{"id":495,"date":"2019-10-17T09:37:40","date_gmt":"2019-10-17T06:37:40","guid":{"rendered":"https:\/\/nothel.ee\/?page_id=495"},"modified":"2019-10-17T09:40:13","modified_gmt":"2019-10-17T06:40:13","slug":"privacy-policy-2","status":"publish","type":"page","link":"https:\/\/nothel.ee\/en\/privacy-policy-2\/","title":{"rendered":"Privacy Policy"},"content":{"rendered":"<p>In the current Privacy Policy (the \u201cPrivacy Policy\u201d) we describe how Nothel O\u00dc (the \u201ccompany\u201d) processes the personal data of its employees, clients or other persons who cooperate with the company, and what means we utilise to protect this personal data.<\/p>\n<p>The personal data is processed according to the General Data Protection Regulation (Regulation (EU) 2016\/679), as well as the other domestic and European privacy laws and regulations (jointly the \u201cdata protection legislation\u201d). The company has established physical, technical and organisational means to protect the personal data against its unlawful or unauthorised destruction, loss, manipulation, publication, possession or access.<\/p>\n<p><strong>1. SCOPE<\/strong><\/p>\n<p>The current Privacy Policy applies to all of the personal data we process as a controller.<\/p>\n<p>Examples of the individuals whose personal data the company processes include the company\u2019s employees, temporary employees, self-employed persons, work and job position candidates, supplier contact persons, clients, visitors and other cooperation partners.<\/p>\n<p><strong>2. AIM<\/strong><\/p>\n<p>The aim of the current Privacy Policy is to explain what types of personal data we process, as well as to show why we process this data. 
The Privacy Policy further describes our obligations and responsibilities with regard to data protection.<\/p>\n<p><strong>TERMS<\/strong><\/p>\n<p>The current Privacy Policy uses the following terms, with the following meanings:<\/p>\n<p><strong>EEA<\/strong> \u2013 European Economic Area<\/p>\n<p><strong>GDPR<\/strong> \u2013 this is the EU General Data Protection Regulation (Regulation (EU) 2016\/679), the implementation of which began on 25 May 2018.<\/p>\n<p><strong>Personal data<\/strong> \u2013 this includes all the kinds of data and information which are connected with a physical person or a human, which permit that person\u2019s identity to be determined. A person is identifiable if, without disproportionate effort, the data permits the identity to be established on a reasonable basis. Identifiable characteristics include, singly or jointly, the person\u2019s name, identity code, location information, network indicator or physical, physiological, genetic, mental, economic, cultural and social characteristics.<\/p>\n<p><strong>Personal data special categories<\/strong> \u2013 this is the personal data which establishes a person\u2019s racial or ethnic background, political views, religious or philosophical beliefs or union membership, as well as the genetic data and biometric data used for the unique identification of a person, health data or data about a person\u2019s sexual life or sexual orientation.<\/p>\n<p><strong>Personal data related violations<\/strong> \u2013 these are security breaches that result in personal data that is forwardable, saveable or processable by other means being unwillingly or illegally destroyed, lost, changed, publicised or accessed in an unauthorised manner.<\/p>\n<p><strong>Client<\/strong> \u2013 this is a physical person to whom the company provides services and\/or offers goods through its economic activities.<\/p>\n<p><strong>Third party<\/strong> \u2013 this is a physical or legal person, public sector institution, agency or an 
entity, except a data subject, controller or an authorised processor, and the persons who may process personal data as the direct subordinates of the controllers or authorised processors.<\/p>\n<p><strong>Cooperation partner<\/strong> \u2013 this is a physical person that is a supplier to the company or is the employee \/ representative \/ contact person for another legal person in a cooperation partnership.<\/p>\n<p><strong>Guest registration card data<\/strong> \u2013 the data required by the tourism legislation concerning the visitor to a place of accommodation including the name, date of birth, citizenship and address; name, date of birth and citizenship of the accompanying spouse and underage children; accommodation dates; and for citizens outside of Estonia, the EEA or Switzerland, or for foreigners in Estonia with a residency permit or residency rights, the type and number of the travel document and its issuing country.<\/p>\n<p><strong>Profile analysis<\/strong> \u2013 this is any kind of automated personal data processing, which includes using the personal data for the purpose of evaluating personal aspects known to be associated with a physical person, foremost for the analysis and prognosis of such aspects which are related to the work results of the relevant physical person, as well as the economic condition, health, personal preferences, interests, trustworthiness, behaviour, location or mobility.<\/p>\n<p><strong>Processing<\/strong> \u2013 this is an activity, or a collection of activities, performed with the personal data such as collecting, documentation, ordering, structuring, storing, adjusting and changing, making enquiries, reading, using, forwarding, distributing or publicising the data through making it otherwise accessible, unifying or joining, restricting, erasing or destroying the data. 
