Privacy policy for Great Northern
At Great Northern (“we”, “us” or “our”), we give priority to data security and confidentiality. This privacy policy sets out clear guidelines for Great Northern’s processing of your personal data when you visit our website, Great Northern | Golf – Spa – Restaurant – Hotel | Outstanding experiences, or otherwise communicate with Great Northern.

1. Data controller
Great Northern is the data controller for the processing of your personal data:

Great Northern A/S

Great Northern Ave. 1
DK-5300 Kerteminde
Denmark
CVR: 35801987
Tel.: +45 3333 7711
E-mail: info@greatnorthern.dk

2. Purpose, basis for processing and types of personal data
In the following, we set out the purposes for which we process your personal data when you interact with Great Northern.

a. To reply to enquiries
If you contact us on our website, by e-mail or otherwise, we will process your personal data in order to reply to your enquiry. We typically process the following standard personal data about you: name, address, e-mail, phone number, company name, title and information about your booking.

We base this processing on the provision on legitimate interest stipulated in Article 6(1)(f) of the General Data Protection Regulation (GDPR) as it is necessary in order to reply to your enquiry and communicate with you.

We collect personal data directly from you and will only store it for as long as necessary to fulfill the above purposes.

b. Hotel
If you book a night or a stay, we will process standard personal data about you. We will typically process the following personal data to be able to book your night or stay: name, invoicing details, address, e-mail, phone number, company name, country, confirmation of acceptance of terms and information about your chosen stay and what is included as well as passport or identification.

We use Article 6(1)(b) of the GDPR as our basis for processing this data as we need to process such personal data to be able to perform the agreement with you. In addition, we base our processing on the balancing of interests rule in Article 6(1)(f) of the GDPR as we have a legitimate interest in being able to adjust the provided services to your needs and preferences and to send evaluation forms related to your stay.

In certain cases, we have an obligation to process information about your name, nationality, position, address, arrival date and information about your passport or other travel identification. The basis for processing such personal data is Article 6(1)(c) of the GDPR and statutory provisions on the obligation to keep authorised guest records in pursuance of

Executive Order no. 2022-08-23 no. 1206 and Executive Order 2021-12-28 no. 2693 on passports, etc.

We collect personal data directly from you and will only store it for as long as necessary to fulfil the above purposes. We store invoicing data for the current financial year plus five years in accordance with Danish accounting law.

We store passport and identification data for a maximum of two years, after which time the data will be deleted in accordance with the above-mentioned executive orders.

Bookings result in the generation of a customer card in Great Northern’s booking system; see further details in section e.

Please note that stays with included spa, golf or events are described in the other sections of this privacy policy.

c. Spa
In connection with your visit to Great Northern Spa, we collect, process and store information about you and any accompanying guests, for the purpose of carrying out your booking or inquiry.

In this regard, we may process information about name, address, phone number and email address.

A guest profile is created for all our guests, so we know who and how many are staying in the spa area, and to be able to enforce the spa area’s rules of conduct towards our guests. In connection with the creation of the guest profile, you must present photo ID. Your photo ID is not registered but used to verify the information provided when creating your guest profile.

When creating the guest profile, we process: name, phone number, date of birth via your health insurance card (The last 4 digits of your social security number are encrypted, so they are not visible to us), picture of you. In addition, when using the guest profile, we also register the date and time of your visits, which is done by scanning your health insurance card in connection with the visit.

In case of expulsion, the reason, date and period of the expulsion are registered in the guest profile.

Our processing of your personal data is based on Article 6 (1) (b) of the Data Protection Regulation, as the information is necessary to fulfil our agreement on booking and creation of a guest profile.

When registering your social security number, we use consent, as you consent to our registration of your social security number by pressing accept to the creation of your guest profile cf. Section 11 (2) no. 2 of the Data Protection Act and Article 7 of the Data Protection Regulation. If consent is withdrawn from an expelled guest, the guest profile is maintained in the quarantine period without a social security number.

We also use Article 6 (1) (b) of the Data Protection Regulation when we register a breach of the agreed rules of conduct, and we use the balancing of interests rule to process information about any expulsions and breaches of our rules of conduct in accordance with Article 6 (1) (f) of the Data Protection Regulation. The legitimate interests that justify the processing are our desire to ensure that expelled guests do not have access to our spa to ensure the well-being of the other guests and staff.

