Privacy Info

Principles of the Estonian Centre for Standardisation and Accreditation for the processing of personal data
General

The following principles provide an overview and describe the processing of personal data by the Estonian Centre for Standardisation and Accreditation (NGO).

The principles do not address the processing of personal data arising from an employment relationship.

Data controller

The controller of the personal data is the Estonian Centre for Standardisation and Accreditation (NPO) (Akadeemia tee 21/6, Tallinn, registry code 80120020), hereinafter the ‘Association’.

What is considered personal data?

Personal data (hereinafter also the ‘data’) is data that is specifically or indirectly associated with you as an identified or identifiable natural person.  

Personal data does not include information from which no natural person can be reasonably identified, i.e. anonymous information or personal data that has been rendered anonymous in such a way that the person is not or no longer identifiable (unidentified or anonymised information). The processing principles do not apply to such information.

Nor do these principles apply to the processing of data of a legal person (company, association, organisation).

How do we receive your data? 

We mainly receive data about you from you, for example, when you:

  • send us inquiries and requests for information or write to us for other reasons;
  • participate in the in standardisation process;
  • are a representative of an accredited body or a body applying for accreditation, or you are a representative of a professionally competent measurer;
  • have a contractual relationship with us, either as a client or as a contractor;
  • visit our websites at www.evs.ee or www.eak.ee or the standards commenting portal at https://komport.evs.ee;
  • apply to work for us;
  • use any of our other services.

We also receive some data from other service providers. In particular, such data includes, for example, data transmitted to us by service providers when logging in with a Mobile ID, Smart ID or ID card, or when using electronic payment channels. We may also receive data about you from our clients, for example, if your employer is one of our clients. Personal data may also be contained in correspondence, documents or other information provided to us by others.

If necessary, we may also obtain data about you from public registers and databases (such as the Commercial Register, E-Krediidiinfo, etc.).

On what basis and what data do we collect and process?

We collect and process personal data for clearly specified and legitimate purposes and do not subsequently process it in a way that is incompatible with those purposes.

Pursuant to legislation, we collect and process personal data either for the performance and enforcement of a contract, on the basis of consent, on the basis of legitimate interest or to comply with a legal obligation.

We will only use the personal data collected to carry out our activities and provide our services. In no case will we sell your personal data to third parties or transfer it for purposes that are incompatible with the original purpose for which it was collected.

To whom do we transfer your data?

If you pay us via electronic means of payment (bank link, credit card, Paypal) or if we settle with you, we will transfer your details (name, bank or means of payment) to the relevant payment service provider (Swedbank, SEB, LHV, Luminor, PayPal) according to the payment method. We would like to point out that in all the cases mentioned above, payments are made in the payment intermediaries’ environments and the user IDs of the banks, full credit card numbers, passwords for the environments, etc. are not seen or processed by the Estonian Centre for Standardisation and Accreditation.

If you order standards in paper format and want them delivered, or if you want accreditation documents on paper, we will forward your delivery details to the relevant postal service provider.

In order to analyse and correct errors in our IT systems in connection with the services we provide to you, we may submit your data to partners who provide operational or development support for our systems (IT maintenance and development partners, accounting software and document management system maintainers, etc.).

Further information on the transmission of data related to specific uses is also provided in the following chapters. In addition to the above, we may transfer your data to the following:

  • our professional advisers, such as auditors, accreditation assessors or consultants;
  • legal representative of a data subject (guardians);
  • on the basis of a data subject’s request to another data controller (e.g. when implementing the right to data portability);
  • debt collectors (debt collection agencies) and, in the case of assignment, new creditors;
  • invoice centres (invoicing and issuing, e-invoice processing);
  • national registers in accordance with the law;
  • and in other cases provided for by law, on the grounds and in accordance with the procedures laid down therein.
How long do we store your data? 

We will store your data for as long as necessary to achieve the purpose of the processing.

The retention period depends on the type of data and can sometimes be quite long. Certain data relating to participation in standardisation or accreditation may be retained in perpetuity or transferred to the National Archives for retention in perpetuity.

For more detailed information on data retention periods, see the information on uses below.

We may also process your data for slightly longer than the time limits set out above – in particular, by the time it takes to complete the deletion or anonymisation.

If the Estonian Centre for Standardisation and Accreditation wishes to keep your data longer than is necessary for the purpose for which it was collected, the Estonian Centre for Standardisation and Accreditation will anonymise the personal data so that the data subject is no longer identifiable.

Processing of personal data on the Association's websites
Processing of personal data on the www.evs.ee, komport.evs.ee and kampaania.evs.ee websites

The information in this chapter specifies the processing of personal data on the www.evs.ee, kampaania.evs.ee and https://komport.evs.ee websites.

