Dorpat OÜ (hereinafter ‘we’) highly values the privacy of every client (hereinafter ‘you’). In this privacy notice, we will describe the kind of information we collect about you, why we do so and what we do with the data.
- Who are we?
- What kind of information do we collect about you and where do we obtain this information?
- Why do we need data about you? What happens if you do not provide any information?
- What kind of legal basis do we have for processing your data?
- Who do we share your data with?
- How long do we retain your data for?
- What are your rights regarding your data?
Who are we?
The historical name Dorpat covers Tartu’s largest hotel (with 205 rooms) as well as a spacious a la carte restaurant and a wellness-spa.
We implement the necessary technical, physical and organisational security measures to protect your personal data from data theft, loss and unauthorised access.
Should you have any questions regarding this privacy notice, please contact us by e-mail at email@example.com.
What kind of information do we collect about you and where do we obtain this information?
We collect the following kinds of information:
- Personal data, e.g. first and last name, date of birth and personal identification code.
- Contact information, e.g. home address, phone number and e-mail address.
- Visitor’s card information – based on the Tourism Act of Estonia, users of accommodation services are required to provide certain information such as citizenship as well as the names, dates of birth and citizenship of a spouse or minor accommodated with the visitor, and the period of provision of the accommodation services, etc.
- Credit card information, e.g. credit card number, the name of the cardholder and period of validity.
- Security camera footage – only in situations where you visit our accommodation facilities or other rooms that for security reasons have been equipped with video, electronic or digital surveillance systems or devices.
- Information concerning personal preferences, e.g. room type, with or without a city view, pets, etc.
In general, we obtain this information directly from you when you make a reservation or query through our website at www.dorpat.ee, by phone or e-mail or when you purchase our services in person at our facilities.
In addition, travel and booking businesses and other accommodation provision-related people may disclose your information to us if you have used their services to purchase accommodation or other services from us. In situations where we have not obtained your data from you directly, we will send you a privacy notice as soon as possible.
Why do we need data about you? What happens if you do not provide any information?
We use your information to provide accommodation and the other services you have purchased, as well as to meet obligations arising from regulatory legal acts and to pursue our general business objectives. For example:
- Personal data – this information is required for identification purposes in order to provide the service to the person who actually purchased it.
- Contact information – we need this information to contact you. First and foremost, we try to contact you by phone or e-mail, but in certain cases it may be necessary to use your home address (if we cannot reach you by other means).
- Visitor’s card information – we are required by law to seek this information, based on the Tourism Act of Estonia. The aim is to avoid any danger stemming from illegal immigration, for example
- Credit card information – we need this information to withhold a certain amount of money from your credit card to cover the cost of services or other expenses incurred by you, as is our right according to our internal regulations and the accommodation contract.
- Information concerning personal preferences – should we ask for this kind of information or should you volunteer it, we will use it to provide you with the best service, keeping your wishes and requests in mind
If you refuse to provide any information regarding the visitor’s card, we are unable to provide you with accommodation.
What kind of legal basis do we have for processing your data?
When processing your data, we do so while complying with a variety of legal bases.
- Requirement to enter into a contractual relationship with you and performing that contract
- Your consent – if we use your consent to process your data, know that you have the right to withdraw your consent at any time.
- Requirement to meet obligations arising from legal acts (e.g. visitor’s cards and storing that information for two years)
- Necessity to justifiably operate in the interests of our company, including managing the company, undertaking general business operations, investigating breaches of the law and fraud
- Necessity to protect our clients’ lives or anyone else’s (e.g. by disclosing information about you to emergency workers in case of an accident)
- Other situations in accordance with the law
Who do we share your data with?
We only share any data you have provided us with in the cases described below and when required in order to achieve the objectives described in this privacy notice:
- Affiliated companies – we may share your personal data with our affiliates located in the European Union.
- Service providers – we may purchase data-processing services (e.g. IT and consultation services) from trustworthy third-party service providers.
- Public authorities and government bodies – we may share our data with such authorities when we are required by law to share our data or when it is necessary to protect our rights.
- Professional consultants and other – we may share your data with professional consultants, e.g. auditors, lawyers, accountants and other consulting service providers.
- Third parties in connection with corporate deals: Occasionally we may share your data with third parties when closing corporate deals, e.g. when selling the company or a part of it to another business. This also applies to the process of restructuring the company, the creation of a joint venture, a merger or any other situation where company assets are transferred.
If we share your information with the above-mentioned parties, we will ensure that your data are protected by a data processing agreement entered to by us and the party in question.
We will not store your information nor send it outside of the European Economic Area or to countries that, according to Article 25 (6) of Directive 95/46/EC or Article 45 (1) of Regulation (EU) 2016/679, do not ensure an adequate level of data protection.
How long do we retain your data for?
We retain your data for as long as it is needed to achieve various data-processing objectives.
We take the following criteria into account when storing personal data:
- We store the data as long as it is needed to provide our services.
- If a person has a user account or a membership card tied to us, we will store their information for as long as the account/card is valid or for as long as such information is needed to provide services to them.
- If we have an obligation imposed by law, a contractual obligation or other such commitments to retain a client’s data, we will retain it until the obligation is met.
- After the termination of a contractual relationship, we will retain certain data for as long as the data subject or company has the right to make claims against the other party under a contract.
According to the Tourism Act of Estonia, visitor’s cards have to be preserved for two years as of the date they were filled in.
Credit card information is only retained until the accommodation contract between us and the client expires or is terminated.
If you have given us consent to send you marketing materials, we will store your contact information until you withdraw your consent.
What are your rights regarding your data?
As a data subject you have the following rights:
- Right to access – you have the right to know what information is being stored about you and how it is being processed.
- Right to data correction – you have the right to demand the correction of any inaccurate data.
- Right to data deletion (so-called right to being forgotten) – in certain cases, you have the right to demand the deletion of your personal data (when we no longer need it, when you withdraw your consent, etc.).
- Right to restricted processing – in certain cases, you have the right to prohibit or restrict the processing of your personal data for a certain period of time (e.g. when you have filed an objection in relation to data processing).
- Right to file objections – depending on specific situations, you have the right to file objections in relation to your data being processed when your data is processed based on our justified interest or public interest. You can object to data processing done for direct marketing purposes at any time.
- Right to data transfer – you have the right to demand that we transfer to you in a machine-readable format the information we have collected about you. You also have the right to demand the data be transferred to another data controller, but only if this is technically possible. The right to transfer applies only to data that we process with your consent or in order to meet our contractual obligations.
- Automated decisions (incl. profile analysis) – in a situation where we notify you that we are making automated decisions based on data processing (incl. profile analysis) which results in legal consequences for you or significantly affects you, you have the right to demand that decisions not be made solely on the basis of automated processing.
Should you have any questions regarding this privacy notice or wish to forward a request to exercise your rights as a data subject, please contact us by e-mail at firstname.lastname@example.org.
We will do our best to address your requests and wishes in a timely manner and without any fees, unless disproportionate costs are incurred. If you are not satisfied with our response, you have the option to turn to the Estonian Data Protection Inspectorate.
Soola 6, Tartu 51004
Telephone: +372 733 7180
Last edited: 20 January 2022