1. Applicability of the Privacy Policy and general terms
1.1. This privacy policy (“Privacy Policy”) applies in all cases where Nunne Kvartal OÜ, the operator of Nunne Boutique Hotel and Âme Restaurant (hereinafter collectively referred to as the “Hotel”), processes personal data of natural persons (“Data Subject(s)”) in the conduct of its business as a data controller. As such, this Privacy Policy regulates the processing of personal data of the Hotel’s customers, visitors, as well as job applicants, and other potential new employees, where the Hotel processes such personal data as a data controller.
1.2. The protection of personal data and respect for the privacy of Data Subjects is essential to the Hotel, and the Hotel processes personal data with the utmost care. In order to ensure that all Data Subjects are aware of the rules on the processing of personal data, the Hotel hereby encourages all Data Subjects to carefully read this Privacy Policy.
1.3. The Privacy Policy is in effect as of the date indicated above. The Hotel reserves the right to unilaterally amend and supplement the Privacy Policy. The Hotel shall inform Data Subjects of any changes to the Privacy Policy by uploading the updated Privacy Policy on the Hotel’s website or otherwise.
1.4. The Hotel applies all applicable laws governing the processing of personal data, including the General Data Protection Regulation 2016/679 (“GDPR”). For the purposes of this Privacy Policy, the terms (controller, personal data, processing, etc.) shall be used in accordance with the GDPR and other relevant legislation.
2. Data controller and contact information
2.1. The controller of the personal data is Nunne Kvartal OÜ, which is a private limited company with registry code 12998104 and with a registered address of Nunne street 14, 10133, Harju County, Tallinn, the Republic of Estonia.
2.2. In case of any questions regarding the processing of personal data, please contact the Hotel by e-mail at andmekaitse-GDPR@nunne.ee.
3. Purposes of processing personal data and categories of personal data
3.1. The Hotel collects and processes the personal data of Data Subjects for the following purposes:
(a) where the Data Subject is a potential customer or customer of the Hotel (including the hotel or restaurant), the performance of the activities prior to providing the service and providing the service, including making reservations, communicating, sending notifications and dealing with any complaints;
(b) where the Data Subject is a customer of the Hotel (including the hotel or restaurant), ensuring the quality of the service, which may include sending a survey on customer satisfaction with the aim of obtaining and analysing feedback and improving the service;
(c) sending marketing communications if prior consent has been obtained;
(d) protecting and ensuring the security of the property of the Hotel, as well as the guests and staff members of the Hotel, which is why there are video cameras on the Hotel’s premises;
(e) processing of personal data of job applicants and other potential new employees for the purpose of assessing their suitability for employment;
(f) to ensure the functionality of the website if the website visitor has accepted the respective cookies;
(g) to analyse the use of the website where the website visitor has accepted the respective cookies;
(h) displaying personalised advertisements if the website visitor has accepted the respective cookies;
(i) to comply with the Hotel’s obligations under applicable law – for example, the Hotel is required to request and retain certain information about the Hotel’s visitors; and
(j) to exercise the Hotel’s rights under applicable law and contracts with customers.
3.2. For each of the purposes set out above, we will list below the personal data that the Hotel collects and processes for these purposes.
3.3. For the purpose of carrying out the operations prior to the provision of the service and for the purpose of providing the service (see the purpose in section 3.1(a) above), the Hotel processes the following personal data:
(a) for each service, as a standard practice, the Data Subject’s contact data, such as name, e-mail address, and telephone number;
(b) in the case of hotel room reservations and accommodation, also reservation and accommodation data, such as dates, arrival and departure times, amount due, purpose of visit, booking channel, age range of visitors, room selection, payment details, residential address, other comments and information that the Data Subject may disclose;
(c) in the case of a reservation at a restaurant, also the reservation details, such as date and time, number of guests, other comments and information that the Data Subject may disclose;
(d) in the case of a reservation for a seminar room, the details of the reservation, such as the date and time, the amount due, and payment details;
(e) in the case of the purchase of a gift card, the amount of the gift card;
(f) any other data the processing of which is necessary for the provision of the service by the Hotel;
(g) where the booking is made through or in connection with a company related to the Data Subject, information relating to that company – including the title of the Data Subject’s position within that company.
3.4. For the purpose of ensuring the quality of the services (see the purpose in section 3.1(b) above), the Hotel processes the following personal data:
(a) contact information, such as name, e-mail address, telephone number; and
(b) information relating to the visit and the feedback given.
3.5. For the purpose of sending marketing communications (see the purpose in section 3.1(c) above), the Hotel processes the contact details of the Data Subject who has given his or her consent to the communications (e.g., e-mail address).
