The company processes, for example, the personal data of employees, temporary employees, sole proprietors, applicants for jobs and positions, contact persons of suppliers, customers, guests and other cooperation partners.
EEA – European Economic Area
GDPR – means the General Data Protection Regulation, Regulation (EU) 2016/679, which applies from 25 May 2018.
Personal data – means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
Personal data breach – means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
Customer – means a natural person to whom the enterprise provides services and/or offers goods in connection with its economic activity.
Third party – means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
Cooperation partner – means a natural person who is the supplier of the enterprise or an employee/representative/contact person of another cooperation partner who is a legal person.
Visitor’s card data – data required in the Tourism Act on the visitor of an accommodation establishment: name, date of birth, citizenship and address; the name, date of birth and citizenship of the spouse or a minor accommodated together with him or her; the period of provision of the accommodation services; if the visitor is not a citizen of Estonia, another Member State of the European Economic Area or Switzerland or an alien residing in Estonia on the basis of a residence permit or right of residence, the visitor’s card shall also set out the type and number of his or her travel document and the state which issued it.
Profiling – means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict aspects concerning that natural person’s performance at work, economic situation, health, personal preferences, interests, reliability, behaviour, location or movements.
Processing – means any operation or set of operations which is performed on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing may be manual or carried out with automated systems such as IT systems.
Contractor – means a natural person (i.e. not a company) with whom the company has concluded a contract for services; this also includes the members of the management bodies of a company.
Controller – means the person who determines the purposes and means of the processing of personal data. Upon determining the controller, answering the following questions may be helpful.
- Who decides which personal data are retained?
- Who decides for which purposes personal data are used?
- Who decides in which manner the personal data are processed?
If a person decides him or herself on the processing of personal data in his or her possession and is responsible therefor, that person is the controller.
Processor – means a person who processes personal data on behalf of the controller. If a person holds or processes personal data but is not authorised to decide on the processing thereof, i.e. the person processes the data following the instructions of the controller, that person is the processor. A processor may be, e.g., a service provider (such as a provider of wage calculation services).
1. CATEGORIES OF PERSONAL DATA
1.1 Employees and contractors
The company processes data on its employees, applicants for jobs and positions (e.g. members of the management board) and contractors, as well as former employees and contractors.
Such personal data include the following:
- Personal data such as the name, date of birth, bank account details, close relatives, data on social media accounts, visa/passport/ID card data or copy of the relevant document;
- Contact details such as the address and telephone number, e-mail address;
- Personnel file data, including: terms of employment relationship, training data, assessment of performance at work, promotions, personal development plans, behaviour and disciplinary data, location of work, salary data, bank account details and taxable person’s number and personal ID code;
- Data of employment history / application data such as education and previous career history;
- Data on family members such as the dates of birth and names of children (these are relevant, e.g., if the person applies for parental leave);
- Data on trade union membership;
- Data relating to performance at work, e.g. annual salary reviews of employees, psychometric tests, etc.;
- Special categories of personal data: medical data such as medical certificates and sick leave.
The above list is not exhaustive but includes the most frequently collected, used or otherwise processed personal data.
1.2 Customers
The company also processes the personal data of its customers. Such personal data may include the following:
- Personal data such as the name, date of birth/personal ID code;
- Contact details such as the address and telephone number, e-mail address;
- Visitor’s card data;
- Credit card information such as the card number, the card’s expiry date and the CVV code;
- Data on personal preferences such as music preferences, pillow preferences.
1.3 Cooperation partners
The company processes the personal data of its cooperation partners. Such personal data may include the following:
- Personal data such as the name, title, position, work-related identification numbers, department, business unit (also contact details collected for training/inspection);
- Contact details such as the e-mail address, telephone numbers and location of work;
- Tax information such as VAT/taxable person’s numbers.
2. PURPOSES OF DATA PROCESSING
The company processes personal data for the purposes for which the personal data were collected.
The personal data of employees are processed, e.g., for the following purposes:
- Performance of employer’s obligations provided for in the Employment Contracts Act;
- Management of wages and benefits;
- Management of personnel activities, performance and talent;
- Internal audits.
