The Data Protection Policy provides an overview of the following:
- Our values and general principles of personal data processing;
- Our role as a data processor;
- The personal data processed by us;
- The purposes of processing personal data;
- The legal basis for processing personal data;
- Your rights regarding personal data;
- Principles of using cookies;
- Implemented security measures for personal data;
- Actions to be taken in the event of a personal data breach;
- Principles of disclosing personal data;
- Retention of personal data;
- Availability of the Data Protection Policy.
1. Our values and general principles of personal data processing
We carefully and diligently comply with all requirements established by legislation regarding the processing of personal data. Compliance with these requirements is not a one-time formal activity for us but an integral part of our daily operations. We understand the importance of protecting personal data and acknowledge that, due to the nature of our business, we collect and retain more personal data than an average business. Therefore, we take great care in protecting your personal data.
Our main values and principles of personal data processing can be summarized as follows:
(1) We respect your right to the protection of your personal data and handle your personal data with care.
(2) We maintain the confidentiality of your personal data and implement various measures (physical, technical, organizational) to protect and mitigate risks associated with personal data.
(3) We process your personal data lawfully and in the minimum necessary scope.
(4) We establish clear purposes for the processing of personal data and process personal data only for those purposes.
(5) We regularly and comprehensively analyze the risks associated with the processing of personal data and keep the risks reasonably under control. We monitor future trends to ensure the protection of personal data under our care in the future.
(6) We only disclose personal data to our trusted partners who need the data to provide services to us, ultimately benefiting the quality of services provided to you. We regulate the principles of personal data processing in contracts with our partners.
(7) We retain personal data only for as long as required by applicable laws or contracts, or as necessary for our business operations. Upon termination of retention, we permanently erase personal data.
(8) We educate our staff on the requirements of personal data protection and ensure that each member of our staff understands the need and content of the requirements for processing personal data.
2. Our role as a data processor – joint data processors
Your personal data is processed by the hotel operator Haga Home OÜ, from whom you wish to purchase accommodation or other additional services.
Oma Korterid OÜ
Reg. kood: 16409820
Aadress: Pärnu mnt 105, 11312 Tallinn, Harju maakond, Eesti
In addition to processing personal data as a joint data processor, we may also process your personal data as an authorized data processor. As an authorized data processor, we process personal data mainly when we receive your personal data from our contractual partner who has a legal basis to transfer the data to us for processing. Our role changes from an authorized data processor to a joint data processor as soon as you provide us with your personal data directly.
3. What personal data do we process?
We process the following personal data:
(1) Personal information, such as name, date of birth, nationality, and the name, date of birth, and nationality of any accompanying minor staying with you.
(2) Contact information, such as address, email address, and phone numbers.
(3) Contact details of business client representatives, such as name, job title, and preferred language of communication.
(4) Reservation details, including reservations made by you at our hotel, including information about your preferences and choices, such as room type and desired services.
(5) Data related to your use of our services, such as information about the use, purchase, and cancellation of services, and data about purchases made at our hotels.
(6) Payment and financial data, such as account number, payment card information, and information about the selected payment method and payment behavior (including payment delays).
(7) Data related to participation in loyalty programs and their use.
(8) Consent/decline to receive our direct marketing communications.
(9) Feedback data provided to us, such as satisfaction ratings and comments about our services.
(10) Data related to participation in campaigns, such as participation information and awarded prizes.
(11) Communication data, such as data collected via email, social media, messaging, etc.
(12) Cookie data, which allows us to map and remember various activities, actions, and preferences related to you or your behavior on our website. This may include the type and version of the web browser, IP address, duration and time of website visit sessions, visited pages, and demographic information such as language preference and location.
(12) „Küpsiste“ andmed, mis võimaldavad Meil kaardistada ja meelde jätta erinevaid tegevusi, toiminguid ja eelistusi, mis on seotud Teiega või Teie käitumisega Meie veebilehel. Näiteks veebilehitseja tüüp ja versioon, IP-aadress, veebilehe külastamise sessiooni pikkus ja aeg, külastatud lehed ning demograafiline teave, nagu kasutatava keele eelistus ja asukoht.
4. For what purposes do we process personal data?
We process your personal data for the following purposes:
(1) To fulfill the contract between you and us, including contract preparation and conclusion, exercise of rights arising from the contract, and fulfillment of obligations arising from the contract.
(2) To comply with legal obligations and fulfill legal rights and obligations (such as the requirement to complete and retain a guest card, accounting obligations).
(3) To maintain and develop our relationship with you, including making reservations.
(4) To develop our business and customer service, including facilitating the use of our website, tracking and analyzing choices and preferences related to accommodation and dining.
