The Three Sisters Hotel (hereinafter “we”) values the privacy of every client (hereinafter “you”) very highly. In this privacy statement, we explain what data we collect about you, why we do this and what we do with your data. We use all necessary technical, physical and organizational security measures to protect your personal data from loss, destruction and unauthorized access.
As a rule, we receive data directly from you when you place a booking or inquiry via our website, telephone or e-mail, or purchase services directly on-site. Your data are also forwarded to us by travel agents, booking agents and other persons mediating accommodation services, when you have ordered our accommodation and/or other services from them. If we have not received data directly from you, we will issue the privacy statement to you at the first opportunity after receiving the data.
We collect the following data about you:
- personal information: such as first name and surname, date of birth / personal ID code, citizenship, document (passport/ID card) data or a copy of the relevant document. We need these data to identify you, which in turn is necessary to ensure that services are provided to the person who actually ordered them
- contact information: such as home address, telephone number, e-mail address. We need these data to contact you. First and foremost, we contact you by telephone or e-mail, but using the home address may also be necessary under certain circumstances (e.g. if you cannot be contacted via other means). We use contact data for sending confirmation letters, offering extra services (transfer, flowers in the room, tour guide, etc.) which are related to the client's booking, and for sending prior and follow-up letters. Prior letters are intended as a reminder of the booking. Follow-up letters are intended for receiving feedback
- data of the visitor’s card: these are data on a visitor of an accommodation establishment required pursuant to the Tourism Act - e.g. citizenship, name, date of birth and citizenship of spouse and underage visitor to be accommodated with the visitor, time of providing accommodation service, etc. We are obligated to collect these data pursuant to the Tourism Act. The aim is to prevent dangers involved in e.g. illegal immigration. If you do not provide us with data for the visitor's card then we cannot provide accommodation services to you
- credit card data: card number, name of owner, term of validity. We need these data to ensure the booking. Pursuant to the terms of cancellation, we recommend notifying us of a cancelled booking in writing 48 hours before the arrival to avoid the cancellation fee (100% of the price of room for the first night). The hotel has the right to withhold a certain amount from your credit card for payment for services you ordered. In case of a debt, the hotel has the right to deduct the corresponding amount from the credit card
- security camera recordings – if you visit our accommodation establishment or other rooms equipped with video or other electronic or digital surveillance systems or equipment for safety reasons
- data concerning personal preferences: such as various food preferences and allergies (gluten intolerance, lactose intolerance, vegan diet etc.), restaurant bookings, various cultural programmes (ordering tours). If we collect these data or if you voluntarily disclose these data to us then we use them in order to provide better services to you based on your wishes and interests
- in the case of ordering parking service, the registration number of the vehicle is required
- in case of ordering transfer services, we require: the arrival time and date of the ship/flight/bus, name of trip, name of at least one passenger (the name goes on the sign used to receive the persons ordering transfer service). For airport transfer, we also need the flight number.
Your data are processed on various legal bases:
- your consent, upon filling in the visitor’s card
- the need to form a contractual relationship with you or perform one concluded with you
- the need to perform our legal obligations (e.g. filling a visitor’s card and preserving it for 2 years)
- the need to enforce our justified interests, incl. company management and running the business; discovering law infringements and frauds
- the need to protect the crucial interests of you or any other person (e.g. disclosing your data to an emergency worker in the case of an accident)
- other bases provided by the law.
We shall not disclose data entrusted to us by you, except in limited cases described below and if necessary for achieving the purposes described in this privacy statement:
- service providers: like many other companies, we may order data processing services from reliable third-party service providers such as IT maintenance and hotel management software, customer communication and accounting programmes, and consulting service companies.
- all our other partners who take part in organizing extra services you ordered (tour guides, restaurants, transfer companies, spa centres, other hotels, travel agencies and others)
- all company staff who take part in providing accommodation and additional services.
- public authority figures and government agencies: we may share data with companies when we are required by the law to share data or sharing data is necessary to protect our rights;
- professional consultants and others: we may share your data with professional consultants such as auditors, lawyers, accountants and other persons providing consulting services;
- our subsidiaries and affiliates: we may share your personal data with our subsidiaries or affiliates, all of which are located in the EU.
- third persons in connection with company transactions: we may share your data with third persons from time to time in the scope of a corporate transaction, such as the sale of a company or its part to another company, or in the scope of reorganizing, merging, joint venture or another repossession of the company’s assets or shares.
If we share your data with the above persons then we ensure the protection of your data with a data processing contract to be concluded between us and such a person.
We do not preserve or forward your personal data outside the European Economic Area or to any countries, for which a decision of sufficient protection has not been made pursuant to the Directive 95/46/EC, Article 25, Section 6, or its successor, the Regulation (EU) 2016/679, Article 45, Section 1.
We preserve your data as long as it is necessary for various purposes of data processing.
In preserving personal data, the company shall be guided by the following criteria:
- as long as personal data need to be preserved for providing its services. We preserve credit card data only until the proper performance of the accommodation service contract concluded between us.
- if a person has a customer account or customer card with the company then we preserve personal data for the duration of activity of the account/card or as long as necessary for providing services to the person
- if the company has a statutory, contractual or similar obligation to preserve the person’s data then as long as it is necessary to perform this obligation. We preserve the data of the visitor’s card for 2 years after filling the card pursuant to the requirements of the Tourism Act.
- after the end of a contractual relationship, we preserve certain data as long as the person (data subject) or company has the right to issue contractual claims against the other party.
If you have given us your consent to forward direct marketing materials then we preserve your contact data until you withdraw your consent.
As a data subject, you have the following rights:
- Right to review data – you have the right to know which data are preserved about you and how they are processed.
- Right to amend data – you have the right to request that your personal data are amended if they are incorrect.
- Right to delete data (“right to be forgotten”) – in certain cases, you have the right to demand that we delete your personal data (e.g. if we no longer need them, you withdraw the consent given to us for processing data, etc.).
- Right to restrict processing – in certain cases, you have the right to prohibit or restrict the processing of your personal data for a certain period of time (e.g. if you have objected to data processing).
- Right to object – depending on the specific situation, you have the right to object to the processing of your data if the processing of your data is carried out based on our justified interest or public interest. Processing of data for the purpose of direct marketing may be objected to at any time.
- Right to transfer data – you have the right to demand that we transfer data you have forwarded to us to yourself in computer-readable form. You may also request the transfer of data directly to another chief processor, but only if this is technically viable. The right of transfer applies only to data which we process on the basis of your consent or to perform a contract concluded with you.
- Making automated decisions (incl. profile analysis) - if we have informed you that we carry out decisions based on automated processing (incl. profile analysis) which results in legal consequences that concern you or has a significant impact on you, then you may demand that a decision not be made based on automated processing alone.
We do our best to address your petitions and requests in a timely manner and without a fee, except in cases when it would result in disproportionate expenses. If you are dissatisfied with an answer we give then you may issue a complaint to the Estonian Data Protection Inspectorate.
The data protection contact of 3S GROUP OÜ can be contacted at: firstname.lastname@example.org