PRIVACY POLICY for hotel guests

WASA AS (hereinafter ‘we’) highly values the privacy of every client (hereinafter ‘you’). In this privacy notice, we will describe the kind of information we collect about you, why we do so and what we do with the collected data.

We implement the necessary information technology, physical, technical and organisational safety measures to protect your personal data against loss, destruction and unauthorised access. The purpose of security activities is the implementation of the appropriate level upon the protection of information, risk management and prevention of threats. The employees of Wasa are required to protect the personal data of clients and keep them confidential, and they are responsible for compliance with this requirement.

What data do we gather about you, who do we need your data and who provides it?
We use your data to provide you the accommodation you have booked and/or other services you have requested, and to fulfil the obligations imposed on us by the regulations governing our activities. We also use it for general business purposes.

We collect the following data about you:

  • personal data: your first and family names, date of birth and personal identification code. These data enable us to identify you, which is important to ensure that the service is provided to the person who has ordered it.
  • contact details: such as home address, phone number, e-mail address. we need these details to contact you. First and foremost, we contact you by phone or e-mail, but in certain cases it may be necessary to use your home address (e.g. in case we cannot reach you by other means).
  • Visitor’s card information – based on the Tourism Act of Estonia, users of accommodation services are required to provide certain information such as citizenship as well as the names, dates of birth and citizenship of a spouse or minor accommodated with the visitor, and the period of provision of the accommodation services, etc. We have an obligation to request these data pursuant to the Tourism Act. The aim is to avoid any danger stemming from illegal immigration, for example. If you refuse to provide any information regarding the visitor’s card, we are unable to provide you with accommodation.
  • credit card data: such as card number, name of the owner, period of validity. We need this information to withhold a certain amount of money from your credit card to cover the cost of services or other expenses incurred by you, as is our right according to our internal regulations and the accommodation contract.
  • security camera footage: if you visit our accommodation facilities or other rooms that for security reasons have been equipped with video or other electronic or digital surveillance systems or devices.
  • Data about personal preferences: e.g. room type, with or without a city view, etc. If we ask for these data or in case you choose to disclose such data to us, we use them to provide you with a better service based on your wishes and interests.
  • upon the provision of treatment and rehabilitation services, we collect data about the health status of the guest. The health data of a person is considered sensitive personal data. We process this data when providing treatment and rehabilitation to alleviate your discomfort, prevent the deterioration of your health or the exacerbation of a disease and to restore your health.

In general, we obtain this information directly from you when you make a reservation or query through our website at, by phone or e-mail or when you purchase our services in person at our facilities.

Your data is also transmitted to us by travel agents, reservation agencies and other accommodation agents with whom you have booked your accommodation and/or other services for a stay with us.

On what legal basis do we process the data?
When processing your data, we do so while complying with a variety of legal bases.

  • requirement to enter into a contractual relationship with you and performing that contract
  • your consent – if we use your consent to process your data, know that you have the right to withdraw your consent at any time
  • requirement to meet obligations arising from legal acts (e.g. visitor’s cards and storing that information for two years)
  • necessity to justifiably operate in the interests of our company, including managing the company, undertaking general business operations, investigating breaches of the law and fraud
  • necessity to protect our clients’ lives or anyone else’s (e.g. by disclosing information about you to emergency workers in case of an accident)
  • other situations in accordance with the law

Who do we share your data with?
We only share any data you have provided us with in the cases described below and when required in order to achieve the objectives described in this privacy notice:

  • Affiliated companies – we may share your personal data with our affiliates located in the European Union.
  • Service providers: like many other companies, we can order data processing services from trusted third-party service providers such as IT, marketing and consulting services;
  • Public authorities and government bodies – we may share our data with such authorities when we are required by law to share our data or when it is necessary to protect our rights;
  • Professional consultants and other – we may share your data with professional consultants, e.g. auditors, lawyers, accountants and other consulting service providers;
  • Third parties in connection with corporate deals: Occasionally we may share your data with third parties when closing corporate deals, e.g. when selling the company or a part of it to another business. This also applies to the process of restructuring the company, the creation of a joint venture, a merger or any other situation where company assets are transferred.

If we share your data with the above mentioned parties, we guarantee the protection of your data in our data-processing agreement between us and the other party.

How long do we keep your data?
We retain your data for as long as it is needed to achieve various data-processing objectives. We take the following criteria into account when storing personal data:

  • we will store the data for as long as it is needed to provide our services
  • if a person has a user account or a membership card tied to the company, we will store their data for as long as the account/card is valid or for as long as such data is needed to provide services to them
  • if the company has a statutory, contractual or similar obligation to store personal data, we will store the personal data as long as it is necessary to perform such an obligation
  • after the termination of a contractual relationship, we will retain certain data for as long as the data subject or company has the right to make claims against the other party under a contract

According to the Tourism Act of Estonia, visitor’s cards have to be preserved for two years as of the date they were filled in.

Credit card information is only retained until the accommodation contract between us and the client expires or is terminated.

If you have given us consent to send you marketing materials, we will store your contact information until you withdraw your consent.

What are your rights regarding your data?
As a data subject, you have the following rights:

  • Right of access – you have the right to know what data are stored about you and how they are processed.
  • Right to rectification – you have the right to request the rectification of your personal data if they are incorrect.
  • Right to erasure (‘right to be forgotten’) - in certain cases you have the right to request your personal data be erased (for example, if we no longer need them or you withdraw your consent for processing the data, etc.).
  • Right to restricted processing – in certain cases, you have the right to prohibit or restrict the processing of your personal data for a certain period of time (e.g. when you have filed an objection in relation to data processing).
  • Right to object – on grounds relating to your particular situation, you have the right to object to the processing of your personal data when processing is based on our legitimate interest or in the public interest. You can object to the data processing done for direct marketing purposes at any time.
  • Right to the transmission of data – you have the right to require the transmission of data to you in machine-readable form. You also have the right to demand the data be transferred to another data controller, but only if this is technically possible. The transfer right applies only to the data that we process with your consent or the data we process pursuant to the contract with you.
  • Automated decision-making (including profiling) – in a situation where we have notified you that we are making decisions based solely on automated processing (including profiling), which produces legal effects concerning you or significantly affects you, you may demand that decisions not be made solely on the basis of automated processing.

Protection of rights and contact details

If you have any questions about personal data processing, please send an e-mail to or call us on +3724450755.

 When you use our website or reserve our services, you confirm that you have read and agree to our privacy notice.

We have the right to change our privacy policy from time to time and we provide information about this on our website.  We hope that you will read the changes we make in the notice from time to time.