The Companies are subject to Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter ‘General Data Protection Regulation’).
We process personal data only for the purpose of providing products and services to our clients and ensuring the proper operation of all the functions of all their means of work.
1. WHOSE DATA DO WE PROCESS?
We process the personal data of our employees, representatives and contact persons of clients and, if necessary, users of the Companies’ means of work (more information is available in section 2 ‘Controller’).
The Companies also process data on behalf of their clients who are controllers (more information is available under heading ‘Processor’). Data subjects whose data is processed by the Companies are also referred to as ‘natural persons’ in this Privacy Notice.
If the Companies determine the purposes, means and extent of processing of personal data, they are the controller.
2.1. Purpose and legal basis of processing.
We only process the personal data of representatives of clients to perform Our contractual obligations and provide high quality services to Our clients. The legal basis for processing is Our legitimate interest, meaning our interest in the management and direction of our business in order to be able to offer the best possible services on the market; and/or the performance of a contract concluded with a data subject or the taking of pre-contractual measures as requested by a data subject to ensure the proper provision of Our services or the sale of goods. We only process the personal data of job applicants to assess their competence and suitability. If data is processed for said purpose, the legal basis for processing is legitimate interest or the data subject’s consent, as the case might be.
2.2. How do We collect data?
We generally collect personal data directly from data subjects, which means representatives of clients, natural persons and employees of corporate customers who buy and use Our products and services as well as job applicants, Our employees, subcontractors and so on.
2.3. Categories of personal data being processed.
The Companies do not process special categories of personal data, for example sensitive personal data. We process the following personal data:
- Contact details, including name, address, phone number, IP address and e-mail address;
- Date of birth, age and gender and/or personal identification code, client number;
- Employment data, including employer, title, post and professional preferences;
- Financial data, including credit card or PayPal data;
- User operations in connection with e-mails sent to the Companies and information contained therein and accompanied thereby;
- Other personal data which Our current or potential clients have made publicly available or available only to Us in third-party social networks such as LinkedIn, Facebook and others.
2.4. Sharing of personal data.
2.4.1. Within Our group.
We are interested in providing the best possible user experience and service to Our end-users. Therefore it is possible that We will share personal data with e‑resident store OÜ.
2.4.2. Outside Our group.
2.4.2.1. Cooperation partners and business partners.
We may share certain categories of personal data with Our cooperation and business partners if it is necessary for providing Our services, lawful and in compliance with the applicable personal data protection law. In that case We may share personal data only in connection with providing products or services to Our clients. The legal basis for such processing of personal data is Our legitimate interest.
We share personal data that is required for payment processing with our authorized data processor.
In cases provided by law, the police, the Tax Board and other authorities may require Us to disclose certain categories of personal data. The Companies provide the personal data of natural persons to authorities only in compliance with applicable law. In that case, the legal basis for processing of personal data is the performance of an obligation arising from the law.
3. RIGHTS OF DATA SUBJECTS.
3.1. Marketing messages.
The Sunny Companies generally do not offer their products and services to new clients by way of mass posting and/or mass messages. However, if at times it is deemed necessary to send messages to a target client group or to current clients, you can always opt out by:
- following the unsubscription instructions in the footer of each message, or
- contacting us at the e-mail address email@example.com.
3.2. General rights.
Data subjects have the right to request access to, rectification or erasure of their personal data or restriction of processing and to object to processing as well as the right to data portability. Data subjects also have the right to lodge a complaint with a supervisory authority.
- The right to rectification means the data subject’s right to the rectification of inaccurate personal data concerning him or her without undue delay.
- The right to erasure means the data subject’s right to the erasure of personal data concerning him or her without undue delay, provided certain additional requirements are met.
- In certain cases the data subject has the right to restrict the processing of his or her personal data.
- The data subject has the right of access to personal data which We retain concerning him or her and which he or she has provided to Us, and the right to transmit this data to another controller if it is technically feasible and the processing is based on consent or on a contract and carried out by automated means.
- The data subject has the right to object, on grounds relating to his or her particular situation, at any time to processing of his or her personal data which is based on the relevant provisions of law, including profiling based on those provisions.
- Unless otherwise provided by law, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
- Where the processing of personal data is based on the data subject’s consent, the data subject has the right to withdraw the consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal.
Should you choose to exercise those rights, We kindly ask you to contact Us at the address firstname.lastname@example.org.
