Welcome to the privacy centre of Santa’s Lapland. Here you can find details on how we sensitively handle the personal information you provide when you interact with us via the website, sales and customer service team or in other ways.
We appreciate there is a lot of information contained here, but we wish you to be fully informed of your rights and hope that we can answer any questions you have.
Santa’s Lapland is a data controller. We are a company registered in England (no. 350786) registered address; Nelson House, 55 Victoria Road, Farnborough, Hampshire, GU14 7PA. Santas Lapland is part of the larger Hotelplan UK Group which is a collection of niche tour operators in the UK including Inghams, Esprit Ski, Santa’s Lapland, Explore Worldwide, Inntravel and the wider Hotelplan Group, a large European travel group with headquarters in Switzerland and owned by Migros, the leading Swiss co-operative retailer.
The processing of personal data in relation to the Hotelplan Group is set out in this supplementary privacy notice.
When we state “we”, “us”, or “our” in this privacy statement, we are referring to “Santa’s Lapland”.
Please note that the information given here equally applies if someone else makes arrangements on your behalf and provides us with your details. If you handle the arrangements for other travellers, please ensure that they are aware of the information contained within this Privacy Centre.
Privacy Statement explained
Santa’s Lapland understands and respects the importance of your privacy. We are committed to safeguarding your personal information and this statement outlines our commitment to you;
- we will be transparent about the information we collect and what we will do with it;
- we will use the information you give us only for the purposes described in our Privacy Statement;
- we will use the information to help understand your needs and provide more relevant offers;
- if you tell us to cease marketing messages, we will stop sending them (albeit we will continue to send important information relating to a product or service you have purchased to keep you informed about your booking and travel itinerary);
- we will put in place measures to protect your information and keep it secure;
- we will respect your data protection rights and aim to give you control over your own information.
Sharing of personal data across Hotelplan UK
We are part of the Hotelplan UK group, which comprises Inghams, Esprit Ski, Santa’s Lapland, Explore Worldwide Ltd and Inntravel, as such we manage our data within a Single Customer View (SCV) for all five brands. This means that whilst each brand can only see the data relevant to their brand, if you have given your data to two or more of the brands, any updates to your personal data with one, will update the SCV as a whole to maintain the data’s integrity and currency; this includes, but is not exclusive to, your name and your contact details.
We have appointed a Data Privacy Manager who is responsible for responding to questions you may have. The Hotelplan UK Group has also appointed a Data Protection Officer (DPO@hotelplan.co.uk) who is a point of escalation should you feel your request has not be dealt with satisfactorily by the Data Privacy Manager. If you feel your data has been incorrectly handled, or you are unhappy with our response to any requests you have made, you have the right to make a complaint to the Information Commissioner’s Office (ICO). You can contact them on 0303 123 1113 or go online to www.ico.org.uk/concerns
Information we collect from you
We may collect information about you when you, or someone acting on your behalf, contact(s) us by phone, email, post or otherwise, and when you correspond(s) with us via our website and online forms. Please note that calls may be recorded for training and quality control purposes. Information that you provide us with can take many forms, including;
- when booking holiday arrangements, we will ask you to provide information such as;
- your name, gender, date of birth, contact details (postal address, email address and telephone number) and marketing preferences;
- your preferred rooming arrangements and other special requests (which may include Special Categories of personal data, see below);
- the name and telephone number of an emergency contact person (whom we will only contact in urgent circumstances while you are away);
- your travel insurance details; o where necessary, we may also request your passport details and other information directly required to provide your holiday arrangements;
- when you call us or correspond with us about your booking, we may record the call and/or keep information on why you contacted us, and the advice we gave you;
- when you make a payment to us, we will receive information from you including details of your payment card or your bank account (this information is processed using a third party payment services provider and is not stored by us);
- on your return from holiday we e-mail or post a satisfaction survey to you. This gives us specific feedback on any issue you may have experienced, and statistical data we can amalgamate in order to monitor the quality of our holidays;
- when you visit us at a public event, such as trade show or exhibition or participate in one of our surveys, competitions or prize draws, we may ask for information, such as your name, contact details, interests and marketing preferences;
- when you use our online services, we may receive content that you choose to upload such as reviews, comments, photos, forum posts or details of your interests and marketing preferences;
- you may also provide us with written or photographic content for us to load on to our website, including reviews and articles.
