In this privacy policy (the ’Privacy Policy’), we describe how Smart Hotel OÜ (the ’Company’) processes the personal data of its employees, customers or people who otherwise cooperate with the Company, and what measures we take to protect personal data.

Personal data is processed in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679) and other national and European privacy laws and regulations (collectively, the ’Data Protection Act’). The Company has physical, technical and organizational measures in place to protect personal data from unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or unauthorized access.


This privacy policy applies to all personal data we process as a controller.

The company processes, for example, personal data of employees, temporary workers, self-employed persons, job and position candidates, supplier contacts, customers and guests and other partners.


The purpose of this privacy policy is to explain what personal information we process and how and why we do that. In addition, this privacy policy describes our obligations and responsibilities regarding data protection.


For the purposes of this Privacy Policy, the following definitions apply:

EEA – the European Economic Area

GDPR – is the EU General Data Protection Regulation (EU) 2016/679), the implementation of which starts on 25 May 2018.

Personal data is any data and information related to a natural person or a person and which enables the identification of this person. A person is identifiable if his or her identity can be identified to a reasonable extent on the basis of the data without a disproportionate effort. The identification may be based, for example, on a name, personal identification number, location information, network identifier or physical, physiological, genetic, mental, economic, cultural, or social identifier, or a combination of such identifiers.

Specific categories of personal data include personal data revealing a person’s racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, as well as genetic data, biometric data used for unique identification, health data or data on a person’s sexual life and sexual orientation.

“Personal data breach” means a security breach resulting in the unintentional or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, personal data which are transmitted, stored, or otherwise processed.

Customer is a natural person to whom the company provides services and / or goods in connection with its economic activities.

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller or the processor and persons who may process personal data under the direct authority of the controller or the processor.

Cooperation partner – a natural person who is an employee / representative / contact person of a company’s supplier or other legal person of cooperation partner.

Visitor card data – data required by the Tourism Act about the visitor of the accommodation establishment: name, date of birth, citizenship and address; the name, date of birth and nationality of the spouse and minor accommodated with him or her; time of provision of accommodation service; if it is not a citizen of Estonia, EEA Contracting State or of Switzerland or an alien residing in Estonia on the basis of a residence permit or right of residence, then also: the type and number of the travel document and the issuing country.

“Profile analysis” means any automated processing of personal data involving the use of personal data to assess certain personal aspects of a natural person, in particular to analyse or predict aspects relating to that person’s performance, financial situation, health, personal preferences, interests, reliability, behaviour, location or movement.

“Processing” means an operation or set of operations on personal data, such as collecting, documenting, organizing, structuring, storing, adapting and modifying, querying, reading, using, transmitting, distributing or otherwise making available, disclosing, merging or aggregating, restricting, deleting or destruction. Processing can be done manually or using automated systems, such as IT systems.

Contractor is a natural person (i.e. not a company) with whom the company has concluded an employment contract (contract of rendering service), including members of the company’s management bodies.

The controller is the person who decides why and how (i.e. for what purposes and in what ways) personal data are processed. The following questions may be helpful in identifying the controller.

– Who decides what personal data is stored?

– Who decides for what purposes personal data is used?

– Who decides how personal data is processed?

If a person decides on the processing of personal data in his or her possession and is responsible for them, he or she is the controller.

Authorized processor is a person who processes personal data on behalf of the controller. If personal data are in the possession or processing of a person but he or she does not have the power to decide on their processing, i.e. he or she processes them in accordance with the instructions of the controller, that person is an authorized processor. The authorized processor may be, for example, a service provider (for example, a payroll service provider).


3.1 Employees and contractors

The company processes data on its employees, on positions, candidates for positions (e.g. members of the management board) and employees as well as former employees and former contractors.

Such personal data includes the following:

  • personal data, such as name, date of birth, bank account details, visa / passport / ID card details or a copy of the relevant document;
  • contact details, such as address and telephone number, e-mail address;
  • personnel file data, including: employment conditions, training data, performance appraisals / evaluations, promotions, personal development plans, behavioural and disciplinary data, job location, salary data, bank account data, taxpayer number and personal identification number;
  • employment history / candidacy data, e.g. education and previous employment history;
  • details of family members such as dates of birth and names of the children (these are relevant, for example, if the person is applying for parental leave);
  • performance-related data such as annual salary reviews of employees, etc.
  • special types of personal data: medical certificates and medical records;

3.2 Customers

The company also processes the personal data of its customers. Such personal data may include:

  • personal data such as name, date of birth / personal identification number;
  • contact details such as address and telephone number, e-mail address;
  • visitor card data;
  • credit card details such as card number, expiration date, CVV;
  • security camera recordings in areas covered by video surveillance.