We process the personal data of customers and cooperation partners, e.g., for the following reasons:
- Performance of the obligations of an accommodation establishment provided for in the Tourism Act (e.g. filling out the visitor’s card and retaining it for 2 years);
- Preparation of contracts entered into with customers/cooperation partners and implementation thereof;
- Marketing and public relations;
- Improvement of the company’s products and services;
- Research and statistical analysis;
- Development of the company’s business strategy;
- Prevention and detection of unlawful and/or criminal behaviour towards the company or our customers and employees.
From time to time we may also process personal data for other reasons. The company attempts to notify people of the purposes of processing their personal data at the time the personal data are received. If this is not possible or reasonable, we shall attempt to notify people at the first opportunity after the personal data have been received or otherwise processed.
The company performs profiling with regard to different people (e.g. employees, contractors, applicants for jobs or positions, but also customers). The company engages in the following profiling:
The company processes such data provided that: a) it is explicitly allowed by law; b) it is necessary for entry into or performance of a contract; or c) the person has given the required consent.
If we make automated decisions, including profiling, we shall notify people of the logic applied, of the significance of such processing and of the envisaged consequences for the data subject.
4. RIGHTS OF DATA SUBJECT
People have certain rights relating to their personal data based on the Data Protection Act.
4.1. Right of access to his or her data – you have the right to know which data are held about you and how the data are processed.
4.2. Right to rectification of data – you have the right to request the rectification of your personal data if the data are incorrect.
4.3. Right to erasure of data (“right to be forgotten”) – in certain cases you have the right to request that we erase your personal data (e.g. if we no longer need the data, if you withdraw the consent you gave us for data processing, etc.).
4.4. Right to restrict processing – in certain cases you have the right to prohibit or restrict the processing of your personal data for a certain time (e.g. if you have objected to the data processing).
4.5. Right to object – depending on your specific situation, you have the right to object to the processing of your personal data if the processing is based on our legitimate interest or on public interest. You may object to the processing of data for the purposes of direct marketing at any time.
4.6. Right to data transfer (portability) – if data processing is based on a person’s consent or on a contract entered into with the company and the data processing is automated, the person has the right to receive the personal data which he or she has submitted to the controller in a structured, commonly used and machine-readable format and the right to transfer the data to another controller. The person also has the right to request the company to transfer the data directly to another controller where this is technically possible.
4.7. Making automated decisions (including profiling) – if we have notified you that we perform decision-making based on automated processing (including profiling), which is accompanied by legal consequences concerning you or which has a significant effect on you, you have the right to request for the decision not to be made based on only automated processing.
4.8. The procedure of rights and requests of a data subject explains how requests relating to the aforesaid rights can be submitted and how the company handles such requests.
4.9. Complaints. Should a data subject find that the processing of personal data relating to them does not comply with the provisions of data protection laws and the General Data Protection Regulation, the data subject is entitled to submit a complaint to the body exercising national data protection supervision. In Estonia, this supervisory body is the Estonian Data Protection Inspectorate.
5.1 Security measures
The company has established physical, technical and organisational measures for the protection of personal data against unlawful or unauthorised destruction, loss, amendment, disclosure, acquisition or unauthorised access thereto.
The company applies the following physical data security measures:
- documents on paper containing personal data are kept in locked rooms and cabinets to which only certain employees have access for the performance of their official duties;
- data processing rooms and IT systems have sufficient protection against fire, overheating, water, power-fluctuations and power cuts;
The company applies the following technical security measures:
- Video surveillance;
- All work computers are locked with a password-protected screensaver once the employee has left the workstation;
- It has been ensured that the IT system blocks further login attempts and locks the user account once the number of failed login attempts exceeds a set limit;
- It has been ensured that particularly exposed systems (e.g. laptops, smartphones) are adequately protected (by applying encryption or other measures);
As organisational security measures we apply:
- Access to important IT systems and rooms has been regulated;
- Roles and profiles have been determined for all the IT system users;
- It has been determined which data can be accessed by which users and the access rights correspond to the needs arising from the official duties of an employee;
- It has been ensured that access rights shall be cancelled after the employee has left the company;
- It has been ensured that without an authorisation there is no entry from public spaces into spaces used for processing personal data;
- A visiting procedure has been prepared for the company’s visitors (i.e. not the visitors of public spaces); visitors’ data and their times of arrival and departure are registered upon arrival and departure;
- The spaces where the computers enabling access to the IT system and the spaces where documents containing personal data are kept are under surveillance also after the working time has ended;
5.2 Personal data breaches
The company deals with personal data breaches according to the provisions of the reaction procedure to breaches of personal data. Instructions concerning the detection of personal data breaches and the notification thereof can be found in the reaction procedure to breaches of personal data.
