Last updated 04 05 2018
First and foremost, we want you to know that your privacy concerns us, and we take the responsibility you directly or indirectly have entrusted us, seriously.
This policy explains how the KILROY Group collects customer data, use the data and in which situations and to whom the data is disclosed.
ISIC is part of a European group of companies that operates within travel, educational counselling and student benefits as subsidiaries of KILROY International A/S.
ISIC is data-responsible for the processing of personal data for these purposes.
KILROY Sweden AB
111 60 Stockholm
The head office address of the KILROY Group is: KILROY International A/S Nytorv 5, DK-1450 København K, Denmark.
More information about the processing of customer data at ISIC can also be obtained by writing to [email protected]
1. Protection and safety is important to us
2. What is personal data?
Personal data is any kind of data about an identified or identifiable living individual. An identifiable individual is understood as a person, who directly or indirectly can be identified, among other things, by an identification number or one or more elements, that are particular to a given person’s identity.
3. What type of personal data are we processing and why?
Your personal data will be used for different purposes in relation to your position as customer and the operation of ISIC. The data collected may vary, depending on whether you are a customer, supplier or business partner, but in general it will be data regarding customer administration, supplier administration, direct marketing and data regarding ISIC’S rights and obligations.
Failure to provide personal data on your part, may mean that ISIC is unable to fulfill its obligations towards you as customer or supplier.
As a rule, ISIC only collects and processes regular personal data. In specific cases of booking a trip, it can be necessary for us to a limited extent, to process sensitive personal data (e.g. information regarding special meals or special needs assistance during your trip), as well as information regarding social security numbers (e.g. in connection with collecting passport copy for visa applications), but only when it is necessary for booking the trip and assistance you require.
ISIC will typically gather the following information:
3.1 Information concerning our customers
The information provided to us when booking a trip or creating a customer profile with us, e.g. online via the webpage or by contacting our customer service, including contact details (first name, middle name(s), surname, address, telephone number, email address, title and job position), social security number (for visa applications etc.), passport number, bank details, debit- and credit card details, information you provide regarding special preferences during your trip (e.g. information on dietary restrictions, special needs assistance due to disability or illness, etc.), health information (when booking trips for health- or medical treatments, sports trips, etc.), information regarding your height, weight, clothing and shoe size (for booking equipment on ski trips, sports trips, etc.), purpose of travel, information regarding which languages you speak, citizenship, contact information of your next of kin, requisition (in the case of business- or health trips), information regarding your marketing and communication preferences, along with information you have given us if you contact us with questions, to report a problem or when you contact us with reference to your customer relationship, information regarding student, teacher, youth card issuance photo, place of study (applies only for ISIC), place of work (applies only for ITIC), promotional code, card validity, date of issue, card number, information regarding fees payment (price, type of payment, date, payment confirmation).
3.2 Information concerning our suppliers and business partners
Information you provide when entering a contract or agreement with us, including contact information (job, job title, first name, middle name(s), surnames, addresses, telephone number, email address), information regarding your marketing and communication preferences, as well as information you have given us if you contact us with questions, to report a problem or when you contact us with reference to your customer relationship.
3.3 Information concerning collection of applications for universities and organizations
4. What do we use your personal data for?
ISIC processes your personal data to fulfill the purposes stated below. Notice, that not all purposes, categories of information, recipients of information and types of procedures are applicable to you in all cases.
ISIC exclusively processes your personal data to the extent necessary for you as customer, supplier or business partner (as specific interests in each case, are taken into account) or in accordance with existing law.
4.1 Customer administration
ISIC processes your personal data when establishing and administering your customer relationship with ISIC, as a part of the operation of our company, including booking trips and delivery of our different products (e.g. visa applications, travel insurance, transfer service, student, teacher, youth card issuance, etc.), maintenance of our customer registers, billing, marketing, statistics, etc. All statistics and analysis are compiled in anonymized form and therefore do not contain information, that can lead directly back to you as a person.
4.2 Administration of supplier and business partner relationships
ISIC processes your information when co-administrating supplier and business partner relations, where you are the supplier or business partner, or contact person with a supplier or business partner, which ISIC is working with as a part of the operation of our company, including maintenance of our CRM-registry with information about our contact with each supplier and business partner.
4.3 Compliance with current laws and regulations
ISIC processes your personal data in compliance with the laws and regulations that ISIC is subject to with respect to the operation of the business or for filing different liability and disclosure requirements in accordance with applicable laws and regulations.
ISIC does not use your personal data to make decisions, that are solely based on automatic processing, except for profiling.