In addition, we process booking information for the purpose of optimizing our spa. The basis for our processing of your information for this purpose is the balancing of interests rule in Article 6 (1) (f) of the Data Protection Regulation. The legitimate interests that justify the processing are that we continuously want to be able to analyse visitor data to optimize and develop the experience for our guests and enable internal reporting.

The guest profile is deleted no later than 12 months after the last visit to Great Northern Spa. Guest profiles of expelled guests are maintained for 24 months from the expulsion unless special circumstances apply.

When booking online, a customer card is generated in Great Northern’s booking system for the booking responsible see more about this in section e.

d. Restaurant
If you book a table or have ordered a stay with meals, we will process standard personal data about you. We will typically process the following personal data to book your table upon request: e-mail, phone number, name, number of guests, special requests, special dietary considerations and confirmation. We typically use the following additional data for online bookings: data registered in your user profile, see section e.

We use Article 6(1)(b) of the GDPR as our basis for processing this data as we need to process such personal data to be able to perform the agreement with you. In addition, we base our processing on the balancing of interests rule in Article 6(1)(f) of the GDPR as we have a legitimate interest in being able to adjust the provided services to your needs and preferences.

We process the data you have submitted in connection with your booking and the data from your profile, if applicable.

We store your personal data for as long as necessary to fulfil the agreement with you and evaluate it. We store invoicing data for the current financial year plus five years in accordance with Danish accounting law. The data in your user profile will not be deleted until you delete your profile or if you contact us to have the data deleted.

e. Great Northern Customer Card
Restaurant:
When booking a table at Restaurant Eat, a customer card will be created in the restaurant booking system to enable planning and service at the restaurant and to enable the customer to change and maintain an overview of reservations.

The customer card contains the data stated in item d. as well as reservation ID.

We use Article 6(1)(b) of the GDPR as our basis for processing this data as we need to process such personal data to be able to book your table and plan the restaurant operations accordingly.

In addition, we base our processing of your customer card on the balancing of interests rule in Article 6(1)(f) of the GDPR as we have a legitimate interest in storing your preferences and history and offering access to future bookings, including changing such bookings.

The data on your customer card will not be deleted until you delete your customer card or if you contact us to have data or your customer card deleted.

Hotel and Spa:
When you book a Spa or Hotel stay, the booking system will create a customer card to enable registration and management of your booking and any added options. The customer card is necessary to manage and settle your stay. In addition, Great Northern has an interest in being able to use the customer card to optimise our service by storing your service preferences.

The customer card contains the personal data stated in items b and c.

We use Article 6(1)(b) of the GDPR as our basis for processing this data as we need to process such personal data to be able to book your stay, manage your stay and out of consideration for the operation of Great Northern.

In addition, we base our processing of your customer card on the balancing of interests rule in Article 6(1)(f) of the GDPR as we have a legitimate interest in storing your preferences and history with a view to accommodating future bookings.

The data on your customer card will be deleted when there is no longer a purpose of storing the data and always within a maximum of five years from the last booking on the customer card. You are welcome to contact us if you wish to have your customer card deleted, but please note that after deletion, we will no longer be able to service you in accordance with the data previously stated and registered in your customer card.

f. Gift certificate
If you order a gift certificate, we will process standard personal data about you. We will typically process the following personal data to prepare your gift certificate: e-mail, phone number, name, amount, address, date of birth, delivery and payment details.

We use Article 6(1)(b) of the GDPR as our basis for processing this data as we need to process such personal data to be able to perform the agreement with you.

We process only the data that you have submitted in connection with your order.

We store your personal data for as long as necessary to fulfil the agreement with you and evaluate it. We store invoicing data for the current financial year plus five years in accordance with Danish accounting law.

g. Events
If you attend one of our events, seminars or workshops, we will use your personal data to be able to register you and communicate with you before, during and after the event in question. In connection with a seminar, webinar or workshop, we will typically only process the following data about you: name, position, e-mail, phone number, company and type of event.

We base our processing on Article 6(1)(b) of the GDPR when you register for an event, as this is necessary to fulfil our agreement with you. However, we may also use the balancing of interests rule stipulated in Article 6(1)(f) of the GDPR as the basis for such processing as it is necessary in order to manage registrations and distribute evaluation forms, etc.

