Finnair Holidays and Aurinkomatkat privacy policy


Aurinkomatkat’s Privacy Policy (the “Privacy Policy”) has been provided to inform you of how we process your personal data. This Privacy Policy addresses the informational duties placed on data controllers in article 14 of the European Union General Data Protection Regulation (Regulation (EU) 679/2016) and describes the practices and purposes of personal data processing at Aurinkomatkat.

This Privacy Policy covers all the personal information that we may collect when you use our services, plan your trip and travel with Aurinkomatkat or when you visit our websites, mobile applications, contact our customer service personnel and destination guides, or give feedback in our surveys. We store and use personal data in connection with providing and developing the services of Aurinkomatkat, including Finnair Holidays services. Personal data is also processed to provide you ancillary services, for example airport transfer, excursion, travel insurance or car rental services. In this Policy, we also describe the processing of your personal data for marketing and communication, personalisation, analytics, safety and security as well as for regulatory purposes.

You can find more information about the processing of your personal data below in each category. We may update this Privacy Policy from time to time. We will notify you on our website if we make any significant changes.

Your privacy is our priority.

About us

The responsible tour operator for Finnair Holidays trips is Oy Aurinkomatkat – Suntours Ltd Ab (later Aurinkomatkat). Aurinkomatkat is a part of the Finnair Group and Finnair Holidays is an auxiliary firm-name of Aurinkomatkat.


Oy Aurinkomatkat – Suntours Ltd Ab
Business ID: 0200991-4
Address: PL 200 01531 VANTAA


Finnair Group Data Protection Officer contact details:

Your data, your rights


You can use your rights as data subject by contacting us by at Please note that we may need to request additional information to confirm your identity.

We will provide you a confirmation of the actions we have taken in response to your request (for example, confirmation of deletion). We will also let you know if we cannot fulfil a certain request, as well as the reasons behind such a decision.

Making a personal data request is free of charge once every six (6) months. For additional requests during this time frame we may charge a reasonable fee to cover the administrative costs involved.

We reserve the right to reject requests that are unreasonably repetitive, excessive or clearly unfounded.


You have the right to access and be informed about your personal data processed by us. We give you the possibility to view certain data in our digital channels and you may request a copy of your personal data. We will provide you with it unless we have lawful reasons not to share this data with you or in cases when sharing the data with you would result in severe damage to your rights or the rights of others.


You have the right to have inaccurate or incomplete personal data about you rectified or updated. You may update some of your personal data through our digital channels and you have the right to request correction of your contact details or other personal data by contacting us.


You may ask us to delete your personal data, for example if your personal data are no longer needed for the purposes for which they were collected; you withdraw your consent where our data processing is based only on your consent; you object to processing and there are no overriding legitimate grounds for the processing.

We will erase such personal data without undue delay unless we have a legal basis to continue processing such data, for example if there is an overriding legitimate interest of our company, if the data is necessary for the performance of a contract, or if the data is necessary for establishing, exercising or defending legal claims or complying with a legal obligation which we are subject to.


You may also request us to restrict processing of your personal data for example when a request concerning rectification or removal of your data is pending; our company no longer needs the said personal data for its processing purposes but you need the data for the establishment, exercise or defence of a legal claim; or you have objected to the processing of the personal data based on the legitimate interests of our company and the verification whether the legitimate interests of our company override your rights is pending.

When processing is restricted for any of these reasons, such personal data may, with the exception of storage, only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person.


You have the right, at any time, to prohibit us from using your personal data for direct marketing purposes, which includes profiling related to such direct marketing. You can unsubscribe from marketing communication via the “unsubscribe” link or by other means included in each marketing message.


You have the right to change your mind and withdraw any consent you previously provided to us.


You have the right to receive the personal data you have given us in a structured and commonly used electronic format and to independently transmit those data to a third party.


If you feel we have not handled your personal data correctly, you can contact the data protection supervisory authority and lodge a formal complaint.

Safeguarding your data


At Aurinkomatkat we take data protection, and compliance with the applicable data privacy laws, very seriously.

We have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

In practice this means that your personal data is protected in accordance with the sensitivity of the data and the associated risks. The circle of users with access to personal data is restricted on a need-to-know basis and by access controls, and processing of personal data is logged. Our information technology environment is appropriately protected and monitored, with regular updates, testing and assessment to ensure ongoing security. Our personnel are trained to comply with applicable data protection legislation as well as applicable policies and instructions.

With Aurinkomatkat’s implementation of privacy by design described above, involving people, processes and technology, you can rest assured that your personal data is protected in accordance with the applicable legislation.


Your personal data may be transferred and processed outside of your home country and outside of the European Economic Area. We transfer your data responsibly. We take steps to ensure that your personal data receives an adequate level of protection in the jurisdictions in which it is processed. We provide adequate protection for the transfers of personal data to countries outside of the European Economic Area based on the European Union Commission Standard Contractual Clauses or through other appropriate safeguards, such as the Privacy Shield Framework.


We do our best to keep your data safe and secure. If, however, a security breach occurs, we will inform you if your privacy is likely to have been compromised in a way that poses a high degree of risk towards your rights and freedoms. We will provide such information as soon as possible within the time frames set out in data protection legislation.


