Introduction

1.1. Based on its field of activity, Spa Tours OÜ can be treated as an accommodation company that uses personal data in its daily business activities to provide accommodation service. In our activities, we are guided by the General Personal Data Protection Regulation (GDPR), the Personal Data Protection Act (IKS), our data protection strategy and other established data protection norms. This privacy information (hereinafter Privacy Information) is addressed to the data subject specified in the GDPR and IKS regulations, i.e., natural persons whose personal data is processed for the provision of the service.

1.2. We assume that you (the Data Subjects) are aware of and care about the processing of your data, therefore we hereby confirm that SPA Tours OÜ takes the fulfilment of the rules established for the processing of your data extremely seriously. Privacy information describes the principles and practices used by SPA Tours OÜ, concerning the entire chain of personal data processing from the collection, and the use and deletion thereof, focusing on personal data protection. The protection of personal data is an ongoing responsibility, which is why we review the Privacy Policy from time to time, check its compliance with established requirements and, if necessary, update its content.

Data Protection Officer (DPO)

2.1. Our company SPA Tours OÜ, registration code 11693733, with the legal address Tallinna tn 15, Kuressaare, Saaremaa parish, Saaremaa, 93811, has designated a data protection specialist.

DPO workplace location: Randvere tee 11, Viimsi parish, Haabneeme, Harjumaa 74001
E-mail address: gdpr@spatallinn.ee

Data collection

3.1. SPA Tours OÜ collects personal data mainly from its customers and additionally from cooperation partners-tour operators, for the provision of hotel services in Tallinn Viimsi SPA, Meresuu SPA and Grand Rose SPA Hotel. As a rule, the data is necessary for the provision of the hotel service chosen by the customer and can always be specified within the framework of a specific service (e.g., accommodation service, seminar service, spa service, catering service). Normally, only the first and last name, as well as contact information i.e., e-mail address, and telephone number, are required for the initial provision of hotel services and the formalisation of the original reservation, to send the customer a confirmation of the reservation or, depending on the situation, to contact the customer.

When making the initial reservation and determining the price range, it’s necessary to know the age of the accompanying minors. Minors’ names are not required.

3.1.1. Data processing

SPA Tours OÜ processes the following personal data:

• personal data: name, date of birth, nationality
• contact details: address, email address, telephone numbers
• business customer contact information: name, language of communication
• reservation data: special requests/needs in connection with the provision of accommodation services
• data related to the use of services: e.g., information about the use, purchase and cancellation of services and data on the purchases made;
• payment data: payment card data, data on the selected payment method and payment behaviour (including payment delays).
• feedback data: satisfaction data and comments about services;
• “Cookie” data that allows you to map and remember various activities, actions and preferences related to you or your behaviour on our website. E.g., web browser type and version, IP address, length and time of web page visiting session, pages visited, and demographic information i.e., language preference and location.

3.1.2. Processing of personal data during the provision and mediation of accommodation services

As per § 24 of the Tourism Act, when checking into the hotel, the customer must personally fill in the visitor card, with the following personal data being entered for the provision of accommodation services: first and last name, date of birth, citizenship, residential address, and e-mail address. The name, date of birth and citizenship of the spouse/partner and any minor residing with the customer are also entered on the visitor’s card. If the client is not a citizen of Estonia, a member state of the European Union, the European Economic Area or Switzerland, or is not a foreigner living in Estonia based on a residence permit or right of residence, then in addition to the above-mentioned data, the type, number and country of issue of the travel document need to be entered on the visitor card.
The customer confirms the correctness of the provided data with their signature.
SPA Tours OÜ uses customers’ data to fulfil the requirements set for accommodation facilities and to provide a service. We do not sell or share personal data with third parties except unless required to share by law or to fulfil a service contract concluded between us.
As per the requirements of the accommodation facility, Tallinn Viimsi SPA, Meresuu SPA and Grand Rose SPA are obliged to keep a register of the persons accommodated, ensuring that the data required by law is entered and forwarded to law enforcement bodies upon request.

3.1.3. Special types of personal data
Depending on the content of the service, Tallinn Viimsi SPA, Meresuu SPA and Grand Rose SPA may also need special types of personal data concerning the specifics of the accommodation service. E.g., the presence of mobility aids (wheelchairs) in the case of certain disabilities, food intolerance to certain substances or data on special diets (if a catering service has been ordered in addition to the accommodation). In any case, it’s a matter of diverse types of personal data, which the customer provides to us to receive the service.
We only use the personal data provided by the travel agencies to Tallinn Viimsi SPA, Meresuu SPA and Grand Rose SPA for the provision of services (accommodation, catering) and the data is processed, stored, and destroyed as per the rules provided.