While we get most personal data directly from you, we may also receive your personal data from other sources, such as your employer if they handle your registration.

We store your personal data for as long as necessary to hold the event in question and evaluate it. If you have paid for your participation in the event, we store invoicing data for the current financial year plus five years in accordance with Danish accounting law.

h. Photos, video and audio recordings
We often make photo or video recordings (audio and picture) of our activities (e.g. tournaments, open air events or virtual events) to share them on our website or other social media such as LinkedIn, Facebook and Instagram.

If you attend an event that we record, we will always let you know when the event starts, and we will inform all participants accordingly during the introduction.

If you do not wish to be filmed/recorded during a virtual event, you can turn off your microphone and camera before you participate. When we publish recordings from our virtual events, we use the balancing of interests rule in Article 6(1)(f) of the GDPR as the basis for such processing as we have a legitimate interest in being able to market Great Northern and our many offerings and experiences.

Please note that when we share photos and recordings on social media, we comply with the terms and conditions of the relevant social media. You can see our privacy policy for Instagram and Facebook in section O of the privacy policy.

We also film other events to document activities and internal training which we may share on our website or on social media. We base our processing of such recordings on Article 6(1)(a) of the GDPR (consent). However, we may also use the balancing of interests rule in Article 6(1)(f) of the GDPR as the basis for such processing if we consider it suitable based on a general assessment of the situation and the motive as we have a legitimate interest in sharing our activities.

We generally make the recordings ourselves or employ an external photographer, but we can also receive photos or other recordings directly from you or other participants.

We store your personal data (photos and recordings) for as long as necessary to fulfil the above purposes, but no longer than five years after the event in question.

i. Marketing/Newsletters
We use your personal data for marketing purposes, including direct marketing, e.g. in the form of newsletters.

The newsletters may also contain marketing material from our business partners. In this case, we may process data about your name, age, e-mail, phone number, declaration of consent and nationality with a view to sending you relevant news.

We process your personal data for use for direct marketing based on our legitimate interest in selling our products and services and those of our business partners in accordance with Article 6(1)(f) of the GDPR.

However, we only send marketing material by e-mail based on your active prior consent in accordance with section 10(1) of the Danish Marketing Practices Act. Our business partners will not contact you directly and we will not disclose your data to them.

We will delete your personal data when the marketing consent is withdrawn or if we do not use the consent within a period of 12 months. However, we store the actual declaration of consent for two years after the withdrawal or elapse of the consent.

When the marketing consent has been withdrawn, we will consequently no longer process your personal data for the use for sending newsletters or for any other marketing purposes.

j. Use of our website
When you access our website, we use cookies to collect personal data about your activities. We also use various plug-ins to facilitate your sharing of content from our website on social media such as Facebook, Instagram, LinkedIn, etc. Read more about this and get an overview of these third-party providers in the cookie list that is accessible via our cookies policy [insert link].

We process your personal data in connection with your use of our website as described above and as further described in our cookie list. In connection with our use of necessary cookies, we process your personal data based on Article 6(1)(f) of the GDPR, as we have a legitimate interest in offering you a functional website.

If you consent to the use and setting of additional cookie categories, we will process your personal data in this connection based on Article 6(1)(a) of the GDPR about consent.

Read more about the use of cookies in our cookies policy [link]. You may withdraw or change your consent by rejecting cookies in the cookie list or by blocking cookies in your browser settings.

k. Surveillance
We have installed CCTV surveillance of certain targeted areas of our indoor and outdoor premises. The areas covered by video surveillance are clearly marked by signs.
In this connection, we process personal data in the form of CCTV surveillance recordings of traffic in Great Northern’s area.

The purpose of the video surveillance is to control access to the relevant premises, crime prevention and to ensure the safety of our employees and visitors. We may also use the recordings to clear up incidents and document them. Recordings will only be watched and reviewed in case of suspicion of criminal acts or in connection with internal/external audits.

