Privacy policy

Privacy policy

1. 1. General Provisions

1.1. The present privacy policy regulates main principles that concern collection, processing and storage of personal data. Personal data is collected, processed and stored by the personal data controller Meriton Hotels AS (hereinafter – “the data processor”).

1.2. The data subject within the meaning of the privacy policy is the customer or another natural person whose personal data is processed by the data processor.

1.3. The customer within the meaning of the privacy policy is any person who buys goods of services on the website of the data processor.

1.4. The data processor observes principles of processing of data stated in legal instruments, and among other the data processor processes personal data lawfully, fairly and securely. The data processor is able to confirm that personal data is processed in accordance with provisions of legal instruments.

2. 2. Collection, processing, and storage of personal data

2.1. Personal data that the data processor collects, processes and stores is collected electronically, mainly through the website and e-mail.

2.2. By sharing his or her personal data the data subject provides to the data processor the right to collect, organise, use for the purpose stated in the privacy policy such personal data which the data subject shares with the data processor directly or indirectly by buying goods or services on the website.

2.3. The data subject is responsible for assurance of precision, correctness and completeness of data submitted by him or her. Deliberate submission of incorrect data is deemed a breach of the privacy policy. The data subject is obliged to immediately inform the data processor of changes in the submitted data.

2.4. The data processor is not responsible for damage caused to the data subject or third persons which results from submission of incorrect data by the data subject.

3. Processing of personal data of customers

3.1. The data processor can process the following personal data of the data subject:

3.1.1. Name and surname;

3.1.2. Date of birth;

3.1.3. Telephone number;

3.1.4. E-mail address;

3.1.5. Address of delivery;

3.1.6. Type of mean of payment;

3.2. In addition to the above provisions, the data processor has the right to collect data regarding the customer which is available in public registers.

3.3. The legal basis for processing of personal data is subsections (a), (b), (c) and (f) of Article 6(1) of the General Data Protection Regulation: a), b), c) ja f):

1. 1. (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
2. 2. (b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
3. 3. (c) processing is necessary for compliance with a legal obligation to which the controller is subject;
4. 4. (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

3.4. Processing of personal data in accordance with the goal of processing:

3.4.1. Goal of processing – security and safety

Maximum period of storage of personal data – according to the periods stated in the law

3.4.2. Goal of processing – processing of an order

Maximum period of storage of personal data – 3 months

3.4.3. Goal of processing – assurance of functioning of services of the web shpo

Maximum period of storage of personal data – 3 months

3.4.4. Goal of processing – customer relations management

Maximum period of storage of personal data – 1 month

3.4.5. Goal of processing – financial activities, bookkeeping

Maximum period of storage of personal data – according to the periods stated in the law

3.4.6. Goal of processing – marketing

Maximum period of storage of personal data – 3 months

3.5. The data processor has the right to share personal data of customers with third persons. Such third persons can include, for example, authorised data processors, bookkeepers, transport and courier companies, providers of transfer services. The data processor is the personal data controller. AThe data processor forwards personal data required for making payments to the authorised processor Maksekeskus AS.

3.6. The data processor processes and stores personal data of the data subject applying organisational and technical measures which ensure protection of personal data from accidental or unlawful destruction, change, disclosure, or any other illegal processing.

3.7. . The data processor stores data of data subjects for a period that depends on the goal of processing, however, such period shall not exceed 7 years.

4. Rights of the data subject

4.1. The data subject has the right to get access to his or her personal data, and to familiarise himself or herself with such data.

4.2. The data subject has the right to receive information regarding processing of his or her personal data.

4.3. The data subject has the right to supplement or correct inaccurate data.

4.4. If the data processor processes personal data of the data subject on the basis of consent of the data subject, the data subject has the right to withdraw such consent at any time.

4.5. The data subject for the purpose of exercise of his or her rights can contact the customer support service of the web store at the address pastry.meriton.tallinn@parkinn.com.

4.6. The data subject for the purpose of protection of his or her rights can submit a complaint to the Data Protection Inspectorate.

5. Concluding Provisions

5.1. The present terms and conditions of data protection were prepared in accordance with the Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), with the Personal Data Protection Act of the Republic of Estonia, and with legal instruments of the Republic of Estonia and the European Union.

5.2. The data processor has the right to partially or fully amend the terms and conditions of data protection, notifying data subjects thereof via website www.cafemademoiselle.ee kaudu.