Eesti Consulting OÜ
Approved by Eesti Consulting OÜ Data Protection Officer and Management Board
Last Revised 27.05.2021
I. General provisions and definitions
2. The terms listed below have the meanings assigned to them in the Regulation (EU) 2016/679 (General Data Protection Regulation) and the accompanying Policy:
Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Controller means any natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by European Union or Member State law, the controller or the specific criteria for its nomination may be provided for by European Union or the other applicable law.
Processor means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Data subject is an identified or identifiable natural person who can be identified, directly or indirectly, based on particular information representing personal data;
3. Eesti Consulting OÜ acknowledges the privacy of natural persons and makes efforts to protect them against any unlawful processing of their personal data. Eesti Consulting OÜ applies the relevant technical and organisational measures to protect the personal data of natural persons in accordance with the effective legislation.
II. Processing of personal data
4. Eesti Consulting OÜ, in its capacity as controller/processor of personal data, processes personal data in a manner that ensures an appropriate level of security, including protection against unauthorised or illegal processing and against accidental loss, destruction or damage, while applying suitable technical and/or organisational measures in compliance with the following principles:
(a) lawfully, fairly and in a transparent manner in relation to the data subject (“lawfulness, fairness and transparency”)
(b) data is collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (“appropriateness in the processing of personal data and purpose limitation”)
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (“data minimisation”)
(d) accurate and kept up to date
(e) limitation of the storage for periods not longer than necessary for the purposes for which they are processed (“storage limitation”)
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (“integrity and confidentiality”).
5. Eesti Consulting OÜ processes personal data only if and to the extent that at least one of the conditions listed below applies:
(a) Processing is required for the performance of an agreement with the Eesti Consulting OÜ to which the data subject is party or to undertake steps at the request of the data subject prior to the signing of an agreement with the Eesti Consulting OÜ.
(b) Processing is required for compliance with a legal obligation which applies to the Eesti Consulting OÜ in its capacity as controller/processor of personal data.
(c) the data subject has given consent for the processing of their personal data for one or more specific purposes. In the cases when personal data are processed solely on the grounds of consent, the data subject has the right to withdraw such consent at any time. Withdrawal of the consent of the data subject is not applicable in the cases when the processing of the data is based on the provisions of items “a” and “b” above.
6. Eesti Consulting OÜ, in its capacity as controller/processor, does not process personal data which reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, nor genetic data, biometric data processed solely for the purpose of identification of the natural person, data concerning health or data concerning the sex life or sexual orientation of the natural person, unless the data subject has given explicit consent for the processing of such data for one or more specific purposes.
III. Purpose of personal data processing
10. Type of purpose
Eesti Consulting OÜ collects information from you when you register on our site, place an order, subscribe to a newsletter, respond to a survey, fill out a form, create an account or enter information on our site.
Eesti Consulting OÜ may use the information we collect from you when you register, make a purchase, sign up for our newsletter, respond to a survey or marketing communication, surf the website, use the apps, or use certain other site features in the following ways:
- To personalize your experience and to allow us to deliver the type of content and product offerings in which you are most interested.
- To improve our website or app in order to better serve you.
- To allow us to respond more accurately to your customer service requests.
- To quickly process your transactions.
- To send periodic emails regarding your order or other products and services.
- To follow up with you after correspondence (live chat, email or phone inquiries).
Based on your direct marketing preferences, we may send you marketing communications to inform you about our events or our partner events; to deliver targeted marketing; and to provide you with promotional offers based on your communication preferences. You can opt-out of our marketing communications at any time.
We will not use your personal information for purposes other than those purposes we have disclosed to you, without your permission.
Eesti Consulting OÜ may process the following data types – names, display names, e-mails,
IV. Rights of the data subjects (customers – natural persons whom the data relates to)
11. Right to information (in relation to the processing of the data subject’s personal data by the Eesti Consulting OÜ) – the natural persons that are data subjects have the right to receive information as to the Eesti Consulting OÜ as personal data controller/processor, as well as the processing of their personal data.
12. Right of access to own personal data – the data subjects have the right to receive from the Eesti Consulting OÜ confirmation as to whether personal data related to them are processed and if so, to be given access to the data and the following information: purpose of the processing; respective personal data categories; personal data recipients or categories of recipients, if any; the intention of the controller to transmit personal data to a third party (where applicable); personal data storage period; existence of the right to correct personal data, as well as the right to object against the processing of personal data; existence of automated decision making, including profiling (if any); information as to all rights that the data subject has; the right to file a complaint with the supervision authority.
13. Right to rectification of personal data (if data is not accurate) – the data subject has the right to request the Eesti Consulting OÜ to rectify, without undue delay, any incorrect data pertaining to the data subject.
14. Right to erasure of personal data (right “to be forgotten”) – the data subject may request the Eesti Consulting OÜ to erase personal data, if any of the conditions listed below exist:
- Personal data are no longer needed for the purposes they have been collected for or processed otherwise;
- The data subject withdraws his/her consent, on which the data processing is solely based, and no other legal grounds for the processing exist (processing due to regulatory obligation of the Eesti Consulting OÜ, an agreement signed with the Eesti Consulting OÜ);
- The data subject objects against the processing and no legal grounds for the processing exist that prevail.
- The personal data were processed unlawfully;
- The personal data should be erased in order to comply with a legal obligation under the European Union law or the other applicable law which apply to the Eesti Consulting OÜ in its capacity as personal data controller;
- The personal data have been collected in relation to the offering of information society services to children and consent was given by the holder of parental responsibilities for the child.