We base our processing of your personal data on the Danish Act on CCTV Surveillance and the balancing of interests rule in Article 6(1)(f) of the GDPR as it is necessary to record such personal data to ensure a sufficient degree of security for our employees and visitors in relation to unauthorised access, suspicious behaviour, protection of assets and to prevent and prosecute crime. We use section 8(3) of the Data Protection Act as the basis if the surveillance reveals criminal acts.

CCTV surveillance recordings made for the purpose of preventing crime may be transferred to the police in case of criminal acts or if the transfer is otherwise authorised by applicable law. We may also transfer the recordings to attorneys and other advisers as well as public authorities, where so authorised by applicable law. If it is necessary to transfer the recordings for purposes other than the aforementioned, we will request your consent to such transfer if you are part of the recordings.

CCTV surveillance recordings made for the purpose of preventing crime are deleted or made anonymous no later than 30 days after the recording was made, unless it is necessary for us to store the recordings for the purpose of handling a specific case, for example in connection with clearing up an offence. In this case, we will store the data for as long as it is necessary to process the specific incident.

CCTV surveillance recordings made for any other purposes will be deleted when it no longer serves a purpose to store the data.

l. Great Northern Golf Club
Personal data that you give voluntarily and that Great Northern Golf Club otherwise processes in connection with the administration of your membership is not subject to this privacy policy. You can find Great Northern Golf Club’s privacy policy here: Privacy policy – Great Northern Golf Club | Great Northern

m. Golf
For booking of tee times, green fee, training, etc., we use various modules in the GolfBox app. In connection with booking tee times, green fee, training, etc., we may process data about you, including name, address, date of birth, phone number, e-mail address, current golf handicap, membership number with the Danish Golf Union and your former/current golf club. We collect this from GolfBox.

If you are not a member of a golf club, you will be created as a guest. In this connection, we will register your name, the golf club of which you are a member and your handicap.

We use Article 6(1)(b) of the GDPR as our basis for processing this data as we need to process such personal data to be able to perform the agreement with you.

GolfBox users (members, clubs/organisations, Pro trainers, tour operators and DGU) may search for other members via GolfBox, and these users may also add members to tee times, tournaments, lessons and courses. Personal data (membership number, gender, handicap and age) is visible to all GolfBox users, and information is shown about tee bookings in your own club, but also in other clubs. If you register for a tournament, the above personal data will also be visible to other GolfBox users. In addition, the club/organisation responsible for the tournament can see your contact details for the purpose of cancellation or changes to the event, for instance. If you book a training lesson, your personal data is shown to the Pro/trainer/club/organisation responsible for the training, but not to other members.

If you do not want your personal data to be visible to others when using GolfBox, you can choose to be anonymous in your user settings when you are logged into GolfBox.

If you have any questions about the use of GolfBox, please do not hesitate to contact us.

You can log on to GolfBox here: GolfBox – please note that cookies may be set when using the link.

n. Facebook fan page and Instagram

When does this privacy policy apply?
This privacy policy applies to the processing by Great Northern A/S (”Great Northern”) of the personal data you leave and/or submit when you visit Great Northern’s Facebook page (the “Facebook page”) and Great Northern’s Instagram page or when you participate in competitions through Facebook or Instagram held by Great Northern. This privacy policy supplements Facebook Ireland Ltd.’s (‘Facebook’) general privacy policy.

In the following, ‘Facebook’ and the ‘Facebook page’ are also used as designations for the Instagram page.

Who is the data controller for my personal data?
Great Northern and Facebook are joint data controllers of the processing of your personal data.

Facebook’s company information is:
Facebook Ireland Ltd.
4 GRAND CANAL SQUARE, GRAND CANAL HARBOUR
D2 Dublin
IRELAND
Reg no.: 462932

Great Northern follows the guidelines of the Danish Data Protection Agency regarding joint data controllers and Great Northern will do its best, with the existing means, to ensure that you will be notified of the processing of your personal data when you visit the Facebook page.

Facebook has in this regard published an appendix on the joint responsibility for “Facebook Insights” which you can find here.