3.6. For the purpose of protecting and ensuring the security of the property of the Hotel as well as the guests and staff members of the Hotel (see the purpose in section 3.1(d) above), the Hotel processes video images from security cameras. The security cameras only record images and do not record sound. The security cameras are located in public areas and workrooms of the Hotel’s premises – both inside the Hotel (including the SPA common area) and outside on the Hotel’s external walls. However, there are no security cameras in the guest rooms, toilets, showers or other private areas. Areas within the view of security cameras are marked with signs.
3.7. For the purpose of assessing the suitability for employment of job applicants and new potential employees (see the purpose in section 3.1(e) above), the Hotel processes the personal data of the relevant person, such as: name, e-mail, telephone number, address, CV, education, work experience, skills and other published data of the relevant person, as well as other personal data available from public sources.
3.8. For the purpose of ensuring the functionality of the Website (see the purpose in section 3.1(f) above), the Hotel processes data collected via cookies, such as information about the device used to visit the website.
3.9. For the purpose of analysing the use of the Website (see the purpose in section 3.1(g) above), the Hotel processes data collected via cookies, such as IP address, information about the device used to visit the website and data about the use of the website.
3.10. For the purpose of displaying personalised advertisements (see the purpose in section 3.1(h) above), the Hotel processes data collected via cookies, such as the history of web browsing, information about the visit to the Hotel’s website and IP address.
3.11. For the purpose of complying with the Hotel’s obligations under applicable law (see the purpose in section 3.1(i) above), the Hotel processes any personal data in accordance with a legal obligation that the Hotel is required to fulfil under applicable law. In this respect, the Hotel is obliged under the Tourism Act, as an accommodation service provider, to register the visitor staying at the Hotel, usually on the basis of a travel document or identity card or other relevant document, and therefore the Hotel processes the data contained in the respective document. If the guest is a citizen of Estonia, another contracting state of the European Economic Area or Switzerland, or an alien residing in Estonia on the basis of a residence permit or right of residence, the Hotel is obliged to process (including store) the following data: name, date of birth, citizenship, country of residence, period of provision of the accommodation services, purpose of the travel and number of minors staying with the guest. If the visitor is a national of another country, the Hotel is also required to process (including store) the following personal data of the visitor: type and number of the travel document and the country of issue.
3.12. For the purpose of exercising the Hotel’s rights under applicable law and contracts with its customers (see the purpose in section 3.1(j) above), the Hotel processes any personal data in accordance with the right that the Hotel exercises.
4. How personal data is collected
4.1. The Hotel may collect or receive personal data through its website, social media channels or customer service. Sometimes the Hotel receives personal data directly (e.g., when the Data Subject as a guest checks in or checks out, or if the Data Subject contacts the Hotel) and sometimes the Hotel collects data automatically (e.g., by using cookies to understand how the website is used).
4.2. In certain cases, the Hotel may also receive personal data from third parties, such as travel booking platforms, travel agencies and/or bank card providers or other parties.
4.3. In certain cases, the provision of personal data is optional for the Data Subject – for example, if a customer arrives at a restaurant without a reservation and a free table is available, the Hotel does not need to process his or her personal data. However, in many situations, the provision of personal data is mandatory under the applicable legislation (e.g., the Hotel is obliged to collect data on guests staying at the Hotel), as well as in certain cases for the purposes of entering into and performing a relevant contract – for example, the Hotel needs to know how many nights a guest will stay at the Hotel, etc. Therefore, as a general rule, if the Data Subject does not provide personal data, the Hotel will not be able to provide services to him/her.
5. Legal basis for processing personal data
5.1. According to applicable law, there must be an appropriate legal basis for the processing of personal data. For each of the aforementioned purposes of processing, an explanation below is provided of the legal basis for the processing of personal data for that purpose.
5.2. Where the Hotel processes personal data for the purposes of carrying out operations prior to the provision of a service or for the provision of a service (see the purpose in section 3.1(a) above), the legal basis is the taking of pre-contractual measures in accordance with the Data Subject’s request or the contract with the Data Subject for the provision of the relevant service (Article 6(1)(b) of the GDPR).
5.3. In cases where the Hotel processes personal data for the purpose of ensuring the quality of the services (see the purpose in section 3.1(b) above), the legal basis for the processing of personal data is the legitimate interest of the Hotel as data controller pursuant to Article 6(1)(f) of the GDPR. The legitimate interest of the Hotel is to ensure a high quality of the services provided, for which it is essential to collect, process, and analyse the feedback of the persons who have visited or are visiting the Hotel.
