The personal data is processed according to the General Data Protection Regulation (Regulation (EU) 2016/679), as well as the other domestic and European privacy laws and regulations (jointly the “data protection legislation”). The company has established physical, technical and organisational means to protect the personal data against its unlawful or unauthorised destruction, loss, manipulation, publication, possession or access.
Examples of the individuals whose personal data the company processes include the company’s employees, temporary employees, self-employed persons, work and job position candidates, supplier contact persons, clients, visitors and other cooperation partners.
EEA – European Economic Area
GDPR – this is the EU General Data Protection Regulation (EU) 2016/679), the implementation of which began on 25 May 2018.
Personal data – this includes all the kinds of data and information which are connected with a physical person or a human, which permit that person’s identity to be determined. A person is identifiable if, without disproportionate effort, the data permits the identity to be established on a reasonable basis. Identifiable characteristics include, singly or jointly, the person’s name, identity code, location information, network indicator or physical, physiological, genetic, mental, economic, cultural and social characteristics.
Personal data special categories – this is the personal data which establish a person’s racial or ethnic background, political views, religious or philosophical beliefs or union membership, as well as the genetic data and biometric data used for the unique identification of a person, health data or data about a person’s sexual life or sexual orientation.
Personal data related violations – these are security breaches that result in personal data that is forwardable, saveable or processable by other means being unwillingly or illegally destroyed, lost, changed, publicised or accessed in an unauthorised manner.
Client – this is a physical person to whom the company provides services and/or offers goods through its economic activities.
Third party – this is a physical or legal person, public sector institution, agency or an entity, except a data subject, controller or an authorised processor, and the persons who may process personal data as the direct subordinates of the controllers or authorised processors.
Cooperation partner – this is a physical person that is a supplier to the company or is the employee / representative / contact person for another legal person in a cooperation partnership.
Guest registration card data – the data required by the tourism legislation concerning the visitor to a place of accommodation including the name, date of birth, citizenship and address; name, date of birth and citizenship of the accompanying spouse and underage children; accommodation dates; and for citizens outside of Estonia, the EEA or Switzerland, or for foreigners in Estonia with a residency permit or residency rights, the type and number of the travel document and its issuing country.
Profile analysis – this is any kind of automated personal data processing, which includes using the personal data for the purpose of evaluating personal aspects known to be associated with a physical person, foremost for the analysis and prognosis of such aspects which are related to the work results of the relevant physical person, as well as the economic condition, health, personal preferences, interests, trustworthiness, behaviour, location or mobility.
Processing – this is an activity, or a collection of activities, performed with the personal data such as collecting, documentation, ordering, structuring, storing, adjusting and changing, making enquiries, reading, using, forwarding, distributing or publicising the data through making it otherwise accessible, unifying or joining, restricting, erasing or destroying the data. Such processing may take place by hand or through automated systems such as IT systems.
Contractor – this is a physical person (not a company), with whom the company has signed a service contract (service provision contract) including the members of the management body of that company.
Controller – this is the person who decides why and how (the aims and methods) the personal data is processed. Answering the following questions may help to determine the controller:
– Who decides what items of personal data are stored?
– Who decides for the aims for which the personal data will be used?
– Who decides how the personal data will be processed?
The person who decides on the processing of the personal data, which is accessible to himself/herself, and is responsible for the data, is the controller.
Authorised processor – this is the person who processes the personal data on behalf of the controller. If this person possesses the personal data or processing it, but does not have the authority to decide how the data is processed, meaning that the processing takes place according to the controller’s instructions, then this person is an authorised processor. The authorised processor may also be a service provider (for example, a payroll service provider).
1. PERSONAL DATA CATEGORIES
1.1 Employees and contractors
The company processes the personal data of its employees, job and office candidates (e.g. board members) and contractors, as well as former employee and contractor data.
The personal data that is processed includes:
• Personal data such as a person’s name, date of birth, bank account-related data, visa / passport / ID card data or a copy of the appropriate document;
• Contact data, such as a person’s address, phone number and e-mail address;
• Personal file data including: work relation conditions, training data, work result evaluations, promotions, personal development plans, behavioural and disciplinary data, work location, salary data, bank account data, as well as a person’s taxpayer number and identity code;
• Work relation history / candidacy data – for example, a person’s education and former employment history;
• Family member data – for example, the names and dates of birth of a person’s children (this data is relevant when, for example, the person applies for parental leave);
• Work achievement-related data – for example, an employee’s annual salary review etc.
• Special categories of personal data: health data such as medical certificates and sick leave certificates;
The company also processes the personal data of its clients. The client personal data may include the following:
• Personal data such as a person’s name, date of birth / identity code;
• Contact data – for example, a person’s address, telephone number and e-mail address;
• Guest registration card data;
• Credit card data such as the card number expiry date and CVV number;
• Surveilance camera recordings.
