DATA PROTECTION POLICY
This document provides the data protection policy for AS Heal (“Fra Mare Thalasso Spa”), which sets out the ways in which Heal AS processes the personal data of its customers and other data subjects.
Processing within the meaning of this data protection policy is any activity or activities carried out with personal data or sets of personal data, whether automatically or otherwise, such as collection, storage, organization, classification, retention, adaptation or modification, extraction, consultation, use, disclosing by transmission or dissemination or otherwise making available, matching or combining, limiting, deleting or destroying; any activity involving personal data.
Customer satisfaction is a top priority for Heal AS. In order to ensure better customer service and to fulfill all contractual relations and legal obligations, Heal AS processes the personal data of its customers in accordance with the principles set forth in the data protection policy and applicable law. Proper processing of personal data guarantees accurate and prompt customer service by Heal AS and is therefore intended to ensure the well-being of our customers.
For the purposes of this data protection policy, personal data means any information relating to a data subject which may be used, directly or indirectly, to identify a person:
• personal data: such as first and last name, date of birth/personal identification number
• contact information: such as a home address, phone number, email address
• visitor card details: these are the data on the visitor of an accommodation establishment required by the Tourism Act – such as citizenship, name, date of birth and citizenship of the spouse, minor child, etc., to be accommodated together with the visitor, date of provision of accommodation service, etc.
• credit card details: such as card number, name of the owner, expiration date
• security camera recordings – when you visit our accommodation establishment or other premises that have video or other electronic surveillance systems or equipment for security reasons
• information about personal preferences: such as room category, city view, pet, etc.
• information about the health of the visitor when purchasing health services or treatment packages.
1. PERSONAL DATA CONTROLLER, AUTHORIZED PROCESSORS, AND THE DATA PROTECTION OFFICER
The personal data controller is the legal entity that determines the purposes and means of the processing of personal data.
Personal data controller: Heal AS
Company registry code: 10075401
Address: Ranna tee 2, 90403 Haapsalu, Estonia
Contacts: phone +372 4724600, e-mail firstname.lastname@example.org
Authorized processors of personal data
Authorized processors of personal data of Heal AS are third parties to whom we need to transfer personal information in order to provide our customers with better services and products. The authorized processors of personal data collected by Heal AS are:
• Authorized employees of Heal AS
• our partners who process personal data for the purposes we have set, based on instructions from us;
• law enforcement agencies to fulfill any legal obligation.
Data Protection Officer
In order to ensure the protection of personal data, Heal AS has appointed a Data Protection Officer (DPO) with specialist knowledge of personal data protection laws. The Data Protection Officer assists Heal AS in ensuring compliance with personal data protection requirements.
The Data Protection Officer of Heal AS will be the contact point for data subjects if they have queries and/or questions regarding the protection of personal data and the processing of personal data in Heal AS. Data subjects may contact the Data Protection Officer in all matters concerning the processing of their personal data and in the exercise of their rights.
Contact details of Data Protection Officer of Heal AS:
Data Protection Officer
Ranna tee 2, 90403 Haapsalu, Estonia
2. PRINCIPLES OF PROCESSING OF PERSONAL DATA
Heal AS will process your personal data in a fair and transparent manner and only if we are legally permitted to process your personal data.
Limitation of purpose
Heal AS collects your personal data for accurately and clearly defined and legitimate purposes. We will not process your personal data in a way that is incompatible with the above purposes. If your personal data are processed for purposes other than those for which they were originally provided, we rely on legal grounds (such as court or law enforcement inquiries) or ask for your permission to process your personal data for a purpose other than the purpose for which you originally provided your personal data to us. Heal AS will use its best efforts to ensure that the personal data processed by Heal AS is adequate, relevant, and limited to what is necessary for the purposes of the processing.
