• Printer
Privacy Policy 

PRIVACY POLICY

Privacy Policy of our company (hereinafter the Policy) refers to our commitment to handle the personal data of our employees, clients, stakeholders and other interested persons with the utmost care and to process these data according to the effective data protection provisions. This Policy helps us guarantee that we collect, record and process data in a manner that is fair, transparent and respects the individual rights of persons. The Policy sets the general basis on which our organisation processes the personal data of people. We monitor on a daily basis that our activities are always updated in terms of the law, employee awareness and technology by making sure that our hardware and software correspond to the development of technology. We also make sure that data subjects have as much control as possible over the processing of their data, and friendly regulations that respect the data subject are established in the company. The Policy is specified by the Privacy Notice, which you will find below.

 

 

PRIVACY NOTICE

 

1. Introduction

1.1. Our company is a travel undertaking that uses personal data in its day-to-day operations for the purpose of provision, arrangement, organisation and mediation of various travel and tourism services. In our activities, we follow the General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act (PDPA), our own Privacy Policy and other established data protection rules. This Privacy Notice is aimed at the data subject specified in the GDPR and in the PDPA, i.e. at natural persons whose personal data are processed.

1.2. We understand that you (the Data Subject) are aware of and care about the processing of your personal data and therefore we herewith assure you that we take adherence to the rules established with regard to processing your data very seriously. The Privacy Notice describes the principles and practice used by our company regarding the entire chain of processing personal data from the collection and use to deletion, thereby focusing on the protection of personal data. We admit that the protection of personal data is an ongoing responsibility and therefore we revise the rules of the Privacy Notice from time to time, check its compliance with the established requirements and, where necessary, update its contents.

2. Data Protection Officer (DPO)

2.1. Our company Baltic Tours Ltd., registry code 10069352, legal address 5 Jõe Street Tallinn 10151, Estonia, has appointed the following person to ensure compliance with data protection requirements:

Name: Svea Lillepalu

Company: Baltic Tours Ltd

Address: 5 Jõe Street, Tallinn 10151, Estonia

Email: svea.lillepalu [at] baltictours.ee

Phone: +372 6 300 445

3. Collection of data

3.1. Our company mainly collects personal data from its customers who are natural persons. As a rule, these are data that are needed for the provision of travel and tourism services chosen by the customer and may be clarified in the framework of performance of a specific travel service and vary depending on the means of transport (bus, train, plane, ship) as well as the destination (a domestic trip, a trip within the territory of the EU and equivalent countries, a trip outside the EU). Thus, the requirements in countries and in respect of service providers are different, so the volume of personal data that must be collected for the provision of the service may also vary. Usually, in order to be able to travel, such data as the first name and surname, a travel/identity document with a photo that allows for identification of the person, the person’s gender and age as well as contact details such as the e-mail address, telephone number and address of the place of residence are required. Upon travelling outside the EU, the list of data may be longer due to the specific features of the country of destination (e.g. nationality, passport details. visa, vaccinations, etc.). We use your personal data in order to perform the contract between us and provide you with travel and tourism services. We do not sell your personal data to or share them with third parties, except those that we need to share them with in accordance with the law or for the purpose of performance of the contract concluded between you and us.

3.1.1. Processing of personal data in the course of provision and mediation of accommodation services

 

If you buy an accommodation service, your data (name, gender, personal identification code and/or date of birth) are required for complying with the requirements imposed on accommodation establishments as well as for provision of the service. The list of personal data may vary depending on requirements established in different countries. For that purpose it is necessary to know the data of the persons who will be using the accommodation service as well as the time when accommodation is needed. Generally, accommodation establishments are required to keep a register card of accommodated persons, which includes the data required by law and is sent to law enforcement agencies, where required.

 

Depending on the substance of the service, we may need personal data of various types owing to the characteristics of the accommodation service. For instance, it may be related to the need to have certain mobility aids (a wheelchair, lift, etc.) available in the case of a person with restricted mobility or special dietary data in the case of intolerance of certain substances (in the event where accommodation and food service have been ordered).