Such processing may take place by hand or through automated systems such as IT systems.<\/p>\n<p><strong>Contractor<\/strong> \u2013 this is a physical person (not a company), with whom the company has signed a service contract (service provision contract) including the members of the management body of that company.<\/p>\n<p><strong>Controller<\/strong> \u2013 this is the person who decides why and how (the aims and methods) the personal data is processed. Answering the following questions may help to determine the controller:<br \/>\n&#8211; Who decides what items of personal data are stored?<br \/>\n&#8211; Who decides the aims for which the personal data will be used?<br \/>\n&#8211; Who decides how the personal data will be processed?<\/p>\n<p>The person who decides on the processing of the personal data, which is accessible to himself\/herself, and is responsible for the data, is the controller.<\/p>\n<p><strong>Authorised processor<\/strong> \u2013 this is the person who processes the personal data on behalf of the controller. If this person possesses the personal data or is processing it, but does not have the authority to decide how the data is processed, meaning that the processing takes place according to the controller\u2019s instructions, then this person is an authorised processor. The authorised processor may also be a service provider (for example, a payroll service provider).<\/p>\n<p><strong>1. PERSONAL DATA CATEGORIES<\/strong><\/p>\n<p><strong>1.1 Employees and contractors<\/strong><\/p>\n<p>The company processes the personal data of its employees, job and office candidates (e.g. 
board members) and contractors, as well as former employee and contractor data.<\/p>\n<p>The personal data that is processed includes:<\/p>\n<p>\u2022 Personal data such as a person\u2019s name, date of birth, bank account-related data, visa \/ passport \/ ID card data or a copy of the appropriate document;<br \/>\n\u2022 Contact data, such as a person\u2019s address, phone number and e-mail address;<br \/>\n\u2022 Personal file data including: work relation conditions, training data, work result evaluations, promotions, personal development plans, behavioural and disciplinary data, work location, salary data, bank account data, as well as a person\u2019s taxpayer number and identity code;<br \/>\n\u2022 Work relation history \/ candidacy data \u2013 for example, a person\u2019s education and former employment history;<br \/>\n\u2022 Family member data \u2013 for example, the names and dates of birth of a person\u2019s children (this data is relevant when, for example, the person applies for parental leave);<br \/>\n\u2022 Work achievement-related data \u2013 for example, an employee\u2019s annual salary review etc.<br \/>\n\u2022 Special categories of personal data: health data such as medical certificates and sick leave certificates;<\/p>\n<p><strong>1.2 Clients<\/strong><\/p>\n<p>The company also processes the personal data of its clients. The client personal data may include the following:<\/p>\n<p>\u2022 Personal data such as a person\u2019s name, date of birth \/ identity code;<br \/>\n\u2022 Contact data \u2013 for example, a person\u2019s address, telephone number and e-mail address;<br \/>\n\u2022 Guest registration card data;<br \/>\n\u2022 Credit card data such as the card number expiry date and CVV number;<br \/>\n\u2022 Surveilance camera recordings.<\/p>\n<p>We use cookies on our website. 