Profiling is a form of automated processing of your personal data. We use profiling and data modelling e.g. to be able to offer you specific services and products that meet your preferences for marketing purposes.
ISIC strives to guarantee that all personal data we process is correct and up to date. We therefore always ask you to inform us regarding possible changes in your personal details (e.g. change of address, name, phone number or payment) so that we can guarantee that your personal data is always correct and up to date. You should update your personal data immediately in case of changes.
5. Legal base for processing your personal data
ISIC essentially processes your information on the following grounds: (1) Your consent (2) Entering into and fulfilling contractual agreements with ISIC, (3) Consideration for the legitimate interests of ISIC, as described above, (4) Fulfilment of legal duties that ISIC is required to meet, (5) Protection of your or another physical individual’s vital interests, (6) the processing is necessary, in order for a legal claim to be established, enforced or defended, and (7) The processing is necessary to comply with ISIC’s or your employment, health and social rights, that arise from national law or EU law. In addition, there may be situations where we treat your personal data for the sake of third parties' legitimate interests with regard to the purposes described above, unless consideration for your interests is deemed more important.
6. Sharing of Personal Data
ISIC only discloses data to the extent necessary for the operation of our business, including to provide your trip and the other products you have purchased with us in connection therewith.
ISIC will typically pass personal data to the following recipients when booking a trip and related products:
6.1 Global Distribution System (GDS)
A GDS is an IT network system owned or operated by a company that allows transactions between the travel industry's service providers, mainly airlines, hotels, car rental companies and travel agents. A GDS connects services, prices and booking by consolidating products across the three travel sectors, i.e. flight reservations, hotel reservations and car rental.
ISIC discloses personal data to airlines when booking your trips. For the purpose of booking your flight, we will typically provide details of first name, middle name(s), surname, departure airport, destination, departure and return dates, bonus card number, special requests regarding your trip, including booking special meals during flights and necessary special needs assistance on the plane or at the airport for the chosen airline.
With respect to trips to special destinations, we can also provide information about your passport number to the airline.
ISIC passes personal data to the hotels that you intend to use during your trip. For the purpose of booking your hotel accommodation, we will typically provide information about first name, middle name(s), surname, destination, date of arrival and departure, room category, bonus card number, special requests for your trip, including dietary restrictions or special needs assistance due to disability or illness, during your stay at the given hotel.
6.4 Car rental services
ISIC discloses personal data to car rental companies if you require a vehicle during your trip. For the purpose of booking your rental car, we will typically provide information about your first name, middle name(s), surname, pickup location, rental period, vehicle category, bonus card number, special needs in connection with rental of the vehicle, including special requirements relating to disability or illness, child seats etc.
6.5 Bus operators
ISIC discloses personal data to bus companies if a bus trip is part of your trip (e.g. for day trips to tourist attractions, etc.). For the purpose of booking your bus trip, we will typically provide information about first name, middle name(s), surname, pickup location, date and time of bus, destination and special requests during the bus trip, including booking special meals and necessary special requirements or assistance relating to disability or illness.
6.6 Shipping companies
ISIC discloses personal data to shipping companies if you are going on a ship trip as part of your trip (e.g. for day trips to tourist attractions, cruises, etc.). For the purpose of booking your ship trip, we will typically provide information about first name, middle name(s), surname, destination, itinerary, date and time of departure and return as well as special requests during sailing, including booking special meals and necessary special requirements or assistance relating to disability or illness and information about travel documents.
A bedbank is an IT network system owned or operated by a company that allows transactions between travel industry service providers, mainly hotels and travel agencies or end customers. ISIC discloses personal data to bedbanks to book the hotels that you will use on your trip. For the purpose of booking your hotel accommodation through a bedbank, we will typically provide information about first name, middle name(s), surname, destination, date of arrival and departure, room category, bonus card number, as well as special requests, including booking special meals during the hotel stay and necessary special requirements or assistance relating to disability or illness.
6.8 Travel Agents
If you, as a part of your trip, participate in excursions or need transfer, ISIC may pass personal data to travel agents. The travel agent’s responsibility is to organize the excursion or transfer, when booking a given service from a local supplier at the destination. For booking your excursions, transfers, etc. we typically provide information about first name, middle name(s), surname, date and time of arrival and departure, type of vehicle, destination, as well as special requests, including booking special meals during the hotel stay and necessary special requirements or assistance relating to disability or illness.
