OTP OÜ
PRIVACY NOTICE
1. Introduction
1.1. OTP OÜ is a travel company that uses personal data in its daily operations for the purpose of providing, arranging, organising and mediating various travel and tourism services. In our activities, we comply with the General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act (PDPA), our own Data Protection Strategy and other established data protection rules. This Privacy Notice is directed at data subjects as defined in the GDPR and PDPA, i.e. natural persons whose personal data is processed for the purpose of providing the service.
1.2. We assume that you (Data Subjects) are aware of and care about the processing of your personal data, and therefore we guarantee that OTP OÜ takes compliance with the rules regarding the processing of your data very seriously. The Privacy Notice explains the principles and practices applied by OTP OÜ with regard to the entire processing chain from collection to use and deletion of personal data, thereby focusing on the protection of personal data. The protection of personal data is a continuous responsibility, and therefore we periodically review the rules of the Privacy Notice, check compliance with the established requirements and update its content as necessary.
2. Data Protection Officer (DPO)
2.1. OTP OÜ, with registered address at Harju maakond, Kesklinna linnaosa, Viru väljak 2, 3rd floor, Tallinn / Estonia, has appointed a specialist to ensure compliance with data protection requirements:
The DPO can be reached at: Harju maakond, Kesklinna linnaosa, Viru väljak 2, 3rd floor, Tallinn / Estonia
3. Data Collection
3.1. OTP OÜ collects personal data primarily from its customers. As a rule, these are data necessary for the provision of travel and tourism services chosen by the customer, which may be clarified within the framework of the fulfilment of a specific travel service and may vary depending on the means of transport (e.g. bus, train, aircraft, ship) and the destination (domestic travel, travel within the EU and equivalent countries, travel outside the EU). Generally, travelling requires a name and surname, a photo travel/identity document identifying the person, a personal identification code (in the absence of this information, date of birth, gender and age) and contact details such as e-mail address, phone number and residential address. For travel outside the EU, the list of data may be longer depending on the laws and requirements of the destination country (e.g. nationality, passport details, visa, vaccination, etc.). We use your personal data to fulfil the contract between us and to provide you with travel and tourism services. We do not sell or share your personal data with third parties, except where required by law or for the purpose of fulfilling the service contract entered into with you.
3.1.1. Processing of Personal Data in the Provision and Mediation of Accommodation Services
If you purchase an accommodation service, your data (your name, ID number and/or gender, date of birth, contact details) is necessary for fulfilling the obligations placed on accommodation establishments and for the provision of the service. The list of personal data may vary according to the requirements established in different countries. For this purpose, it is necessary to know the data of the persons who will use the accommodation service and the time when the accommodation is needed. In general, accommodation establishments are obliged to keep a register of guests containing the data required by law and to disclose such data to law enforcement authorities when required.
Depending on the content of the service, we may need various types of personal data due to the specific nature of the accommodation service. For example, situations may arise such as the need for specific mobility aids (wheelchair, lift, etc.) for a person with limited mobility, or special dietary information for a person with intolerance to certain substances (in the case of a meal order in addition to the accommodation service).
If you purchase accommodation and medical rehabilitation services, we will also need special personal data related to the relevant medical rehabilitation. In this way, we will learn about the location and time of the medical rehabilitation and the content of the medical rehabilitation to the extent necessary for the provision of the specific medical rehabilitation service. In any case, such data can be classified as special category data that you provide to us in order to receive the service.
During the sale of accommodation services and related services, if the best price is offered by a wholesaler (including aggregators and consolidators), we will transfer your data to the wholesaler of the services (including aggregators and consolidators), who will in turn transfer the data to the specific provider of the accommodation service or related services.
We require accommodation service providers and wholesalers (including aggregators and consolidators) to process personal data in accordance with the GDPR. Each party involved in the provision of the accommodation service may only use personal data for the purpose of fulfilling the contract. Upon provision of accommodation services, OTP OÜ is not responsible for the processing of data provided on-site at the accommodation establishment.
