Privacy Policy for Hotel Guests

An attractive hotel with the best location in Pärnu. Villa Wesset is situated on a lively main street by the beach, only a few hundred meters from the shore and within walking distance of the city centre. The hotel was completed in 2007 and features 36 uniquely decorated rooms. The building’s historical background is evident in the old creaking stairs, stylish wooden arches, the open-plan lobby, and arched windows. On the ground floor there is an à la carte restaurant with a cosy interior and delicious dishes.

We implement the necessary technical, physical, and organizational security measures to protect your personal data from loss, destruction, and unauthorized access.

If you have any questions regarding the information provided in this privacy notice, please contact us: info@wesset.ee.

We collect the following data about you:

• personal data: such as first and last name, date of birth/personal identification code
• contact details: such as residential address, telephone number, e-mail address
• visitor card data: these are the data required by the Tourism Act for a guest of the accommodation establishment – e.g. nationality, the name, date of birth and nationality of the spouse or accompanying minor, time of service, etc.
• credit card data: such as card number, cardholder’s name, expiry date
• security camera recordings – in cases where you visit our accommodation or other premises where, for security reasons, video or other electronic/digital surveillance systems or devices are installed
• data on personal preferences: such as room category, view of the city, pet, etc.

Generally, we receive the data directly from you when you make a booking or inquiry via our website wesset.ee, by telephone or e-mail, or when you purchase services in person.

Your data is also provided to us by travel agencies, booking companies, and other entities that mediate accommodation services from which you have ordered accommodation and/or other services. In the event that we have not received the data directly from you, we will send you this privacy notice as soon as possible after receiving the data.

We use your data to provide the accommodation and/or other services you have ordered, to comply with the legal obligations imposed on us by applicable laws, and for general business purposes, such as:

• personal data – we need these data to verify your identity, which is essential to ensure the service is provided to the person who actually ordered it
• contact details – we need these data to contact you. Primarily, we will contact you by telephone or e-mail; however, in certain cases your residential address may also be required (e.g. if other means of communication are unavailable).
• visitor card data – we are obliged to request these data under the Tourism Act. The purpose is to mitigate risks, for example, those associated with illegal immigration.
• credit card data – we require these data in cases where, under our hotel’s internal regulations and the accommodation service contract, we have the right to hold a certain amount on your credit card for payment of the services ordered or to reimburse incurred expenses.
• data on personal preferences – if we request these data or if you voluntarily provide them to us, we use them to offer you a better service based on your preferences and interests.

If you do not provide us with the visitor card data, we will not be able to provide you with accommodation services.

In processing your data, we rely on various legal bases:

• the need to establish a contractual relationship with you or to fulfill a contract concluded with you
• your consent – if we process your personal data on the basis of your consent, please note that you have the right to withdraw your consent at any time
• the need to fulfill our legal obligations (e.g. completing and retaining the visitor card for 2 years)
• the need to pursue our legitimate interests, including managing the company and conducting general business activities; detecting legal violations and fraud
• the need to protect your or any other person’s vital interests (e.g. disclosing your data to emergency services in the event of an accident)
• other grounds permitted by law.

We do not share the data entrusted to us by you except in limited cases described below and when it is necessary to achieve the purposes set out in this privacy notice:

• Our affiliated companies: we may share your personal data with our affiliated companies, all of which are located in the European Union.
• Service providers: like many other companies, we may commission data processing services from reliable third-party service providers, such as IT and consulting services;
• Public authorities and government agencies: we may share data with authorities if we are legally obliged to do so or if sharing data is necessary to protect our rights;
• Professional advisors and others: we may share your data with professional advisors such as auditors, lawyers, accountants, and other consultants;
• Third parties in connection with corporate transactions: occasionally, we may share your data with third parties as part of a corporate transaction, for example, in the sale of the company or a part thereof to another company. This also includes corporate reorganizations, joint ventures, mergers, or other asset restructurings.

In the event that we share your data with any of the above, we ensure your data is protected by means of a data processing agreement between us and that party.

We do not store or transfer your personal data outside the European Economic Area or to countries for which there is no adequacy decision based on Article 25(6) of Directive 95/46/EC or Article 45(1) of Regulation (EU) 2016/679 (or its implementing act).

We retain your data only as long as it is necessary to achieve the various purposes of data processing.

The company follows these criteria for retaining personal data:

• as long as it is necessary to retain personal data for providing our services
• if an individual has a customer account or card with the company, we retain personal data for the entire duration of the account/card activity or as long as it is needed to provide services
• if the company has a legal, contractual, or similar obligation to retain personal data, then for as long as necessary to fulfill that obligation
• after the termination of the contractual relationship, we retain certain data for as long as the individual (data subject) or the company has the right to make claims against the other party under the contract

We retain visitor card data in accordance with the requirements of the Tourism Act for 2 years from the date the card is completed.

We retain credit card data only for as long as necessary to properly fulfill our accommodation service contract.

If you have given us consent to receive direct marketing materials, we will retain your contact data until you withdraw your consent.

As a data subject, you have the following rights:

1. The right to access your data – you have the right to know what data about you is stored and how it is processed.
2. The right to rectification – you have the right to request that your personal data be corrected if it is inaccurate.
3. The right to erasure (the “right to be forgotten”) – in certain cases you have the right to request that we delete your personal data (for example, if we no longer need it or if you withdraw your consent for data processing, etc.).
4. The right to restrict processing – in certain cases you have the right to object to or restrict the processing of your personal data for a period of time (for example, if you have raised an objection to data processing).
5. The right to object – depending on the circumstances, you have the right to object to the processing of your personal data if it is based on our legitimate or public interests. You may object to the processing of your data for direct marketing purposes at any time.
6. The right to data portability – you have the right to request the transfer of the data you provided to us in a machine-readable format. You may also request that the data be transferred directly to another responsible data controller, but only if it is technically feasible. This right applies only to data that we process on the basis of your consent or for the fulfillment of a contract with you.
7. Automated decision-making (including profiling) – if you have been informed that we engage in automated decision-making (including profiling) that produces legal effects or significantly affects you, you have the right to request that the decision is not based solely on automated processing.

If you have any questions regarding the information in this notice or wish to submit a request to exercise your data subject rights, please contact us at e-mail: info@wesset.ee.

We will do our best to address your requests and wishes promptly and free of charge, except where doing so would incur disproportionate costs. If you are not satisfied with our response, you may file a complaint with the Data Protection Inspectorate.