Use of cookies on websites: 

Information about the cookies used on the www.evs.ee website can be found by opening the cookie settings  in the bottom left corner of the website. Among other things, detailed information about the cookies used on the site, their categories, and the purpose for which they are used and how they are stored is displayed in the cookie settings. You can also change your consent or opt-out of cookies in the settings.

The standards commenting portal at https://komport.evs.ee only uses the following cookies necessary for the functioning of the portal.


  Cookie                                                                                                                                         
  
  Purpose                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              
  Retention period

  Asp.Net_SessionId

  Identifying user session on the server

  Session

 .Nop.Authentication
  Identifying logged-in user 
  In case of session or   ‘remember me’ option for 14   days

  lang

  Remembering the user’s language choice

  Session

The https://kampaania.evs.ee portal only uses the following cookies necessary for the functioning of the portal.

  Cookie

  Purpose

  Retention period

  Wordpress_sec *

  Retention of authentication information. Only used if user is with administrative rights

  Session

  wordpress_logged_in_[hash]:

  Identifying logged-in user 

  Session

  wp-settings-{time}-[UID]

  To set up the configuration of web page views

  1 year

  wordpress_test_cookie

  A cookie for testing portal cookies. Doesn’t contain personal information

  Session

What personal data do we collect when you visit our website and for what purposes?

In the course of your use of the website, we collect various types of information that is necessary to provide you with services related to the website, to ensure the operation of the website, and to resolve incidents related to the website.

If you use the website without having a user account or without logging in to a user account, we will store information about the IP address and technical information about the devices used to visit the website.

If you have a user account on the www.evs.ee website, we process personal data for the purpose of providing services related to the account (including the performance of various contractual obligations). In connection with the use of the account, in addition to the above, we store and process information about you that you have entered into the user account yourself (account details such as name, email address, password, invoicing and delivery addresses), as well as store IP addresses for using the account. If you have purchased services from us, we will retain data related to the service, including data on the means of payment used to pay for the service (NB: we do not keep the full credit card numbers).

If you have consented to receive newsletters from us on the www.evs.ee website, we will process personal data (e.g. name) and contact details (e.g. email address) for the purposes of direct marketing and sending newsletters. You can withdraw your consent to receive the www.evs.ee newsletters at any time by withdrawing the corresponding option in your account on the website.

We may also send you important communications concerning your account or services due to our legitimate interest.

We store the information related to the user account collected in the course of using the website until the user account is deleted. An application for deletion can be submitted from the website via your account or by submitting a corresponding signed application to us. Please note that if the account is deleted, we will no longer be able to guarantee that the standards and services acquired through the account will be available in the future.

To whom and for what purposes do we transfer your data when you visit the website?

On certain www.evs.ee subpages (registration, placing an order for an anonymous browsing service, request for information and inquiry forms), we use the Google ReCAPTCHA service to help distinguish between human users of the website and web robots. To do this, when you browse websites that contain the ReCAPTCHA element, we transmit information to Google about the choices and movements you make on the website. More information about Google ReCAPTCHA can be found here: reCAPTCHA (google.com).

For the purpose of determining the user’s location for correct tax calculation during the ordering process, we transfer your IP address to MaxMind, Inc., the geolocation service provider.

We use the services of Usercentrics A/S (Cookiebot) to manage cookies and cookie-related consents on the website.

When visiting the kampaania.evs.ee website, we store the IP address and technical information about the devices used for visiting. kampaania.evs.ee website is located on the server of Zone Media OÜ, as a result of which we transmit the above-mentioned information related to the use of the website to Zone Media OÜ.

The komport.evs.ee website does not transfer your data to any external party.

Processing of personal data on the www.eak.ee website

In the course of your use of the www.eak.ee website, we collect information that is necessary to provide you with services related to the website, to ensure the operation of the website, and to respond to incidents related to the website. In particular, this information includes the IP address, the time the website was visited, and technical information about the devices used to access the website.

The www.eak.ee website does not use cookies.

The EAK website is hosted on the server of Zone Media OÜ, which is why we transfer the above-mentioned information related to the use of the website to Zone Media OÜ.

Third-party websites and social media channels

The www.evs.ee, komport.evs.ee, and www.eak.ee websites contain links to external websites. Please note that if you click on a link to an external website, you will be taken to a website that is not under our control and is not subject to our principles for the processing of personal data. These websites may independently collect information about you (including personal data). If this is the case, we encourage you to read the privacy policy of the specific website and make your choices about those websites.

On our social media channels (Facebook, LinkedIn, YouTube), your personal data will be processed by the providers of the respective platforms in accordance with the privacy policy of the relevant platform.