3.1.2. Provision and Mediation of Passenger Transport Services
To provide passenger transport services, we need your personal data such as your name, ID number, travel document details, e-mail address, phone number and service-related data. During the provision of passenger transport services, special category personal data may be disclosed (e.g. the need for a wheelchair for persons with limited mobility, data of children and persons accompanying them). The law places the service provider under an obligation to transmit personal data to law enforcement authorities.
If you have purchased a passenger transport mediation service from us, we generally transfer the collected data to the passenger transport service provider or the agent of the passenger transport service provider, who will in turn transfer the data to the provider of the specific service.
During the provision of passenger transport services, OTP OÜ is not responsible for the processing of data provided directly to the carrier.
We require our service providers to process personal data in accordance with the GDPR. Each party involved in the provision of the accommodation service may only use personal data for the purpose of fulfilling the contract.
3.1.3. Processing of Personal Data During Package Travel Mediation
If you purchase a package tour, your data (name, personal identification code and/or gender, date of birth, contact details) is necessary for complying with the requirements set by the tour operator and for providing the service. The list of personal data may vary depending on the requirements established in different countries. For this purpose, it is necessary to know the data of the persons who will use the travel service and the time of travel.
Depending on the content of the service, we may need various types of personal data due to the specific nature of the passenger transport service or accommodation service. For example, situations may arise such as the need for specific mobility aids (wheelchair, lift, etc.) for a person with limited mobility, or special nutritional information for a person with intolerance to certain substances (in the case of a meal order outside the accommodation).
Upon the sale of package travel and related services, we transfer your data to the tour operator, who will in turn transfer the data to the specific providers of the passenger transport service, accommodation service or related services.
Upon provision of passenger transport services, OTP OÜ is not responsible for the processing of data provided directly to the tour operator.
We require tour operators to process personal data in accordance with the GDPR. Each party involved in the provision of the travel service may only use personal data for the purpose of fulfilling the contract.
3.1.4. Processing of Personal Data in the Provision and Mediation of Conference Services
In the process of providing conference services, we process personal data primarily for the purpose of fulfilling the conference service contract, for example we register participants and issue invoices (name, personal identification code, date of birth, phone, e-mail, address), organise translation services, organise photographer and operator services (photos), organise and conduct video broadcasts, organise the preparation and distribution of souvenirs and publications (including name tags), organise meals (information about allergies and special diets, which constitute special category personal data). During the organisation of cultural and leisure programmes, personal data necessary for their organisation (name, programme time, preferences related to various programmes), organisation of accommodation services (see clause 3.1.1 for accommodation services) and organisation of transportation between accommodation establishments and the conference venue (names of persons, time of transport, place of accommodation and conference venue) are processed. The list of personal data may vary according to the requirements established in different countries.
OTP OÜ is not responsible for the processing of data provided directly to the service provider during the provision of conference services.
We require our service providers to process personal data in accordance with the GDPR. Each party involved in the provision of the conference service may only use personal data for the purpose of fulfilling the contract.
3.1.5. Provision and Mediation of Guide, Guide/Interpreter and Tour Manager Services
To provide guide, guide/interpreter and tour manager services, we need your personal data such as your name, ID number, the time at which the service is to be provided, the language pair and the places you will visit. During the provision of tour manager services, special category personal data may be disclosed (e.g. the need for a wheelchair for persons with limited mobility, data of children and persons accompanying them). Depending on the destination and country of destination, it may be necessary to transfer your personal data to the relevant authorities of the destination or country of destination where required.
If you have purchased a guide, guide/interpreter and tour manager services mediation service from us, we generally transfer the data to the wholesaler of guide, guide/interpreter and tour manager services (including aggregators and consolidators), who will in turn transfer the data to the provider of the specific service.
We require our service providers to process personal data in accordance with the GDPR. Each person involved in the provision of guide, guide/interpreter and tour manager services may only use personal data for the purpose of fulfilling the contract.
3.1.6. Provision and Mediation of Visa Application Services
To provide the visa application service, we need personal data from you such as your name, ID number, details of your valid travel document, your country of destination, the preferred validity period of the visa, your reason for visiting the country of destination and other mandatory data required by the country you wish to visit.
We require our service providers to process personal data in accordance with the GDPR. Each party involved in the provision of the service may only use personal data for the purpose of fulfilling the contract.