To protect your own privacy, please avoid sharing your personal data, for example login information or travel documents, with others or on social media. Please avoid sending copies of your identification documents or sensitive personal data to us by unsecured e-mails and instead use web forms or other secure transfer methods provided by Aurinkomatkat.

What personal data do we collect and process?


We collect and process your personal information, such as your name, date of birth, gender, traveller type (adult, child, infant) and title (Mr, Mrs, Ms). We also process your contact information, such as address, telephone number, email address and, in certain cases, we may also collect and use company details, billing addresses and ground transportation addresses for baggage. This may include personal information provided for the person travelling, the person making the booking, legal guardians and dependents.


In order to make your journey possible, we process booking and ticket information. This may include flight details (departure date, flight number), Passenger Name Records (booking reference), ticket numbers, pricing information, booking date, travel type (one-way or return) and flight itinerary (possible stopovers). We may also process information regarding the sales channel, journey origin and destination. This also covers information on ancillary services, such as selected seats, pre-ordered meals, travel class upgrades and other purchases such as hotels and car rentals.

We process data about your travel arrangements, such as group information, check-in methods, travelling companions in case of joint check-in, seat type and number and baggage tag numbers.

Based on your request, we may process special service request information. These types of requests can include, for example, diet information, transporting pets in the cabin or the cargo hold, or special assistance required.

We also process your travel document information for passengers travelling to or from outside the Schengen area, such as passport number, passport validity period, issuing country for passport and nationality. Visa information and destination addresses are also collected when required by the destination authorities. We may also process payment information, such as payment method and credit card information.


We process information regarding your hotel or other form of accommodation. This includes information such as hotel name and location, travel dates, room type, board type (with breakfast for example), special meals or needs concerning hotel in order to provide the services requested.


We offer several activities to our customers during the holiday and for that reason we may process service-related information of the customer. This may include information such as the excursion and activities service provider, excursion dates, room number, and pickup information in order to provide transfer to the excursion.

For the excursions and activities, we may, in some special cases, need information such as age, body dimensions (weight and height), dietary, medical and passport information. For airport transfers Aurinkomatkat processes information about your flights or schedules. Entrance tickets may require processing your name if tickets have been bought from Aurinkomatkat.


Your name, birth date and e-mail and travel details such as travel dates and destination may be required to provide travel insurance. Car rental related information is required in case you have booked a car via Aurinkomatkat. Gift vouchers may require company details or name and contact details.


We may process loyalty program information, such as loyalty name, contact, preference, membership number, point balances, point accruals and redemption, tier level, transactions, awards and benefits.


We process data about your communication with us, for example customer service phone call recordings, chat history, customer feedback forms and other messages.


We process information for providing specific services that the customer wants to participate in, such as special events, customer satisfaction surveys and other similar happenings, and for this we may process information such as name and contact details.


In case you choose to share additional information, such as for claims, for instance through our customer services channels, this data will be processed by Aurinkomatkat. In case of emergency or other situations where a destination guide helps the customer, data describing this event may be processed.


We may collect and use the customer’s name, address, phone number, email address, birth date, direct marketing opt-ins and opt-outs and profiling prohibition for marketing purposes.


We try to limit the collection of sensitive personal data, such as information regarding your religion or health, to a minimum. However, in certain cases we may need to process this type of information, for example due to a special medical assistance request or when other health related activity is required.


Due to the nature of our services, we process information about children under the age of 13.

How do we use your data?

Based on our contract with you

Providing the service to you

We process your data to provide you with service along the entire customer journey. To create a booking, we need personal data, for example, your contact information. This applies to individual bookings, but also to group bookings. In case of disruptions or irregularities we need to reach out to our customers by using the provided contact details and hence modify the bookings.

We assist you in queries and changes related to your booking with us – such as transportation, accommodation, excursions and other destination services. If you have enrolled in other services, for example trainings, we will process the data provided during the registration.

Based on our legal obligations

Cooperating with authorities

We may need, in some circumstances, to process your information in order to fulfil our legal obligations, such as sharing your information with authorities such as a foreign ministry or tax authority.

In case of emergencies or disruptions such as earthquakes or other natural catastrophes, robbery or accidents, we may process data related to the event to fulfil our legal responsibilities as a service provider.

Keeping track of our records

Based on accounting legislation, we are required to store our transactions and other accounting material for the period defined by law.

Based on our legitimate interests

Communication and engagement

In order to help you with any questions, collect your feedback, and handle your complaints, claims and refunds, we use the contact details you have provided to us.

We may also use your personal, contact and reservation data to provide you better customer service in disruption situations. We may also send you pre-departure communication or disruption messages, to inform you about your travel.

We may also invite and engage customers to participate in the customer community. We may contact customers to collect feedback or for surveys. Customer survey results are used for analytics and can also be combined with other data in our database, such as reservation data, for customer experience improvement purposes. Customers may be contacted after the survey for additional information. We may also contact a select or limited group of customers to participate in testing our new products and services. Aurinkomatkat processes travel journey and other services-related information when processing customer feedback and claims. This is done to ensure that we handle all cases fairly and we understand what has happened.