3.1.4. Sending the best offers and reminders
Tallinn Viimsi SPA, Meresuu SPA and Grand Rose SPA email customers, only with their consent, the best offers and reminders (e.g., additional sales, seasonal exclusive offers, invitations to events, etc.) to a pre-confirmed e-mail address. The customer can withdraw this consent at any time by sending an e-mail to: gdpr@spatallinn.ee.

We also send hotel-related and informational e-mails necessary for customers if the customer has purchased/made a reservation from us for the first time or if the customer’s employer has approved them as an authorised person of the company. These letters are of a confirmation nature so that the customer is aware of joining us.

Regarding the provision of the service, we have the right to send you a feedback e-mail if you have purchased/made a reservation with us or requested a service. We only send feedback emails to clarify service bottlenecks and to provide the best service. If a special situation/accident occurs in the hotel, we can also contact the customer or send a notification letter.

3.2. Our internet environments (websites, various social media channels, e.g., Facebook, Instagram), as well as many other similar environments, collect certain information automatically and save it in log files. This information may include the IP address, region, or general location of the Internet connection of the customer’s computer or device, the type of browser used, the operating system and other information related to the use, including the history of visited pages. Hotels use this information to make the hotel’s internet environment better, simpler, and more user-friendly. We may also use your IP address to diagnose problems on our server and to administer the website, analyse trends, monitor the activity of visitors on the page, as well as to collect more extensive demographic information to better understand the preferences of visitors to our web environments. Internet environments also use a “cookies” system.

3.3. If the customer has consented to receive newsletters and advertising or has participated in raffles or other campaigns organised or mediated by Spa Tours OÜ, we ask for the customer’s name and contact details. We use this data to send information about the services and goods offered by our company or about anything else that may be of interest to the customer. If the customer no longer wishes to receive the newsletter and direct mail, they can stop receiving them by clicking on the link below each newsletter and/or advertisement (“If you no longer want to receive letters from us, click here”) or by sending a notification to gdpr@spatallinn.ee.

3.4. When a customer orders and submits a reservation through the booking environment on the website, we need their contact information: first and last name, e-mail address, phone number and, in some cases, their residential address. This information is only needed to contact the customer, if necessary, regarding information about the order and its fulfilment. During the preparation of the order, we also ask the customer for information regarding payment for the order, such as credit card numbers or bank payment details. We use a secure online connection to protect your data.

When and how SPA Tours OÜ stores data

4.1. The customer data obtained through purchases is held for the period when the obligation to store data provided by law and the expiration date for submission to requirements apply, after which the personal data is deleted. Data is stored in one or more databases.

4.2. Visitor cards filled out by the customer with personal data are collected in the corresponding folder and kept in a separate locked cabinet in a locked room. The data can only be seen and used directly by the staff dealing with reservations. Visitor cards are kept in the archives for 5 years.

4.3. Group lists sent by travel agencies to SPA Tours OÜ are entered into the Hotellinx booking environment. Both e-mailed and printed lists are destroyed after the group leaves the hotel.

When and how Spa Tours OÜ uses the client’s personal data

5.1. The customer’s data is mainly used to provide the service to the customer as agreed.

5.2. Personal data is entered into the Hotellinx reservation environment and is also used to update the customer’s profile as per their preferences and needs, to better understand the customer’s wishes and to improve aspects of service provision. The booking environment Hotellinx has a general history where visitor data is stored for 2-5.5 years.

5.3. If the customer has given consent to receive newsletters, special advertisements, direct mail, etc. from Spa Tours OÜ, we will send the customer the requested information. It’s possible to opt out of such e-mails at any time (see point 3.3).

5.4. Personal data of customers is shared with service providers whose service is unavoidable for the fulfilment of concluded contracts and the provision of services (e.g., masseurs, and beauticians).

5.5. We may also share visitors’ data, if such a need arises, for the investigation of crimes, the fulfilment of court requirements, or the fulfilment of the vital needs of customers; in connection with a sale, purchase, merger, reorganisation, financing, liquidation, termination, or similar business-related action. In such cases, we confirm that we will take all necessary measures to ensure that the customer’s data is adequately protected.

