In the data protection policy, We explain and describe the procedures for processing the personal data of a client (hereinafter “You”) in Metropol Hotels. Metropol Hotel and Metropol Spa Hotel consists of the parent company Haveli Invest OÜ (hereinafter “We”).
In the data protection policy, We give You an overview of the following:
(1) our values and general principles in the processing of personal data (article 1);
(2) our role as a processor of personal data (article 2);
(3) personal data processed by Us (article 3);
(4) the objectives of the processing of personal data (article 4);
(5) the legal basis for the processing of personal data (article 5);
(6) your rights relating to personal data (article 6);
(7) the principles of using “cookies” (article 7);
(8) the applicable personal data security measures (article 8);
(9) What to do in the case of a personal data breach (article 9);
(10) the principles for the disclosure of personal data (article 10);
(11) the safekeeping of personal data (article 11);
1. General principles and values that We adhere to when processing personal data
We attentively and carefully follow all the requirements for the processing of personal data established by law. Compliance with the requirements is not formal one-time action for Us, but a substantive daily activity that is integrated into all Our activities. We understand the importance of protecting personal data and know that deriving from our field of activity, We collect and safe keep more personal information than the average enterprise. Therefore, We are very careful with regard to the protection of Your personal data.
Our major values and principles in the processing of personal data can be briefly summarised in the following:
(1) We respect Your right to the protection of Your personal data and We take the safety of Your personal data seriously.
(2) We maintain the confidentiality of Your personal data and implement various measures (physical, technical, organisational) to protect the personal data and to mitigate risks.
(3) We process your personal data in the legal manner and minimum necessary amount.
(4) We set clear goals for the processing of personal data and process personal data for these purposes only.
(5) We regularly and comprehensively analyse the risks associated with the processing of personal data and We keep the risks reasonably under control. We keep track of future trends in order to ensure that personal data under Our care is also protected in the future.
(6) We only transfer personal data to Our good contractors in order for Our contractors to provide Us with the service that is ultimately needed to provide You with a high-quality service. We regulate the principles of processing personal data in contractual agreements concluded with Our contractors.
(7) We only retain personal data for as long as required by law or contracts or necessary for Our business activities. At the end of the safekeeping period, We shall delete the personal data permanently.
(8) We introduce personal data protection requirements to Our personnel and make sure that every member of Our personnel understands the necessity and content of the requirements for the processing of personal data.
2. Our role as a processor of personal data – co-accountable processors
Your personal information is processed by the company Haveli Invest OÜ hotels: Metropol Hotel and Metropol Spa Hotel, where You wish to stay or purchase some other service, as co-accountable processors.
We process personal data as a co-accountable, especially if We have received personal data directly from You (for example, filling in Our hotel’s visitor card or by “cookies”).
In addition to the processing as a co-accountable, We can process Your personal data as an authorised processor. As an authorised processor, We process personal data especially when We have received Your personal information from Our contractor, who has a legal basis for forwarding the data for processing to Us. Our role changes from an authorised processor to co-accountable as soon as You have provided Us with your personal data Yourself.
3. Which personal data do We process?
We process Your following personal data:
(1) personal data, such as name, date of birth, citizenship; name, date of birth and nationality of the minor staying with You;
(2) contact details, e.g. address, e-mail address, telephone numbers;
(3) the contact person data of the business client, e.g., name, title, communication language;
(4) bookings data, i.e. Your bookings made in our hotel, i.e. data about Your wishes and choices in Our hotel, such as a smoke-free room or table, the floor of the room and the desired services;
(5) Data related to the use of Our services, e.g. information on the use, purchase and cancellation of services and data on purchases made in Our hotels;
(6) Payment and financial data, e.g. account number, payment card data, data of the selected payment method and payment behaviour (including payment delays);
(7) data on the membership and use of the loyalty programme;
(8) agreement/refusal to receive Our marketing messages;
(9) feedback data to Us, such as Your satisfaction data and comments about Our services;
(10) participation data in campaigns, e.g. participation information and rewards won;
(11) communication data, for example, data collected through e-mail, data collected through social media, data forwarded by messages, etc.;
(12) “cookies” data, that allows us to map and remember the various actions, operations and preferences related to You or Your behaviour on our web page. E.g. the type and version of the web browser, IP address, the length and time of the web page visit session, the pages visited, and demographic information, such as the preference and location of the language being used.
4. For what purpose do We process personal data?
We process Your personal data for the following purposes:
(1) To fulfil the Agreement concluded between You and Us, incl. to prepare and conclude the agreement, to exercise rights arising from an agreement and to fulfil obligations arising from an agreement;
(2) For the realisation of rights and fulfilment of obligations arising from legislation (e.g. requirement for the visitor’s card to be filled in and maintained, for the performance of accounting obligations);
(3) To maintain and develop Your relationship with You, including making bookings;
(4) To develop our business operations and customer service, including facilitating the use of Our web page, monitoring and analysing accommodation and food choices and wishes;
(5) To advertise Our products and services;
(6) In our loyalty program-related activities, including registration of preferences.