5.4. The Hotel will only send marketing communications (see the purpose in section 3.1(c) above) if the recipient of the communication has given the Hotel prior consent, which is the relevant legal basis for the processing of personal data (Article 6(1)(a) of the GDPR). If a person does not give consent or if a person who has given prior consent withdraws consent, no marketing communications will be sent to that person.
5.5. The legal basis for the filming with security cameras (see the purpose in section 3.1(d) above) is the legitimate interest of the Hotel as a data controller pursuant to Article 6(1)(f) of the GDPR. The legitimate interest of the Hotel is to ensure the protection and security of the guests and staff members of the Hotel, as well as of its property. This includes the interest in identifying the perpetrator of a possible offence (e.g., theft), in securing evidence of the offence, and in exercising appropriate rights in any proceedings.
5.6. Where the Hotel processes the personal data of job applicants and potential employees for the purpose of assessing their suitability for employment (see the purpose in section 3.1(e) above), the legal basis is the following:
(a) if the person applies for employment with the Hotel himself/herself, the legal basis for the processing is his/her request for pre-contractual measures in accordance with Article 6(1)(b) of the GDPR;
(b) where the Hotel itself is actively seeking a potential new employee, the legal basis for the processing of personal data is the legitimate interest of the Hotel (Article 6(1)(f) GDPR). The Hotel’s legitimate interest is to find new employees;
(c) if the person has not been recruited but the Hotel wishes to retain his/her personal data after one year of the recruitment process, the Hotel will do so only with the consent of the person concerned (Article 6(1)(a) GDPR).
5.7. Where the Hotel processes personal data via cookies for the purposes of ensuring the functionality of the website, analysing the usage of the website and displaying personalised advertisements (see the purposes above in sections 3.1(f) to 3.1(h)), the legal basis for the processing of personal data for each purpose is the consent of the website visitor (Article 6(1)(a) of the GDPR). If an individual does not give consent or if a person who has previously given consent withdraws consent, no personal data will be processed for the purposes concerned.
5.8. Where the Hotel processes personal data for the purpose of fulfilling the Hotel’s obligations (see the purpose in section 3.1(i) above), the legal basis for the processing is Article 6(1)(c) of the GDPR and the corresponding legal obligation. As an accommodation service provider, the obligation to process data arises from § 24 of the Tourism Act.
5.9. Where the Hotel processes personal data for the purpose of exercising the Hotel’s rights under applicable law and under contracts with its customers (see the purpose in section 3.1(j) above), the legal basis is the legitimate interest of the Hotel as a data controller (Article 6(1)(f) of the GDPR). The legitimate interest of the Hotel is to protect and enforce its rights as it sees fit.
6. Disclosure of personal data to third parties
6.1. The Hotel may transfer or make the personal data accessible to third parties in the following cases:
(a) Service providers who provide the Hotel with IT services used by the Hotel in the course of its business and professional activities. These service providers may change from time to time but, for example, the Hotel currently uses Mews (Mews Systems B.V.), a provider of reservation software with headquarters in the European Union (the Netherlands). In addition, the Hotel currently uses a SharePoint solution (Microsoft) for data storage, which is based in the European Union in Ireland and headquartered in the USA. In addition, the Hotel uses DinnerBooking, a restaurant reservation system headquartered in Denmark.
(b) Persons providing accounting services.
(c) Other service providers that provide services to the Hotel.
(d) To another company in the same group as the Hotel, if necessary for any of the purposes set out in this Privacy Policy.
6.2. All third parties to whom the Hotel transfers personal data shall ensure the protection of personal data as provided for by the legislation governing the protection of personal data, including the GDPR. In the event that personal data is transferred outside the European Economic Area, appropriate safeguards shall be implemented to ensure the security of the personal data and the protection of the Data Subject’s rights under this Privacy Policy and the GDPR. Such safeguards may include, for example, the application of standard data protection clauses adopted by the European Commission.
6.3. In addition to the parties listed, the Hotel is also entitled to disclose personal data to third parties in cases provided for by law.
7. How long the data is stored
7.1. The Hotel only processes and stores personal data for as long as it is necessary to fulfil the purpose for which it is processed – once the purpose has ceased, the personal data will be erased or anonymised.
7.2. The personal data of the Data Subject shall be stored on the basis of the following principles:
(a) Personal data processed for the purpose of carrying out operations prior to the provision of the service and for the purpose of the provision of the service (see the purpose in section 3.1(a) above) – if the Hotel provides a service to the Data Subject, the processing of personal data for this purpose will cease upon the expiry of the respective contractual obligations; if the Data Subject contacts the Hotel for the provision of the service but the provision of the service is not agreed upon, the data will be deleted one year after the contact.
(b) Personal data processed for quality assurance purposes (see the purpose in section 3.1(b) above) – the data will be erased or made anonymous three years after the feedback was received.
