1. PERSONAL DATA CONTROLLER, PROCESSORS AND DATA PROTECTION OFFICER
2. PRINCIPLES OF PERSONAL DATA PROCESSING
3. DATA SUBJECT’S RIGHTS
4. PURPOSES OF PROCESSING OF PERSONAL DATA
5. CATEGORIES OF PERSONAL DATA PROCESSED
6. LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA
7. PROFILING AND MARKETING
8. THE USE OF „COOKIES“
9. SAFEGUARDS
10. IMPLEMENTING PROVISION
Personal Data Controller
Name of the controller: OÜ TLG Hotell
Company registration code: 10952552
Address: Sadama 11a, 10111 Tallinn, Estonia
Contacts: telephone +372 630 0808, e-mail firstname.lastname@example.org
Personal data ‘controller’ is a legal person which determines the purposes and means of the processing of personal data.
Personal Data Processors
Tallink Hotels’s data processors are the third parties with whom we may need to share personal information to help us provide services and products to you. Tallink Hotels’s data processors include:
• our subsidiaries or affiliates;
• our third party partners who process information on our behalf to help us run some of our internal business operations;
• law enforcement bodies in order to comply with any legal obligation.
Data Protection Officer
In order to ensure a high level of personal data protection, Tallink Hotels has designated a Data Protection Officer (“DPO”) with expert knowledge of data protection law and practices. The DPO assists Tallink Hotels in maintaining personal data protection compliance.
The DPO in Tallink Hotels serves as a contact point for data subjects in case of requests and/or questions related to personal data protection and personal data processing in Tallink Hotels. Data subjects may contact the DPO with regard to all issues related to processing of their personal data and to the exercise of their rights.
Tallink Hotels DPO’s contact details are: Data Protection Officer Sadama 5/7, 10111 Tallinn, Estonia email@example.com
Transparency Tallink Hotels processes Your personal data in a fair and transparent manner and only when we are allowed to process Your personal data according to the law.
Purpose limitation Tallink Hotels collects Your personal data for specified, explicit and legitimate purposes. We will not further process Your personal data in a manner that is incompatible with the initial purposes. When processing Your personal data for a purpose other than the initial purpose, we rely on the legal bases originating from the law (e.g. when receiving requests from courts or law enforcement authorities) or we ask for Your approval for processing Your personal data for a purpose other than for which You originally provided us with Your personal data.
Data minimisation Tallink Hotels is doing its best to ensure that personal data processed by Tallink Hotels is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We don’t process any redundant information about You.
Accuracy Our aim in Tallink Hotels is to ensure that personal data shall be accurate and kept up to date where necessary. Tallink Hotels shall take every reasonable step to ensure that inaccurate personal data will be erased or corrected without delay. If the personal data should prove to be false, Tallink Hotels also gives You the possibility to correct and/or delete it. To do so, please write to: firstname.lastname@example.org
Storage limitation Tallink Hotels keeps Your personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Integrity and confidentiality
Tallink Hotels normally does not process special categories of personal data (sensitive data such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health). Tallink Hotels only processes such type of personal data when there exists a legal basis for that, for example if we are obligated or allowed by law to process this kind of sensitive personal data. For example, we might process data concerning health when there occurs a need to give emergency aid or when you have asked us to help you due to your health condition.
Data protection by design and by default When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data, Tallink Hotels takes into account the data subject’s right to personal data protection.
Respecting data subject’s rights is of importance to Tallink Hotels and therefore handled with special attention. When requested by the data subject, the information about that specific data subject will be provided by Tallink Hotels. Please note that we need you to prove who you are before we can help you with any request related to personal data.
This means that, when looking through Your request and in case of doubt, Tallink Hotels may ask You to provide additional information for the data subject’s identification. We do this to be sure about the data subject’s identity and to ascertain that we provide the correct information to the right person.
If the purposes for which Tallink Hotels processes personal data do not or do no longer require the identification of a data subject, Tallink Hotels will not be obligated to maintain, acquire or process additional information in order to identify the data subject. Upon data subject’s request and if possible, Tallink Hotels will inform the data subject accordingly about this kind of processing.
Right of access by the data subject – You have the right to access Your personal data which is processed by Tallink Hotels. This enables You to be aware of and verify which types of personal data Tallink Hotels processes about You and how. You can also turn to Tallink Hotels and ask for which purposes we process Your personal data if it remains unclear to You or You would like to ask us additional questions. We aim to answer You as soon as possible but we try to do this no later than in one month. In more complex requests we might need to extend the answering time by a further two months. In the latter case, we will contact You about the extension of the answering period and explain the reasons to You. To ask us questions related to Your data processing, please write to email@example.com.
Copies – Tallink Hotels will provide a copy of Your data upon Your request free of charge when You need it. For any further copies requested, Tallink Hotels may charge a fee based on actual costs if the requests from a data subject are of repetitive character. Tallink Hotels may refuse to disclose the data in a copy entirely or refuse to provide a copy when this disproportionately affects the rights and freedoms of other data subjects besides You and less strict measures cannot be taken.