6.9 Insurance companies
As part of the booking of your trip with us, you can purchase a travel and/or cancellation insurance. If you wish to purchase this insurance, we will disclose personal data to the insurance company for the purpose of taking out the insurance with them. For the purpose of taking out a travel and/or cancellation insurance, we typically provide information to the insurance company about first name, middle name(s), surname, e-mail address, destination, departure and return date, and travel type.
6.10 Equipment Rental Companies
As part of the booking of your trip with us, you can rent any equipment that you may need on your trip, e.g. ski equipment, diving equipment, etc. If you wish to rent such equipment, we will disclose the information to the company at your destination from which you will be renting the equipment. For equipment rental we typically provide information to the rental company about first name, middle name(s), surname, type of equipment, pick-up location, rental period and information about height, weight, clothes and shoe size.
6.11 Tour operators
ISIC discloses personal data to tour companies if you are going on a tour as part of your trip (e.g. for a day tour to tourist attractions, scuba-diving, etc.). For the purpose of booking your tour, we will typically provide information about your first name, middle name(s), surname, tour, itinerary, date and time of tour as well as special requests during the tour, including booking special meals and necessary special requirements or assistance relating to disability or illness, information about travel document (only if needed).
When ordering a student, teacher or youth card ISIC passes personal data to ISIC Global Office BV, Keizersgracht 174, Amsterdam, 1016 DW The Netherlands. This is where ISIC Global Office BV stores cardholder data for all active student, teacher or youth cards globally. The purpose of the data provision is to prove student, teacher or youth card validity globally. The following data is provided: first name, surname, birth date, place of study, photo, place of work (applies only for ITIC), email address, address, C/O-address, card number.
6.13 Specially regarding qualified offers
When you choose ISIC, you have the opportunity to get a qualified offer on a trip. A qualified offer is a type of offer, in which a preliminary reservation of the desired trip is made for you when preparing the offer. This allows you to reserve space on the desired departures for up to three days before deciding whether a ticket should be issued for the preliminary reservation or it should be annulled.
In order to create a qualified offer, we provide information about you and the requested reservation to a GDS (as mentioned above), which makes the preliminary reservation at the airline, the hotel, etc. As a part of obtaining a qualified offer, personal data is passed on to several new independent data controllers (GDS, airlines, hotels, etc.), your information may be retained by these recipients after the expiry of the offer - also in case the offer is annulled.
Furthermore, ISIC may disclose your personal data to other suppliers and service providers as a part of normal operation of the company, e.g. in connection with external administration of our IT systems, analysis reports, marketing, debt collection, credit rating, audit, legal assistance, etc.
ISIC strives to limit the disclosure of personal data in personally identifiable format to the maximum extent possible, thereby limiting the cases where information can lead back to you personally.
ISIC does not disclose your personal data unless it is necessary to perform our business or meet your needs.
7. International transfers of your personal data
Due to the nature of ISIC’s business, your personal data may be transferred to countries outside the EU / EEA when booking a trip with us. In order to be able to deliver our services to you, we have to use partners and suppliers outside the EU/EEA in certain cases.
Without the possibility of transferring your information to recipients outside the EU / EEA, ISIC will be unable to deliver certain travel arrangements. This applies if booking your trip requires that information is sent to recipients outside the EU/EEA, for example, to book flights, hotels, etc. at your travel destination.
Data protection legislation in these countries may be more lenient than it is in Denmark and in the rest of the EU/EEA, as in most cases there will be countries where the EU Commission has assessed that the data protection level is not at par with the data protection level within the EU/EEA.
In the event that it is practically possible for us, the transfer of your personal data will be based on the standard transfer contracts developed by the European Commission, which are specially prepared for this purpose. As far as transfers to the United States are concerned, they will as far as possible be done on the basis of Privacy Shield. Privacy Shield is an agreement between the EU and the United States, which establishes a strong set of data protection rules and security measures that US companies, who have joined the agreement, are obliged to comply with when processing personal data.
However, in certain cases it may not be practical for ISIC to enter into a standard transfer contract or use Privacy Shield as a legal transfer basis. In such cases, the transfer of the information will be carried out pursuant to Article 49.1(b) of the Data Protection Regulation, as the transfer of your personal data to a certain country is necessary for the purpose of fulfilling the contract between you and ISIC (the booking of your trip) or for the purpose of executing measures at your request prior to entering such a contract (e.g. in the case of a qualified offer as mentioned in section 6.13).
It is therefore important that you are aware that transferring your personal data to countries outside the EU/EEA when booking a trip with ISIC means that your personal data will not enjoy the same protection as when subject to Danish or EU laws and regulations.
