processes the personal data of its employees, customers or persons otherwise cooperating
with the company and which measures we apply for the protection of personal data.
Personal data are processed according to the General Data Protection Regulation
(Regulation (EU) 2016/679) and other national and European privacy laws and regulations
(jointly the „Data Protection Act”).
The company processes e.g. the personal data of employees, temporary employees, sole proprietors, applicants for jobs and positions, contact persons of suppliers, customers, guests and other cooperation partners.
upon data protection.
specific rules and instructions shall be established in different areas, e.g. security, of which we notify internally to a reasonable extent.
EEA – European Economic Area (according to the applicable regulation EEA includes all the
member states of the European Union as well as Norway, Iceland and Liechtenstein).
GDPR – means the General Data Protection Regulation, (EU) 2016/679, which applies starting from 25 May 2018.
Personal data – means any information relating to an identified or identifiable natural
person; an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location
data, an online identifier or to one or more factors specific to the physical, physiological,
genetic, mental, economic, cultural or social identity of that natural person.
Special categories of personal data – means personal data revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, or trade union membership, and
the processing of genetic data, biometric data for the purpose of uniquely identifying a
natural person, data concerning health or data concerning a natural person's sex life or
Personal data breach – means a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, personal data
transmitted, stored or otherwise processed.
Customer – means a natural person to whom the enterprise provides services and/or offers goods in connection with its economic activity.
Third party – means a natural or legal person, public authority, agency or body other than
the data subject, controller, processor and persons who, under the direct authority of the
controller or processor, are authorised to process personal data.
Cooperation partner – means a natural person who is the supplier of the enterprise or an
employee/representative/contact person of another cooperation partner who is a legal
Visitor’s card data – data required in the Tourism Act on the visitor of an accommodation
establishment: name, date of birth, citizenship and address; the name, date of birth and
citizenship of the spouse or a minor accommodated together with him or her; the period of
provision of the accommodation services; if the visitor is not a citizen of Estonia, another
Member State of the European Economic Area or Switzerland or an alien residing in Estonia
on the basis of a residence permit or right of residence, the visitor’s card shall also set out
the type and number of his or her travel document and the state which issued it.
Profiling – means any form of automated processing of personal data consisting of the use
of personal data to evaluate certain personal aspects relating to a natural person, in
particular to analyse or predict aspects concerning that natural person's performance at
work, economic situation, health, personal preferences, interests, reliability, behaviour,
location or movements.
Processing – means any operation or set of operations which is performed on personal data
or on sets of personal data, such as collection, recording, organisation, structuring, storage,
adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure
or destruction. Processing may either be manual or with the use of automated systems such
as IT systems.
Contractor – means a natural person (i.e. not a company) with whom the company has
concluded a contract for services; this also includes the members of management bodies of
Controller – means the person who determines the purposes and means of the processing
of personal data. Upon determining the controller, answering the following questions may be
– Who decides which personal data are retained?
– Who decides for which purposes personal data are used?
– Who decides in which manner the personal data are processed?
If a person decides him or herself on the processing of personal data in his or her possession
and is responsible therefor, that person is the controller.
Processor – means a person who processes personal data on behalf of the controller. If personal data are in the possession of a person or the person processes personal data but the person is not authorised to decide on the processing thereof, i.e. the person processes data following the instructions of the controller, that person is the processor. A processor may be e.g. a service provider (e.g. a provider of wage calculation services).
1. CATEGORIES OF PERSONAL DATA
1.1 Employees and contractors
The company processes data on its employees, applicants for jobs and positions (e.g.
members of the management board) and contractors as well as former employees and
Such personal data include the following:
– Personal data such as the name, date of birth, bank account details, close relatives, data on social media accounts, visa/passport/ID card data or a copy of the relevant document;
– Contact details such as the address and telephone number, e-mail address;
– Personnel file data, including: terms of the employment relationship, training data, assessment of performance at work, promotions, personal development plans, behaviour and disciplinary data, location of work, salary data, bank account details and taxable person’s number and personal ID code;
– Data of employment history / application data such as education and previous career
– Data on family members such as dates of birth and names of children (these are relevant e.g. in case the person applies for parental leave);
– Data on trade union membership;
– Data relating to performance at work, e.g. annual review of employees’ salaries, psychometric tests etc.
– Special categories of personal data: medical data such as medical certificates and
The above list is not exhaustive but includes the most frequently collected, used or otherwise
processed personal data.