4. SECURITY AND RETENTION PERIOD OF DATA.
4.1. Security of personal data.
The secure storage of data is the highest priority for the Companies. We have done everything possible to avoid unauthorised access to and disclosure, loss or other unlawful processing of data. We protect the confidentiality and integrity of personal data and We ensure access to data in compliance with applicable law. To protect personal data collected and processed by Us, We have taken reasonable and sufficient organisational measures and set technical and physical restrictions. The measures applied depend on the category of personal data and the possible effects of its disclosure.
4.2. Storage and retention of information containing personal data.
The storage and retention of all data retained by the Companies (including personal data) takes place on the territory of the Republic of Estonia either in Our own servers and/or under a contract in servers of verified cooperation partners. We and Our cooperation partners have taken high level technical, physical and organisational measures necessary to ensure security:
- Verified physical and system based access only by persons with relevant authorisation;
- Making of back-up copies;
- Keeping of user logs, if necessary;
- Use of firewalls to avoid unwanted access;
- Constant monitoring for making security updates;
- Non-disclosure agreement with all employees using the systems.
The work organisation of controllers and processors is set up so that the work computers of employees are only used to carry out the process of providing the service of data processing. Processed data is stored in file servers with the highest level of security, which can only be accessed by those liable for and carrying out the processing.
4.3. Retention period – how long do We retain your personal data?
The Companies retain personal data only for as long as necessary to achieve the purpose for which the data was collected. The retention period also depends on the need to reply to data subjects’ enquiries, solve problems and comply with requirements for document retention arising from the law. When We no longer need personal data and the law does not require the retention thereof, We erase the data without delay.
5. COMPANIES AS CONTROLLERS OR PROCESSORS.
5.1. Provision of services.
The Companies provide various services to their clients. Generally, the provision of such services entails the processing of (personal) data obtained from Our clients (for example, accounting and wage data which may also contain personal data or personal data of private persons or employees of companies who buy Our services, which is retained in the economic software used by Us or in databases in file servers). In that case We only process data for the purposes determined by Our clients and the controller is Us or Our client.
The Companies are mostly processors of personal data and We process personal data only on behalf of Our client and under the client’s instructions. The relationship between and the rights and obligations of the processor and controller (meaning the Companies and their clients) are also determined, if necessary, in a personal data processing agreement. Where the Companies are the controller, We strictly comply with the requirements arising from Regulation 2016/679 of the European Parliament and of the Council.
5.2. Obligations of the Companies as the processor and the client as the controller.
Where the controller is Our client, the legal basis for the processing of personal data shall be determined by the client. The controller is also required to assess and manage the risks involved in the processing of personal data and perform duties related to notifying data subjects. As the processor, the Companies perform a significant portion of the controller’s duties since Our services are part of personal data processing, the compliance of which with the law must be ensured by the controller. If the Companies process personal data on behalf of their clients (meaning as the processor), We operate in compliance with applicable provisions of law that govern the operation of processors.
The Companies and the client who is the controller shall cooperate to ensure the prescribed protection of data subjects. If necessary, We provide the client with information necessary for compliance with the applicable personal data protection law.
6. SUBCONTRACTORS AND EXPORT OF PERSONAL DATA.
We use subcontractors for the processing of personal data but We do not export personal data outside the European Union. For example, our contractual subcontractors are Estonian providers of cloud computing services and other IT services. The Companies enter into a data processing agreement with each and every subcontractor and verify the compliance with the terms and conditions of contract in order to protect personal data and perform their obligations toward their clients.
If you would like more information about the possible use of subcontractors in the provision of services to you, We kindly ask you to contact Us as set out under ‘Contact Details’.
7. AMENDMENTS TO NOTICE.
For the purpose of increasing security or complying with amendments to law, the Companies may amend or adapt this Privacy Notice at any time. Should We do so, We shall publish the revised Notice here with a new version date. We may notify you of significant changes in Our Privacy Notice and privacy principles before they take effect by way of e‑mail, announcement on Our website and/or on Our social media sites. Nevertheless, please visit this site from time to time to keep up to date with minor changes in the Privacy Notice.
8. OUR CONTACT DETAILS.
We value your feedback, opinions and suggestions. If you have any problems, comments or questions, please contact Us at the address email@example.com. You can also contact Us through regular mail at the address Järvevana tee 9-40, Tallinn 11314, Estonia.