Our goal at Heal AS is to ensure that your personal data is accurate and, where necessary, up to date. Heal AS will take all reasonable steps to ensure that inaccurate personal data is deleted or rectified without delay. In the event of inaccurate personal data, Heal AS will give you the opportunity to correct and/or delete the data. To do this, write to email@example.com
Restriction on retention
Heal AS will retain your personal data in a form that permits the identification of data subjects for as long as is necessary for the purposes for which the personal data are processed.
• if a company has a statutory, contractual, or similar obligation to retain personal information, as long as it is necessary to fulfill such an obligation
• after the termination of the contractual relationship, we retain certain information for as long as the person (data subject) or the company is entitled to submit claims against the other party under the contract.
• visitor card data will be retained for 2 years from the date of completion of the card in accordance with the requirements of the Tourism Act.
• credit card information will be retained only as long as the contract of accommodation service between us is properly enforced.
• if you have given us consent for the provision of direct marketing materials, we will retain your contact information until you have withdrawn your consent.
Reliability and confidentiality
Heal AS will process special categories of personal data only if there is a legal basis to do so, and if we have an obligation or permission to process this type of sensitive personal information in accordance with the law. For example, we may process health-related data in the provision of treatment services and/or treatment packages and when you need first aid or if you have asked us to assist you in relation to your medical condition.
When developing, designing, selecting, and using applications, services, and products based on personal data processing or for processing personal data, Heal AS respects the right of the data subject to the protection of personal data.
3. RIGHTS OF THE DATA SUBJECT
Respect for the rights of the data subject is important to Heal AS and is therefore given special attention. Heal AS will only respond to a data subject’s request for personal data if the data subject has been able to prove his or her identity.
This means that if you are in doubt when dealing with your inquiry, Heal AS may ask you to provide additional information to identify the data subject. We do this to be sure of the identity of the data subject and to ensure that we provide the right data to the right person.
If the purposes for which Heal AS processes personal data do not require or no longer require the identification of the data subject, Heal AS shall not be obliged to store, collect or process additional data in order to identify the data subject. At the request of the data subject, and where possible, Heal AS shall duly inform the data subject of such processing.
Data Subject Access – You have the right to access your personal data and additional information processed by Heal AS. You may contact Heal AS and ask for what purpose we process your personal data. We will try to answer your questions as soon as possible, but we will try to do so within at least one month. For more complex queries, it may be necessary to extend the response time by an additional two months. In this case, we will contact you to extend the response period and explain the reasons for this. To do this, write to AKS@framare.ee
Copies – If required, Heal AS will provide a free copy upon request. In the case of additional copies, Heal AS may charge a fee based on the actual cost, if the data subject’s requests are repetitive in nature. If you submit your application electronically and unless otherwise requested by you, Heal AS will submit the information in a common electronic format. Heal AS may refuse to disclose information in the copy or to provide a copy, if it would disproportionately affect the rights and freedoms of other data subjects and less stringent measures cannot be taken.
Right to rectification – Any data subject who discovers that their personal data is out of date, incorrect or in need of rectification may contact Heal AS for correction or rectification. Heal AS ensures that personal data is corrected as soon as possible. For that purpose you can contact us by writing to firstname.lastname@example.org
Right to deletion – This right allows data subjects to request the deletion of their personal data if:
• personal data are no longer necessary for the purpose for which they were collected or processed;
• the data subject withdraws his or her consent;
• the data subject refuses the processing, and there is no overriding legitimate interest in the processing;
• unlawful processing of personal data;
The right of deletion is not an absolute right, and therefore your request for deletion of personal data may not mean that all your personal data will be deleted upon receipt of the request. Sometimes we have a legal obligation to retain some data, and in that case, we may not be able to comply with your request. The same can happen when we need to store the relevant data in order to fulfill or protect legal requirements.
Right to restrict processing – In exercising this right, data subjects may “block” or prohibit the processing of personal data by Heal AS. As a result, Heal AS may only be allowed to retain the existing personal data, but not process it further. At your request, Heal AS will limit the processing of your personal data until the verification of the accuracy of your personal data or until you dispute the accuracy of your personal data. Also, Heal AS may be required to restrict the processing of personal data, for example, when it is no longer needed by Heal AS, but you need the data to file, enforce, or defend a legal claim.