The company also processes the personal data of its customers. Such personal data may
include the following:
– Personal data such as the name, date of birth/personal ID code;
– Contact details such as the address and telephone number, e-mail address;
– Visitor’s card data;
– Credit card information such as the number, term of validity of the credit card and CVV
– Data on personal preferences such as […].
– Special categories of personal data:
1.3 Cooperation partners
The company processes the personal data of its cooperation partners. Such personal data
may include the following:
– Personal data such as the name, title, position, work-related identification numbers, department, business unit (also contact details collected for training/inspection);
– Contact details such as the e-mail address, telephone numbers and location of work;
– Tax information such as VAT/taxable person’s numbers.
2. PURPOSES OF DATA PROCESSING
The company processes personal data for the purposes the personal data have been
The personal data of employees are processed e.g. for the following purposes:
– Performance of the employer’s obligations provided for in the Employment Contracts Act;
– Management of wages and benefits;
– Management of personnel activities, performance and talent;
We process the personal data of customers and cooperation partners e.g. for the following
– Performance of the obligations of an accommodation establishment provided for in the Tourism Act (e.g. filling out the visitor’s card and retention thereof within 2 years;
– Preparation of contracts entered into with customers/cooperation partners and
– Marketing and public relations;
– Improvement of the company’s products and services;
– Research and statistical analysis;
– Development of the company’s business strategy;
– Prevention and detection of unlawful and/or criminal behaviour towards the company or our customers and employees.
From time to time we may also process personal data for other reasons. The company attempts to notify people of the purposes of processing their personal data at the time the personal data are received. If that is not possible or reasonable, we shall attempt to notify people at the first opportunity after receipt of the personal data or after processing thereof in another manner.
The company performs profiling with regard to different people (e.g. employees, contractors, applicants for jobs or positions but also customers). The company engages in the following
The company processes such data, provided that: a) it is explicitly allowed by law; b) it is necessary for entry into or performance of a contract; or c) the person has given the required consent.
If we make automated decisions, including profiling, we shall notify people of the applied
logic and of the importance of such processing and the estimated consequences for the data
4. RIGHTS OF DATA SUBJECT
People have certain rights relating to their personal data based on the Data Protection Act.
4.1. Right to access his or her data – you have the right to know which data are retained about you and how the data are processed.
4.2. Right to rectification of data – you have the right to request the rectification of your
personal data if the data are incorrect.
4.3. Right to erasure of data („right to be forgotten“) – in certain cases you have the right to request that we erase your personal data (e.g. if we no longer need the data, you withdraw the consent submitted to us for data processing etc.).
4.4. Right to restrict processing – in certain cases you have the right to prohibit or restrict the processing of your personal data for a certain time (e.g. if you have stated an objection to the
4.5. Right to state objections – based on the specific situation you have the right to state
objections regarding the processing of your personal data if the processing of your data is
based on our legitimate interest or public interest. Objections to processing of data for the
purposes of direct marketing may be stated at any time.
4.6. Right to transfer of data – if data processing is based on a person’s consent or a contract
entered into with the company and data processing is automated, the person has the right to
receive personal data which he or she has submitted to the controller in a structured, general
format and in typewritten form and the right to transfer the data to another controller. The
person also has the right to request the company to transfer the data directly to another
controller if it is technically possible.
4.7. Making automated decisions (including profiling) – if we have notified you that we
perform decision-making based on automated processing (including profiling), which is
accompanied by legal consequences concerning you or which has a significant effect on you,
you have the right to request for the decision not to be made based on only automated
The procedure of rights and requests of a data subject explains how the requests relating to
the aforesaid rights can be submitted and how the company manages such requests.
5.1 Security measures
The company has established physical, technical and organisational measures for the
protection of personal data against unlawful or unauthorised destruction, loss, amendment,
disclosure, acquisition or unauthorised access thereto.
