Privacy Notice
- Introduction
1.1. By virtue of its field of activity, City Travel is considered as a tourist enterprise that, in its routine economic activity, uses personal data for the purpose of providing various tourist services, their device, organization and mediation. Our activities are based on the General Data Protection Regulation (GDPR), the ER Personal Data Protection Act (IKS), our own personal data protection strategy and other applicable data protection regulations. This privacy notice (hereinafter Privacy Notice) is addressed to the data subjects mentioned in the GDPR and IKS documents, or natural persons whose personal data are processed in the course of providing services.
1.2. We assume that you (the data subject) are aware of and care about the processing of your personal data, so we assure you that City Travel takes compliance with the rules regarding the processing of your data with complete seriousness. The Privacy Notice describes the principles used by City Travel and the practices in place as they relate to the entire chain of processing personal data from collection and use to exclusion in terms of ensuring the protection of personal data. The protection of personal data is our ongoing responsibility, so from time to time we review the Privacy Notice policy, check its compliance and update its content as necessary.
2. Data Protection Officer (DPO)
2.1. С целью соответствия требованиям по защите персональных данных на нашем предприятии City Travel OU (регистрационный код 12584093, юридический адрес ул. Нафта 1, Таллинн Харьюский уезд 10152), специалистом по защите данных назначен сотрудник:
address of DPO workplace: Nafta str. 1, Tallinn Harjumaa 10152
e-mail address: info@citytravel.ee.
3.Data collection
3.1. City Travel collects mainly personal data from its customers. These are the data required for the provision of the tourist services chosen by the customer; they may be specified within the framework of a particular tourist service and may vary depending on the means of transportation (e.g. bus, train, plane, ship) and the destination of the trip (within Estonia, within the EU and its equivalent countries, outside the EU). Usually, you will need a first and last name, a travel document/photo ID (for ID), a personal code (if no personal code is available, date of birth, gender, age), and contact information such as email address, phone number, and permanent residence address. When traveling outside the EU, the list of data may be extended depending on the legislation and requirements of the country of travel (e.g. passport data, nationality, visa, vaccinations, etc.). We use your personal data to fulfill the contract we have entered into and to provide you with travel services. We do not sell or transfer personal data to third parties, except to those to whom the data should be transferred in accordance with the law or for the performance of a service contract concluded with you.
3.1.1. Processing of personal data in the provision and mediation of accommodation services
When purchasing accommodation services, your data (name, surname, personal identification number and/or gender, date of birth, contact details) are needed to meet the requirements set for accommodation companies and to provide the service. The list of required personal data may vary from country to country depending on the requirements in force there. You need to know the details of those individuals who will be using the placement service and the time for which the service will be provided. As a general rule, accommodation providers are required to maintain a register of accommodated persons, in which customer data is entered in accordance with the law; it is passed on to law enforcement authorities upon request.
Depending on the nature of the service, we may also need specific personal data relating to the specifics of the accommodation services. For example, in case of certain mobility limitations, data on the need for aids (wheelchair, elevator, etc.) or (when meals are ordered together with the accommodation) in case of any food intolerance, data on a special diet are required.
When you purchase accommodation and rehabilitation services, we will also need data of a special kind in connection with the latter. That is, we become aware of the place and time of the restorative treatment and the content of the restorative treatment to the extent necessary to provide the specific restorative treatment service. In any case, we are talking about personal data of a special kind, which you yourself give to us in order to receive the service.
When selling accommodation and related services, if the best price is offered by wholesalers (including aggregators and consolidators), we will pass your data to the wholesaler (including aggregators and consolidators), who in turn will pass the data received to the business providing the specific accommodation or related services.
We require accommodation service providers and wholesalers (including aggregators and consolidators) to ensure that their processing of personal data complies with the GDPR. Any party engaged to provide the accommodation service may only use personal data for the purpose of fulfilling the contract. In the case of accommodation services, City Travel is not responsible for the processing of those data that are directly provided to the accommodation company.