Processing of personal data in connection with participation in standardisation activities

If you are involved in standardisation as an expert or member of a standardisation committee, we will keep your details such as your name and contact details for the purposes of organization of standardisation under the Product Conformity Act.

Data relating to the drafting of a specific standard may be retained for up to 25 years from the date of withdrawal of the standard in certain cases, while certain standardisation committee documents, such as committee membership documents and committee meeting minutes, are retained in perpetuity according to the Archives Act.

If you provide us with comments on draft standards via the standards commenting portal, we will process your personal data (e.g. name, username) and contact details (e.g. email address) to identify the author of the comments and, if necessary, contact the author.

If you have submitted comments on a European or international standard, we may pass on your comments, together with your details, to other parties (in particular the drafters of standard) in accordance with the applicable standardisation rules. This may also include submitting your data to the European standardisation organisations CEN and Cenelec, based outside Estonia, and the international standardisation organisations ISO and IEC, registered in Switzerland. If you participate as an expert in European or international standardisation, we will forward your details (name, contact details) to the relevant European or international standardisation organisations.

In addition, if you have been involved in standardisation as a drafter or interpreter, we will process your data, such as your name and contact details, under the Copyright Act. In relation to copyright, we keep the data for the duration of the copyright and, in certain cases, for up to 7 years after the expiry of the copyright.

Processing of personal data in connection with the purchase of standards and standards-related services

In connection with the sale of standards and reading services related to standards, we process your personal data (e.g. name, personal identification code, document number), contact data (e.g. addresses, contact telephones, email address), data about your place of work, service data (purchased standards and services, ordered newsletters, etc.), and invoice data (e.g. invoice number, addresses). We process this data for the performance of a contract. As a general rule, we store this data for 7 years after the end of the contract or until the standard right of use expires.

We store the data related to the services in your www.evs.ee account until the account is deleted.

We may also process your data to respond to your inquiries relating to our services.

Processing of personal data for the purposes of accreditation and attestation of competence

If you are associated with an accredited body or professionally competent measurer, we process your personal data for the purpose of providing the accreditation or competence attestation service to provide public service under the Product Conformity Act and for the performance of an accreditation or competence attestation contract.

In particular, this includes the data contained in the application for accreditation or for the attestation of competence (name, contact details), the data contained in the documents submitted to us or to be drawn up in the course of the accreditation or the attestation of competence (names, contact details, job details, etc.).

Personal data collected during the accreditation process will be retained for 15 years, data collected during the attestation of competence for 6 years.

If you act as an Estonian Accreditation Centre assessor or expert, we will process your name, contact details, and information about your competences and qualifications. As a rule, we store the relevant data for 15 years from the date of your last appointment as an assessor.

If you are a member of an accreditation council or participate in the work of an accreditation technical committee, we will store your name and contact details for the purposes of organising the work of the accreditation council or technical committee. Certain accreditation council or technical committee documents, such as minutes of meetings, are kept permanently.

Processing of personal data in connection with the provision of training courses

In connection with the provision of training courses, registration for training courses, and participation in training courses, we process your personal data (e.g. name), contact data (e.g. billing address, contact telephone, email address), data about your place of work, and invoice data (e.g. billing account number, billing addresses).

For the purpose of introducing trainings and events, we display information about upcoming trainings on the kampania.evs.ee website. You can get to the mentioned website through the links provided in our social media channels, as well as via newsletters or the evs.ee website. On the kampaania.evs.ee website it’s possible to let us know via the website form if you want to participate in one of the advertised trainings. In this case, we will keep your name and email address to fulfill the contract in order to contact you when the training opens. We keep the data transmitted through the form until the training or event takes place or, if the training or event does not take place, until this fact becomes clear.

Processing of personal data in connection with job applications

If you apply to work for us, we will keep the information about you as the candidate that you provided to us in your application documents. Also, information you have provided us with in correspondence relating to your application. We may also obtain additional information about you in connection with your application from other public sources. Examples of such information include name, email address, telephone number, address, gender, date of birth, personal website, photograph, current employer, educational background, work experience, language skills, IT skills, possible start date, salary expectations or other information relevant to the position.

Only employees of the Association involved in the recruitment process will have access to the application documents. We do not disclose candidates’ personal data to third parties or transfer it outside the European Union or the European Economic Area. As an exception, we may transfer candidates’ personal data to parties who conduct additional ability tests or background checks as part of the recruitment process. In this case, only relevant and necessary information about the candidate (e.g. the candidate’s name and contact details, personal identification code for background checks) will be communicated to third parties.

In order to settle any legal disputes that may arise during the recruitment process and to make offers to successful candidates, we will store personal data for 1 year from the end of the recruitment process.

