Contact details of Tallink’s subsidiaries can be found here: www.tallinksilja.com/grupp-structure
1. PERSONAL DATA CONTROLLER, PROCESSORS AND DATA PROTECTION OFFICER
2. PRINCIPLES OF PERSONAL DATA PROCESSING
3. DATA SUBJECT’S RIGHTS
4. PURPOSES OF PROCESSING OF PERSONAL DATA
5. CATEGORIES OF PERSONAL DATA PROCESSED
6. LEGAL BASES FOR THE PROCESSING OF PERSONAL DATA
7. PROFILING AND MARKETING
8. THE USE OF „COOKIES“
10. IMPLEMENTING PROVISION
1. Personal data controller, processors and data protection officer
Personal Data Controller
Name of the controller: AS Tallink Grupp
Company registration code: 10238429
Address: Sadama 5/7, 10111 Tallinn, Estonia
Contacts: telephone +372 640 9810, e-mail firstname.lastname@example.org
A personal data ‘controller’ is a legal person which determines the purposes and means of the processing of personal data.
Personal Data Processors
Tallink’s data processors are the third parties with whom we may need to share personal information to help us provide services and products to you. Tallink’s data processors include:
- our subsidiaries or affiliates;
- our third party partners who process information on our behalf to help us run some of our internal business operations;
- law enforcement bodies in order to comply with any legal obligation.
Data Protection Officer
In order to ensure a high level of personal data protection, Tallink has designated a Data Protection Officer (“DPO”) with expert knowledge of data protection law and practices. The DPO assists Tallink in maintaining personal data protection compliance.
The DPO in Tallink serves as a contact point for data subjects in case of requests and/or questions related to personal data protection and personal data processing in Tallink. Data subjects may contact the DPO with regard to all issues related to processing of their personal data and to the exercise of their rights.
Tallink DPO’s contact details are:
Data Protection Officer
Sadama 5/7, 10111 Tallinn, Estonia
2. Principles of personal data processing
Tallink processes Your personal data in a fair and transparent manner and only when we are allowed to process Your personal data according to the law. For example, Tallink customers may log into their Club One profile and have an overview of their personal data processed by Tallink, like name, e-mail, phone number and service preferences. Tallink aims to inform You as much as possible about Your personal data.
Tallink collects Your personal data for specified, explicit and legitimate purposes. We will not further process Your personal data in a manner that is incompatible with the initial purposes. When processing Your personal data for a purpose other than the initial purpose, we rely on the legal bases originating from the law (e.g. when receiving requests from courts or law enforcement authorities) or we ask for Your approval for processing Your personal data for a purpose other than for which You originally provided us with Your personal data.
Tallink is doing its best to ensure that personal data processed by Tallink is adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. We don’t process any redundant information about You.
Our aim in Tallink is to ensure that personal data shall be accurate and kept up to date where necessary. Tallink shall take every reasonable step to ensure that inaccurate personal data will be erased or corrected without delay. If the personal data should prove to be false, Tallink also gives You the possibility to correct and/or delete it. To do so, please write to: email@example.com.
Tallink keeps Your personal data in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.
Integrity and confidentiality
Tallink normally does not process special categories of personal data (sensitive data such as personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, data concerning health). Tallink only processes such type of personal data when there exists a legal basis for that, for example if we are obligated or allowed by law to process this kind of sensitive personal data. For example, we might process data concerning health when there occurs a need to give onboard emergency aid or when you have asked us to help you with boarding due to your health condition.
Data protection by design and by default
When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data, Tallink takes into account the data subject’s right to personal data protection.
3. Data subject’s rights
Respecting data subject’s rights is of importance to Tallink and therefore handled with special attention. When requested by the data subject, the information about that specific data subject will be provided by Tallink. Please note that we need you to prove who you are before we can help you with any request related to personal data.
This means that, when looking through Your request and in case of doubt, Tallink may ask You to provide additional information for the data subject’s identification. We do this to be sure about the data subject’s identity and to ascertain that we provide the correct information to the right person.
If the purposes for which Tallink processes personal data do not or do no longer require the identification of a data subject, Tallink will not be obligated to maintain, acquire or process additional information in order to identify the data subject. Upon data subject’s request and if possible, Tallink will inform the data subject accordingly about this kind of processing.
Right of access by the data subject – You have the right to access Your personal data which is processed by Tallink. This enables You to be aware of and verify which type of personal data Tallink processes about You and how. You can also turn to Tallink and ask for which purposes we process Your personal data if this remains unclear to You or You would like to ask us additional questions. We aim to answer You as soon as possible, and we try to do so no later than within one month. For more complex requests we might need to extend the answering time by a further two months. In the latter case, we will contact You about the extension of the answering period and explain the reasons to You. To ask us questions related to Your data processing, please write to firstname.lastname@example.org.