What personal data does Facebook collect?
Depending on your traffic on the Facebook page, Great Northern and Facebook may collect the following personal data about you:

• Whether you ‘like’ or have used other reactions on the Facebook page
• Comments you leave on the Facebook page
• The fact that you have visited the Facebook page
• Your behaviour and interests on the Facebook page
• Personal data collected in connection with competitions (e.g. name and interests)

Furthermore, Facebook uses ‘Facebook Insights’ on the Facebook page to collect statistical information about visitors’ behaviour on the page, including age, gender, relationship status, work, lifestyle, interests, information about purchases and geographical data. For this purpose, Facebook has placed cookies on your device when you visit the Facebook page. Each cookie contains a unique identification code that will remain active for a period of two years unless deleted before the expiration of this period. Facebook receives, stores and processes your personal data through these cookies.

To read more about Facebook’s use of cookies on the Facebook page, including deletion, please refer to Facebook’s general cookies policy.

Go to Facebook’s cookies policy via the following link:
Facebook
Instagram

What is the purpose of the processing of your personal data?
Great Northern also processes your personal data to improve products, improve the Facebook page, conduct surveys, compile statistics, develop and protect Great Northern’s services and products, including based on your feedback. In this connection, Great Northern uses aggregated data, which is made available through Facebook cookies by ‘Facebook Insights’, e.g. information about age, gender, relationship status, work, lifestyle, interests, purchases and geographical data.

Facebook processes your personal data to enable Facebook to improve its advertising system and to provide Great Northern with statistics that Facebook produces based on your visit on the Facebook page, in order to advertise and customise the activities on the page. Through cookies, Facebook and Great Northern will know if you ‘like’ the Facebook page and use the page’s applications, so that Facebook and Great Northern are able to customise the content on the Facebook page and develop functions that you might be interested in.

What is the legal basis for the processing?
Great Northern processes your personal data based on Great Northern’s legitimate interest in improving Great Northern’s products and services and to enable you, a friend or family member to participate in competitions for prizes (Article 6(1)(f) of the GDPR.

Facebook processes your personal data based on Facebook’s legitimate interests, including Facebook’s interest in providing an innovative, individually tailored, secure and profitable service (Article 6(1)(f) of the GDPR). Facebook will also process your personal data in accordance with your consent, which you can withdraw at any time via the Facebook settings (Article 6(1)(a) of the GDPR).

For more information about Facebook’s legal basis for the processing of personal data, please refer to Facebook’s general privacy policy under the section “What is our legal basis for processing data?”.

Go to Facebook’s privacy policy via the following link:
Facebook
Instagram

Who receives my personal data?
Great Northern does not disclose your personal data to other companies but uses data processors in the form of media agencies and IT providers and may in some cases transfer your personal data to third countries. If your personal data is transferred to countries outside the EU/EEA, such transfer will be made on the following legal basis: Binding corporate rules, the country has been approved as a so-called ‘safe’ third country or if the country has not been approved as a ‘safe’ third country, we transfer data based on standard provisions adopted by the EU Commission.

Facebook may share personal data with the following categories of recipients:

• Internally among the Facebook companies
• Externally with Facebook partners who use analytics services
• Advertisers
• Other people using the Facebook page
• Measurement partners
• Researchers and academics

For more information about who Facebook shares your personal data with, please refer to Facebook’s general privacy policy under the section “How is this information shared?”.

Facebook can transfer your personal data to Facebook in the United States and other third countries. Facebook uses standard contracts approved by the European Commission and applies European Commission decisions on an adequate level of protection as the basis of transfer to third countries. You can find more information under “How do we process and move data as part of our global services?” in Facebook’s general privacy policy.

See Facebook’s general privacy policy via the following link:
Facebook
Instagram

3. Recipients
In some cases, Great Northern leaves your personal data to service providers (data processors) who process the personal data on behalf of Great Northern and in accordance with our instructions. By way of example, we may leave your personal data to: (i) suppliers with whom we work to provide services to you in connection with your visit to Great Northern, your membership and/or your use of our golf club, Great Northern Golf Club, as well as other services that we offer and (ii) other third parties in connection with the management of your membership and/or the use of our golf club, including GolfBox A/S (owner of the GolfBox app) or Visbook, the supplier of our booking and administration system.

In addition, we use data processors for IT, consultants, marketing and other suppliers with whom Great Northern works.

We may disclose your personal data to third parties if you have given your consent for this or if it is necessary for fulfilling an agreement to which you are a party. In addition, we may disclose the data if necessary for pursuing our legitimate interest, unless this is outweighed by the concern for your interests. In certain circumstances and by law, it may be necessary to disclose personal data to public authorities or the police, for instance. Information may be disclosed to the police in case of suspected credit card fraud, for instance.