3.1.7. Mediation of Travel-Related Insurance Services
To provide the mediation service of travel-related insurance, we need personal data such as your name, ID number, place of residence, e-mail address and phone number. During the fulfilment of the relevant contract, we may also obtain information about personal data disclosed due to the illnesses of you or your family members (insured event, travel interruption insurance), accidents and medical expenses and other unforeseeable insured events.
We transfer personal data to the insurer who must process personal data in accordance with the GDPR.
3.1.8. Provision or Mediation of Vehicle Rental Services
To provide or mediate vehicle rental services, we need personal data such as your name, ID number, place of residence, contact details, details of a document certifying the right to drive a vehicle of the relevant category to the extent necessary, credit card details, etc. During the fulfilment of the contract, we may learn information such as your preferences in choosing various vehicles, the names of the persons travelling in the vehicle, travel times and routes. We would like to point out that items left behind in the vehicle may also contain information about you, and in this context OTP OÜ is not responsible for the use of such data.
In the case of the provision or mediation of a vehicle rental service, we transfer the provided personal data to the provider of the specific vehicle rental service and require the service provider to comply with the GDPR when processing personal data. OTP OÜ is not responsible for the processing of data you provide on-site to the provider of the vehicle rental service.
If you have purchased a vehicle rental mediation service from us, we generally transfer the data necessary for booking the service to the agent of the rental service, who will in turn transfer the collected data to the provider of the specific service.
3.1.9. Processing of Personal Data in the Provision and Mediation of Credit
In order to provide and mediate credit to you, we need the following personal data: name and surname, personal identification code, place of residence, contact details, personal identity document number, employer information. The provision and mediation of credit is preceded by an assessment of your creditworthiness and payment behaviour. In this process, we need details and information about your income and expenses and information about how well you have fulfilled your obligations to date. We may need other data to assess your creditworthiness; in such a case, we will request this data additionally (e.g. if not visible in the income account statement, etc.). Your creditworthiness may be assessed automatically. If you do not allow this, you may request a review of the decision from an authorised employee of OTP OÜ. If you report your expenses in the form of an account statement, we may also learn personal data that characterises your habits. The processing of such data is limited to viewing and storage only, unless the content provides information about your solvency. If you send your account statement as a general summary rather than a grouped summary, we will ensure the confidentiality of any possible information about your private life disclosed in the account statement.
If you use a credit mediation service, we will send the relevant data to our credit partner, who is the joint controller of your personal data. In the case of service mediation, we require the actual provider of the service to process personal data in accordance with the GDPR. Each party involved in the provision of the service may only use personal data for the purpose of fulfilling the contract.
3.1.10. Processing of Personal Data in the Case of Loyalty Cards
Loyalty cards are a customer discount system created by OTP OÜ that allows loyal customers to benefit from various travel services at discounted prices, free of charge or more easily compared to persons who do not have such cards. We request various personal data from you for the issuance and use of the cards. First and foremost, we need your personal data such as your name, personal identification number, place of residence, phone number and e-mail address. When you use the card, we may collect data about your travels and travel habits through which you have obtained certain discounts (bonus points) in accordance with the terms and conditions of use of the relevant card. The added value of the cards is the discounts provided at our business partners. When you make purchases from our business partners, your data is collected and processed by our business partners in connection with these purchases. By presenting the discount card to one of our business partners, we wish to emphasise that you are providing your identification details to the relevant establishment and that this establishment is the controller responsible for the processing of such personal data. We collect this data primarily to identify your purchasing habits, to offer you products and services that we think may interest you, and to offer you discounts at our business partners where you can make purchases. Your personal data is also used for various statistical purposes, in particular to determine sales rates and return rates of products and services. In this way, we can decide which business partner is worth cooperating with. All personal data collected in the manner described above is stored and processed by a joint controller or authorised processor who provides us with the relevant information technology solution. We require joint controllers and authorised processors to process personal data in accordance with the GDPR. Each party involved in the provision of the service may only use personal data for the purpose of fulfilling the contract.
