
Privacy statement

Principles for the processing of customer data in the Estonian Centre for Standardisation

Controller of personal data

The controller of personal data is the Estonian Centre for Standardisation (Akadeemia tee 21/6, Tallinn, registry code 80120020), hereinafter “Centre for Standardisation”.

What is personal data?

Personal data (hereinafter also “data”) is any data specifically or indirectly associated with you as an identified or identifiable natural person.

How do we receive your data?

We mostly receive information about you from you when you use our services and visit our website.

We also receive information about you from other service providers. In particular, such data are the data transmitted to us by providers of services you use, for example when using electronic means of payment or Mobil-ID or ID-card for logging in.

We can, if necessary, receive information about you from public registers and databases (for example E-Krediidiinfo).

Which data do we collect and process, and on what grounds?

The Centre for Standardisation collects personal data for specified, explicit and legitimate purposes, and does not further process it in a manner that is incompatible with those purposes. According to legislation, we collect and process personal data for the performance of a contract or ensuring the performance of the contract, based on consent or legitimate interest, or for the performance of a legal obligation arising from the law.

For the performance of a contract or ensuring the performance of the contract, we process personal data for the following purposes:

In relation to the sale of standards and related standards browsing services, we will process your data (e.g. name, personal identification code, document number), contact information (e.g. addresses, contact phones, e-mail address), information about your workplace, service-related data (purchased standards and services, newsletter subscriptions etc.) and billing details (e.g. account number, billing addresses).

For the provision of, registration to and participation in training, we will process your data (e.g. name), contact information (e.g. billing address, contact phone, e-mail address), information about your workplace and billing details (e.g. account number, billing addresses).

For the identification required for the provision of services, we will process your data (e.g. username, password, name, personal identification code, phone number and IP address for IP-based viewing services).

We can also process your data to respond to your queries related to our services.

Based on the data subject’s consent, we process the data for the following purposes:

For direct marketing and newsletters, we will process your data (e.g. name) and contact information (e.g. e-mail address).

Due to our legitimate interest, we process the data for the following purposes:

If you provide us with comments on the draft standards through the Public Commenting Portal, we will process your data (e.g. name, username) and contact information (e.g. e-mail address) for identifying the author of the comments.

For the development of our products and services, we may process your data (e.g. name, personal identification code), contact information (e.g. addresses, contact phones, e-mail address) and the information about the used service (purchased standards, payment methods etc., also selected services and newsletters etc.) and other information related to the use of services (website traffic, including data on the equipment and operating systems used for visiting the website).

In relation to customer relationships and complaints and resolution of disputes, we may, depending on the situation, process all of your data.

To ensure the functioning of our services, and to analyse or eliminate malfunctions or failures that have occurred or to resolve security incidents that have occurred, we may, depending on the situation, process all of your data.

Due to a legal obligation arising from the law, we process the data for the following purposes:

In relation to the obligation to keep separate accounts, we will process your data (e.g. name), contact information (e.g. addresses, contact phones, e-mail address), service-related data (e.g. purchased standards and services), billing details (e.g. account number, billing addresses).

We can also process your data in other cases provided for by law.

To whom do we provide your data?

If you pay for standards through electronic means of payment (bank link, credit card, PayPal), we will forward the details relating to your purchase to the respective payment service provider according to the payment method. Please note that in all of these cases, the payment transactions take place in the payment institution’s environment, and the Centre for Standardisation does not see or process the relevant usernames, credit card numbers, passwords etc.

If you order standards in paper format and wish to receive them, we will forward your information related to delivery to the relevant postal or courier service provider.

If you have provided us with comments on the draft standards through the Public Commenting Portal, we will forward your comments along with your data to other parties, in compliance with the applicable standardisation rules. It may also include the forwarding of your data to the European and international standardisation organisations located outside of Estonia.

To analyse and resolve errors in our IT systems for the services we provide you with, we may transfer your data to our partners who offer application or development support to our systems (IT maintenance and development partners, accounting software administrator etc.).

We also transfer information about the website traffic of the EVS website (evs.ee) to search engines and providers of web analytics services (e.g. Google Analytics).

In addition to the above, we may transfer your data to the following parties:

  • our professional advisers such as auditors or consultants;
  • contractual (authorised persons) or legal (guardians) representatives of a data subject;
  • another data controller (e.g. in the implementation of the right to transfer data) based on the request from the data subject;
  • debt collectors (debt collection agencies) and new creditors in the event of the assignment of the right of the claim;
  • billing centres (drawing up and issuing of invoices, processing of e-invoices);
  • state register, in compliance with the law;
  • state agencies for conducting court procedure or criminal proceedings, also for exercising state supervision and in other cases arising from acts on the bases thereof and pursuant thereto.

How long will we keep your data?

We will keep your data for as long as it is necessary to achieve the purpose of the processing.