5. On what legal basis do We process personal data?
We process personal data in accordance with the requirements of the current legislation in Estonia.
We mainly process personal data for the execution of the contracts concluded with You (Data Protection Policy articles 4(1) and 4(6)), fulfilling legal compliance (Data Protection Policy article 4(2)), based on Your consent (Data Protection Policy article 4(5)) and based on Our legitimate interest (Data Protection Policy articles 4(3) and 4(4)).
6. What are Your rights relating to personal data?
You have the following rights related to Your personal data:
(1) Right to familiarise Yourself with personal data – the right to know which personal data We store about You and how We Process them, incl. the right to know the purpose of processing, persons to whom We disclose the data, information regarding automated decision-making and the right to get copies of personal data.
(2) Right to correct personal data – the right to request insufficient, incomplete and incorrect personal data to be corrected.
(3) Right to withdraw the consent given for the processing of personal data – You have the right to withdraw the consent given to Us for the processing of personal data at any time. Please note that withdrawing consent shall have no impact on the lawfulness of the processing that has occurred before the withdrawal.
(4) Right to the erasure of personal data (‘the right to be forgotten’) – You have the right to demand that We erase Your personal data (e.g. You withdraw the consent given to process personal data or personal data is no longer needed for the purposes for which they were collected). We have the right to refuse to erase personal data when the processing of personal data is necessary to fulfil Our legal obligations, to exercise the right to freedom of expression and information, to the establishment, exercising or defence of legal claims or if it is in the public interest.
(5) Right to the restriction of processing – In certain cases, You have the right to forbid or restrict the processing of Your personal data for a limited time (e.g. You have objected to the processing of personal data).
(6) Right to object – You have the right, to object to Us processing Your personal data if the processing of Your personal data is performed due to our legitimate interest or in the public interest or for marketing purposes. In response to the objection to the processing of personal data for direct marketing purposes, We respond promptly.
(7) Right to data portability – If the processing of Your personal data is based on Your consent and Your personal data is processed automatically, then You have the right to obtain the personal data about You that You have presented to Us as the controller, in a structured, commonly used format and in machine-readable form and You have the right to transfer personal data to another controller. In addition, You have the right to demand that We transmit personal data directly to another controller when it is technically feasible.
(8) Right to complain – You have a right to lodge a complaint about Us with the Estonian Data Protection Inspectorate in connection with personal data processing (www.aki.ee).
For more information about Your rights, see Section 3 of the general regulation of Personal Data Protection.
If You would like to exercise Your right in relation to personal data or to inquire about the Data Protection Terms, please submit a corresponding request to Us via e-mail at email@example.com. We shall generally respond to Your application via e-mail no later than within one month. Please note that before We can issue You the information that You have requested about Your personal data, we have to verify Your identity.
We use ‘cookies’ on Our website that You can accept if You choose to use Our website. ‘Cookies’ help Us to improve the services offered to You and make these more convenient.
We collect data on how You communicate with Our website and/or Our application. In addition to this, We collect information from Your computer or device, such as the IP address, the browser You are using, and language settings. We use this data for statistical purposes to improve Our web pages and applications and to display custom content to You.
If You prefer Your personal data not to be processed on the website, You can activate the private browsing feature of Your web browser.
8. Which personal data security measures do We implement?
We implement various measures (physical, technical, organisational) to protect personal data from illegal or unauthorised destruction, loss, alteration, disclosure, acquisition or unauthorised access to them.
We have set access restrictions to personal data to Our employees and Our authorised employees. Personal data is only accessible to persons who need access to perform their duties.
We only use those authorised processors that have provided Us with sufficient collateral and whose ability to process personal information securely We trust. We conclude written contracts with all of Our authorised processors to ensure that each one of Our authorised processors implements sufficient safeguards with respect to personal data.
9. What do You do in the case of a personal data breach?
Please inform Us immediately of any personal data breach or threat of a breach at firstname.lastname@example.org. We take the subject of personal data security very seriously and respond immediately to any possible case of a breach.
10. Who do We disclose personal information to?
We will disclose Your personal data or give access to personal data to the authorities or supervisory institutions if We have the respective legal obligation.
We shall disclose Your personal data to Our authorised processors, as well as to persons who have a legal right to receive personal data.
As a rule, We process personal data within the European Economic Area (in addition to the EU countries Norway, Iceland and Liechtenstein). In the case that We need to forward personal data outside the EEA the transfer shall proceed in accordance with the requirements of the General Regulation on the Protection of Personal Data.
11. For how long will We keep personal data?
We shall safe keep personal data for as long as it is required or permitted according to legislation or necessary for the purposes set out in the Data Protection policy terms.
For instance, personal data processed for the purpose of a legal obligation will be retained for as long as the corresponding legal obligation is valid (e.g., 7 years set in the accounting law). We safe keep personal data relating to the fulfilment of the agreement and disputes until the claim expires.
At the end of the personal data safekeeping period, We shall delete the personal data permanently.
The Data Protection Policy is available on Our hotels’ website at https://www.metropol.ee/.
Please note that from time to time We may change the Data Protection Policy. We will notify You of the changes at a reasonable time in advance.