and opt-outs,
  • Customer inquiries and related correspondence, as well as records concerning the rights of registered individuals,
  • Personal data generated during the use of our service or collected during the use of our website, such as usernames, passwords, identification-related information, service usage logs, information collected from our website through cookies or similar technologies (device ID and type, operating system and application settings),
  • Other data specifically defined on a case-by-case basis based on your consent, such as necessary information for service provision, for example, allergies or similar information.



We use cookies and similar technologies on our website. Cookies are small text files placed on your device for the collection and preservation of useful information, to improve the functionality and usability of our website. We may also use cookies and other similar technologies for statistical purposes, such as compiling statistics on website usage to understand how users interact with the website and to improve the user experience.

You may prevent the setting of cookies, limit their use or remove them from your browser. Since cookies enable the functioning of our website, limiting their use may affect the usability of the website.


5. Purpose and legal basis of processing personal data

The processing of personal data is typically based on, for example, the consent of the data subject, the legitimate interest of the data controller, or the performance of a contract in which the data subject is a party.

We collect and process only the personal data necessary for the operation of our business, management of customer relations, and for appropriate commercial purposes.

We process your personal data for the following purposes based on the legal grounds derived from data protection legislation:


Provision of service and management of customer relations

  • We process your personal data primarily to offer and deliver our services and products to you or to the company/organization you represent. To do so, we maintain and manage the customer relationship between you or the company/organization you represent and us. In this case, the processing of personal data is based on the agreement between us and you or the company/organization you represent.

For example: When it comes to information regarding customers and users of the online store up until the completion of an order, the processing and retention of data are necessary for the performance of the contract and for the implementation of pre-contractual measures (including managing customer relations, orders, invoicing, payment monitoring, granting of payment terms and debt collection, customer communication). When it comes to customers who have provided their information after completion of the contract and for marketing purposes (e.g. participants in competitions and newsletter subscribers), processing is necessary for the legitimate interests of the data controller (including customer relations management, development and analysis of customer communications, operational planning and monitoring).


Service and product development, data protection and internal reporting

  • Be also process personal data to ensure the security of our services, products and the website, to improve the quality of the service and website, and to develop services and products. We may also compile internal reports based on personal information for management and various operational units to properly manage our business. We segment our customers for marketing purposes, based on factors such as service usage and/or behaviour on our website. In these cases, the processing of personal information is based on our legitimate interest in ensuring the appropriate security for our services and website, as well as obtaining sufficient and appropriate information for the development of services and the management of our business.

Compliance with laws

  • We may process your personal data to fulfill our legal obligations, such as accounting requirements, or to comply with requests from authorities (e.g. the tax authorities).


Customer profiling

  • We collect statistics, including usage of service on-site and when you visit our website, for customer segmentation in our sales processes, as well as for the development of services and products.



  • We may contact you to inform you about new features of the service or for marketing purposes and to sell you other services. This primarily applies to our newsletter subscribers. We may also process your personal data for customer surveys (customer feedback collection). The processing of personal data is based on our legitimate interest in providing information as part of the service and in marketing our other services to you. According to the law, you have the right to object to the processing of your personal data for direct marketing purposes at any time (see also section 9).


6. Personal data processors

Personal data is processed only by individuals specifically authorised by the Ehrensvärd Society for the handling of personal data, to fulfill their duties described in this statement and based on the reasons outlined. Personal data is processed only to the extent necessary for the purposes of processing. (See also section 7)


7. Transfers and disclosures of personal data

  • We may transfer your personal data within the group (Ehrensvärd Society and its subsidiary Suomenlinnan Matkailuexpert Oy) based on legitimate interests if there is a specific reason for doing so.
  • We may disclose your personal data in the following cases:
    • To the extent permitted or required by law, for example, to comply with request from competent authorities or related to legal proceedings,
    • When we use external service providers for the processing of personal data and to support such processing. Such situations include, for example, maintenance and support tasks for IT systems; using the service provider of payment, invoicing and accounting services on behalf of the data controller. We only use data processors who implement appropriate security measures and ensure that the processing complies with data protection legislation. Upon request, we will inform the customer of the name and contact details of the service provider processing personal data on our behalf, so that the customer can, if desired, familiarise themselves with the privacy policy of the company in question,
    • if we are involved in a merger, corporate reorganisation, or sale of business or its part;
    • when we believe that disclosure is necessary to enforce our rights, protect your or others’ safety, investigate misuse, or respond to a request from authorities;
    • with your consent to parties to whom the consent applies.
  • Data will not be disclosed or transferred outside the European Union, the European Economic Area, or countries recognized by the European Commission as having a sufficient level of data protection, with the except for companies adhering to the Privacy Shield arrangement between the European Union and the United States. The latter situation is represented by the Google Analytics cookies used on our website. The data collected by these cookies is transferred and stored on Google servers, some of which may be located outside of the EU. Google Inc. is a member of the Privacy Shield framework between the European Union and the United States. Data is transferred securely and lawfully within framework, in accordance with the suitability decision of the European Commission regarding data protection. Data is retained for 26 months.


8. Retention of personal data

  • Personal data will be kept only for as long as necessary to fulfill the purposes specified in this notice.
  • Personal data will be kept primarily for the duration of the customer relationship. Personal data may also be retained, where necessary, after the end of the customer relationship to extent permitted or required by applicable law. We may also retain personal data to the extent necessary to comply with your direct marketing injunction and to develop our services.
  • Personal data will be deleted or made anonymous when it is no longer necessary to retain it to fulfill the rights or obligations of the law or of either party.


9. Your rights

  • You have the right to inspect your personal data. You can also request correction, updating, or deletion of your personal data at any time. However, please note that when the data controller has a legal obligation or right to retain data, it cannot be deleted.
  • You have the right to object to or restrict the processing of your personal data to the extent required by applicable law.
  • When we process your personal data based on consent, you right to withdraw your consent at any time. After that, we will not process your personal data unless there is another legal basis for the processing.
  • The data subject has the right to inspect what information concerning them is stored in the register. A request for inspection must be submitted in writing to the person responsible for the registry or presented in our customer service regarding the right of inspection.
  • You have the right to receive your data from us in a structured and commonly used format so that you can transfer your data to another controller. This right applies to data that is in electronic form and processed based on consent or to fulfill a contract.
  • You can exercise your rights by submitting a request to us at the address guidebooking(at) or by visiting our office.


10. Information security

  • We implement appropriate measures (including physical, digital and administrative measures) to protect personal data from loss, destruction, misuse and unauthorised access or disclosure. Only individuals specifically authorised by the Ehrensvärd Society for the handling of personal data handle such data. (See also section 6)
  • Please note, that even appropriate measures cannot prevent all possible security breaches. In the event of a data security breach, we will notify you in accordance with applicable laws.


11. Modification of the statement

  • We reserve the right to modify this statement.


12. Contact us

  • You may ask about this statement or the processing of your personal data by contacting us at guidebooking(at) or by visiting our office.