1.3 Cooperation Partners
The company processes the personal data of its cooperation partners. The personal data of cooperation partners may include the following:
• Cooperation partners representatives or contact persons personal data – for example, a person’s name, job position, work-specific identification numbers, department, business unit (incl. training/evaluation reports and relevant contact data);
• Contact data – for example, a person’s e-mail address, telephone number and work location;
2. AIMS OF DATA PROCESSING
The company processes personal data according to the aims for which the personal data was collected.
For example, the employee personal data is processed with the following aims:
• Fulfilment of the obligations stipulated in the employee’s contract;
• Salary and compensation management;
• Management of personnel activities, performance and talent;
• Internal audits.
The personal data of clients and cooperation partners is processed, for example, for the following reasons:
• The fulfilment of the tourism legislation stipulated the obligation to name the accommodation place (e.g. the completion of guest registration cards and their storage for 2 years;
• Preparation and fulfilment of a contract signed with a client / cooperation partner;
• Marketing and public relations;
• Development of the company’s product and services;
• Development of the company’s business strategy;
• Company, our customers and employees property protection and ensuring safety; avoiding and discovering unlawful and/or criminal behaviour involving the company or our clients and employees.
3. DATA SUBJECT’S RIGHTS
People have certain rights in connection with their personal data, according to the data protection legislation.
3.1. Right to data access – you have the right to know what data we hold concerning you, and how that data is processed.
3.2. Right to data rectification – you have the right to demand corrections to your personal data, in cases where it is inaccurate.
3.3. Right to data erasure (“right to be forgotten“) – you have the right, under certain conditions, to request that we erase your personal data (e.g. if we no longer need the data, if you revoke the agreement giving us the right to process the data, etc.).
3.4. Right to restrict data processing – You have the right, under certain circumstances, to forbid or restrict the processing of your personal data for a certain period (e.g. if you have submitted an objection concerning the data processing).
3.5. Right to present objections – you have the right to present objections concerning the processing of your personal data, considering the concrete situation, if the data processing is taking place according to our legitimate interests or the interests of the general public. Objections to the processing of data for direct marketing purposes can be made at any time.
3.6 Right to data portability – in cases where the personal data processing is based on your agreement or a contract signed with us, and the data is processed automatically, you have the right to access the data concerning yourself, which you have given to our controller, in a structured, generally usable format as well as in a machine-readable format for the purpose of forwarding to another controller. You may also request that the company forward the data directly to the other controller, if this is technically possible.
4. PUBLICATION OF PERSONAL DATA
The company may occasionally release personal data to third parties, or provide access to the personal data processed in the company (for example, when the law enforcement authority or the Data Protection Inspectorate presents a valid demand for the accessing of personal data).
The company may also share personal data: a) with a person in another company within the same group (e.g. a parent and subsidiary company, or the group’s end beneficiary and its subsidiary companies); b) with selected other parties incl. business partners, suppliers and contractors; c) with other parties when selling or buying other companies and assets (incl. while making transactions); or d) when the company has a legal obligation to release the personal data (which includes information exchanges with other companies and organisations for the purpose of avoiding fraud).
When the company signs agreements with other parties for the processing of personal data on behalf of the company, then the company shall ensure that the appropriate contractual protection means are in place for the protection of the personal data used by others.
5. DATA STORAGE
The company stores personal data only for as long as the preserving of the personal data is deemed necessary to fulfil the aims for which the personal data was collected. The personal data is stored according to the relevant legislation and company principles.
The company shall consider the following criteria when storing personal data:
• How long the personal data must be kept in order to offer the company’s services.
• If the person has a client account or a loyalty card, then the personal data will be stored for as long as the account / card is active or for as long as is required in order to offer personalised services.
• When the company has a legal, contractual or other similar obligation for storing the personal data, then the data will be stored for as long as is required to fulfil such an obligation.
• After the end of the contractual relations, certain data will be stored for as long as the person (data subject) or the company itself has the right to present demands to the other party based on a contract.
Some examples include:
• Guest registration cards are stored for 2 years, from the moment when the card is filled in according to the requirements of the tourism legislation.
• Work contract written documents are stored for a period of 10 years after the work contract has ended, according to the requirements of the Employment Contracts Act.
• Credit card data is stored until the accommodation services have been provided in an orderly fashion, according to the contract.
6. AREAS OF RESPONSIBILITY
If you want to specify any information regarding this policy or wish to make an application to perform data subjects rights please contact us by e-mail firstname.lastname@example.org