 

If you buy accommodation and medical rehabilitation services, we also need special personal data related to respective medical rehabilitation. In this way we learn about the place and time of medical rehabilitation as well as the substance of medical rehabilitation to the extent that it is required for providing the specific medical rehabilitation service. In any case such data can be classified as data of a special type, which you provide us with in order to receive the service.

 

Upon sale of the accommodation service and related services, where the best price has been offered by a wholesaler, we transfer your data to the wholesaler of the services who will, in turn, transfer the data to the specific provider of the accommodation service or of the related services.

 

We require that the accommodation service providers as well as the wholesalers process personal data in accordance with the GDPR. Each person used for the provision of the accommodation service is allowed to use personal data solely for the purpose of performing the contract.

 

3.1.2. Processing of personal data in the course of provision and mediation of conference services

 

In the course of provision of conference services we process personal data, above all, for performance of the conference service contract, e.g. we register participants and issue invoices (name, personal identification code, telephone, e-mail ...), organise translation services, organise photographer and operator services (photographs), organise and edit video transmissions, organise the making and distribution of memorabilia and publications (incl. name tags), organise dining (information on allergies and special diets, which constitute personal data of a special type). In the course of organising cultural and leisure time programmes, we also process personal data required for organising these (name, time of the programme, person’s preferences regarding various programmes), organising the accommodation (in the case of accommodation services see clause 3.1.1) and organising transport between the accommodation establishments and the venue of the conference (people's names, time of transport, place of accommodation and conference).

 

We require that our service providers process personal data in compliance with the GDPR. Each person used for the provision of the conference service is allowed to use personal data solely for the purpose of performing the contract.

 

3.1.3. Processing personal data in the course of provision and mediation of guide, guide/interpreter and tour manager services

 

To provide guide, guide/interpreter and tour manager services, we need from you such personal data as your name, personal identification code, time of provision of the service, the language pair and destinations that you will visit. In the course of provision of tour manager services, information on the personal data of a special type may be disclosed (e.g. the need for a wheelchair in the case of restricted mobility, the data of children and people accompanying you). Depending on the destination and the country of destination, your personal data may need to be transferred to a respective authority of the destination or the country of destination, where required.

 

If you have bought the guide, guide/interpreter and tour manager service mediation service from us, we usually transfer the data to the wholesaler of guide, guide/interpreter and tour manager services who, in turn, transfers the data to a provider of the specific service.

 

We require that our service providers process personal data in compliance with the GDPR. Each person used in providing guide, guide/interpreter and tour manager services may use personal data solely for performing the contract.

 

3.1.4. Provision and mediation of passenger carriage services

 

In order to provide passenger carrier services, we need from you such personal data as your name, personal identification code, details of the travel document, contact details, ... as well as service-related data. In the course of provision of passenger carriage services, information on the personal data of a special type may be disclosed (e.g. the need for a wheelchair in the case of restricted mobility, the data of children and people accompanying you). The law obligates the service provider to forward personal data to law enforcement agencies.

 

We require that our service providers process personal data in compliance with the GDPR. Each party used in the provision of the accommodation service is allowed to use personal data solely for the purpose of performing the contract.

 

3.1.5. Provision and mediation of visa services

 

In order to provide the visa service, we need from you such personal data as your name, personal identification code, details of your valid travel document, the country of destination, the preferable term of validity of the visa, the reason for visiting the country of destination, and other compulsory data requested by the country that you wish to visit.

 

We require that our service providers process personal data in compliance with the GDPR. Each person used for the provision of the service is allowed to use personal data solely for the purpose of performing the contract.

 

3.1.6. Mediation of a travel-related insurance service

To provide a travel-related insurance service mediation service we need such personal data as your name, personal identification code, place of residence, contact details, etc. In the course of performance of a respective contract, we may also learn information about your illness or that of your family member (insured event, travel disruption insurance), accident and medical expenses as well as personal data disclosed due to other unforeseeable insured events.

 

As a rule, we transfer the personal data to the insurer whom we require to process personal data in compliance with the GDPR.