Right to rectification – every data subject who notices that his/her personal data is not up-to-date, false or needs to be corrected can turn to Tallink Hotels and have this data rectified and corrected. You can also have Your incomplete personal data completed. Tallink Hotels will make sure this personal data will be corrected as soon as possible. In order to have this done, You are welcome to contact us by writing to the e-mail address firstname.lastname@example.org.
Right to erasure (“right to be forgotten”) – this right allows data subjects to have their personal data erased where one of the following grounds applies:
• the personal data are no longer necessary in relation to the purposes for which they were collected or processed;
• when the data subject withdraws consent;
• the data subject objects to the processing and there is no overriding legitimate interest for the processing;
• the personal data have been unlawfully processed;
• the personal data have to be erased in order to comply with a legal obligation or because the personal data was processed in relation to the offer of information society services (e.g. apps) to a child.
Right to erasure is not an absolute right and therefore Your request to have Your personal data erased may not mean that all of Your data will be erased after the request. Sometimes we are obligated by law to retain some data and in cases like this we might not be able to satisfy Your request to erasure. This can also be the case when we need to retain this data for the exercise or defence of legal claims.
Right to restriction of processing – when exercising this right, data subjects may “block” or suppress the processing of personal data by Tallink Hotels. As a result of that, Tallink Hotels may be permitted to only store the existing personal data but not further process it. Tallink Hotels restricts the processing of Your personal data upon Your request until the verification of accuracy or when You contest the accuracy of Your personal data. Tallink Hotels may also be obligated to restrict the processing of personal data, for example, when Tallink Hotels no longer needs it, but You require the data to establish, exercise or defend a legal claim.
Right to data portability – You may use the right to receive the personal data concerning You, which You have provided Tallink Hotels, in a structured, commonly used and machine-readable format. In exercising this right, You may use the right to have Your personal data transmitted directly from one controller to another, where it is technically feasible.
Right to object – You have the right to object, on grounds relating to Your particular situation, at any time to processing of personal data concerning You which is based on legitimate interest, including profiling. In that case, Tallink Hotels will no longer process the personal data unless Tallink Hotels has legitimate grounds for processing the personal data.
• Where Tallink Hotels processes personal data for direct marketing purposes, the data subject has the right to object at any time to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing at any time and free of charge.
• Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes by Tallink Hotels. In this case, Tallink Hotels stops processing Your personal data for marketing purposes but might not stop processing it for other lawful purposes.
The right to lodge a complaint with a supervisory authority – every data subject has the right to turn to a data protection supervisory authority with a complaint if the data subject considers that the processing of personal data relating to him or her infringes and is not in accordance with provisions foreseen by the data protection laws and GDPR. The national supervisory authority in Estonia is “Andmekaitse Inspektsioon”, in Finland “Tietosuojavaltuutettu”, in Latvia “Datu Valsts Inspekcija” and in Sweden “Datainspektionen”.
The right to withdraw consent – if the personal data processing is based on consent, the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. Tallink Hotels will stop processing personal data if the sole basis for the processing is consent. If there exist other legal ground(s) for personal data processing (e.g. contract, legitimate interest) the processing may be continued based on this other legal ground.
Tallink Hotels processes personal data for several different purposes. In different cases Tallink Hotels processes personal data for purposes, which include:
• sale activities;
• marketing, direct marketing by profiling and for making sale and promo offers;
• data analytics for marketing purposes;
• booking and customer services;
• invoicing and related correspondence with customers;
• providing accommodation and additional services;
• legal purposes and legal obligations;
• receiving and handling client feedback;
• conducting surveys for customer feedback and service improvement;
• applying security measures and for solving incidents.
The personal data processed by Tallink Hotels includes data subject’s:
• name and surname;
• date of birth;
• nationality and sex;
• address, phone number, e-mail address and other contact data;
• credit card, loyalty card (Club One) and customer’s account numbers information;
• data about purchases and services offered by Tallink Hotels, including data related to goods/services and quantities thereof;
• sales and accommodation data, including the date and time;
• customers’ health data (only when Tallink Hotels customers provide us with this data or it is necessary in order to protect the vital interests of the data subjects);
• other personal data voluntarily revealed to Tallink Hotels by data subjects (e.g. personal data provided to Tallink Hotels by customers in customer feedback forms).
Tallink Hotels processes personal data on several legal bases which are the following.
Consent Tallink Hotels may process Your personal data on the basis of Your consent. For instance, for sending You the Tallink Hotels newsletter, Tallink Hotels first asks for Your consent for subscription and after You have subscribed, Your consent serves as a legal basis for sending the newsletter to You.
In relation to information society services, data protection regulations set stricter rules and conditions for a child’s consent. Where a child is below the age of 13 years or below another age laid down in the applicable law, such processing shall be considered lawful only if that consent is given by the child’s parent or the holder of parental responsibility over the child.
Contract Tallink Hotels may process personal data if the processing is necessary for the performance of a contract. For instance, Tallink Hotels processes Your personal data for billing purposes when You use our Pre-Order service in order to fulfil a contract with You and deliver You the goods You have ordered.
