Privacy Policy

1. General provisions 
1.1. This Privacy Policy governs the principles of collection, processing and storage of personal data. Personal data are collected and stored by the controller of personal data, Espak Haldus OÜ (hereinafter referred to as the Data Processor).

1.2. For the purposes of the Privacy Policy, a data subject is a customer or other natural person whose personal data are processed by a data processor.

1.3. For the purposes of the Privacy Policy, a customer is anyone who purchases goods or services from the Data Processor’s website.

1.4. The Data Processor shall follow the principles of data processing provided by legislation, and, among other things, processes personal data legally, fairly
and securely. The Data Processor is able to confirm that personal data have been processed in accordance with the legislation.

2. Collection, processing and storage of personal data

2.1. The personal data collected, processed and stored by the Data Processor are collected electronically, mainly via the website and e-mail.

2.2. By sharing his personal data, the data subject grants the Data Processor the right to collect, organize, use and manage personal data for the purposes defined in the privacy policy, which the data subject shares directly or indirectly with the Data Processor when purchasing goods or services on the website.

2.3. The data subject is responsible for ensuring that the data provided by him or her is accurate, correct and complete. Knowingly providing false information is considered a violation of this Privacy Policy. The data subject is obliged to immediately notify the Data Processor of any changes in the submitted data.

2.4. The Data Processor shall not be liable for any damage caused to the data subject or third parties caused by the submission of false data by the data
subject.

3. Processing of customers’ personal data

3.1. 3 The Data Processor may process the following personal data of the data subject:

3.1.1. Full name;

3.1.2. Date of birth;

3.1.3. Phone number;

3.1.4. Email address;

3.1.5. Delivery address;

3.1.6. Billing account number:

3.1.7. Payment card details;

3.2. In addition to the above, the Data Processor has the right to collect data about the customer that is available in public registers.

3.3. The legal basis for the processing of personal data is Article 6 (1) (a), (b), (c) and (f) of the General Data Protection Regulation (GDPR): a) the data subject has given consent to the processing of their personal data for one or more specific purposes; b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; c) The processing of personal data is necessary for compliance with a legal obligation to which the Data Processor is subject; (f) the processing of personal data is necessary in the legitimate interest of the Data Processor or of a third party, unless such interest outweighs the interests of the data subject or the fundamental rights and freedoms for which personal data must be protected, in particular where the data subject is a child.

3.4. Processing of personal data according to the purpose of the processing:

3.4.1. Purpose of processing – security and safety Maximum period of storage of personal data – in accordance with the deadlines specified by law

3.4.2. Purpose of processing – order processing Maximum storage period of personal data – 3 years

3.4.3. Purpose of processing – ensuring the functioning of the services of the e-shop Maximum period of storage of personal data – 3 years

3.4.4. Purpose of processing – customer administration Maximum storage period of personal data – 5 years

3.4.5. Purpose of processing – financial activities, accounting Maximum period of storage of personal data – in accordance with the legal deadlines

3.4.6. Purpose of processing: marketing Maximum storage period of personal data: 3 years

3.5. The Data Processor has the right to share the personal data of customers with third parties, such as authorized data processors, accountants, transport and courier companies, companies providing transfer services. The Data Processor is the controller of personal data.

3.6. When processing and storing personal data of the data subject, the Data Processor shall implement organizational and technical measures to ensure the protection of personal data against accidental or unlawful destruction, alteration, disclosure and any other unlawful processing.

3.7. The Data Processor shall retain the data of the data subjects depending on the purpose of the processing, but not longer than 5 years.

4. Rights of a data subject

4.1. The data subject has the right to access and inspect his or her personal data.

4.2. The data subject has the right to receive information about the processing of his or her personal data.

4.3. The data subject has the right to supplement or correct inaccurate data.

4.4. If the data processor processes the personal data of the data subject on the basis of the data subject’s consent, the data subject has the right to withdraw the consent at any time.

4.5. The data subject can turn to the following address to exercise his or her rights: hostel@espak.ee

4.6. In order to protect his or her rights, a data subject can submit a complaint to the Data Protection Inspectorate.

5. Final provisions

5.1. These data protection conditions have been prepared in accordance with Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Personal Data Protection Act of the
Republic of Estonia and the legislation of the Republic of Estonia and the European Union.

5.2. The Data Processor has the right to change the terms and conditions of data protection in part or in full by notifying the data subjects of the changes via the website www.espakhostel.ee/en