When processing personal data, we rely on our legitimate interest in maintaining business relationships and communicating with you about our operations and our events.

Background processes

As part of running the business we may process personal data when carrying out certain background processes. For all your bookings and purchases, we need to make sure they are paid for (accounting processes), no fraudulent activities are taking place, such as credit card theft (revenue protection processes) and no false bookings are created.

To analyse business performance, we need to analyse our traffic flows, commercial and operational performance and the related customer behaviours. To improve our processes and improve the customer experience, transactional or behavioural data may be analysed.

Digital touchpoints and cookies

Personal data is also processed in connection with our digital services. We collect and process certain data when you visit our website or when you use our applications or other digital touch points. We also use cookies for functionality, analytics, personalisation and advertising. We receive personal data from Finnair Holidays webpages which has been collected with the help of cookies, from Finnair Group digital services. For more information on how we use cookies please see Finnair’s cookie policy.

Personalisation of services

Aiming to continuously improve the customer experience and to make our offering more relevant to the customer, we may offer personalised content based on an individual transaction, for example, offering services related to your destination. We may also perform customer segmentation, for instance for providing relevant ancillary services and travel products to the customer through our digital touchpoints. We may also derive other secondary metrics based on the individual transactions, such as the travel purpose.

By identifying you and your travel history we can identify previous communications, past irregularities or services and bookings. Accordingly, we can recognize your specific needs and pay special attention to certain elements of the customer journey, experience and interactions.

Based on your consent

Direct marketing

If you have given us your consent, we will send you direct marketing messages. For instance, if you have subscribed to our newsletter or other direct marketing material, your contact details will be processed to send you the requested messages. Details of these communications will be processed, and customers have the right to unsubscribe or opt out of receiving marketing messages at any point.

Digital touchpoints and cookies

Personal data is also processed in connection with our digital services. We collect and process certain data when you visit our website or when you use our applications or other digital touch points. We also use cookies for functionality, analytics, personalisation and advertising. We receive personal data from Finnair Holidays webpages which has been collected with the help of cookies, from Finnair Group digital services. For more information on how we use cookies please see Finnair’s cookie policy.

Processes including medical and other special categories of personal data

When processing customer medical or health-related data or other special categories of data, explicit consent will always be asked from the customer before this data is recorded in our systems. Once consent has been received, the special categories of personal data will be processed by us. Customers may be asked to provide additional information such as a doctor’s certificate to ensure the customer can travel according to the evaluation of a medical professional and to ensure that we have the required information to take care of the customer’s safety.


We keep your personal data for as long as necessary in order for us to fulfil the purpose for which it was collected unless we have lawful grounds to store it for a longer period of time. The criteria we use to determine our data storage periods are the following:

  • The period of time we have an ongoing relationship with you, for example the period of time you have an active booking, you have an account to our online services or you have enrolled in one of our services.
  • Whether there is a legal obligation to which we are subject, for example certain laws, such as accounting laws, require us to keep records of your transactions for a certain period of time before we can delete them.
  • Whether the processing is necessary for the purposes of, for example, claims handling, litigation and regulatory investigations.

For example, Aurinkomatkat booking-related data is stored for five years from the last travel activity, phone recordings are stored for twelve months and accounting-related documents are stored for a maximum of seven years.

Where do we get your data from and who do we share it with?


We get your data directly from you when you purchase our products or services in one of our channels, for example when making a booking on our websites or you enrol in one of our services, for example when registering for our customer community.

We may also get some information from authorities or registers kept by authorities or from partners or from other third parties.


We can share your personal data with Finnair group companies and other third parties for the following purposes:

Providing services

We need to share your contact information with hotels in order to provide the hotel you have booked from us. If you have bought some other services, for example excursions, we need to share information with the excursion service provider. In order to provide you with a smooth flight journey, Aurinkomatkat also shares your information with airlines that are related to the journey. We send your contact details and other hotel-specific preferences to the accommodation service providers that are related to the travel product you have purchased. Additionally, in claim cases we may also share customer data with the hotel. We may share your information with sales representatives in Aurinkomatkat destinations. We may also send contact details and booking-related information to sales representatives that, on behalf of Aurinkomatkat, provide you for example with excursions, activities, accommodations and transfers. In order to provide excursion and other destination services (for example, car rental service, airport transfer, and other services), we need to provide your contact information or other service-specific information to the service provider providing the service. Sometimes a destination guide may support customers in finding their lost baggage, and this may require data such as the customer’s baggage, flight, and contact information to be processed. In order to provide you with flights, we may need to share your booking-related information with airlines. In order to provide a service, we may need to share your data with third parties such as insurance providers or different information technology system providers, travel agencies or different ancillary service providers. In some cases of reclamations or claims we may need to share data with our partners.

For legal reasons, security and fraud prevention

We may share your data such as passport and visa information for formalities as required by your destination country. We share your personal data with local authorities upon entering the territory of your destination country or for other similar mandatory obligations. We may also share your personal data with relevant third parties if it is necessary to detect and prevent crime, fraudulent activities or security issues, or for other legal reasons.