top of page

Privacy statement

This is a report on the processing of personal data in accordance with the EU General Data Protection Regulation (679/2016). 


Going Nowhere resort  

Business ID: 3289369-1

Contacts regarding data protection matters 

Anu Maatraiva

040 8231 206

In all questions related to the processing of personal data and in situations related to exercising one's own rights, the registrant is advised to contact the data protection officer. 


Basis and purpose of personal data processing 

The legal basis for processing personal data is: 

- Consent given by the registrant to the processing of personal data 

- Contractual relationship between the registered and the controller 

- Fulfillment of the legal obligations of the registrar

- Customer relationship management and development

- taking care of reservations

- payment, payment control and collection

- marketing of the data controller's products and services

- development of the data controller's business and related customer service development



Regular data sources 

The processed personal data is regularly obtained from the following sources: 

- From registered self 


Personal data to be processed 

The registrar collects only such personal data from the registrants that are relevant and necessary for the purposes described in this privacy statement.

The following information is processed about the registered: 

customer information

reservation information

essential information related to managing the customer relationship

other additional information provided by the customer himself


Disclosure of personal data 

Personal data will not be disclosed to outsiders, unless the law imposes an obligation to do so. Information can therefore exceptionally be disclosed, for example, to the authorities as required by law. 

Transfers of personal data to third countries 

Personal data is not transferred outside the EU and the European Economic Area. 

Protection of personal data 

The controller processes personal data in a way that aims to ensure appropriate security of personal data, including protection against unauthorized processing and accidental loss, destruction or damage. 

The controller uses appropriate technical and organizational safeguards to ensure this goal, including the use of firewalls, encryption technologies and secure device spaces, appropriate access control, careful management of user IDs in information systems, and instructing personnel involved in the processing of personal data. 

Based on the Employment Contracts Act (55/2001) and the confidentiality agreements that supplement them, all employees who process personal data have a duty of confidentiality regarding matters related to the processing of registered personal data. 

Data retention period 

The controller processes personal data for 12 months. At the end of this period, the data controller will delete or anonymize the data within one (1) month in accordance with its deletion processes. 

The controller may have an obligation to process some of the personal data included in the register longer than stated above in order to comply with legislation or official requirements. 


Personal data is not used for profiling or other automatic decision-making. 

Rights of the registrant 

The right to access personal data 

The registered person has the right to receive confirmation as to whether personal data concerning him or her is being processed, and if processed, the right to receive a copy of his/her personal data. 

Right to rectification 

The registered person has the right to request that inaccurate and incorrect personal data concerning him be corrected. The registered person also has the right to have incomplete personal information completed by submitting the necessary additional information. 

Right to erasure 

The registered person has the right to request the deletion of personal data concerning him/her, if 

a. personal data are no longer needed for the purposes for which they were collected; 

b. the data subject withdraws the consent on which the processing of personal data was based, and there is no other legal basis for the processing; or 

c. personal data has been processed illegally. 

Right to restriction of processing 

The registrant has the right to restrict the processing of personal data concerning himself, if 

a. the data subject denies the accuracy of his personal data;

b. the processing is against the law, and the data subject objects to the deletion of his personal data and instead demands the restriction of their use; or 

c. the controller no longer needs the personal data for the original purposes of the processing, but the data subject needs them to prepare, present or defend a legal claim. 

Right to object

The registered person has the right to object to the processing of personal data concerning him at any time on grounds related to his personal special situation. 

The controller may no longer process the data subject's personal data, unless the controller can demonstrate that there is a significantly important and justified reason for the processing that overrides the interests, rights and freedoms of the data subject, or if it is necessary to prepare, present or defend a legal claim._cc781905-5cde-3194 -bb3b-136bad5cf58d_

If personal data is processed for direct marketing, the data subject has the right at any time to object to the processing of personal data concerning him for such marketing, including profiling when it is related to such direct marketing. 

Right to withdraw consent 

The registered person has the right to withdraw his consent to the processing at any time without affecting the legality of the processing carried out prior to this consent. 

The right to transfer data from one system to another 

The registered person has the right to receive the personal data concerning him and that he has provided himself in a structured, commonly used and machine-readable format and the right to transfer the data in question to another controller. 

The right to lodge a complaint with the supervisory authority 

The national supervisory authority for personal data matters is the Office of the Data Protection Commissioner operating in conjunction with the Ministry of Justice. You have the right to submit your case to the supervisory authority if you consider that the processing of personal data concerning you violates the relevant legislation. 

Changing Privacy Policy 

The controller is constantly developing its operations and may therefore have to change and update its data protection policies as necessary. The changes may also be based on changes in the legislation on data protection. 

If the changes contain new purposes for the processing of personal data or otherwise change significantly, the controller will notify them in advance and, if necessary, request consent. 

Any questions?

If there's something that puzzled you, contact us either by e-mail or by using the link below!

bottom of page