3.1.11. Sending the Best Travel Offers and Reminders
We send the best travel offers and reminders (e.g. follow-up sales, greetings, invitations and other similar offers) only to a pre-approved e-mail address, with your consent, by e-mail. You may withdraw this consent at any time by clicking the Unsubscribe link in the footer or by writing to
[email protected] and
[email protected].
We also send you informational e-mail messages when you make your first purchase from us, when you receive our loyal customer card, or when your employer appoints you as the authorised person of your company. These messages are for confirmation purposes so that you know you have subscribed to us. Regarding other informational letters, we also send you notifications about bonus points and the expiry of your loyal customer card.
In connection with the provision of the service, we have the right to send you a feedback e-mail when you make a purchase from us or request an offer related to a service. We send feedback e-mails only for the purpose of identifying service failures and providing the best service. In the event of a natural disaster or emergency, we may contact you to find out if you are well and to see if we can assist you.
3.2. Automatic Data Collection
Our online environments www.onlinetourismpartner.com and www.booking2cyprus.com, various social media channels (Facebook, Instagram, Twitter) and many other similar environments automatically collect certain information and record it in their log files. This information may include the IP address to which your computer or other device is connected to the Internet, the region or general location, the type of browser used, the operating system and other usage information. OTP OÜ uses this information to make its online environments better, simpler and more user-friendly. We may also use your IP address to diagnose problems with OTP OÜ's server and manage the website, analyse trends, track site visitors and collect demographic information more comprehensively to better understand the preferences of visitors to our online environments. Our online environments use cookies.
3.3. Newsletters and Competitions
If you have agreed to receive newsletters and advertisements, or if you participate in draws of other campaigns organised or mediated by us, we ask for your name and contact details. We use this information to send you information about the services and products we offer and other topics that may interest you. Our newsletters may occasionally contain links to other online environments. OTP OÜ is not responsible for the content or privacy policy of these environments. If you no longer wish to receive the newsletter or direct messages, you can unsubscribe by clicking the cancel or unsubscribe link at the end of any newsletter and/or advertisement, or by writing to
[email protected] and
[email protected].
3.4. Online Orders
If you wish to place an order through our online environment, we need your contact details such as your name, ID number, date of birth, travel document details, e-mail address, phone number and, in some cases, residential address. This information is necessary only to contact you regarding your order and for the purpose of fulfilling the contract concluded or to be concluded with you. We share your personal data with businesses directly involved in providing the service to you. We do not share your personal data with anyone else. When placing an order, we also ask for information related to the payment of the order, such as your credit card number or bank payment details. In this way, we use a secure online connection to protect your personal data.
4. Data Retention Period and Method
4.1. Data collected about you through your purchases is retained by OTP OÜ for the period required by law and until the expiry of claims, after which personal data is deleted. The data is stored in a single database or multiple databases managed by a third party located in the European Union or a country included in the European Economic Area. These third parties cannot access the data and do not use your personal data for any purpose other than storage and backup.
5. Duration and Method of Use of Your Personal Data by OTP OÜ
5.1. Your personal data is used primarily to provide services to you with your consent.
5.2. Your personal data is also used to update the online environment according to your preferences, interests and needs, to better understand your wishes and preferences, and to improve the quality of service provision in OTP OÜ's online environments.
5.3. If you have agreed to receive newsletters, special advertisements, direct messages, etc. from us, we will send you the information you have requested. You may cancel such e-mail messages (see clause 3.3).
5.4. Your personal data is shared with service providers who are indispensable for the fulfilment of concluded contracts and the provision of services.
5.5. We may also share your personal data in the event of needs arising from the investigation of criminal offences, compliance with judicial requests, meeting your vital needs, or actions related to sale, purchase, merger, restructuring, financing, liquidation, termination or similar commercial activities. In such cases, we take all necessary measures to adequately protect your personal data.
5.6. After collecting the necessary information to participate in draws and other similar events, the contact details obtained are used to contact you in the event of winning. If the prize is awarded by another contractual partner, your contact details will be sent to the partner so that the partner can contact the winner. As a rule, participation in such a prize game is conditional on your permission for the use of your contact details for other purposes; therefore, we kindly ask you to carefully read the terms and conditions of the prize game before agreeing to participate.