Information we may collect from other sources
We may also collect information from publicly available sources and third parties, including:
- from a Travel Agent acting on your behalf in the sale of a travel arrangement to you, and sharing some information about your purchase with us;
- information about you from other Hotelplan UK Group companies that you interact with;
- payment information from our payment services provider including debit/credit card numbers, bank account and other details in order to issue refunds;
- information relating to your use of any of our social network applications, pages or plugins.
Information we may collect when you use our website
Our websites provide us with information about your use, including:
- details of the content that you view and interact with during a browsing session;
- technical information such as, but not limited to, service, product or server logs, IP address, time and location, domain, device and application settings, errors and hardware activity etc;
- interests and preferences that you specify during the curation of your holiday arrangements;
- email/chat communications you have with us may be monitored and logged.
Aggregated information derived from your personal data
We collect, use and share aggregated data such as statistical and demographic data for analytical purposes. Whilst derived from your personal data, it is not considered personal data as this data does not directly or indirectly reveal your identity.
Special categories of personal data
We may collect, use and share the following special categories of personal data about you only where it is strictly necessary in order to deliver the travel arrangements you have purchased (for example, to assist with visa applications or ensure appropriate food for those with serious/life threatening allergies);
- dietary requirements which may disclose health matters or your religious or philosophical beliefs;
- health, including information about any disability or medical condition which may affect the chosen holiday arrangements
If you fail to provide personal information
Should you fail to provide data required either by law, or necessary to provide your chosen travel arrangements, we will not be able to provide the services you have booked or are attempting to book. This may result in Santa’s Lapland being unable to process your booking and be forced to cancel the booking. In this case, we will treat this as a ‘cancellation by you’ in accordance with the relevant Booking Terms & Conditions and notify you accordingly.
We ask that you please take care when submitting information to us, in particular when completing free text fields or uploading documents and other materials. Some of our services are automated and we may not recognise that you have accidentally provided us with incorrect or sensitive information.
How Santa’s Lapland uses the information that it collects
We may use the information we collect for a wide range of purposes to ensure we give you the best possible customer experience and ensure the appropriate performance of the contract, including;
- to share your data with third party service providers used in the delivery of your purchased holiday arrangements. These providers will be named on your holiday confirmation and/or in your holiday documentation, and include;
- accommodation and transport providers;
- local ground partners and agents, where we use them;
- equipment hire operations, including our cycling partners and ski hire providers;
- guides, tutors and local attractions where booked on your behalf.
- to provide you with information on our products and services, and also to deal with your requests and enquiries regarding holiday arrangements;
- to contact you if we need more information or if there are changes to your travel arrangements;
- provide customer care and other after sales services;
- for staff training and quality assurance purposes;
- ask for your opinions on our products and services (via ourselves or through a third party agent);
- conduct prize draws, contests and other promotional offers;
- consider employing you if you send us your details in response to our recruitment advertising or if you approach us with a speculative employment enquiry.
We may use your information to provide you with brochures, newsletters and other communications if you have provided your prior consent or we are permitted under an identified and assessed legitimate interest.
Personalised and targeted content, recommendations and advertisements
We may use the information we collect to personalise and more effectively target our services, content, recommendations, adverts and communications. For example, you may see an advertisement for a holiday that you have recently viewed on one of our websites when browsing at a later stage.
We may use your information to create anonymous, aggregated statistics about the use of our websites, products, services and loyalty programs, which we may share with third parties and/or make available to the public.
We may use your information to develop and improve new and existing products and services, recommendations, advertisements and other communications and learn more about our customers’ holiday preferences in general.
Publish your reviews, comments and content
Where you upload or provide us with product reviews, comments or content to our websites that are publicly visible, we may link to, publish or publicise these materials elsewhere including in our own advertisements.
Combining the information we collect
We may link or combine the information that we collect from the different sources outlined above (including information received from other Hotelplan UK Group companies) via a unique identifier, such as a cookie or email address. We may do this to provide a more seamless customer support whenever you contact us and to provide you with better, personalised services, content, marketing and adverts.