Legal obligation Tallink Hotels may process personal data if the processing is necessary for compliance with a legal obligation. For instance, Tallink Hotels has the legal obligation to collect certain personal data from the hotel guests, like name, citizenship, travel document number and date of birth.
Vital interests Tallink Hotels may process personal data if the processing is necessary in order to protect the vital interests of the data subject or of another natural person. For example, Tallink Hotels personnel might need to forward data subject’s health data to a hospital in case somebody unexpectedly falls ill within Tallink Hotels premises, to provide the necessary medical care and protect our customers’ health in the best possible way.
Legitimate interests Tallink Hotels may process personal data if the processing is necessary for the purposes of the legitimate interests. For example, if You have booked an accommodation with us, we can send You customer satisfaction surveys after the accommodation to improve the quality of our service.
Profiling in Tallink Hotels means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject. In Tallink Hotels, profiling may be carried out, for instance, to analyse or predict aspects concerning customer’s personal preferences, interests, behaviour, location or movements. As a result of profiling, Tallink Hotels is determined to make offers for the best services and goods to Tallink Hotels customers on the basis of a consent, contract or legitimate interest in order to satisfy all the needs of Tallink Hotels’s customers.
Tallink Hotels may use different ways of profiling. For making offers, Tallink Hotels distinguishes receivers of the offers for example on the ground of travel behaviour, language, citizenship and place of residence (to send the offer in an understandable language and to target customers in particular region), age (to make an offer most suitable for certain age group), previous accommodations and purchases (to send offers and products customer prefers the most).
Where personal data is processed for the purposes of direct marketing, data subjects may “opt-out” from having their personal data used for such purposes and exercise the right to object to processing for direct marketing purposes. For example, if Tallink Hotels sends You a newsletter with different offers and You no longer wish to receive them in the future, You always have the chance to opt-out from receiving these offers. Customers are welcome to express their wish to receive these offers again in the future after withdrawal of such offers.
Tallink Hotels may send advertisements or display them on Tallink Hotels website to its customers regarding its services, or customer satisfaction questionnaires for the purpose of improving service quality, or the offers of other business partners. Customers may refuse to receive such advertisements, questionnaires and offers at any time by informing Tallink Hotels via links for automated refusals.
When Tallink Hotels customers are using Tallink Hotels services, Tallink Hotels and external service providers and partners may send cookies or similar technology to user’s computer to enhance and develop user’s online experience. However, You can also set your browser settings in such a way that it informs You when you receive a cookie or automatically declines to accept it. Therefore, You can decide for yourself whether You wish to accept cookies or not. At the same time, please be aware that some Tallink Hotels website features or services may not function properly without cookies.
Tallink Hotels’s website may also use various tracking and analytics tools to gather information, analyze and measure the use of the site or the effectiveness of Tallink Hotels’s communications or advertising, i.e. how Tallink Hotels’s communication reaches customers.
Tallink Hotels keeps all personal data revealed to it strictly confidential and protects customers’ and employees’ personal data from illegitimately falling into the hands of third parties by applying effective IT security measures.
Tallink Hotels uses safeguards which take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons. These measures include inter alia appropriate IT, technical and organisational data protection measures, pseudonymisation and anonymization. Such measures are put in place to ensure that by default personal data are not made accessible to an indefinite number of persons where there is no will for that and to ensure personal data protection in general. In addition, when using CCTV, Tallink Hotels displays signs, which are visible and readable to data subjects.
A two-night accommodation package including a generous buffet breakfast, access to Aqua Spa and 3 beauty treatments. Price from: 186 € / person
The package includes: – accommodation in a 2-person Standard-class room (3 days, 2 nights) – generous buffet breakfasts at the hotel restaurant – full day access to Aqua Spa – 3 beauty treatments – a dressing gown during your stay
Treatments included in the package: – Manicure 45 min – Pedicure 45 min – Refreshing face treatment 45 min
Additional information and booking: Phone: +372 630 0808 E-mail: email@example.com
A one-night accommodation package including a generous buffet breakfast, access to Aqua Spa and an enjoyable relaxing massage. Price from: 80 € / person
The package includes: – accommodation in a 2-person Standard-class room (2 days, 1 night) – a generous buffet breakfast at the hotel restaurant – full day access to Aqua Spa – classic relaxing massage 60 min – a dressing gown during your stay
Additional information and booking: Phone: +372 630 0808 E-mail: firstname.lastname@example.org
Dress code: shiny, bright, silvery, masks The award for the best dressed is a cruise to Sweden! Host – Mr Erkki Sillaots
Tickets: Adult 130 € Children 13–17 y. 117 € Children 6–12 y. 65 € Children 0–5 y. for free
The price includes: – a welcome drink – a festive dinner buffet on 31.12.2018 (2 glasses of sparkling wine, unlimited wine included) – Program and menu (*.pdf)
Booking and information about availability: Tallink Hotels Booking Center On working days 08:30-18:00 Phone: +372 630 0808 E-mail: email@example.com