6. DISCLOSURE OF PERSONAL DATA
The company may from time to time disclose personal data to third parties or give them access to personal data processed in the company (e.g. if a law enforcement agency or the Data Protection Inspectorate submits a valid request for access to personal data).
The company may also share personal data: a) with a company belonging to the same group as the company (e.g. the parent company and its subsidiaries, the ultimate beneficiary of the group and its subsidiaries); b) with other selected parties, including business partners, suppliers and contractors; c) with other parties if we sell or purchase other companies or assets (i.e. in the course of such transactions); or d) if the company has a legal obligation to disclose personal data (this includes exchanging information with other companies and organisations in order to prevent fraud).
If the company enters into contracts with other parties for processing personal data on behalf of the company, it shall ensure that appropriate contractual security measures for the protection of personal data are in place, among other things by applying the data protection standard clauses that have been developed for inclusion in contracts concluded with persons who process data on behalf of the company.
The company discloses personal data, or grants access thereto, to the following categories of recipients for the purposes stated below:
- Providers of communication services – for providing the telephone and data communication services of employees;
- Providers of wage calculation services – for calculating the wages of employees;
- Providers of occupational health services – for organising the occupational health care of employees;
- Recruitment agencies – for finding new employees/contractors;
- Marketing undertakings – for performing direct marketing to customers specified by the company;
- Insurance brokers and insurance providers – for arranging travel, accident and similar insurance for the company’s employees.
7. RETENTION OF DATA
The company shall retain personal data only for as long as retention is necessary for the purposes for which the personal data were collected. Personal data shall be retained in accordance with the relevant acts and the company’s principles.
When retaining personal data, the company shall apply the following criteria:
- For how long the personal data need to be retained in order to provide the company’s services;
- If the person has a customer account or loyal customer card with the company, we retain the personal data for the entire time the account/card is active or for as long as the data are necessary for the provision of services to the person;
- If the company has an obligation arising from the law, a contract or a similar source to retain personal data, the data shall be retained for as long as is necessary for the performance of that obligation;
- After termination of a contractual relationship we shall retain certain data for as long as the person (data subject) or the company is entitled to file claims against the other party based on the contract;
- Visitor’s card data shall be retained, according to the requirements of the Tourism Act, for 2 years after the card is filled out;
- Written documents of an employment contract shall be retained, according to the requirements of the Employment Contracts Act, for 10 years after termination of the employment contract;
- Credit card data shall be retained only for as long as is required for the performance of the accommodation service contract between us and the customer.
More specific criteria shall be set out in the company’s register of personal data.
8. TRANSFER OF DATA OUTSIDE THE EEA
The company transfers personal data to the following locations outside the EEA for the purposes specified below, applying the following measures for the protection of personal data:
- Authorities with the legal right to receive the data;
- On the basis of a court decision.
GDPR Articles 45-49 set out when and under which conditions the transfer of data is permitted. According to GDPR Article 45, a transfer of personal data to a third country may take place where the Commission has decided that the third country, a territory within it, or the international organisation in question ensures an adequate level of protection. Such a transfer shall not require any specific authorisation. The list of such countries, territories and international organisations shall be published in the Official Journal of the European Union and on the Commission’s website.
10. ASSOCIATED RULES AND PROCEDURES
- Reaction procedure to personal data breaches
- Data protection standard clauses for data processing contracts
- Procedure of rights and requests of a data subject
- Privacy notice (for employees, customers)
- Register of personal data