We use cookies on our website. You can read about the cookie policy here.

3.3 Cooperation partners

The company processes the personal data of its cooperation partners. Such personal data may include:

  • Personal details of partners’ representatives and contact persons, such as name, title, position, occupational identification numbers, department, business unit (incl. contact details collected for training / inspection);
  • contact information, such as email address, phone numbers, and work location;

The company processes personal data for the purposes for which the personal data was collected.

We process personal data of the employees for the following purposes, for example:

  • fulfilment of the employer’s obligations provided for the company in the Employment Contracts Act;
  • payroll and benefits management;
  • management of personnel activities, performance and talent;
  • internal audits;

We process the personal data of customers and partners, e.g., for the following reasons:

  • fulfilment of the obligations of the accommodation establishment provided for in the Tourism Act (e.g. filling in and maintaining the visitor card during the 2nd year);
  • preparation of the agreement concluded with the client / cooperation partner and its fulfilment;
  • marketing, and public relations;
  • improving the company’s products and services;
  • developing the company’s business strategy;
  • Ensuring the protection and security of the property of the Company, of our customers and employees, including the prevention and detection of illegal and / or criminal behaviour towards the Company or our customers and employees.


Under the Data Protection Act, people have certain rights regarding their personal data.

5.1. Right of access – You have the right to know what data is stored about you and how it is processed.

5.2. Right to rectify data – You have the right to request the rectification of your personal data in case it is incorrect.

5.3. Right to delete data (“right to be forgotten”) – in certain cases you have the right to request that we delete your personal data (e.g. if we no longer need it, you withdraw your consent to the processing of data, etc.).

5.4. Right to restrict processing – In certain cases, you have the right to prohibit or restrict the processing of your personal data for a certain period of time (e.g. if you have objected to the processing).

5.5. Right to object – Depending on the specific situation, you have the right to object to the processing of your personal data if the processing of your data is in our legitimate interest or in the public interest. Objections to the processing of personal data for direct marketing purposes may be raised at any time.

5.6 Right to transfer data – If the processing of personal data is based on a person’s consent or a contract with a company and the data is processed automatically, then the person has the right to receive personal data concerning him or her which he or she has submitted to the controller, in a structured, publicly available format and in a machine-readable form, and the right to transfer such data to another controller. He also has the right to require the company to transfer the data directly to another controller, if technically feasible.


The company may from time to time disclose personal data to third parties or have access to personal data processed by them in the company (for example, if a law enforcement authority or the Data Protection Inspectorate submits a valid request for access to personal data).

An undertaking may also share personal data: (a) with a person belonging to the same group as another undertaking (e.g. parent undertaking and subsidiaries, ultimate beneficiary of the group and its subsidiaries); (b) with other selected parties, including business partners, suppliers and contractors; (c) with other parties when we sell or buy other businesses or assets (i.e. in transactions); or (d) when a business has a legal obligation to disclose personal information (this includes exchanging information with other businesses and organizations to prevent fraud).

Where a company enters into agreements with other parties to process personal data on behalf of the company, it shall ensure that appropriate contractual safeguards are in place to protect personal data.


The company shall retain personal data only for as long as the retention of such personal data is deemed necessary for the purposes for which the personal data were collected. Personal data are stored in accordance with relevant laws and company policies.

The company follows the following criteria when storing personal data:

  • how long it is necessary to retain personal data in order to provide our services
  • if the person has a customer account or customer card with the company, we retain personal data for the entire period of account / card activity or as long as they are needed to provide services to the person
  • if the company has a legal, contractual, or other similar obligation to retain personal data as long as it is necessary to fulfil such obligation
  • after the termination of the contractual relationship, we retain certain data for as long as the person (data subject) or the company itself has the right to file claims against the other party under the contract

Some examples:

  • In accordance with the requirements of the Tourism Act, we store visitor card data for 2 years from the completion of the card.
  • In accordance with the requirements of the Employment Contracts Act, we keep written documents of the employment contract for 10 years after the termination of the employment contract.
  • We store credit card data until the proper performance of the accommodation service agreement between us.


The company is responsible for the processing of personal data. The overall responsibility for compliance with this privacy policy within the company rests with the company’s management, who determines the main contact regarding (i) the processing of personal data of the company’s employees and employees; (ii) the processing of personal data of customers and partners; and (iii) the security of personal data processed in the company.

All employees of the Company who are exposed to the processing of personal data are required to comply with the most up-to-date published version of this Privacy Policy.

If you have any questions concerning the information in this Privacy Policy or would like to apply for data subject rights, please contact us at:

Date: 05.05.2020