Copies – Tallink will provide a copy of Your data upon Your request free of charge when You need it. For any further copies requested, Tallink may charge a fee based on actual costs if the requests from a data subject are of repetitive character. Tallink may refuse to disclose the data in a copy entirely or refuse to provide a copy when this disproportionately affects the rights and freedoms of other data subjects besides You and less strict measures cannot be taken.
Right to rectification – every data subject who notices that his/her personal data is not up to date, is false or needs to be corrected can turn to Tallink and have this data rectified and corrected. You can also have Your incomplete personal data completed. Tallink will make sure this personal data will be corrected as soon as possible. In order to have this done, You are welcome to contact us by writing to the e-mail address email@example.com. In some cases You can correct Your data yourself (for instance, personal data can be rectified and updated by the data subject herself/himself in Club One client profiles online).
Right to erasure (“right to be forgotten”) – this right allows data subjects to have their personal data erased where one of the following grounds applies:
- the personal data are no longer necessary in relation to the purposes for which they were collected or processed;
- when the data subject withdraws consent;
- the data subject objects to the processing and there is no overriding legitimate interest for the processing;
- the personal data have been unlawfully processed;
- the personal data have to be erased in order to comply with a legal obligation or because the personal data was processed in relation to the offer of information society services (e.g. apps) to a child.
Right to erasure is not an absolute right and therefore Your request to have Your personal data erased may not mean that all of Your data will be erased after the request. Sometimes we are obligated by law to retain some data and in cases like this we might not be able to satisfy Your request to erasure. This can also be the case when we need to retain this data for the exercise or defence of legal claims.
Right to restriction of processing – when exercising this right, data subjects may “block” or suppress the processing of personal data by Tallink. As a result of that, Tallink may be permitted to only store the existing personal data but not further process it. Tallink restricts the processing of Your personal data upon Your request until the verification of accuracy or when You contest the accuracy of Your personal data. Tallink may also be obligated to restrict the processing of personal data, for example, when Tallink no longer needs it, but You require the data to establish, exercise or defend a legal claim.
Right to data portability – You may use the right to receive the personal data concerning You, which You have provided Tallink, in a structured, commonly used and machine-readable format. In exercising this right, You may use the right to have Your personal data transmitted directly from one controller to another, where it is technically feasible.
Right to object – You have the right to object, on grounds relating to Your particular situation, at any time to processing of personal data concerning You which is based on legitimate interest, including profiling. In that case, Tallink will no longer process the personal data unless Tallink has legitimate grounds for processing the personal data.
- Where Tallink processes personal data for direct marketing purposes, the data subject has the right to object at any time and free of charge to processing of personal data concerning him or her for such marketing, which includes profiling to the extent that it is related to such direct marketing.
- Where the data subject objects to processing for direct marketing purposes, the personal data shall no longer be processed for such purposes by Tallink. In this case, Tallink stops processing Your personal data for marketing purposes but might not stop processing it for other lawful purposes.
The right to lodge a complaint with a supervisory authority – every data subject has the right to turn to a data protection supervisory authority with a complaint if the data subject considers that the processing of personal data relating to him or her infringes and is not in accordance with provisions foreseen by the data protection laws and GDPR. The national supervisory authority in Estonia is “Andmekaitse Inspektsioon”, in Finland “Tietosuojavaltuutettu”, in Latvia “Datu Valsts Inspekcija” and in Sweden “Datainspektionen”.
The right to withdraw consent – if the personal data processing is based on consent, the data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. Tallink will stop processing personal data if the sole basis for the processing is consent. If there exist other legal ground(s) for personal data processing (e.g. contract, legitimate interest) the processing may be continued based on this other legal ground.
4. Purposes of processing of personal data
Tallink processes personal data for several different purposes. In different cases Tallink processes personal data for purposes, which include:
- sale activities;
- marketing, direct marketing by profiling and for making sale and promo offers;
- data analytics for marketing purposes;
- booking and customer services;
- invoicing and related correspondence with customers;
- providing travel and taxi services;
- legal purposes and legal obligations, e.g. drawing up passenger lists according to maritime law, and complying with statutory requirements originating from applicable laws;
- receiving and handling client feedback;
- conducting surveys for customer feedback and service improvement;
- applying security measures and for solving incidents on board.