 

3.1.7. Provision or mediation of a means of transport rental service

 

In order to provide or mediate a means of transport rental service, we need from you such personal data as your name, personal identification code, place of residence, contact details, to the required extent the details of a document certifying the right to drive a vehicle of the respective category, credit card details, etc. In the course of performance of the contract we may learn, among other things, information on your preferences in choosing carious cars, the names of the persons travelling in the car, and the times and routes of the rides. We would like to point out that the things that you forget in the car may also contain information about you.

 

In the case of mediation of a means of transport rental service, we transfer the submitted personal data to the provider of the specific means of transport rental service and require that the service provider comply with the GDPR when processing personal data.

 

3.2. Our online environment baltictours.eu as well as many other similar environments gather certain information automatically and record it in log files. The information may contain the IP address, region or general location where your computer or another device is connected to the Internet, the type of browser used, the operating system and other uses. We use this information to make our online environments better, simpler and more user friendly. We can also use your IP address to diagnose problems in our server and to administer the website, analyse trends and monitor site visitors, as well as gather demographic information more extensively in order to better understand the preferences of the visitors of our online environments.

3.3. If you have granted consent to receive newsletters and advertisements or you participate in lotteries of other campaigns organised or mediated by us, we ask for your name and contact details. We use this information to send you information about the services and goods provided by us and anything else that you might be interested in. We will not contract you more than four (4) times a month. Every now and then our newsletter may contain links to other online environments. Our company is not responsible for the content or privacy policy of those environments. If you no longer wish to receive the newsletter or direct messages, you can unsubscribe by clicking on the opt-out or unsubscribe link at the end of any newsletter and/or advertisement.

3.4. If you wish to place an order via our online environment, we need contact details like your name, e-mail address and in some cases your place of residence and contact details. This information is required only for the purpose of contacting you regarding your order and performance of the contract made or to be made with you. We share your personal data with the businesses that are directly involved in providing you with the service. We do not share your personal data with anyone else. At the time of placing the order we also ask you for information regarding payment for the order, such as your credit card number or bank payment details. Thereby we use a secure online connection to protect your personal data.

4. When and how our company keeps data

4.1. The data collected about you via your purchases are kept by our company until the expiry of the deadline for submission of claims set forth by law, after which the personal data are deleted. The data are kept in a single database or in multiple databases administered by a third party located in the Republic of Estonia. Said third party does not have access to the data and it does not use your personal data for any other purpose besides retention and backup.

5. When and how our company uses your personal data

5.1. Your personal data are used mainly for providing you with a service with your consent.

5.2. Your personal data are also used for updating the online environment according to your preferences, interests and needs, and in order to know your wishes and preferences better and improve the aspects of provision of the services of our online environments.

5.3. If you have granted approval to receive newsletters, special advertisements, direct messages, etc., from us, we send you the requested information. You can still opt out of such e-mail messages.

5.4. Your personal data are shared with the service providers whose service is indispensable for the purpose of performance of the concluded contracts and provision of the services.

5.5. We can also share your personal data when such need arises from investigation of criminal offences, compliance with judicial demands, fulfilment of your vital needs or an act related to sales, purchase, merger, reorganisation, financing, liquidation, winding up or a similar business-related act. In such events we take any and all measures necessary to sufficiently protect your personal data.

5.6. Upon gathering information necessary to participate in lotteries and other similar endeavours, the obtained personal data are used to contact you in the event of a win. Where the prize has been put up by another contracting partner, your personal data are sent to the partner so the partner can contact the winner. As a rule, the prerequisite for participating in such a prize game includes granting consent to the use of your personal data for other purposes; therefore, we ask you to carefully read the terms and conditions of the prize game before you agree to participate.

6. Transfer of personal data outside the EU or equivalent regions

6.1. We are located in the Republic of Estonia, which is a member state of the European Union. The personal data that we collect are processed mainly in the Republic of Estonia. If data need to be transferred outside the European Union or equivalent territories during the provision of a service for the purpose of performance of the contract, Article 45 of the GDPR requires that the level of protection guaranteed to the personal data be at least the same as in the territory of the EU. This is to inform you that our company does not have any other legal means besides contractual ones to give such a guarantee, which means that we are able to obtain confirmations regarding the sufficiency of the respective level of protection from those businesses with whom it is possible to conclude contracts and negotiate contract terms and conditions as well as to obligate such businesses to guarantee the respective level of protection themselves, but we are not in any way able to guarantee the sufficiency or GDPR compliance of such measures (read more here).