(5) For advertising our goods and services.
(6) For activities related to our loyalty program, including registering benefits.
5. On what legal basis do we process personal data?
We process personal data in accordance with the requirements of the applicable laws in Estonia.
Primarily, we process personal data to fulfill the contract with you (points 4(1) and 4(6) of the data protection policy), to comply with legal obligations (point 4(2) of the data protection policy), based on your consent (point 4(5) of the data protection policy), and based on our legitimate interests (points 4(3) and 4(4) of the data protection policy).
6. What are your rights regarding personal data?
You have the following rights regarding your personal data:
(1) Right to access personal data – the right to know what data we store about you and how we process it, including information about the purpose of processing, recipients of personal data, information about automated decision-making, and the right to receive copies of your personal data.
(2) Right to rectification of personal data – the right to request correction of inadequate, incomplete, or inaccurate personal data.
(3) Right to withdraw consent for processing personal data – you have the right to withdraw your consent for processing personal data at any time. Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal.
(4) Right to erasure of personal data (“right to be forgotten”) – you have the right to request the erasure of your personal data (for example, if you withdraw your consent for processing personal data or if the personal data is no longer necessary for the purposes for which it was collected). We have the right to refuse erasure of personal data if the processing is necessary to fulfill our legal obligations, exercise freedom of speech and information, establish, exercise, or defend legal claims, or serve public interest.
(5) Right to restriction of processing – you have the right to restrict or limit the processing of your personal data in certain cases (for example, if you have objected to the processing of personal data).
(6) Right to object – you have the right to object to the processing of your personal data when the processing is based on our legitimate interests or public interest, or for marketing purposes. In the case of objection to the processing of personal data for direct marketing purposes, we will respond promptly.
(7) Right to data portability – if the processing of your personal data is based on your consent and is carried out by automated means, you have the right to receive the personal data concerning you, which you have provided to us as the data controller, in a structured, commonly used, and machine-readable format, and you have the right to transmit this data to another data controller. You also have the right to request that we transmit the personal data directly to another data controller, if technically feasible.
(8) Right to lodge complaints – you have the right to lodge complaints regarding the processing of your personal data by us with the Data Protection Inspectorate (www.aki.ee).
If you wish to exercise your rights regarding personal data or have any questions regarding the Data Protection Policy, please submit a relevant request to us by email at firstname.lastname@example.org. We will respond to your request by email usually within one month. Please note that before we can provide you with the requested information about your personal data, we need to verify your identity.
We use “cookies” on our website, and you can agree to them when deciding to use our website. “Cookies” help us improve the services we provide and make them more convenient for you.
We collect data on how you interact with our website and/or application. Additionally, we gather information from your computer or device, such as your IP address, the web browser you use, and language settings. We use this data for statistical purposes to improve our websites and applications and to display personalized content for you.
If you prefer that your personal data is not processed on the website, you can activate the private browsing feature in your web browser.
8. What security measures do we implement for personal data?
We implement various measures (physical, technical, organizational) to protect personal data from unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition, or unauthorized access.
We have restricted access to personal data for our employees and authorized personnel. Only those individuals who need access for performing their tasks can access personal data.
We only use authorized processors who have provided us with sufficient guarantees and who we believe are capable of processing personal data securely. We enter into written agreements with all our authorized processors to ensure that each authorized processor implements adequate protection measures for personal data.
9. What to do in case of personal data breaches?
Please inform us immediately of any known personal data breaches or threats of such breaches at email@example.com. We take the topic of personal data security very seriously and will respond promptly to any potential breach.
10. To whom do we disclose personal data?
We disclose your personal data or provide access to them to government agencies or supervisory authorities if we have a legal obligation to do so.
We disclose your personal data to our authorized processors as well as to individuals who have a legal right to access personal data. We generally process personal data within the European Economic Area (including EU countries, Norway, Iceland, and Liechtenstein). In the event that we need to transfer personal data outside the European Economic Area, the transfer will be carried out in accordance with the requirements of the General Data Protection Regulation.
11. How long do we retain personal data?
We retain personal data for as long as it is mandatory or permitted by applicable laws or necessary to achieve the purposes stated in the Data Protection Policy. For example, we retain personal data processed for legal obligations for as long as the respective legal obligation is valid (e.g., the obligation set forth in the Accounting Act for 7 years). We retain personal data related to contract performance and disputes until the expiration of the claim period.
After the expiration of the retention period for personal data, we permanently delete the data.
12. Validity and accessibility of the Data Protection Policy
The Data Protection Policy is accessible on our website at https://www.hagahome.me/.
Please note that we may change the Data Protection Policy from time to time.