15. Right to limitation of processing by the Eesti Consulting OÜ or by the personal data processor – specific conditions are required to be in place for that right to be exercised, namely:
- Accuracy / up to date nature of the data is disputed by the data subject. In this case the limitation of the processing is over a period allowing the Eesti Consulting OÜ to check the accuracy of the personal data;
- The processing is unlawful, but the data subjects do not wish their personal data to be erased, but rather require limitation of their use;
- The Eesti Consulting OÜ no longer needs such personal data for processing purposes, but the data subject requires them for establishing, exercising or defending legal claims;
- The data subject has objected to the processing while awaiting a check to be performed whether the Eesti Consulting OÜ’s legal grounds prevail over the interests of the data subject.
16. Right to transferability (data portability) of the personal data between the various controllers – the data subjects have the right to receive personal data pertaining to them, which they have provided to the Eesti Consulting OÜ, in a structured, widely used and machine-readable format and have the right to transfer such data to another controller without hindrance by the Eesti Consulting OÜ to which personal data has been provided, when processing is based on consent or contractual obligation and the processing is automated. When exercising the right to transferability the data subject also has the right to direct transfer of the personal data from the Eesti Consulting OÜ to another controller, where technically feasible.
17. Right to object against the processing of their personal data – data subjects have the right to object before the Eesti Consulting OÜ against the processing of their personal data, whereby the Eesti Consulting OÜ shall cease such processing, unless Eesti Consulting OÜ is able to prove that compelling legitimate grounds for the processing exist that override the interests, rights and freedoms of the data subject, or for the establishment, exercising or defence of legal claims. In case of objection against the processing of personal data for direct marketing purposes the Eesti Consulting OÜ shall cease such processing forthwith.
18. The data subject also has the right not to be subject to a decision based solely on automated processing, including profiling, which entails legal consequences for the data subject or significantly affects the data subject otherwise.
19. Right to defence through judicial or administrative procedure if the data subject’s rights have been breached – if the data subjects decide that their right to personal data protection and privacy has been violated, they may file a complaint with the relevant supervision authority or file a claim with the court to defend their rights.
V. Disclosure of personal data
20. Eesti Consulting OÜ may disclose the personal data to the following categories of persons:
- The persons whom the data relate to, namely: persons using Eesti Consulting OÜ services or products, or persons filing a request to use Eesti Consulting OÜ services, as well as persons who are party to Eesti Consulting OÜ and / or other transactions and contractual relations with the Eesti Consulting OÜ;
- Persons that have right to access to personal data by virtue of law or another regulation;
- Persons as to whom the right to disclosure is stipulated in an agreement signed with the Eesti Consulting OÜ.
VI. Exercise of the rights
21. (1) In exercising their right to access, natural persons have the right to request from Eesti Consulting OÜ at any time:
1. Confirmation as to whether data related to them are processed by the Eesti Consulting OÜ, the purpose of the processing, the data category and the recipients or categories of recipients to whom such data is disclosed;
2. To send them a message in an understandable format, containing the personal data subject to processing and any information available as to the source of such data;
3. Information as to the logic of any automated processing of personal data pertaining to natural persons, at least in the case of automated decisions under the provisions of the General Data Protection Regulation
(2) Upon request Eesti Consulting OÜ provides the information under paragraph 1 free of charge.
(3) Natural persons have the right to request at any time that Eesti Consulting OÜ:
1. erases, rectifies or blocks their personal data the processing of which is not compliant with the requirements of the effective legislation
2. notifies the third parties to which the personal data of the natural persons have been disclosed as to any erasure, rectification or blocking in accordance with item 1 above, except when this proves to be impossible or would involve a disproportionate effort.
22. (1) Natural persons exercise their rights by filing a written request (by e-mail) to the Eesti Consulting OÜ, containing as a minimum the following information:
- name, personal ID number, address and other data allowing identification of the respective natural person;
- description of the request;
- Signature, date, correspondence address and telephone number.
(2) The filing of the request is free of charge.
(3) Upon filing of a request by an authorised person, the notarised power of attorney must be attached to the request.
(4) In case of death of the natural person, his / her rights are exercised by his / her heirs and certificate of heirs shall be attached to the request.
23. The Eesti Consulting OÜ shall review and pronounce on the request within 1 month as of its filing. This period may be extended by further two months, if necessary. The Eesti Consulting OÜ informs the data subject as to any such extension within 1 month as of receipt of the request, stating the reasons for the delay. When the data subject files a request by electronic means, the information is provided electronically, if possible, unless the data subject has requested otherwise.
24. The Eesti Consulting OÜ provides an answer to the requesting person taking into account their preferred form for the provision of the information (orally or in writing – as a hard copy or electronically).
25. Where data do not exist or their provision is forbidden by law, access of the requesting party to such data is refused.
26. If the requesting party is not satisfied with the response received and / or believes that their rights related to personal data protection were violated, they are entitled to exercise their right to defence.
VII. Information for the data subject:
Contact details of Eesti Consulting OÜ:
- Address: Pärnu mnt 41a/303, Kesklinna linnaosa, 10119 Tallinn Estonia
- Manager: Paweł Krok
- E-mail: email@example.com
- Telephone: +44 2081 900 412
- Internet site: eesticonsulting.ee
Contact details of the Data Protection Officer (responsible person for GDPR):
Name: Paweł Krok