3.1.2. Processing of personal data in the provision and mediation of transportation services
In order to provide the transportation service, we need the following data: first and last name, flight document data, e-mail address, telephone number and service-related data. In the case of transportation services, special data may also become known (e.g. in the case of mobility impairments, the need for a wheelchair, and in the case of children, data on accompanying persons). In accordance with legal acts, the service provider is obliged to transfer personal data to law enforcement authorities.
When you purchase a transportation intermediary service from us, we usually pass the collected data to the company providing the transportation service or to the intermediary of the companies providing the transportation service, which in turn passes the data on to the specific carrier.
In the case of transportation services, City Travel is not responsible for the processing of those data that are directly provided to the carrier.
We require service providers to ensure that their processing of personal data complies with the GDPR. Any party engaged to provide transportation services may use personal data only for the purpose of performing the contract.
3.1.3. Processing of personal data when brokering package tours
When you purchase a package tour, your data (first and last name, personal code and/or gender, date of birth, contact details) is needed to meet the requirements for tour operators and travel agents and to provide the service. The list of personal data may vary depending on the requirements of the country of residence. You need the details of the persons who will be using the travel service and the period of travel.
Depending on the content of the service, personal data of a special kind may also be required, which relate to the specifics of the transportation or accommodation services. For example, in case of certain mobility limitations, auxiliary aids (wheelchair, elevator, etc.) may be necessary or (when meals are ordered together with the accommodation) in case of any food intolerance, data on a special diet is required.
When selling a package tour and related services, we pass your data to the travel organizer, who in turn passes it on to specific companies that directly provide transportation and accommodation or other related services.
In the case of travel organization services, City Travel is not responsible for the processing of the data that are directly provided to the travel organizer.
We require travel organizers to ensure that their processing of personal data complies with the GDPR. Any party engaged to provide travel services may only use personal data for the purpose of fulfilling the contract.
3.1.4. Processing of personal data in mediation of travel insurance services
For the travel insurance mediation service, we need the following data: first and last name, personal identification number, place of residence, e-mail address and telephone number. During the execution of the respective contract, we may learn, among other things, about your illness or the illness of a member of your family (insured event, travel disruption insurance), an accident and the cost of treatment, as well as personal data that has become known due to other unforeseen insured events.
We transfer the personal data provided to the insurer, from whom we require that its processing of personal data complies with .
3.1.5. Processing of personal data in the course of mediation of vehicle rental service
In order to provide or mediate the vehicle rental service, we need the following data: name and surname, personal identification number, place of residence, contact details, the required amount of data of the document confirming the right to drive a vehicle of the relevant category, credit card details, etc. During the execution of the contract, among other things, we may become aware of your preferences when choosing different vehicles, the persons who will be in the vehicle, the time and trajectories of your travels. Please note that the items left in the car may also contain data about you, in which case City Travel is not responsible for the use of this data.
When providing or brokering a vehicle rental service, we transfer the submitted personal data to the specific company providing the rental service, from which we require that its processing of personal data complies with the GDPR. When providing vehicle rental services, City Travel is not responsible for the processing of data that is directly provided to the company providing the rental service.
When you purchase an intermediary vehicle rental service from us to book a service, we generally pass the required data to the rental service intermediary, who in turn passes the collected data to the specific service provider.
3.1.6. Processing of personal data in the course of service and credit intermediation
For lending or credit mediation service we need your following data: name and surname, personal identification number, place of residence, contact details, identity document number, employment details. Your creditworthiness and repayment practices are assessed before a decision is made to grant or broker a loan. It requires data about your income and expenses, as well as how you have previously fulfilled your credit obligations. We may need other data from you for the credit assessment, in which case we will ask you (e.g. if your income is not reflected in the form of bank transfers, etc.). Be forewarned that your credit score may be assessed in an automated process. If you disagree with it, you can ask us to have the decision made reviewed by an authorized City Travel employee. When you provide data about your expenses in the form of bank statements, we may also become aware of personal data that characterizes your habits. The processing of these data is limited to seeing and storing them, unless their content gives an indication of your ability to pay. If you provide your bank statement in general (unsorted) form, information about your personal life that may have become known will be kept confidential.
