Nothel OÜ (hereafter “we”) places a high value on the privacy of every client (hereafter “you“). This Privacy Notice explains the types of data we collect about you, why we collect this data and what we do with the data.
1. Who are we?
2. What data do we collect concerning you, and from whom do we obtain the data?
3. Why do we need your data? What happens if you do not present us with the data?
4. What is the legal basis for the processing of your data?
5. With whom do we share your data?
6. How long do we store your data?
7. What are your rights concerning your data?
Who are we?
Nothel is a new type of hotel in the heart of Tallinn. We have thrown out everything that is unnecessary in a hotel and tried to make your stay as much as at home. We do not have a classical reception; you can navigate the house with your smart phone and QR-code
We apply the necessary technical, physical and organisational security measures to protect your personal data against losses, destruction and unauthorised access.
Should you have questions about the information in the Privacy Notice then contact us at: email@example.com.
What data do we collect concerning you, and from whom do we obtain the data?
We collect the following types of data about you:
- Personal data: for example, your first and family name, date of birth / identity code.
- Contact data: for example, your residential address, phone number and e-mail address.
- Guest registration card data: this is data required by the tourism legislation concerning visitors to places with accommodation; e.g. your citizenship, name of your accompanying spouse and underage children, date and place of birth, accommodation provision dates, etc.
- Credit card data: for example, your card number, owner’s name and expiry date.
- Surveillance camera recordings – when you visit our accommodation, the premises or other rooms may be equipped with video or other electronical or digital surveillance systems or equipment for security reasons.
- Doorlock system data, your personal QR or PIN code usage time and place.
Usually, you will provide the data yourself when you make a booking or a query on our website, by phone or e-mail, or when you purchase services directly from us at the location.
Your data is also forwarded to us by travel companies, booking companies and other persons involved in the intermediation of accommodation services, through which you have ordered the accommodation or other services provided by us.
Why do we need your data? What happens if you do not present us with the data?
We use your data to provide the accommodation and/or other services you have ordered from us, as well as for fulfilling the obligations placed on us through the legislation regulating our activities and general business aims, such as:
- Personal data – this data is required for identifying your person, which is important to ensure that the services are provided to the person for whom they were actually ordered.
- Contact data – this data is required to contact you. We will most often contact you by phone or e-mail; however, under certain circumstances, it may be necessary to use your residential address (e.g. when other means of communication fail to function).
- Guest registration card data – we have an obligation, according to tourism legislation, to collect this data. The aim of this data collection is to avoid problems; for example, the dangers inherent in illegal immigration.
- Credit card data – this data is required if, based on our Terms and Conditions we have the right to block a certain amount on your credit card, as a payment for the services ordered or as compensation for expenses.
We are not able to provide you with accommodation services if you do not present us with the guest registration card data.
What is the legal basis for the processing of your data?
We rely on different legal bases for the processing of your data:
- The need to create a contractual relationship with you, or to fulfill an agreement that has been signed.
- The need to fulfill our legal obligations (e.g. completing and storing guest registration cards for a period of 2 years).
- The need to carry out our legitimate interests, including the management of the company and the general realization of its business activities, as well as the discovery of legislation violations and fraud.
- The need to protect your vital interests or those of other persons (e.g. releasing your data to ambulance workers in the case of an accident).
- Other legally permitted bases.
With whom do we share your data?
We do not share the information you have entrusted to us, except in limited cases which are described below, and cases that are necessary for fulfilling the aims described in this Privacy Notice:
- Our subsidiary and related companies: we may share your personal data with our subsidiary or related companies, all of which are located within the European Union.
- Service providers: like many other companies, we may order data processing services from reputable third party service providers – for example, IT and consultation services;
- Public authorities and state institutions: we may share the data if we are legally obligated to share the data with public institutions, or if the data sharing is necessary to ensure the protection of our rights;
- Professional consultants and others: we may share your data with professional consultants such as auditors, lawyers, accountants and other persons responsible for providing consultation services;
- Third parties related to the company transactions: occasionally, we may share your data with third parties related to a corporate transaction, such as the selling of a company or a part thereof to another company. Similarly, a company reorganization, joint company creation, and the relocation of company assets or shares through other means may require the sharing of data.
We will ensure the protection of your data if we share your data with the above-mentioned persons, through establishing a data processing agreement between us and such persons.
We do not store or forward your data outside the European Economic Area or to countries to which the Directive 95/46/EC Article 25(6) does not apply, or if a decision concerning sufficient protection has not been made based on the directive’s subsequent document, which is the General Data Protection Regulation (EU) 2016/679 Article 45(1).
How long do we store your data?
We will store your data for as long as it is necessary for the purpose of fulfilling our different data processing aims.
The company shall consider the following criteria when storing personal data:
• The data will be stored for as long as it is necessary for the purpose of providing our services.
• If the person has a client account or a loyalty card, then the personal data will be stored for as long as the account / card is active, or for as long as is required in order to offer personalized services.
• When the company has a legal, contractual or other similar obligation for storing the personal data, then the data will be stored for as long as is required to fulfill such an obligation.
• After the end of the contractual relations, certain data will be stored for as long as the person (data subject) or the company itself has the right to present demands to the other party based on a contract.
Guest registration card data, for example, is stored for a period of 2 years from the moment when the card is filled in according to the requirements of the tourism legislation. However, credit card data is only stored until the accommodation services have been provided in an orderly fashion, according to the contract existing between us.
What are your rights concerning your data?
Your rights as a data subject are:
1. Right to data access – you have the right to know what data concerning yourself is being stored, and how that data is processed.
2. Right to data rectification – you have the right to demand corrections to your personal data, in cases where it is inaccurate.
3. Right to data erasure (“right to be forgotten“) – you have the right, under certain conditions, to request that we erase your personal data (e.g. if we no longer need the data, if you revoke the agreement giving us the right to process the data, etc.).
4. Right to restrict data processing – you have the right, under certain circumstances, to forbid or restrict the processing of your personal data for a certain period (e.g. if you have submitted an objection concerning the data processing).
5. Right to present objections – you have the right to present objections concerning the processing of your personal data, considering the concrete situation, if the data processing is taking place according to our legitimate interests or the interests of the general public. Objections to the processing of data for direct marketing purposes can be made at any time.
6. Right to data portability – you have the right to demand that the data you have forwarded to us is transferred to you in a machine-readable format. You may also demand that the data be transferred directly to another controller, but only if such a transfer is technically possible. The right to a data transfer is only valid for the data which we are processing based on your permission, or for fulfilling a contract signed with you.
Please contact us via the e-mail address firstname.lastname@example.org if you have questions concerning the information in this notice, or if you wish to present an application for the fulfilling of your rights as a data subject.
We will do our best to address your application and desires in a timely manner, and on a complimentary basis, except in cases where the costs are disproportionately high. You may turn to the Data Protection Inspectorate if you are not satisfied with the response we have offered.