Privacy Notice | De Après Ski / After Hours Society B.V.
1. Introduction
The Après Ski / After Hours Society B.V. (hereinafter: “we”, “us” and “our”) places great importance on the protection of personal data. We process personal data carefully and in accordance with applicable laws and regulations, including the General Data Protection Regulation (GDPR).
In this privacy notice, we explain which personal data we process, from whom we receive it, for which purposes we use it, on which legal bases these processing activities are based, with which third parties personal data may be shared, how long we retain personal data, whether personal data are transferred outside the European Economic Area, and which rights data subjects have.
This privacy notice applies to all processing of personal data by us in connection with our services and business operations, including providing information about travel and related services, preparing, offering, selling, booking, organising, mediating and carrying out package holidays and other travel services, handling requests, maintaining contact with customers and travellers, managing bookings and traveller data, processing payments, digitally recording or signing documents and using our website.
2. Data Controller
The data controller for the processing of personal data is De Après Ski / After Hours Society B.V., based at Prinsengracht 769, 1017 JZ, Amsterdam.
You can get in touch with us via our website www.apresskisociety.com and via the contact details listed there. Any questions about this privacy notice or the processing of personal data can be sent to us using those contact details.
3. Whose personal data we process
We process personal data from people who contact us, from people who make an enquiry or show interest in a trip or other services, from customers with whom we enter into, or intend to enter into, an agreement, from travellers and other people who use our services, from people who are registered by a customer, lead booker or contact person in connection with a booking or participation, from users of digital environments we use for bookings, traveller registration, payments or document storage, and from visitors to our website.
4. How we obtain personal data
We generally obtain personal data directly from the data subject, for example when the data subject contacts us via the website, email, telephone, WhatsApp or other communication channels, submits an enquiry, enters into an agreement, provides details in a digital environment, makes a payment or signs documents digitally.
Additionally, we may receive personal data via a customer, lead traveller, contact person or fellow traveller acting on behalf of other data subjects. In that case, this may include contact details, booking details, travel details, participation details and other information necessary for the preparation, performance and administrative completion of the agreement.
If personal data are provided to us by a customer, lead traveller or other representative for the benefit of another data subject, we assume that that person is authorised to provide those details and has duly informed the relevant data subjects about this processing.
5. What personal data we process
Depending on the nature of the contact and the services provided, we may process personal data such as your name, title, gender where relevant, date of birth, address details, telephone number, email address and other contact details. We may also process booking details, travel details, participation details, contract details, communication details, payment details, bank details and information about outstanding, paid or payments by instalments.
Where necessary for the performance or settlement of the agreement, we may also process passport details or a copy of a passport. We may also process data about special requests or personal circumstances that are relevant to the services provided.
Where data subjects or their representatives provide us with information about allergies, dietary requirements, medical details or other sensitive personal circumstances, we process this only insofar as necessary for the preparation or performance of the services and insofar as the GDPR provides a lawful basis for this.
We may also process technical data about your use of the website, such as IP address, browser details, device details, cookie data and information about how the website is used.
6. Purposes and bases of processing
We process personal data only for clearly defined purposes and on the basis of a relevant legal basis.
We process personal data for handling enquiries, preparing offers, entering into and performing agreements relating to package holidays and other travel services, registering travellers, managing bookings, processing payments, recording travel and traveller information, and digitally recording or signing documents. This processing is based on the necessity of performing the agreement or taking steps at the request of the data subject before entering into the agreement.
We also process personal data in order to communicate about enquiries, quotations, bookings, journeys, payments, changes, operational matters, safety aspects, customer service and other topics connected with our services. This processing is based on the performance of the agreement and, where necessary, on our legitimate interest in properly organising and documenting our services.
When a customer, lead booker or contact person provides us with personal data of other travellers, we process that data insofar as this is necessary for the preparation, performance and administrative settlement of the relevant agreement. This processing is based on the performance of the agreement and our legitimate interest in making the trip and the associated communication and administration possible.
Where necessary, we process passport details and other data relevant to the execution of the trip for the purposes of identification, booking administration, communication with service providers and meeting requirements directly related to the service.
To the extent that data subjects provide us with information about allergies, dietary requirements, medical particulars or similar circumstances, we process this only insofar as it is strictly necessary for the service requested by the data subject and insofar as the GDPR provides a lawful basis for doing so, such as explicit consent or another applicable legal exception. Such data is processed by us with restraint and limited to what is necessary.
We further process personal data for our financial administration, compliance with tax and other legal obligations, maintaining proper records and substantiating claims or defences in legal proceedings. This processing is based on a legal obligation and, where relevant, on our legitimate interest.
We may also process personal data to secure systems and processes, prevent misuse, manage payment risks, protect business interests and monitor the quality of our services. To the extent that these processing activities are not already necessary for the agreement or a legal obligation, they are based on our legitimate interest.