Right to transfer data – You may exercise the right to obtain personal information about you that you have provided to Heal AS in a structured, common, and machine-readable form. In exercising this right, you may exercise the right to have your personal data transferred directly from one administrator to another, where technically possible.
Right to file objections – You have the right to object at any time to the processing, including profiling, of personal data relating to you based on a legitimate interest in your situation. In such a case, Heal AS will cease processing your personal data unless there are compelling legitimate reasons for Heal AS to process the personal data.
Where Heal AS processes personal data for the purposes of direct marketing, the data subject shall have the right at any time to object to the processing of personal data relating to him or her in connection with such marketing, which shall include profiling at any time and free of charge. If the data subject objects to the processing of personal data for direct marketing purposes, Heal AS will no longer process personal data for such purposes. In this case, Heal AS will stop processing your personal data for marketing purposes, but may not terminate the processing for other legitimate purposes.
Right to file a complaint with the supervisory authority – all data subjects have the right to complain to the data protection supervisor if the data subject considers that the processing of personal data relating to him or her is in breach of data protection law and general data protection rules. In Estonia, the national supervisory authority is the Data Protection Inspectorate.
Right to withdraw consent – where the processing of personal data is based on consent, the data subject shall have the right to withdraw his or her consent at any time. Withdrawal of the consent shall not affect the lawfulness of the processing prior to the withdrawal of the consent. The data subject shall be notified thereof before giving the consent. Heal AS will discontinue processing of personal data if consent is the sole basis for such processing. Where there are other legal grounds (e.g., a contract, a legitimate interest) for the processing of personal data, the processing may continue on another appropriate legal basis.
4. PURPOSES OF PROCESSING OF PERSONAL DATA
Heal AS processes personal data for many different purposes. Heal AS processes personal data for a variety of purposes, which include:
• sales activities;
• marketing, direct marketing by profiling and making sales and promotional offers;
• data analysis for marketing purposes;
• booking and customer service;
• settlement and appropriate correspondence with clients;
• accommodation and provision of related services;
• medical services;
• legal purposes and legal obligations;
• receiving and handling customer feedback;
• conducting surveys to receive customer feedback and improve service;
• implementation of security measures and resolution of incidents.
5. CATEGORIES OF PERSONAL DATA TO BE PROCESSED
The data processed by Heal AS include the data subject’s:
• name and surname;
• date of birth;
• nationality and gender;
• address, telephone number, e-mail address, and other contact details;
• credit card, loyalty card, and customer account numbers;
• details of purchases and services provided by Heal AS, including details of goods/services and their quantities;
• sales and accommodation information, including dates and times;
• customer health information (only if such information is provided to us by Heal AS customers or if it is necessary to protect the vital interests of data subjects);
• other data voluntarily disclosed by data subjects to Heal AS (e.g., personal data disclosed to customers by Heal AS on customer feedback forms).
6. LEGAL BASIS FOR THE PROCESSING OF PERSONAL DATA
Heal AS processes personal data for a variety of legal purposes, which are set out below.
Heal AS may process your personal data with your consent. For example, to send you a Heal AS newsletter, Heal AS will first ask for your consent to receive the newsletters, and if you have consented, your consent will be deemed to be the legal basis for sending you the newsletter.
With regard to information society services, data protection regulations provide for stricter rules and conditions for children’s consent. If the child is under the age of 13, or under the age determined in the applicable law, the processing will only be considered lawful if the consent has been given by the parent or the person having parental responsibility for the child.
Heal AS may process personal data if such processing is necessary for the performance of the contract. For example, Heal AS will process your personal data for billing purposes when you use our pre-order service to fulfill the contract concluded with you and deliver to you the goods you have ordered.