Sharing information about you
We will not use information about you in ways that are not explained in this Privacy Statement. We may share information about you in the following circumstances:
Legal and business purposes
- to disclose to organisations who act as data processors and perform business functions on our behalf. Such business functions include marketing analysis and assessment of customer preferences, payment processing, e-mail newsletter delivery and brochure delivery services;
- to share your data with third party service providers used in the delivery of your purchased holiday arrangements;
- to government bodies and law enforcement agencies to prevent fraud, to comply with the law and to meet a reasonable request from such bodies;
- to third parties (including professional advisors) to enforce or defend the legal rights of Santa’s Lapland or the terms and conditions of any Santa’s Lapland product or service.
We prepare anonymous, aggregate or generic data (including “generic” statistics) for a number of purposes. As we consider that you cannot reasonably be identified from this information, we may share it with trusted third parties such as our partners, advertisers, industry bodies, the media etc.
Sharing of information by you
Some of our online services allow you to upload and share messages, reviews, photos, video and other content and links with others. We will obtain consent if we publish this information on our websites, marketing collateral or social media profiles.
You should not expect any information that you make publicly available to others via our online services to be kept private or confidential and you should always exercise discretion when using such services.
International transfers of your information
We may need to transfer your data to third parties based outside the EEA and who may process, share and store your personal data in order to fulfil the holiday arrangements you have booked with us. By submitting your personal data, you are acknowledging this transferring, storing and processing.
For all other transfers of data that are unrelated to the provision of holiday arrangements to you, whenever your personal data is transferred outside the EEA, we ensure a similar degree of protection is afforded to it by ensuring at least one of the following safeguards is implemented:
- we will only transfer your personal data to countries that have been deemed to provide an adequate level of protection for personal data by the European Commission;
- where we use certain service providers, we may use specific contracts approved by the European Commission which give personal data the same protection it has in Europe;
- where we use providers based in the US, we may transfer data to them if they are part of the Privacy Shield which requires them to provide similar protection to personal data shared between Europe and the US.
Brochures and other printed materials
We sell our holidays directly to customers and so sending out brochures and other marketing communications by post from time-to-time is very important to the way we do business. We use data we have collected from bookings, brochure requests and other forms of engagement to decide what marketing information our customers may like to receive, and we have identified and assessed this as our Legitimate Interest.
We do however provide an opportunity to opt-out of this direct marketing during the booking or enquiry process and in subsequent communications. You may contact us at any time to opt-out of this direct marketing, full contact details can be found in the “Contact us” section of our Privacy Statement. We have found over the years that the majority of people welcome these communications and, those who do not, are happy to let us know so we can ensure no more are sent.
When you communicate with us, we may give you the opportunity to subscribe to our weekly email newsletter. Once subscribed, you can choose to unsubscribe at any time:
- to unsubscribe from an email sent to you, follow the ‘unsubscribe’ link and/or instructions placed (typically) at the bottom of the email;
- this method will only unsubscribe specifically for the e-newsletter or other communication received. Should you receive other marketing such as brochure mailings, you will need to optout separately by contacting us to change your marketing preferences.
You can contact us using the details in the “Contact us” section below in order to change your marketing preferences at any time.
Please note that despite opting out of marketing communications, you will still receive service communications where necessary, for example, to confirm your booking or to provide you with an update on its status.
If you ask us to stop sending marketing communications, we will retain your personal information for the purposes of indicating that you do not want to receive marketing communications. You may continue to receive postal communications for up to 4 weeks and emails for up to 5 days after your requested change while our systems are fully updated.
What is our legal basis for using your personal information?
We will only process your personal information where we have a legal basis to do so. The legal basis will depend on the reason or reasons we collected and need to use your information. Under EU and UK data protection laws in almost all cases the legal basis will be:
- because we need to use your information to process your booking, fulfil your travel arrangements and otherwise perform the contract we have with you;
- because there is a Legitimate Interest to use your personal information to operate and improve our business as a tour operator and travel provider (a Legitimate Interest assessment is performed prior to making this determination);
- because we need to use your personal information to comply with a legal obligation;
- because you have consented to us using your information.
How long do we keep personal information?
We will keep your personal information for only as long as needed to fulfil the purposes described in this statement. For example, where you book a holiday with us, we will keep the information related to your booking, so we can fulfil the specific travel arrangements you have made and after that, we will keep the information for a period which enables us to handle or respond to any complaints, queries or concerns relating to the booking and to fulfil our obligations to our third party suppliers who provided your holiday arrangements. The information may also be retained so that we can continue to improve your experience with us while you continue to engage with and purchase from us and to ensure that you receive any loyalty rewards that you may be eligible for.