When you use an intermediary credit service, we transfer the relevant data to our partner company as a credit organization, which is jointly and severally liable from the point of view of processing your personal data. In the case of mediation, we require service providers to ensure that their processing of personal data complies with the GDPR. Any party engaged to provide the service may only use personal data for the purpose of performing the contract.
3.1.7. Sending the best proposals and attention letters
Only with your consent do we send you the best travel offers and other e-mails (e.g. additional sales, congratulations, invitations to events, etc. offers) to a pre-agreed e-mail address. You may withdraw your prior consent at any time by clicking on Unsubscribe at the bottom of the email or by emailing us at info@citytravel.ee.
We will also send you an informational email/notification when you make your first purchase from us, receive a customer card from us, or your employer approves you as an authorized person. These letters are confirmatory in nature. We send you emails about bonus points and customer card expiry as newsletters.
In connection with the provision of services, we have the right to send you letters requesting feedback when you have purchased a service from us or requested a quote for a service. We send such letters solely for the purpose of clarifying bottlenecks and improving the quality of customer service. When there is a natural disaster or emergency, we may also send you a letter or contact you to make sure you are okay and to see if there is anything we can do to help.
3.2. Our web pages www.citytravel.ee, communication platforms and various social networks (Facebook, Instagram), as well as many other similar channels, collect certain information automatically by storing it in log files. This information may include your IP address, the region or location where your computer or device is accessing the Internet, browser type, operating system information, and other information about your Internet use, including your browsing history. City Travel uses this information to make our own websites better, easier to use and more user friendly. We may use your IP address to diagnose server problems and administer the Sites, analyze trends, monitor visitor actions on the Sites, and to gather more comprehensive demographic information to better know the preferences of visitors to our Sites. The Sites use a cookie system.
3.3. If you wish to receive our newsletters and advertisements, or participate in raffles we organize or mediate or other campaigns, we will ask for your name and contact information. We use this information to send you information about our services/goods or anything else that may be of interest to you. News compilations may sometimes contain hyperlinks to other internet sites. City Travel is not responsible for their content or privacy policy. If you no longer wish to receive news compilations, you can opt-out by clicking on the hyperlink at the bottom of each news compilation and/or advertisement (opt-out or unsubscribe) or by notifying us at info@citytravel.ee.
3.4. If you wish to place an order using our website, we will need your contact details (first name, last name, personal identification number, date of birth, flight document details, e-mail address, telephone number and in some cases your place of residence). This information is only necessary for the purpose of contacting you with regard to your order and the fulfillment of the contract concluded or to be concluded. We share your personal data with businesses that are directly related to providing you with the service. We do not pass on your contact details to anyone else. When placing your order, we will also ask you for payment details for your order, such as credit card number or bank payment details. In doing so, we use a secure online connection so that your data is protected.
4. When and how City Travel stores data
4.1. The data collected about you and obtained in connection with your purchases will be stored by City Travel for the period of mandatory data retention stipulated by law and until the expiry of the claim period, after which the personal data will be destroyed. The data is stored in one or more databases administered by a third party that is located in the European Union or a signatory to the Agreement on the European Economic Area. No said third party has access to the data and uses your personal data for storage and backup purposes only.
5. When and how City Travel uses your personal data
5.1. Your personal data is mainly used as agreed with you to provide services to you.
5.2. Personal data is also used to update our websites according to your preferences, interests, needs, and to better understand your wants and preferences and to improve the delivery of City Travel services via the Internet.
5.3 If you have consented to receive newsletters, special promotional material, direct mailings, etc. from us, we will send you this information. You have the option to opt out of such emails (see section 3.3).
5.4. Your personal data will be passed on to service providers when this is unavoidable for the fulfillment of concluded contracts and the provision of services.
5.5. We may transfer your personal data when we need to do so to investigate crime, to pursue legal claims, to cover your necessities of life, or in connection with the sale, purchase, merger, reorganization, financing, liquidation, winding up or similar business-related activities. In these cases, we assure you that we will take all necessary steps to ensure that your personal data is adequately protected.
