Data Protection Rules
Please read the Data Protection Rules carefully. EESTI VANAPABER OÜ, hereinafter “VANAPABER”, may make changes to the Data Protection Rules from time to time. Up-to-date data protection rules are published on VANAPABER’s website at www.eestivanapaber.ee.
If you have any questions or requests, please do not hesitate to contact VANAPABER’s staff.
Personal data is any information about an individual. The processing of personal data is any operation performed on personal data, such as the collection, storage, alteration, use, viewing, deletion or destruction of data.
A data subject is a natural person whose personal data is processed by VANAPABER. Data subjects may be, for example, natural persons that are Customers of VANAPABER, visitors to websites or other persons who contact VANAPABER. The data subject is also referred to in the Data Protection Rules as “You” or “Customer”.
The controller is the person who determines the purpose and means of the processing of personal data and is responsible for ensuring that the processing of personal data is lawful, and the rights of the data subjects are respected. For the purposes of Data Protection Rules, the controller of your personal data is EESTI VANAPABER OÜ or any other company belonging to the VANAPABER group, to which you specifically turn.
2. Objectives and legal bases for data processing
Personal data shall be processed on the basis of the consent of the data subject or the legitimate interest of the data controller. The data shall be processed for the following purposes:
- identification of the Customer for the purpose of performing and securing the contract
- communicating with the Customer for the purpose of performing and securing the contract
- responding to Customer inquiries and requests
- making direct marketing promotional offers to a client, subject to client consent
- conducting customer satisfaction surveys on the basis of the consent you have given to VANAPABER, provided you have not prohibited us from sending customer satisfaction surveys to you
- preparing and sending invoices to the Customer
- managing and analysing the customer base to improve the availability, choice, quality, etc. of services, and to make the best offers for Customers
- compliance with a legal obligation, such as an accounting obligation
3. Data to be processed
The main personal information that we process about you may include the following:
- first and last name
- personal identification number or date of birth
- details of the identity document
- bank account
- contact details (address, e-mail, phone number)
- other information related to the contract (time of concluding the contract, price, payment information or other information provided in the contract)
In case of representing a company or institution, EESTI VANAPABER OÜ also has the right to collect information about that company or institution and its activities.
In addition to basic data, information on marketing activities, Customer interactions and website views may also be processed.
EESTI VANAPABER OÜ has the right to record information about the consent and refusal given by data subjects regarding direct marketing activities.
4. Origin of data
Personal data is collected directly from the data subject, for example through various means of communication (telephone, e-mail) when the data subject registers on VANAPABER’s direct marketing list on VANAPABER’s website, when the data subject registers as part of marketing activities or otherwise.
Personal data may also be collected from other registers available to the data controller, including national databases, as well as from other companies in the VANAPABER group, with the legitimate interest of the data controller or with the consent of the data subject.
5. Using security cameras
We use security cameras at VANAPABER’s sites to protect our Customers and property. Therefore, when you visit our sites, your image may be left on the recordings of our security cameras. VANAPABER’s security cameras record only video; sound is not recorded. When using security cameras, the area within their field of vision is always marked.
The legal basis for the use of security cameras and their recordings is VANAPABER’s legitimate interest in guaranteeing the safety of Customers and property.
Security camera recordings are kept for three months. Security camera recordings may be used only by VANAPABER’s personnel who need access to security camera recordings because of their duties.
You have the right to access and receive a copy of the recording on which you are visible. To receive a copy, please submit a request using the contact details provided in the Data Protection Rules. In your request, describe as precisely as possible the time (date, time) and the place where your image was recorded. VANAPABER reserves the right to reject the request if it would be prejudicial to the rights and freedoms of others.
6. VANAPABER’s websites and services
VANAPABER enables its Customers to use content and online services that are of interest to them through the website. Via VANAPABER’s website, you can order personalised offers to your email address or request a quote.
