Personal data protection in My City Hotel
The wellbeing of our visitors and employees is very important for us. Thus we collect only the data that is necessary to fulfil our legal obligations and to offer better customer service. We respect highly the privacy of other people and strictly guarantee the confidentiality of personal data.
We take necessary technical and organizational measures to protect your personal data from being lost, distributed, destroyed or accessed without authorization.
If you have any questions about the information contained in the privacy notice, please contact Killu Maidla, the hotel manager, at firstname.lastname@example.org.
What kind of data do we collect about you and from who do we get it?
We collect the following data about you:
- the data of a visitor’s card, i.e. the data about accommodation establishment’s visitor prescribed by the Tourism Act (the first name and family name, date of birth, citizenship, residential address). Of those visitors who are not the citizens of EU member states we also ask for the passport details;
- the dates of stay and the room number;
- contact information, such as phone number, e-mail address;
- credit card information, such as card number, owner’s name, expiration date;
- recordings of security cameras – in case you visit publicly used rooms in our hotel where video cameras or other electronic or digital surveillance systems or devices are installed in order to furnish security;
- data about your personal preferences (e.g. a room with a king-size bed, a room with windows looking at the yard, a room upstairs or downstairs).
Usually we collect the data directly from you while you are making an online reservation, submitting a request via our website or contacting the hotel. We also collect the data concerning our visitors from our partners through whom you have made the reservation.
Why do we need your data?
We use your data to provide you with accommodation services and/or other services you have ordered from us. We also use the data to carry out our legal obligations that regulate our operation.
We don’t use your data for marketing purposes if we haven’t asked for or received your consent.
- Data of a visitor’s card – we are obliged to ask for these data pursuant to the Tourism Act. The purpose of this is to reduce the risk of illegal immigration.
- Contact information – we need these data to contact you in order to follow the contract between you and us. As a rule, we send you an e-mail before your arrival that has your dates of stay set out and some information about the hotel. We will send you another e-mail to ask for your feedback after you have checked out.
- Credit card information – we use these data to charge your card in order to pay for services you have subscribed to or compensate for your other costs, if we are entitled to it as per the accommodation services contract.
- Information about your personal preferences – in case we ask for the data or you give these voluntarily, then we’ll use it to provide you better services that are more in line with your preferences and interests.
- We also collect data about the services you have subscribed to, used and paid for in My City Hotel.
What is our legal basis for processing your data?
We have several legal grounds for processing your data:
- in order to enter into contract with you or to follow the contract (to fill the order);
- in order to exercise our legal obligations (e.g filling out visitor’s card and retaining it for 2 years, and keeping accounting records for 7 years);
- in order to establish our legitimate interests, such as running the company, carrying out our business operations, and discovering frauds and other breaches of law;
- in order to protect your or any other person’s vital interests (e.g by making your personal data available to ambulance personnel in cases of emergency);
The employees of My City Hotel who have access to the visitors’ data are aware of personal data protection principles as well as of the obligation to treat these data as confidential. If they infringe these principles, they will be held liable for their misbehaviour.
Who do we share your data with?
We don’t share the data you have provided to us with any third parties, but for the following exceptions and when the sharing is necessary to achieve the goals set out in this privacy notice.
- Service providers: just like other companies, we can subcontract data processing services from reliable third-party service providers, e.g. IT and counselling services.
- Public authorities and governmental institutions: we may share your data with these institutions to comply with laws or in order to safeguard our rights.
- Professional advisors, etc.: we may share your data with professional advisers, such as auditors and accountants.
In case we share your data with aforementioned parties, we guarantee the protection of your data by signing a data processing agreement between us and such parties.
We will not retain or transmit your personal data neither to countries outside European Economic Area nor to countries that are not designated as providing an adequate level of protection for personal data, under Article 25(6) of Directive 95/46/EC or under Article 45(1) of Regulation (EU) 2016/679.
How long do we retain your data?
We preserve the data of a visitor’s card for two years as of the date they were filled in (according to the Tourism Act).
Accounting records shall be preserved for seven years as of issuing the document (according to the Accounting Act).
Credit card information shall be preserved for 30 days as of checking out of the hotel (requirement implemented by international card associations).
If you have given us permission to send you direct marketing materials, then we’ll retain your contact information until you withdraw your consent.
What are your rights in respect of your personal data?
You as a data subject have the following rights:
- Right of access – you have the right to know which data concerning you are being retained and how these are being processed.
- Right to rectification – you have the right to request rectification of your personal data, in case these are incorrect.
- Right to erasure (’right to be forgotten’) – in some cases you have the right to obtain the erasure of personal data concerning you.
- Right to data portability – you have the right to receive your personal data that you have provided to us in a readable format. You may obtain the transmission of those data directly to another controller, but only if it is technically feasible. The right to data portability applies only to those data which we process based on you consent or in order to perform the contract with you.
If you have any questions with regard to this notice or if you would like to apply a request to perform your rights of data subject, then contact us by e-mail at email@example.com.
We will do our best to address your requests in timely manner and free of charge, unless this would impose disproportionate costs upon us. If you are not satisfied with the answer we have given you, then you are entitled to lodge a complaint with the Data Protection Inspectorate.