For sending commercial communications and for placing or reading non-strictly necessary cookies or similar technologies, we ask for prior consent, where required by law. That consent may be withdrawn at any time.
7. Required provision of personal data
Providing personal data that is necessary for preparing, entering into and performing an agreement is a condition for using our services. If such data is not provided, we may be unable to conclude an agreement, process a booking, register participation, handle payment, or provide the service at all or in full.
Where personal data is processed solely on the basis of consent, such as in certain cases for marketing or non-essential tracking, providing it is not mandatory.
8. With whom we share personal data
We share personal data only to the extent necessary for the performance of the agreement, to comply with legal obligations or on the basis of another valid legal ground.
Personal data may be shared with providers of IT, hosting, cloud, communications and software services, with providers of systems for customer relationship management, bookings, traveller administration, document capture, payments and administration, with payment service providers and banks, with marketing and analytics service providers to the extent lawful, with travel organisers, accommodation providers, transport operators, activity providers and other implementing or supporting parties involved in the preparation, organisation, performance or settlement of the trip or other services, and with competent authorities or other third parties to the extent we are legally required to do so or this is necessary to protect our rights or interests.
If a third party processes personal data on our behalf, we put in place appropriate contractual safeguards, such as a data processing agreement, to the extent required by law.
9. Transfers outside the EEA
As part of the services we provide, personal data may be processed by service providers or other parties established outside the European Economic Area, or by parties providing services from a country outside the European Economic Area. If personal data is transferred to a country outside the European Economic Area for which there is no adequacy decision by the European Commission, we ensure appropriate safeguards, such as the use of standard contractual clauses approved by the European Commission or another legally permitted transfer mechanism.
If you'd like more details about the safeguards that apply, please contact us.
10. Retention periods
We do not keep personal data for longer than is necessary for the purposes for which it was collected, unless a longer retention period is required by law or is necessary in connection with legal claims.
We generally keep data arising from contact or an enquiry that does not lead to an agreement for up to twelve months after the last point of contact, unless there is a good reason to keep it longer, for example in connection with a dispute or follow-up on a request.
We keep data connected with an agreement, booking, participation or payment for the duration of the agreement and thereafter for as long as this is necessary for administration, file management, complaint handling, disputes and legal claims.
We keep tax and administrative data in accordance with the applicable statutory retention periods, including in any event the tax retention period of seven years.
We do not keep passport details and data about allergies, dietary requirements, medical matters and other data relevant to the execution of the trip for any longer than is necessary for the preparation, performance and completion of the relevant services, unless longer retention is necessary in connection with incidents, complaints, disputes, insurance matters or legal obligations.
We keep communication data and digitally recorded or signed documents for as long as is reasonably necessary for file management, evidential purposes and legal certainty.
Where possible and appropriate, we delete personal data earlier or anonymise it.
11. Cookies and similar technologies
We use cookies and similar technologies on our website to ensure the site works properly, to improve your experience, to analyse how the website is used and, where applicable, for marketing and remarketing purposes.
If cookies or similar technologies are not strictly necessary for the website to function, we ask for your consent in advance via the cookie banner. Any consent given can be withdrawn or adjusted at any time.
Through cookies and similar technologies, we may process, among other things, IP address, browser data, device data, browsing behaviour and interactions on the website. Further information about the cookies used and how to manage cookie preferences is provided via the cookie banner and/or a separate cookie notice.
12. Security of personal data
We take appropriate technical and organisational measures to protect personal data against loss and unlawful processing. Access to personal data is restricted to people for whom that access is necessary to carry out their work.
If we use external service providers, we also require them to implement appropriate security measures. Despite the measures taken, no system can guarantee complete security. We therefore review our security measures regularly and adjust them where necessary.
13. Automated decision-making
We do not make decisions that are based solely on automated processing and that have legal effects for those involved or otherwise affect them to a significant extent. Decisions about applications, bookings, participation and the delivery of our services are made with human involvement.
14. Rights of data subjects
Data subjects have, insofar as provided for by law, the right to access their personal data, rectify inaccurate personal data, erase personal data, restrict processing, receive their data in a portable format and object to processing based on legitimate interests.
Insofar as processing is based on consent, the data subject has the right to withdraw that consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before that withdrawal.
Requests concerning the exercise of privacy rights may be addressed to us via the contact details on our website. We may ask for additional information to verify the identity of the requester and will handle such a request within the applicable statutory time limits.
Data subjects also have the right to lodge a complaint with the Dutch Data Protection Authority.
15. Changes
We may update this privacy notice. The most up-to-date version will be made available via our website. If any change is significant, we will inform those concerned in an appropriate way.
16. Contact
If you have any questions or requests regarding this privacy notice or the processing of personal data, please get in touch using the contact details listed on our website www.apresskisociety.com.