When you submit a request through VANAPABER’s website, we will only process the information you provided to us when you submitted your request. When you submit an inquiry to us, we will only process your personal information to respond to your inquiry. When you use e-services, the personal data processed may include the following:
- first and last name
- postal address and postal code
- contact details (e.g., email address and/or phone number)
- any other information you provide to VANAPABER when using the e-services
- information about your hardware and software (type of browser, operating system)
- IP address
- times of visiting VANAPABER’s website
- the address of the webpage that directs you to VANAPABER’s website
VANAPABER’s websites may also include links to third party websites. VANAPABER is not responsible for the content and security of third party websites and use of third party websites is at your own risk.
7. Transmission and disclosure of data and taking them out of the EU and EEA
The data controller may transfer personal data of the data subject to third parties for the purposes described below. If so, the third party processing the data on behalf of the data controller may process them only in accordance with the terms of the contract, in accordance with written instructions, and only for the purposes described herein. Access to data for the purpose of processing them shall be restricted to persons who have access to them in accordance with the tasks assigned to them.
The data controller may transfer personal data to third parties for processing. Tasks assigned to third parties include the acquisition and maintenance of databases and software, as well as data processing services, marketing services and other marketing activities.
In the event of a total or partial sale or other organizational change of the data processor, the data processor may transfer personal data to the purchaser of the enterprise and their consultants as required by law.
Personal data is stored on servers located in the European Economic Area.
8. Data security
Paper data shall be stored in locked premises.
Electronic data or databases are protected by firewalls, passwords, and other technical aids.
Databases and backups are in a locked online environment.
The data controller shall ensure that only those data controllers who, in the performance of their duties, need to have access to personal data have access to them.
9. Record keeping
The data controller shall store the data in accordance with the procedure prescribed by law.
When storing personal data, we respect the following deadlines:
- we will retain the information collected for the purpose of concluding the purchase invoice or delivery note for as long as necessary for the performance of the contract or for a period of 7 years after termination
- we keep the original accounting records for 7 years
- we will keep recordings of security cameras for a maximum of 3 months
- we store data collected on websites for 1 year
- information obtained through cookies on websites is stored for 540 days
Upon expiry of the retention period, personal data stored on paper shall be destroyed and electronic personal data deleted. If you would like more information on which retention periods apply to you, please contact us.
10. Rights of the data subject
VANAPABER guarantees data subjects all the rights under applicable law. You have the following rights regarding the processing of your personal data:
- Right of access. The data subject shall have the right to obtain from the data controller confirmation that the data controller is processing the personal data of the data subject. It is also possible to access this data. The data controller may ask the data subject to specify his or her query, inter alia, to specify the level of detail of the originating data.
- Correction of data. The data subject shall have the right to demand from the data controller the rectification or correction of personal data concerning him or her which is inaccurate or incorrect.
- The right to delete data. The data subject shall have the right to demand from the data controller the deletion of personal data concerning him or her, and the data controller shall have the obligation to delete such data if the basis for retaining the data is missing or obsolete or has previously been withdrawn.
- Restriction of data processing. In the cases provided by law, the data subject has the right to request the data controller to restrict the processing of personal data concerning him or her.
- The right to data portability. In the cases provided for by law, the data subject may request the transfer of personal data concerning him or her in a readable and accessible manner to himself or another data controller without any hindrance by the existing data controller.
- Right to refuse to allow the use of personal data for direct marketing. The data subject shall have the right to object to the use of his or her personal data for direct marketing purposes. Where the data subject’s right to process the data is based on the unambiguous consent of the data subject, the data subject shall have the right to withdraw his or her consent at any time.
In some cases, the data subject may have access to his or her personal data and the ability to amend them.
EESTI VANAPABER OÜ
Jalaka 60b, 50109 Tartu
Phone: 740 0510
Contact details of VANAPABER’s Data Protection Officer are:
Phone: 740 0510
VANAPABER responds to a data subject’s request by immediately taking measures to protect the data subject if necessary. VANAPABER shall respond to the data subject’s request within one month from the request.
The data subject has the right to lodge a complaint with the Data Protection Inspectorate regarding violations.