(c) For the purpose of sending marketing communications (see the purpose in section 3.1(c) above), the Hotel processes personal data until the recipient withdraws his or her consent. This means that if an individual opts out of receiving marketing communications, the Hotel will no longer send such communications to that individual.
(d) The Hotel will generally keep security camera recordings (see the purpose in section 3.1(d) above) for 30 calendar days. In the event that the recording shows an offence or other act that may give rise to proceedings or a claim, the Hotel may retain the recording for longer.
(e) The personal data of job applicants and new potential employees (see the purpose in section 3.1(e) above) will be deleted one year after the end of the recruitment process, unless an employment (or other) contract is concluded with that person. Alternatively, if consent is taken from the individual for a longer period, the data will be kept until the consent is withdrawn (but in any case, for no longer than three years).
(f) Cookies for the purpose of providing website functionality (see the purpose in section 3.1(f) above) will be retained for a maximum of two years or until the consent is withdrawn by the website visitor (whichever occurs first).
(g) Cookies for the purpose of analysing the use of the website (see the purpose in section 3.1(g) above) will be retained for up to two years or until the Data Subject withdraws his or her consent (whichever occurs earlier).
(h) Cookies for displaying personalised advertisements (see the purpose in section 3.1(h) above) will be retained for up to two years or until the Data Subject withdraws consent (whichever occurs first).
(i) The period of retention of Personal Data retained for the purpose of complying with the Hotel’s obligations under applicable law (see the purpose in section 3.1(i) above) will depend on the specific legal obligation that the Hotel is required to comply with. In the event that the Hotel, as the accommodation service provider, is obliged to retain personal data of guests staying at the Hotel, the relevant personal data will be retained for a period of two years from the date of registration. Under the Accounting Act, accounting documents (including the personal data contained therein) are kept for 7 years from the end of the relevant financial year.
(j) For the purpose of exercising the Hotel’s rights under applicable law and under contracts with customers (see the purpose in section 3.1(j) above), the Hotel will retain personal data for a maximum period of three years.
8. Data Subject’s rights
8.1. The Data Subject has the right to contact the Hotel at any time with a simple and free-form request in writing to the email address andmekaitse-GDPR@nunne.ee regarding personal data relating to him or her and:
(a) request access to the personal data;
(b) request rectification of the personal data;
(c) request the erasure of personal data;
(d) restrict the processing of personal data;
(e) object to the processing of personal data;
(f) request the transfer of personal data;
(g) request that no decision based on automated processing be taken in relation to the data subject (if such decisions are taken); and
(h) withdraw consent to the processing of personal data (where the Data Subject has consented to the processing of personal data).
8.2. The Data Subject shall at all times have the right to lodge a complaint with the Hotel (at the e-mail address above) or with the supervisory authority (Data Protection Inspectorate – for further information: https://www.aki.ee/et; Tatari 39, Tallinn 10134; e-mail: info@aki.ee).
9. Cookies
9.1. The Hotel uses cookies on its website. Cookies are small blocks of textual data that are stored in the user’s web browser or device when visiting the website. Some cookies are first-party cookies and are linked to the website, but third-party cookies are also used (e.g., cookies from a booking service provider).
9.2. Cookies are generally used to make the website visitor’s experience as smooth and convenient as possible and to collect statistical data about website visits. More specifically, the following cookies are used:
(a) Strictly Necessary Cookies – cookies that are essential for the visitor to be able to use the website. Such cookies are used, for example, to protect the website from unauthorised commands from malicious websites, to enable secure https connections, etc. Without them, the Website would not function. As a general rule, such cookies are kept for 1-2 years. These cookies do not generally collect any personal data.
(b) Functionality cookies – cookies that enable the Website to function as intended. For example, we use session cookies that allow us to remember choices a visitor makes (e.g., cookie acceptance) and to recognise a visitor between sessions. Such cookies are usually stored until the end of the session of the website visit.
(c) Analytical cookies – cookies used to analyse the visit and use of the Website. As a general rule, such cookies are kept for 1-2 years.
(d) Marketing cookies – cookies used for the purpose of displaying personalised advertisements. As a general rule, such cookies are kept for 1-2 years.
9.3. In relation to cookies, the website visitor has the right to:
(a) refuse the use of cookies by not giving consent or by withdrawing consent;
(b) refuse the use of cookies by selecting the appropriate settings in the browser;
(c) delete cookies already stored on his/her device.
9.4. However, strictly necessary cookies will be used in any case without the visitor’s consent, as without them the use of the website is not possible. It is possible to use the website without the use of other cookies, but in this case the website may not be able to function fully and as intended.