Trackman
When using Trackman, personal data will be processed in accordance with the terms and conditions applicable from time to time for Trackman, including that processing may take place in a third country. Read more about Trackman’s processing of data at https://mytrackman.com/system/privacy-policy. We only upload training videos to Trackman if you have given your consent for this.

The Danish Golf Union
When you join the Great Northern Golf Club, your membership data will be shared with the Danish Golf Union so that you can be assigned a DGU card and a DGU number. Read more about the Danish Golf Union’s processing of data at https://www.danskgolfunion.dk/artikel/privatlivspolitik.

Social media
Because of the way social media work, your posts and other user content may be accessible to others at Great Northern’s websites and on social media around the world.
Additional recipients of personal data may include payment service providers, banks, public authorities and advisors.

4. Processing of personal data outside the EU/EEA
Great Northern transfers, stores and processes your data (including personal data and content) both inside and outside Denmark. Wherever in the world your personal data is stored or processed by us or by a supplier on our behalf, we will take reasonable measures to protect your personal data.

We generally store data within the EU/EEA. However, your personal data may be transferred or accessed from non-EU/EEA countries.

If your personal data is transferred to countries outside the EU/EEA, such transfer will be made on the following legal basis:

a. Binding Corporate Rules
b. The country has been approved by the European Commission as having an adequate level of security or the recipient is certified under e.g., EU-U.S. Data Privacy Framework.
c. If the country has not been approved by the European Commission as having an adequate level of security, we will ensure transfer as follows:

• • By using the European Commission’s standard contractual clauses
  • By obtaining your consent to such transfer

5. Sources
Generally, we process data that we have been given directly from you or from the devices you use. However, in some cases, we also process data about you that we have received from other sources, such as DGU, your employer or the organiser of an event that you attend.

6. Erasure
We store your personal data for as long as necessary to fulfil the above purposes.

We may process and store the data for a longer period of time if it is made anonymous or if we are legally bound to store it.

7. Revocation of consent
You may at any time revoke any consent that we may have obtained from you. You may revoke your consent by contacting us using the contact information stated above in section 1. If you revoke your consent, such revocation does not take effect until the date of revocation. It therefore does not affect the legality of our data processing up to the time when you revoke your consent.

If you revoke your consent, pictures of you will not be used in any new material, and pictures of you on websites or the like will immediately be deleted or made anonymous. Photos in printed material will be used while stocks last, after which they will be removed before reprinting. We will also make a reasonable effort to delete already published recordings available on media at the disposal of Great Northern.

8. Your rights
According to the General Data Protection Regulation and the Danish Data Protection Act, you have certain rights.

• You have a right to access, correct or erase the data we process about you.
• You have the right to object to the processing of your personal data and to limit the processing of your personal data.
• You have an unconditional right to object to the processing of your personal data for marketing purposes.
• You have the right to receive your personal data in a structured, commonly used and machine-readable format (data portability).

Please note that your rights may be subject to conditions or restrictions. Consequently, it is not certain, for example, that you always have the right to data portability. This depends on the specific circumstances concerning the processing activity.

You may exercise your rights by accessing your account settings or contacting us on info@greatnorthern.dk. If you contact us by e-mail, it will be necessary to confirm your identity for security reasons.

9. Changes to this privacy policy
We will change this privacy policy from time to time to accommodate new technologies, industry standards, to comply with authority requirements or for other reasons. You can find the updated and applicable privacy policy here: [insert link]

10. Links to other websites

Our website may contain links to other websites or to integrated pages. We are not responsible for the content of other company’s websites or for such companies’ procedures for collecting personal data. When you visit other websites, you should read their privacy policies and other relevant policies.

11. Questions and complaints
If you have any questions about this privacy policy or wish to file a complaint about our processing of your personal data, please contact us using the contact information stated above in section 1.

You may also complain to:

The Danish Data Protection Agency
Carl Jacobsens Vej 35
DK-2500 Valby
Denmark
T: +45 33 19 32 00
E: dt@datatilsynet.dk

Privacy policy version 4.0 – August 2024