You can read the Cookie Policy here.<\/p>\n<p><strong>1.3 Cooperation Partners<\/strong><\/p>\n<p>The company processes the personal data of its cooperation partners. The personal data of cooperation partners may include the following:<\/p>\n<p>\u2022 Personal data of cooperation partners\u2019 representatives or contact persons \u2013 for example, a person\u2019s name, job position, work-specific identification numbers, department, business unit (incl. training\/evaluation reports and relevant contact data);<br \/>\n\u2022 Contact data \u2013 for example, a person\u2019s e-mail address, telephone number and work location.<\/p>\n<p><strong>2. AIMS OF DATA PROCESSING<\/strong><\/p>\n<p>The company processes personal data according to the aims for which the personal data was collected.<\/p>\n<p>For example, the employee personal data is processed with the following aims:<br \/>\n\u2022 Fulfilment of the obligations stipulated in the employee\u2019s contract;<br \/>\n\u2022 Salary and compensation management;<br \/>\n\u2022 Management of personnel activities, performance and talent;<br \/>\n\u2022 Internal audits.<\/p>\n<p>The personal data of clients and cooperation partners is processed, for example, for the following reasons:<br \/>\n\u2022 The fulfilment of the tourism legislation stipulated the obligation to name the accommodation place (e.g. the completion of guest registration cards and their storage for 2 years);<br \/>\n\u2022 Preparation and fulfilment of a contract signed with a client \/ cooperation partner;<br \/>\n\u2022 Marketing and public relations;<br \/>\n\u2022 Development of the company\u2019s products and services;<br \/>\n\u2022 Development of the company\u2019s business strategy;<br \/>\n\u2022 Protection of the property of the company, our customers and employees, and ensuring safety; avoiding and discovering unlawful and\/or criminal behaviour involving the company or our clients and employees.<\/p>\n<p><strong>3. 
DATA SUBJECT\u2019S RIGHTS<\/strong><\/p>\n<p>People have certain rights in connection with their personal data, according to the data protection legislation.<\/p>\n<p>3.1. Right to data access \u2013 you have the right to know what data we hold concerning you, and how that data is processed.<br \/>\n3.2. Right to data rectification \u2013 you have the right to demand corrections to your personal data, in cases where it is inaccurate.<br \/>\n3.3. Right to data erasure (\u201cright to be forgotten\u201d) \u2013 you have the right, under certain conditions, to request that we erase your personal data (e.g. if we no longer need the data, if you revoke the agreement giving us the right to process the data, etc.).<br \/>\n3.4. Right to restrict data processing \u2013 you have the right, under certain circumstances, to forbid or restrict the processing of your personal data for a certain period (e.g. if you have submitted an objection concerning the data processing).<\/p>\n<p>3.5. Right to present objections \u2013 you have the right to present objections concerning the processing of your personal data, considering the concrete situation, if the data processing is taking place according to our legitimate interests or the interests of the general public. Objections to the processing of data for direct marketing purposes can be made at any time.<br \/>\n3.6. Right to data portability \u2013 in cases where the personal data processing is based on your agreement or a contract signed with us, and the data is processed automatically, you have the right to access the data concerning yourself, which you have given to our controller, in a structured, generally usable format as well as in a machine-readable format for the purpose of forwarding to another controller. You may also request that the company forward the data directly to the other controller, if this is technically possible.<\/p>\n<p><strong>4. 