5. Categories of personal data processed
The personal data processed by Tallink includes data subject’s:
- name and surname;
- date of birth;
- nationality and sex;
- address, phone number, e-mail address and other contact data;
- credit card, loyalty card (Club One) and customer’s account numbers information;
- data about purchases and services offered by Tallink, including data related to goods/services and quantities thereof;
- travel, sales and accommodation data, including the date and time;
- customers’ health data (only when Tallink customers provide us with this data or it is necessary in order to protect the vital interests of the data subjects);
- other personal data voluntarily revealed to Tallink by data subjects (e.g. personal data provided to Tallink by customers in customer feedback forms).
6. Legal bases for the processing of personal data
Tallink processes personal data on several legal bases which are the following.
Tallink may process Your personal data on the basis of Your consent. For instance, for sending You the Tallink newsletter, Tallink first asks for Your consent for subscription and after You have subscribed, Your consent serves as a legal basis for sending the newsletter to You.
In relation to information society services (e.g. shopping in Tallink webshop or using Tallink apps) data protection regulations set stricter rules and conditions for a child’s consent. Where the child is below the age of 13 years or below another age laid down in the applicable law, such processing shall be considered lawful only if that consent is given by the child’s parent or the holder of parental responsibility over the child.
Tallink may process personal data if the processing is necessary for the performance of a contract. For instance, Tallink processes Your personal data for billing purposes when You use our Pre-Order service in order to fulfil a contract with You and deliver You the goods You have ordered.
Tallink may process personal data if the processing is necessary for compliance with a legal obligation. For instance, Tallink has the legal obligation to collect certain personal data from the passengers, like name, gender, nationality and date of birth to draw up a list of the persons on board. Therefore, Tallink processes passengers’ personal data and draws up a list to fulfil the legal obligation originating from law.
Tallink may process personal data if the processing is necessary in order to protect the vital interests of the data subject or of another natural person. For example, Tallink personnel might need to forward a data subject’s health data to a hospital in case somebody unexpectedly falls ill within Tallink premises, to provide the necessary medical care and protect our customers’ and employees’ health in the best possible way.
Tallink may process personal data if the processing is necessary for the purposes of the legitimate interests. For example, if You have booked a trip with us, we can send You customer satisfaction surveys after the trip to improve the quality of our service.
7. Profiling and marketing
Profiling in Tallink means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a data subject. In Tallink, profiling may be carried out, for instance, to analyse or predict aspects concerning a customer's personal preferences, interests, behaviour, location or movements. As a result of profiling, Tallink is determined to make offers for the best services and goods to Tallink customers on the basis of consent, contract or legitimate interest in order to satisfy all the needs of Tallink’s customers.
Tallink may use different ways of profiling. For making offers, Tallink distinguishes receivers of the offers for example on the ground of travel behaviour, language, citizenship and place of residence (to send the offer in an understandable language and to target customers in particular region), age (to make an offer most suitable for certain age group), previous travels and purchases (to send offers about the travel route, way of travelling and products customer prefers the most).
Where personal data is processed for the purposes of direct marketing, data subjects may “opt out” from having their personal data used for such purposes and exercise the right to object to processing for direct marketing purposes. For example, if Tallink sends You a newsletter with different offers and You no longer wish to receive them in the future, You always have the chance to opt out from receiving these offers. Customers are welcome to express their wish to receive these offers again in the future after withdrawal of such offers.
Tallink may send advertisements or display them on Tallink website to its customers regarding its own services or those of its subsidiaries, or customer satisfaction questionnaires for the purpose of improving service quality, or the offers of other business partners. Customers may refuse to receive such advertisements, questionnaires and offers at any time by informing Tallink via links for automated refusals.
8. The use of „Cookies“
When Tallink customers are using Tallink services, Tallink and external service providers and partners may send cookies or similar technology to user’s computer to enhance and develop user’s online experience. However, You can also set your browser settings in such a way that it informs You when you receive a cookie or automatically declines to accept it. Therefore, You can decide for yourself whether You wish to accept cookies or not. At the same time, please be aware that some Tallink website features or services may not function properly without cookies.
Tallink’s website may also use various tracking and analytics tools to gather information, analyze and measure the use of the site or the effectiveness of Tallink’s communications or advertising, i.e. how Tallink’s communication reaches customers.
Tallink keeps all personal data revealed to it strictly confidential and protects customers’ and employees’ personal data from illegitimately falling into the hands of third parties by applying effective IT security measures.
Tallink uses safeguards which take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons. These measures include inter alia appropriate IT, technical and organisational data protection measures, pseudonymisation and anonymization. Such measures are put in place to ensure that by default personal data are not made accessible to an indefinite number of persons where there is no will for that and to ensure personal data protection in general. In addition, when using CCTV, Tallink displays signs, which are visible and readable to data subjects.
10. Implementing provision