6. Transfer of Personal Data Outside the EU/UK or Equivalent Regions
6.1. OTP OÜ is located in the Republic of Estonia, one of the member states of the European Union. The personal data we collect is processed primarily in the Republic of Estonia and at the registered addresses of third parties. When it is necessary to transfer data outside the European Union or equivalent regions during the provision of a service for the purpose of fulfilling the contract, Article 45 of the GDPR requires that the level of protection guaranteed for personal data be at least equivalent to that within the EU. We inform you that our company has no other legal means outside the contract to provide such a guarantee, i.e. we can obtain confirmation from businesses with which we can contract and negotiate the terms of the contract regarding the adequacy of the relevant level of protection, but we cannot compel these businesses to guarantee the relevant level of protection themselves, nor can we in any way guarantee the adequacy of such measures or their compliance with the GDPR.
6.2. However, if we are unable to reach an agreement with the relevant service provider on the compliance of the level of personal data protection with GDPR requirements, we inform you that the level of personal data protection in the relevant destination country is not the same as under the GDPR and that we cannot in any way guarantee a high level of protection for personal data relating to the destination country. If you still wish to receive services at this destination, by purchasing the trip you confirm that you have given us permission to transfer your personal data to this destination country.
6.3. We will never send more personal data to a service provider outside the EU than the minimum level required to confirm the service, or more than you would have had to provide to them if you had ordered the same service directly from them, i.e. without using our services.
7. Rights of the Data Subject
7.1. This Privacy Notice has been prepared to inform you of what information OTP OÜ collects about you and how this information is used. If you have any questions about your personal data, please contact us by e-mail at
[email protected] and
[email protected].
7.2. If you wish to find out whether OTP OÜ processes your personal data or to access your personal data, please contact us by sending an e-mail to
[email protected] and
[email protected].
For more information about the rights of the data subject, please refer to the relevant section.
8. Security of Your Data
8.1. We use physical, technical and administrative protective measures to protect the personal data you enter in our online environment and information that can be used for identification purposes. We regularly update and test our protective technologies. Our online networks are protected by firewalls and intrusion detection software. Access to your personal data is provided only by employees who need this data to provide you with the agreed service or for another legal reason.
8.2. We take adequate measures to protect your personal data and our activities are subject to relevant information security legislation; however, we wish to point out that no website or database is completely secure or protected against hacking. Protect yourself and help us prevent computer crime by protecting and storing your passwords very carefully. No spyware is used in our online environment. If you suspect that your account has been hacked, please contact us immediately.
8.3. OTP OÜ trains its staff to achieve a higher level of awareness of the importance and necessity of protecting personal data. Our commitment in this regard is also reflected in our internal rules containing data protection provisions.
9. Modification and Revision of the Privacy Notice
9.1. Like any organisation, OTP OÜ changes over time and space, which means that the Privacy Notice will need to be modified and revised at some point in the future. For this reason, we reserve the right to modify and revise the Privacy Notice at any time without notice to you. We will publish the changes on the OTP OÜ Privacy Notice website. We may inform you by e-mail about significant changes to the Privacy Notice; however, the safest option is to regularly visit the Privacy Notice website to read the updated and current terms and conditions (https://www.onlinetourismpartner.com; and https://www.booking2cyprus.com).
10. Employee Privacy Notice
10.1. The Employee Privacy Notice is a separate document made available exclusively to the staff of OTP OÜ.
11. Questions and Complaints
11.1. If your personal data changes, please notify us. If you have any other questions about your personal data, please contact us. We will respond to you within the period provided by law. At the same time, please note that we may ask you for more detailed information to identify you before answering your questions. In order to ensure that the contracts forming the basis for the processing of personal data adequately safeguard the rights of data subjects, we reserve the right to request that a document confirming the right of representation of the data subject, submitted during or after the fulfilment of the legal relationship between the parties (including in connection with data processing) and drawn up outside our travel agency, be notarised or certified in an equivalent manner. We must ensure that the data subject has consented to the sending of information and that the information is transferred only to the correct person or entity. In most cases, we will correct or delete the inaccuracies you have identified. In some cases, where permitted or required by law, we may refuse your request in whole or in part.
www.onlinetourismpartner.com | www.booking2cyprus.com