We will actively review the information we hold and delete it securely, or in some cases anonymise it, when there is no longer a legal requirement, business need or customer interest for it to be retained.
By law we have to keep basic information about our customers for legal and tax purposes (including identity, contact, financial and transaction data) for up to 7 years after they cease being customers.
Security of your information
We take a number of steps to protect your information from unauthorised access, use or alteration and unlawful destruction, including where appropriate:
- we are PCI compliant when processing your payments;
- we put in place physical, electronic, and procedural safeguards in line with industry standards to limit access to the information we collect about you;
- we monitor our system for possible vulnerabilities and attacks to identify ways to further strengthen our security
Cookies and web beacons
Please note that in order for us to provide you with the optimum service, we use ‘Cookies’ on our website. Cookies are small text files sent to your computer when you access our site. The cookies used on our site are anonymous and contain no personal information (such as name and address) or card details, but do identify your computer so that you can navigate our site more easily and our website can remember your preferences. For more information regarding deleting and controlling cookies, please visit http://www.aboutcookies.org.
Access to your information and your rights
For a copy of the personal information that we store about you in our customer databases, please contact us using the details given in the “Contact us” section below. You will be asked to provide some proof of identification so that we can verify that it is you making the request.
This is in addition to your legal rights including;
- the right to access a copy of your personal information;
- the right to request the deletion or updating of any inaccurate personal data;
- and the right to object, in certain circumstances, to our processing of your personal data for direct marketing.
If you are concerned that we have not complied with your legal rights or applicable privacy laws, you may contact the Information Commissioner’s Office which is the regulator responsible for data protection in the United Kingdom, where Santa’s Lapland is located. Alternatively, if you are located outside of the United Kingdom, please contact your local data protection authority.
Links to other sites
Our website may contain links to other websites that are not operated by Santa’s Lapland. While we try to link to sites that share our high standards and respect for privacy, we are not responsible for the content, security or privacy practices of those websites. You should view the privacy and cookie policies displayed on those websites to find out how your personal information may be used.
Subject Access Request
Should you wish to raise a question or concern over how your personal data has been processed, or wish to correct an inaccuracy, you have the right to request further information. Full contact details can be found in the “Contact us” section of our Privacy Statement, however, you can email DPO@hotelplan.co.uk to raise such queries, which we are obliged to respond to within one month, subject to satisfactorily confirming your identity.
It is important that the personal data we hold about you is accurate and current. Please keep us informed if any of the details you provide to us should change, during the course of your relationship with us. If you need further assistance or would like to make a comment, you can contact us in a number of ways:
- By mail to Data Privacy Manager, Nelson House, 55 Victoria Road, Farnborough, Hampshire, GU14 7PA, England.
- By telephone on 07990 767804
- By email on DPO@hotelplan.co.uk
This Privacy Statement version was last updated on 21 July 2022
If you have any specific questions about privacy, you may find the answer in our Frequently Asked Questions.
What is privacy all about?
Privacy is the discipline of handling personal information in a strictly controlled manner, to meet the following objectives:
- to be transparent about any personal information that is collected and what it will be used for;
- to protect the information from accidental or malicious loss, damage, unlawful processing or disclosure;
- for legal compliance.
Why should I care about privacy?
Your personal information is extremely important and there are a number of threats associated with the inappropriate disclosure and/or use of your information, including:
According to the UK Fraud Prevention Service (CIFAS), nearly two thirds of all fraud is the direct result of account takeovers, impersonation and the misuse of personal details. To reduce the risks, you must treat your personal information with great care and only disclose it if you feel confident that it will be handled appropriately.
Is my personal information safe with Santa’s Lapland?
While the safety of your personal information can never be 100% guaranteed, we take privacy extremely seriously and adopt many measures to minimise the risks, including:
- we use industry standard technologies to protect our IT systems from accidental or intentional (malicious) mis-use;
- we provide privacy training to our staff, to ensure that they understand their responsibilities when handling your personal information, and the correct processes to follow;
- we perform risk assessments and privacy impact assessments when starting a new project and when hiring a 3rd party to process personal information on our behalf.
Why has Santa’s Lapland created a privacy centre?
This privacy centre aims to provide one place to find all the information you need about how we handle your personal information. There are a few key objectives:
- transparency, to make it clear what personal information we collect and how we use it, what we do to protect it, and how you can contact us;
- ease of use, to make it easy for you to find the information that you are looking for.