5.6. When collecting information required to participate in lotteries and similar events, the contact details obtained are used so that you can be contacted if you win. If the prize was exhibited by any of our partner companies, your contact details are passed on to them for contacting the winner. As a general rule, a precondition for participation in such prize draws is that you agree to use the contact details you receive for other purposes; therefore, please read the terms and conditions carefully before participating in the prize draws.
6. Transfer of personal data outside the EU or equivalent regions
6.1. City Travel is located in the Republic of Estonia, a member of the European Union. The personal data we collect is processed mainly in the Republic of Estonia and at the registered offices of third parties. When the provision of services for the performance of a contract requires the transfer of data outside the EU or equivalent territories, Article 45 of the GDPR stipulates the need to guarantee there the protection of personal data at a level not lower than within the EU. We are notified that our company has no legal means of this guarantee other than through agreements. This means that from those companies with whom we can enter into contracts and negotiate their terms and conditions, we can obtain confirmation of the adequacy of the relevant protection and oblige them to guarantee the relevant protection, but we can in no way guarantee the sufficiency of this measure and its compliance with the requirements of the GDPR.
6.2. If it is not possible to reach an agreement with the company providing the service to ensure that the level of protection of personal data in the respective country complies with the GDPR, we will warn you that the level of data protection in the respective country does not comply with the GDPR, explaining that we do not have any possibility to guarantee a high level of protection of your personal data in that particular country. If you still wish to purchase services in that particular destination despite this warning, purchase travel will confirm that we may transfer your personal data to that destination country.
6.3. We never share more personal data with service providers outside the EU than is minimally necessary to validate a particular service, and never beyond what you would provide if you were to order the same service directly from the service provider, i.e. without using our service.
7. Rights of the data subject
7.1. A privacy notice is provided to let you know what information City Travel collects about you and how it is used. If you have any questions regarding your personal data, please contact us at info@citytravel.ee.
7.2. If you would like to know whether City Travel processes your personal data or would like access to your personal data, please contact us at info@citytravel.ee.
8. Security of your data
8.1. We use physical, technical and administrative measures to protect the personal data and personally identifiable information you enter on our websites. We regularly update and test the technologies we use. Our networks are protected by firewalls and intrusion-detecting software. Access to your personal data is restricted: it is only available to those of our employees who need it to provide the service you have agreed with us or on other legitimate grounds.
8.2. We use sufficient measures to protect your personal data, our activities are subject to information security legislation, but it should be noted that no website or database is absolutely secure or guaranteed against hacking. Protect yourself and help us prevent computer crime by being very careful to keep and protect your passwords. Our sites do not use spyware (Spyware). If you suspect your account has been hacked, please contact without delay.
8.3. In order to increase employees’ awareness of the importance and necessity of personal data protection, City Travel provides regular training. Our commitment is also expressed in the internal rules of the company that directly concern employees and include data protection regulations.
9. Modifying and enhancing the privacy notice
9.1. Like any organization, City Travel is changing in time and space, so it can be assumed that changes and improvements will need to be made to the privacy notice in the future as well. Therefore, please be advised that we have the right to make changes and additions to the privacy notice at any time without notifying you. We post changes on the appropriate tab on the website.
10. Privacy notice to employees
10.1. The Privacy Notice for Employees is written in a separate document and is only available to City Travel employees.
11. Questions, complaints
11.1. If your personal data has changed, please contact us. If you have any questions about your personal data, be sure to contact us. We will respond within the legal time limit. However, please be aware that, as part of the protection of personal data, we may ask for more precise information to identify you before answering questions. In order to ensure that the contracts underlying the processing of personal data sufficiently safeguard the rights of the data subjects, we reserve the right to require that a document confirming the right to represent the data subject and presented during or after the execution of the legal relationship of the parties (including in connection with the processing of data), but executed outside of our company, be notarized or in another equivalent manner. We need to be sure that the data subject consents to the transfer of information and that the information will only get into the hands of the right person or organization. In most cases, we make corrections or erase every inaccuracy you discover. On occasion, we may deny your request in whole or in part if the law allows or requires us to do so.
11.2. For questions and complaints, please contact info@citytravel.ee. We will respond to your letter at the earliest opportunity within 30 days of receipt.