Heal AS may process personal data if such processing is necessary to fulfill a legal obligation. For example, Heal AS has a legal obligation to collect certain personal information from hotel guests such as name, nationality, travel document number, date of birth in order to compile a list of persons on board. Therefore, Heal AS processes the personal data of its guests and compiles a list to fulfill its legal obligation under the law.
Heal AS may process personal data if such processing is necessary to protect the vital interests of the data subject or another natural person. For example, Heal AS employees may need to transfer the data subject’s health information to the hospital if someone suddenly falls ill in the territory of Heal AS in order to provide them with the medical care they need and to protect the health of our clients in the best possible way.
Heal AS may process personal data if such processing is necessary for a legitimate interest. For example, if you have booked accommodations with us, we may send you customer satisfaction questionnaires after the accommodation to improve the quality of our service.
7. PROFILING AND MARKETING
Profiling means any form of automated processing of personal data by Heal AS, which includes the use of personal data to evaluate certain personal aspects related to the data subject. In Heal AS, profiling may be performed, for example, to analyze or predict aspects of a customer’s personal preferences, interests, behaviors, location, or movements. As a result of profiling, Heal AS will provide its clients with the best services and goods based on consent, contract, or legal interest to meet all the needs of Fra Mare Thalasso Spa clients.
Heal AS can use different profiling methods. For bidding purposes, Heal AS distinguishes between bidders based on travel habits, language, nationality and place of residence (to send the offer in understandable language and to target customers in a specific area), age (to make the best offer for a specific age group), previous accommodation and purchases ( to send offers based on what customers prefer).
Where personal data are processed for direct marketing purposes, data subjects may “opt-out” of their personal data for such purposes and exercise their right to object to the use of personal data for direct marketing purposes. For example, if Heal AS sends you a newsletter containing various offers, and you do not wish to receive them in the future, you will always have the opportunity to opt-out of receiving such offers. After opting out of such offers, customers may show interest in getting offers again in the future.
Heal AS may send or submit advertisements for its services, customer satisfaction questionnaires to improve the quality of its services or offers from other business partners on the Heal AS website. Customers may at any time refuse to receive such advertisements, questionnaires, or offers by notifying Heal AS via automated refusal links.
8. USE OF “COOKIES”
Cookies are files that collect technical information about the user’s computer, browser, and website, such as which pages and in what order the user has visited. Heal AS uses purely technical cookies (e.g., for statistical purposes) and cookies that are able to identify guest users, enable and personalize visitor registration and website navigation, and measure and analyze user habits. Cookies allow a website to remember information related to the data subject’s visit, such as preferred language and other settings.
When Heal AS customers use the services of Heal AS, Heal AS, and external service providers or partners, may send cookies or other similar technology to the user’s computer to enhance and develop the user’s Internet experience. However, you can configure your browser settings so that the browser notifies you that you have received cookies or will automatically reject them. This allows you to decide whether or not you accept cookies. However, please be aware that some features or services on this website may not function properly without cookies.
The Heal AS website may use various analytical tools to gather information, analyze and measure website usage or the effectiveness of Heal AS communication or advertising, such as how Heal AS communications reach customers.
9. PROTECTION MEASURES
Heal AS will keep all personal information disclosed to it strictly confidential and will protect the personal data of its customers and employees against unauthorized access to third parties by implementing effective IT security measures.
Heal AS uses protection measures that take into account the nature, scope, context, and purposes of the processing of personal data and the threat to the rights and freedoms of natural persons. These measures include, but are not limited to, appropriate IT, technical and organizational data protection measures, pseudonymization and anonymization. Such measures shall be taken to ensure that personal data are not made available by default to an unlimited number of persons unless they so request and to ensure the general protection of personal data.
10. IMPLEMENTING PROVISION
Heal AS reserves the right to make changes to these data protection terms and conditions in the light of changes in legislation and practices related to the technology that guarantees the level of protection of personal data. Therefore, this data protection policy will be reviewed on a regular basis and, if necessary, amended. Changes to the data protection policy will be published on the website of Heal AS.