The time limits for the retention of data or criteria for setting deadlines are set out in the table below:

| Data | Retention period |
|---|---|
| Data entered into and stored by you on your user account on the EVS website (evs.ee) (including system access records) | Until the deletion of the account from the system |
| Information about purchased standards, licences and rights of use | Up to seven years after the termination of the licence agreement or the right of use. |
| Accounting information | According to the Accounting Act (usually seven years) |
| Information about comments on standards through the Public Commenting Portal | Data is stored in the system until the commentary is dealt with according to the standardisation procedures, then according to the rules for participation in the standardisation. We may keep your name with the comments forever. |
| Information about correspondence with you | Up to seven years |
| Data to be processed based on consent | Until the withdrawal of consent |

We may process your data for somewhat longer than the above-mentioned times – in particular, for the time it takes to complete the deletion or anonymisation of the data.

If the Centre for Standardisation wishes to keep your data for longer than is necessary for the purpose for which it was collected, the Centre for Standardisation will anonymise personal data in such a way that the data subject is no longer identifiable.

How do we ensure secure processing of your data?

We use organisational, physical and IT security measures to ensure the integrity, availability and confidentiality of data. These measures include the instruction of employees and the protection of information, IT infrastructure, the company’s internal and public networks, office buildings and technical devices.

Requirements related to confidentiality and the protection of data apply to our employees for whom training courses on personal data protection are organised, and they are responsible for complying with the requirements.

Our cooperation partners are obliged to ensure the compliance of their employees with the same rules as ourselves, and the employees are responsible for complying with the requirements of personal data usage.

What are your rights in relation to your personal data?

The right of access to your data

You have the right, at any time, to ask us for the information we process about you, and access your data that is used by the Centre for Standardisation. You also have the right to be informed about the purpose of data processing and the retention periods, and if and to whom we will forward your data. You can access the data collected through the EVS website (evs.ee), by logging in to your account and viewing the data stored about you from the “My Account” section. If you would like to receive a complete overview of the data collected about you, then submit a signed statement to info(at)evs.ee or at our customer service. We have the right to respond to such queries within 30 days.

The right to correct personal data

If you have discovered inaccurate personal data when accessing your data, or if your personal data has changed, you can always correct them in the EVS system (evs.ee), by logging in to your account and making the corresponding changes therein. You can send us your request for correction to info(at)evs.ee or submit it to our customer service on the spot. We will correct your data at the first opportunity.

The right to be forgotten

In some cases, you are entitled to request the deletion of your data. This applies especially to the processing of data on the grounds of consent and legitimate interest. It includes, for example, data that is related to the consumption of services, communication of various notices etc. If we use your data for purposes for which the deletion of data is not allowed due to contractual or legal reasons, then requesting the deletion of such data is not possible. You can cancel the notifications or the subscribed information services at any time by logging into your account and cancelling the relevant options. You can also notify us of such a wish or request the deletion of personal data to a greater extent by submitting a signed statement to info(at)evs.ee.

The right to submit objections

You have the right to object, at any time, to any action regarding the processing of your data that is conducted on the grounds of legitimate interest, i.e. without your express consent. This right cannot be used in a situation where we are required to compile, submit or defend a legal claim. If you have any objections to the data processing, please contact us at info(at)evs.ee.

The right to restrict the processing of your data

In some cases, you have the option of restricting the processing of personal data by explicitly informing us. This right can only be exercised in the following cases:

  • to verify the accuracy of personal data when you have challenged their accuracy;
  • processing your data is illegal, but you do not want to delete them;
  • we no longer need your data for processing; however, you need personal data for compiling, submitting or defending a legal claim;
  • you have filed an objection for processing your data on our legitimate interest and wish to limit the processing of the data in question until a decision has been made.

If you wish to use such right, send us a notice with the reasons to info(at)evs.ee.

The right to transfer data

You have the right to receive your data or have it transferred directly to another service provider, in a machine-readable format. Please note that the Centre for Standardisation cannot guarantee that the other service providers have the capacity to receive the data in such format.

Unlike the right to access your data, you are entitled to receive personal data in machine-readable format only for the data that we have in a structured, commonly used and machine-readable format. Such right only applies to the data that the Centre for Standardisation uses for the performance of the contract, or on the basis of consent, and only by automated means to the extent that does not restrict the privacy rights of third parties.

If you would like to receive your data from us in machine-readable format, then submit a signed statement to info(at)evs.ee or at our customer service. We will send your data at the first opportunity.

The right to turn to the Centre for Standardisation or a supervisory authority and a court

If you would like to receive additional information about the use of your personal data or assistance with exercising your rights or if you are concerned that the Centre for Standardisation has handled your data with negligence, you can always contact our customer service at + 372 6 055 050 or at info(at)evs.ee.

You are always entitled to contact the Estonian Data Protection Inspectorate at www.aki.ee or the court to protect your privacy rights and personal data.

Other conditions

The Centre for Standardisation has the right to update, clarify and supplement these principles for the processing of customer data at any time, in the light of amendments in legislation and standardisation rules or changes in our services.

These principles will come into force on 25 May 2018.