6.2. However, if we cannot reach an agreement with the respective service provider regarding the compliance of the level of protection of personal data with the requirements of the GDPR, we warn you that the level of protection of personal data in the respective country of destination is not at the same good level as that of the GDPR and explain that we do not have any means to in any way guarantee the high level of protection of personal data regarding the country of destination. If you wish to receive a service at such destination despite such a warning, we will obtain your separate consent that we are allowed to transfer your personal data to such country of destination.

 

7. Rights of data subjects

 

7.1. The Privacy Notice is meant to inform you what information our company collects about you and how it is used. If you have questions regarding your personal data, please contact us by e-mail svea.lillepalu [at] baltictours.ee or use the postal address indicated above.

 

7.2. If you would like to learn whether our company processes your personal data, access your personal data, review your personal data, correct or delete or restrict the processing of your personal data, withdraw your consents or submit an objection to the processing of your personal data, please send us an e-mail to svea.lillepalu [at] baltictours.ee or send a letter to the postal address indicated above.

7.3. You are entitled to the transfer of your personal data. We allow you to gain possession of your data in machine-readable format or have them forwarded directly to another service provider. However, we cannot guarantee that the other service provider is able to receive your personal data. The right to transfer data is restricted with the structured data submitted by you to use in a commonly used and machine-readable format; the right only applies to the data we use for the performance of a contract entered into with you or on the basis of consent, and only automatically and in the exercise of the relevant right, and we must also consider the rights of third parties to privacy. In order to exercise this right, please contact us by e-mail svea.lillepalu [at] baltictours.ee or using the postal address indicated above.

Read more about the rights of the data subject here.

8. Security of your data

8.1. In order to protect the personal data and information that allows for identification which you enter in our online environment, we use physical, technical and administrative protection measures. We regularly update and test our protection technologies. Our online networks are protected by firewalls and intrusion detection software. Access to your personal data is available only to the employees who need it for the purpose of providing you with the agreed service or on another legal ground (read more here).

8.2. We take reasonable measures to protect your personal data and our activity is subject to relevant information security legislation, but we would like to point out that no website or database is fully secure or hack proof. Protect yourself and help us prevent computer crime by protecting and safeguarding your passwords very carefully. Our online environment does not use spyware. If you suspect that your account has been hacked, contact us immediately.

8.3. In addition to this, we train our staff in order to attain a high level of awareness of the importance and need for protection of personal data. Our dedication is also manifested in internal rules that contain data protection provisions.

9. Amendment and revision of the Privacy Notice

9.1. As any organisation, our company also changes in time and space, which means that presumably the Privacy Notice will need to be amended and revised at one point in the future. For this reason we reserve the right to amend and revise the Privacy Notice at any time without informing you about it in advance. We publish the amendments on the same Privacy Notice website. We can inform you by e-mail about any major amendments in the Privacy Notice, but the safest choice is to regularly visit the Privacy Notice website in order to read the updated and effective terms and conditions.

10. Employee Privacy Notice

10.1. The Employee Privacy Notice is a separate document that is available exclusively to staff.

11. Questions, complaints

11.1. If your personal data have changed, inform us. If you have any additional questions about your personal data, contact us. We will reply immediately within the term prescribed by law. At the same time, be prepared that we may ask for more detailed information from you in order to identify you before answering the questions. We must be certain that information is transferred only to the right person. In most chases we correct or delete any inaccuracy that you have detected. In some cases we can fully or partially refuse to grant your request if the law allows for it or requires it.

11.2. If you find that your personal data have been handled in breach of the Privacy Notice or carelessly or if you have any questions, you always have the right to contact and inform our Data Protection Officer about this by e-mail svea.lillepalu [at] baltictours.ee or using the postal address indicated above.

11.3. You always have the right to contact the Data Protection Inspectorate or the court for the protection of your privacy rights and data. The Data Protection Inspectorate is a state authority that can be contacted for consultation or assistance in all issues relating to personal data protection.




Last update on 21. June 2018