The company applies the following physical data security measures:
– documents on paper containing personal data are kept in locked rooms and cabinets to which only certain employees have access for the performance of their official duties;
– data processing rooms and IT systems have sufficient protection against fire, overheating, water, power fluctuations and power cuts;
The company applies the following technical security measures:
– All the work computers are protected with a password screensaver after the employee
– It has been ensured that the IT system does not allow further login attempts and locks the user after the number of failed login attempts exceeds a certain limit;
– It has been ensured that especially threatened systems (e.g. laptops, smartphones) have been sufficiently protected (by applying encryption or other measures);
As organisational security measures we apply:
– Access to important IT systems and rooms has been regulated;
– Roles and profiles have been determined for all the IT system users;
– It has been determined which data can be accessed by which users, and the access rights correspond to the needs arising from the official duties of an employee;
– It has been ensured that access rights shall be cancelled after the employee has left the
– It has been ensured that without an authorisation there is no entry from public spaces into spaces used for processing personal data;
– A visiting procedure has been prepared for the visitors of the company (i.e. not the visitors of public spaces) and the visitors’ data, times of arrival and departure shall be registered upon arrival and departure;
– The spaces where the computers enabling access to the IT system and the spaces where documents containing personal data are kept are under surveillance also after the working time has ended;
5.2 Personal data breaches
The company deals with personal data breaches according to the provisions of the reaction
procedure to breaches of personal data. Instructions concerning the detection of personal
data breaches and the notification thereof can be found in the reaction procedure to
breaches of personal data.
6. DISCLOSURE OF PERSONAL DATA
The company may from time to time disclose personal data to third persons or enable their access to personal data processed in the company (e.g. if a law enforcement agency or the Data Protection Inspectorate submits a valid requirement for access to personal data).
The company may also share personal data: a) with a person belonging to the same group as another company (e.g. parent company and subsidiaries, the final beneficiary of the group and the subsidiaries thereof); b) with other chosen parties, including business partners, suppliers and contractors; c) with other parties if we sell or purchase other companies or assets (i.e. upon making transactions); or d) if the company has a legal obligation to disclose
personal data (it includes exchange of information with other companies and organisations to
If the company enters into contracts with other parties for processing personal data on behalf
of the company, it shall ensure the presence of appropriate contractual security measures for
the protection of personal data, by applying inter alia data protection standard clauses, which
have been developed for adding into contracts to be concluded with persons who process
data on behalf of the company.
The company discloses personal data or grants access thereto for the following categories of
people for the purposes explained below:
– Providers of communication services – for organising the call and data communication services of employees;
– Providers of wages calculation service – for keeping the wages calculation of
– Providers of occupational health services – for organising the occupational health of
– Recruitment agencies – for finding new employees/contractors;
– Marketing undertakings – for performing direct marketing to customers specified by the
– Insurance brokers and insurance providers – for making travel, accident etc. insurance of employees of the company;
7. RETENTION OF DATA
The company shall retain personal data only until the retention of such personal data is
considered necessary for the purposes the personal data were collected. Personal data shall
be retained according to relevant acts and the company’s principles.
Upon retention of personal data the company shall proceed from the following criteria:
– For how long the personal data need to be retained in order to provide its services
– If the person has a customer account or loyal customer card with the company, we retain the personal data during the entire time the account/card is active or for as long as the data are necessary for the provision of services to the person
– If the company has an obligation arising from the law or a contractual obligation or similar to retain personal data, the data shall be retained for as long as it is necessary for the performance of such obligation
– After termination of a contractual relationship we shall retain certain data for as long as a person (data subject) or the company is entitled to file claims to the other party based on
– Visitor’s card data shall be retained according to the requirements of the Tourism Act for 2 years after filling out the card.
– Written documents of an employment contract shall be retained according to the requirements of the Employment Contracts Act for 10 years after termination of an
– Credit card data shall be retained until the implementation of the accommodation service contract between us as required.
More specific criteria shall be set out in the company’s register of personal data.
8. TRANSFER OF DATA OUTSIDE EEA
From time to time the company may have the need to transfer personal data outside EEA.
Such transfer shall be according to the applicable Data Protection Act [1]. The company shall adopt reasonable measures to ensure that personal data shall be treated in a secure manner.
[1] GDPR Articles 45-49 provide when and on which conditions the transfer of data is permitted. According to GDPR Article 45 transfer of personal data to a third country may take place where the Commission has decided
The company transfers personal data to the following locations outside the EEA for the
purposes specified below by applying the following measures for the protection of personal
The company is responsible for the processing of personal data. General responsibility for
who shall determine the main contact person in connection with i) processing the personal
data of employees and contractors of the company; ii) processing the personal data of
customers and cooperation partners and iii) security of personal data processed in the
All the employees of the company in contact with the processing of personal data shall be
10. ASSOCIATED RULES AND PROCEDURES
– Reaction procedure to personal data breaches
– Data protection standard clauses to data processing contracts
– Procedure of rights and requests of a data subject
– Privacy notice (for employees, customers)
– Register of personal data