5.6. When collecting the information necessary to participate in sweepstakes and other similar events, the obtained contact data is used to be able to contact the customer in the event of a win. As a rule, a prerequisite for participation in prize games is consent to the use of a person’s contact data for other purposes, so we ask customers to carefully familiarise themselves with the conditions of the prize game before participating in it.

5.7. Spa Tours OÜ is the controller of personal data and forwards the personal data necessary for making payments to the authorised processor Maksekeskus AS.

Rights of the data subject

6.1. Privacy information is intended to provide the customer with the information that Spa Tours OÜ has collected about them and the use thereof. If the customer has questions about personal data or wants access to their data, please contact the e-mail address: Spa gdpr@spatallinn.ee.

The data subject has the following rights to their data:

• The right to access personal data – the right to know what data we stored about you and how we process it, including the right to know the purpose of the processing and the persons to whom we disclose personal data, if necessary.
• The right to the rectification of personal data – the right to request the correction of insufficient, incomplete, and incorrect personal data.
• The right to withdraw the consent given for the processing of personal data – You have the right, at any time, to withdraw the consent given to us for the processing of personal data.
• Please note that the withdrawal of consent does not affect the lawfulness of processing based on consent before the withdrawal.
• The right to the deletion of personal data (“right to be forgotten”) – You have the right to request that we delete your data (e.g. if you withdraw your consent for the processing of personal data or if the personal data is no longer needed for the purpose for which it was collected). We have the right to refuse to delete personal data if the processing of personal data is necessary to fulfil our legal obligation, to exercise the right to freedom of speech and information, and to prepare, present or defend legal claims.
• The right to the restriction of processing – You have the right to prohibit or restrict the processing of your data for a certain period in certain cases (e.g. if you have objected to the processing of your data).
• The right to object – You have the right to object to the processing of your data if the processing of your data is based on our legitimate interest or public interest or for marketing purposes.
• The right to file a complaint – You have the right to file a complaint with the Data Protection Inspectorate (www.aki.ee) regarding the processing of personal data.

Customer data security

7.1. To protect personal data and personally identifiable information that the customer enters in our online environment, we use physical, technical, and administrative protection measures. In this way, we regularly update and assess the protection technologies used. Our internet networks are protected by firewalls and intrusion detection software. Access to customers’ data is limited only to those employees who need such information to provide you with the agreed service or on other legal grounds.

7.2. We use adequate measures to protect your data, and our activities are subject to the relevant information security legislation, but we consider it necessary to point out that no website or database is completely secure, i.e., so-called hack-proof. Protect yourself and help us prevent computer crimes by being careful and protecting your passwords. Our internet environment does not use spyware. If you suspect that your account has been hacked, please contact us without delay.

7.3. Spa Tours OÜ trains its employees to achieve greater awareness of the importance and necessity of personal data protection. Our commitment is also expressed in the company’s internal regulations that directly affect employees, in which data protection provisions are embedded.

Changing and supplementing privacy information

8. Like every organisation, Spa Tours OÜ certainly changes in time and space, so it’s only right to assume that there may be a need to change and supplement the Privacy Information in the future. Due to the above, we announce that we have the right to change and supplement the content of the Privacy Notice at any time without notifying you. We will publish the changes on the website.

Employee Privacy Information

9. Employees’ privacy information is prepared as a separate document and is available only to employees of Spa Tours OÜ.

Questions, complaints

10.1. If your data has changed or if you have any further questions about your data, please do not hesitate to contact us. We will respond within the legal deadline. However, be prepared that, to protect personal data, we may ask you for more detailed information to identify you before answering the questions. For the agreements underlying the processing of personal data to adequately ensure the rights of the Data Subjects, we reserve the right to demand that the document certifying the right of representation of the Data Subject, submitted during or after the performance of the legal relationship between the parties (among other aspects in connection with data processing), and which is drawn up outside our accommodation, is notarized or equivalently proven. We must ensure that the Data Subject agrees to the transfer of information and that the information goes only to the right person or organisation. In most cases, we’ll correct or delete any inaccuracies you discover. In some cases, we can also refuse your request in whole or in part, if the law allows or requires us to do so.

10.2. For questions and complaints, please contact the data protection specialist at the e-mail address: gdpr@spatallinn.ee.
We’ll respond to the request submitted by the client as soon as possible, but within 30 days at the latest.