When transferring data there is a potential risk that there are no clear, precise and accessible laws and regulations in the country in question regarding access to personal data by the authorities of the country; that there are no laws and regulations that the access of a country's authorities to your information, must be necessary and proportionate; that the country does not have an independent and effective supervisory authority and that the country has no available and effective legal remedies for the registered.
If you do not wish that ISIC sends your personal data to recipients outside of the EU/EEA, please advise us at the latest when booking your trip.
ISIC does not, in any case, pass your personal data to recipients outside of the EU/EEA, unless this is necessary to carry out our business and meet your needs e.g. by delivering the requested trip.
8. Data integrity and security
Personal data will be stored no longer than necessary in order to fulfill the purpose for which they have been collected, unless the storage is required to comply with national legal requirements, including statutory storage periods in connection with bookkeeping, etc.
It is ISIC’s policy to protect personal data by taking adequate technical and organizational security measures. When your personal data is no longer needed, we will ensure that they are deleted in a safe manner.
9. Your rights
You are entitled to access to any personal data we have registered and use, information on where it comes from and what we use it for. You can obtain information about how long we store your data, who receives data about you and to what extent we disclose data in Denmark and abroad. Your right of access may, however, be restricted by legislation, protection of other persons’ privacy and consideration for our business and practices. Our know-how, business secrets as well as internal assessments and material may also be exempt from the right of access.
In certain circumstances, you have the right to object to our processing your personal data. This is the case for example when the processing is based on our legitimate interests.
Objection to direct marketing. You have the right to object to our use of your personal data for direct marketing purposes, including profiling that is related to this purpose.
If the data is incorrect, incomplete or irrelevant, you are entitled to have the data corrected or erased with the restrictions that follow from existing legislation and rights to process data. These rights are known as the “right to rectification”, “right to erasure” or “right to be forgotten”.
If you believe that the data we have registered about you is incorrect, or if you have objected to the use of the data, you may demand that we restrict the use of these data to storage. Use will be restricted to storage only until the correctness of the data can be established, or it can be checked whether our legitimate interests outweigh your interests.
If you are entitled to have the data we have registered about you erased, you may instead request us to restrict the use of these data to storage. If we need to use the data we have registered about you solely to assert a legal claim, you may also demand that other use of these data be restricted to storage. We may, however, be entitled to other use to assert a legal claim or if you have granted your consent to this.
You can withdraw your consent at any given time. Please note that if you withdraw your consent, we may not be able to offer you specific services or products. Note also that we will continue to use your personal data, for example, to fulfil an agreement we have made with you or if we are required to do so by law.
If we use data based on your consent or as a result of an agreement, and the data processing is automated, you have a right to receive a copy of the data you have provided in an electronic machine-readable format.
If you wish to claim one or more of your rights, please contact us at [email protected] Your request will be processed in accordance with the data protection legislation currently in force.
Complaint about the processing of your personal data by ISIC can be made to: Datatilsynet Borgergade 28, 5. 1300 København K Denmark E-mail: [email protected]
Office of the Data Protection Ombudsman PO Box 315, 00181 Helsinki. Tel. 010 36 66700, fax 010 36 66735 www.tietosuoja.fi
Bureau of the Inspector General for Personal Data Protection (GIODO) Stawki 2 00-193 Warszawa Poland Tel. +48 (22) 860-73-93 Fax: +48 (22) 860-70-86 www.giodo.gov.pl [email protected]
Dutch Data Protection Authority Autoriteit Persoonsgegevens Postbus 93374 2509 AJ DEN HAAG Telephone number: (+31) - (0)70 - 888 85 00 Fax: (+31) - (0)70 - 888 85 01 (only by appointment) Bezuidenhoutseweg 30 2594 AV Den Haag
Commission de la protection de la vie privée. Rue de la Presse 351000 Bruxelles Tel. +32 2 274 48 00. Fax +32 2 274 48 10 e-mail: [email protected]
Datainspektionen Drottninggatan 29 5th Floor Box 8114 104 20 Stockholm Tel. +46 8 657 6100 Fax +46 8 652 8652 e-mail: [email protected] Website: http://www.datainspektionen.se/
The Icelandic Data Protection Authority Data Protection Commissioner - Helga Þórisdóttir Address: Rauðarárstígur 10, 105 Reykjavík, Iceland. Tel. +354-510-9600 [email protected]
Datatilsynet Visitor address: Tollbugata 3, 0152 Oslo Postal address: P.O. Box 8177 Dep., 0152 Oslo Organization number: 974 761 467 [email protected] + 47 22 39 69 00