PUBLICATION OF PERSONAL DATA<\/strong><\/p>\n<p>The company may occasionally release personal data to third parties, or provide access to the personal data processed in the company (for example, when the law enforcement authority or the Data Protection Inspectorate presents a valid demand for the accessing of personal data).<\/p>\n<p>The company may also share personal data: a) with a person in another company within the same group (e.g. a parent and subsidiary company, or the group\u2019s end beneficiary and its subsidiary companies); b) with selected other parties incl. business partners, suppliers and contractors; c) with other parties when selling or buying other companies and assets (incl. while making transactions); or d) when the company has a legal obligation to release the personal data (which includes information exchanges with other companies and organisations for the purpose of avoiding fraud).<\/p>\n<p>When the company signs agreements with other parties for the processing of personal data on behalf of the company, then the company shall ensure that the appropriate contractual protection means are in place for the protection of the personal data used by others.<\/p>\n<p><strong>5. DATA STORAGE<\/strong><\/p>\n<p>The company stores personal data only for as long as the preserving of the personal data is deemed necessary to fulfil the aims for which the personal data was collected. 
The personal data is stored according to the relevant legislation and company principles.<\/p>\n<p>The company shall consider the following criteria when storing personal data:<\/p>\n<p>\u2022 How long the personal data must be kept in order to offer the company\u2019s services.<\/p>\n<p>\u2022 If the person has a client account or a loyalty card, then the personal data will be stored for as long as the account \/ card is active or for as long as is required in order to offer personalised services.<\/p>\n<p>\u2022 When the company has a legal, contractual or other similar obligation for storing the personal data, then the data will be stored for as long as is required to fulfil such an obligation.<\/p>\n<p>\u2022 After the end of the contractual relations, certain data will be stored for as long as the person (data subject) or the company itself has the right to present demands to the other party based on a contract.<\/p>\n<p>Some examples include:<\/p>\n<p>\u2022 Guest registration cards are stored for 2 years, from the moment when the card is filled in according to the requirements of the tourism legislation.<\/p>\n<p>\u2022 Work contract written documents are stored for a period of 10 years after the work contract has ended, according to the requirements of the Employment Contracts Act.<\/p>\n<p>\u2022 Credit card data is stored until the accommodation services have been provided in an orderly fashion, according to the contract.<\/p>\n<p><strong>6. AREAS OF RESPONSIBILITY<\/strong><\/p>\n<p>The company is responsible for processing personal data. 
The general responsibility for following the stated Privacy Policy in the company rests with the company management, which shall assign a chief contact in connection with: i) the processing of the personal data of company employees and contractors; ii) the processing of the personal data of clients and cooperation partners; and iii) the security of the personal data processed in the company.<\/p>\n<p>All company employees who are in contact with the personal data for the processing purposes are obligated to follow the most current issue of this Privacy Policy.<\/p>\n<p>If you want to clarify any information regarding this policy or wish to submit an application to exercise a data subject\u2019s rights, please contact us by e-mail at hello@nothel.ee.<\/p>\n<p>Date: 23.07.2019<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the current Privacy Policy (the \u201cPrivacy Policy\u201d) we describe how Nothel O\u00dc (the \u201ccompany\u201d) processes the personal data of its employees, clients or other persons who cooperate with the company, and what means we utilise to protect this personal data. 
The personal data is processed according to the General Data Protection Regulation (Regulation (EU) [&hellip;]<\/p>\n","protected":false},"author":4,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"template-text.php","meta":[],"acf":[],"_links":{"self":[{"href":"https:\/\/nothel.ee\/en\/wp-json\/wp\/v2\/pages\/495"}],"collection":[{"href":"https:\/\/nothel.ee\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/nothel.ee\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/nothel.ee\/en\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/nothel.ee\/en\/wp-json\/wp\/v2\/comments?post=495"}],"version-history":[{"count":3,"href":"https:\/\/nothel.ee\/en\/wp-json\/wp\/v2\/pages\/495\/revisions"}],"predecessor-version":[{"id":498,"href":"https:\/\/nothel.ee\/en\/wp-json\/wp\/v2\/pages\/495\/revisions\/498"}],"wp:attachment":[{"href":"https:\/\/nothel.ee\/en\/wp-json\/wp\/v2\/media?parent=495"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}