How can I stop Santa’s Lapland from sending me promotions and offers?
You have the right at any time to ask us not to process your personal data for marketing purposes. You can exercise your right to prevent such processing by ticking/un-ticking certain boxes on the forms we use to collect your data. You can also exercise the right at any time by sending an unsubscribe request to DPO@hotelplan.co.uk who can change your marketing preferences.
While we try our best to use plain and simple language, we recognise that there will be some jargon. This section aims to provide simple definitions for some of the common privacy terminology;
The legislation with which any personal information processing must comply. In this case, the applicable law is England and Wales.
These are small pieces of data that are placed on your device’s browser (e.g. PC) when you access a website. Cookies are used for a variety of purposes, including enabling features on a website, helping us to understand which parts of our websites are the most popular, where website visitors are going, and how much time they spend there.
Data aggregation is any process in which information is gathered and expressed in a summary form, for purposes such as statistical analysis. A common aggregation purpose is to get more information about particular groups based on specific variables such as age, profession, or income.
A data controller is a person in an organisation that determines how and why personal data is to be “processed” (this includes using, storing and deleting the data). The data controller is responsible for this personal data, and for ensuring that processing of the data fully satisfies the requirements of the applicable law.
A data processor is an organisation that has been contracted to process personal data on behalf of a data controller. Responsibility for the data remains with the data controller, but data processors have contractual obligations to ensure that the processing activities are performed to meet the requirements of the data controller.
Data Protection Act 1998
The Data Protection Act 1998 (DPA 1998) is a UK law that defines the ways in which information or data related to an identified or identifiable person, such as name, age, telephone number, e-mail and mailing address ("Personal Data") may be legally used and handled.
Encryption, such as Secure Sockets Layer (SSL) encryption, is a system for protecting data, used when collecting or transferring sensitive data, such as credit card details or other personal information. Encryption is designed to make the data unreadable by anyone but the intended recipients.
General Data Protection Regulation (GDPR)
The data protection law in the UK changed on 25 May 2018 to align with the rest of the EU. The GDPR is a regulation in EU law on data protection and privacy for all individuals within the European Union. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
Hotelplan UK Group companies
Hotelplan is a large European travel group with headquarters in Switzerland, owned by Migros, the leading Swiss co-operative retailer.
Hotelplan (U.K. Group) Ltd. Is the parent company of our award winning UK family of brands, which includes Inghams, Esprit, Santa’s Lapland - all based in Farnborough, Hampshire. Inntravel, based in Whitwell, York. Explore Worldwide, based in Farnborough, Hampshire.
The processing of personal data in relation to the wider Hotelplan Group is set out in this supplementary privacy notice.
Personal Information is any information about or relating to a uniquely identifiable individual, and includes:
- information that can be used to identify a specific person
- attributes of an already identified person
- information or attributes that alone may not identify an individual but which can be tied together with other information in Santa’s Lapland or a Third Party’s possession, or public information, to identify a person
Examples include name, address, phone number, email address, national insurance number, credit card number, driver’s license number, passport number or other government issued ID number, bank account number, race, physical traits, hobbies, usage patterns, family members, income, department and gender of employee when a department may only have one employee of a particular gender.
Personal information management
Personal Information Management is the set of processes and controls used to ensure that personal information is handled appropriately, to meet our internal and legal requirements.
Privacy statement is a legal document that discloses how a company gathers, uses, discloses and manages the personal information provided by an individual (such as a customer, partner, employee or potential employee). While this is a legal document, a privacy statement aims to provide transparency about these information handling practices, so should ideally be written in clear and simple language.
If you would like to unsubscribe from an email sent to you, follow the 'unsubscribe' link and/or instructions placed (typically) at the bottom of the mail. If you use more than one email address to shop or contact us, you need to unsubscribe from each email account that you use.
Web beacons, also known as single pixel or clear gif technology, or action tags, tells us which visitors clicked on key elements (such as links or graphics) on a Santa’s Lapland webpage or email.
These are non-Hotelplan companies contracted to perform functions on our behalf, such as fulfilling bookings, delivering contractual obligations such as airlines, coach companies, hotels etc., sending postal mail and emails, sending text messages (SMS), providing marketing assistance, etc
We’ve got plenty more information around our terms and conditions for you to read.