With the candidate’s consent, we may keep personal data relating to the candidate’s application for a longer period in order to propose the candidate for a future competition.

Data processing for accounting and tax purposes

If you have purchased services from us, sold services to us, or had a contractual relationship with us, we will process your data in connection with our legal obligation to keep accounting and tax records. In this context, we process your data such as name, personal identification code, contact data (e.g. addresses, contact telephones, email address), service or contract data (e.g. purchased standards, service information, fees paid, etc.), invoice data (e.g. billing account number, billing addresses), data related to the identification of the user’s country of destination (address, IP address, payment instrument data, etc.).

We may disclose this information to various public authorities, such as tax authorities, as well as to our auditors and accounting software support provider, where required by law.

As a rule, we store this data for 7 years, in some cases longer.

Processing of personal data when you write to us, submit a request for information, a request for clarification or a complaint

If you write to us or submit a request for information or clarification, we will use your personal data primarily to respond to you. If we need to make inquiries from someone else in order to respond to you, we will disclose your personal data only to the minimum extent necessary.

We may also use your correspondence with us to assess the quality of our work internally.

If you file an accreditation complaint or appeal with us, we will process your personal data in order to respond to you or to contact you in order to establish further facts. We keep the complainant’s details strictly confidential. Complaints and appeals relating to accreditation are kept for 10 years.

We store correspondence with private individuals for 7 years. Documents that have exceeded this time limit should normally be destroyed.

Processing of personal data in other cases

We may also process personal data in other cases not described above. In particular for the following uses.

In the context of the development of our products and services, we may process your personal data (e.g. name, personal identification code), contact data (e.g. addresses, contact telephone numbers, email address) and data relating to the service used (standards purchased, payment methods, etc., selected services and newsletters, etc.), and other data relating to the use of the service (data relating to visits to our website, including data relating to the devices, and operating systems used to visit our website) for legitimate interests. We use anonymous information collected about website traffic to improve the evs.ee website user experience. 

For the purposes of client relations and complaint and dispute resolution, we may process any of your data, depending on the circumstances.

We may process any of your data on the basis of legitimate interest, as the case may be, in order to ensure the functioning of our services and to analyse or remedy any malfunctions or failures or to respond to security incidents.

How do we ensure the secure processing of your data?

We use the organisational, physical, and IT security measures necessary to ensure the integrity, manageability, and confidentiality of data. These measures include guidance and protection of employees and information, IT infrastructure, internal, and public networks, as well as office buildings and technical equipment.

We use right of access management to access data. We make the effort to implement security measures designed to achieve an appropriate level of data protection and thereby prevent the disclosure of personal data to unauthorised persons.

Our employees are subject to data confidentiality and data protection requirements.

What are your rights in relation to personal data?

Right to access your data

You have the right to ask us at any time what data we process about you and to access your personal data held by the Association. You also have the right to be informed about the purposes for which we process your data, the retention periods, and whether and to whom we transfer your data. The data collected through the www.evs.ee website can be accessed to a very large extent by logging in to your account and checking what data is stored about you in the ‘My Account’ section. If you would like to have a full overview of the data we have collected about you, please submit a digitally signed application to privacy@evs.ee, in writing to Akadeemia tee 21/6, Tallinn, Estonia or to our client service. We are entitled to respond to such inquiries within 30 days. In the case of large or complex inquiries, we may extend the response time, in which case we will inform you in good time of the need for an extension.

Right to rectify personal data

If you have accessed your data and discovered incorrect information or if your personal data has changed, you can always change it yourself by logging into your account at www.evs.ee and making the appropriate changes. You can also let us know if you wish to make a change by sending an email to privacy@evs.ee, by writing to Akadeemia tee 21/6, Tallinn, Estonia or by visiting our client service. We will correct your data as soon as possible.

Right to be forgotten

In certain cases, you have the right to request the deletion of your personal data. This is in particular the case for data processing based on consent and legitimate interest. This includes, for example, data relating to the consumption of services, data relating to the transmission of various communications, etc. If we use your personal data for purposes for which deletion of the data is not permitted before the expiry of the time limit, either by contract or by law, deletion cannot be requested. To opt out of receiving newsletters or subscribed information services, you can withdraw your consent at any time by logging in to your account and unsubscribing. You may also notify us of this request or request the deletion of a larger amount of personal data by sending us a signed request by email to privacy@evs.eeor in writingto the address Akadeemia tee 21/6, Tallinn, Estonia. The www.evs.ee account deletion request can also be submitted via the corresponding option in the ‘User Information’ section of the account.

Right to object

You have the right to object, at any time, to the processing of personal data concerning you by us on the basis of a legitimate interest. This right cannot be exercised in situations where we need to prepare, submit or defend a legal claim. If you object to the processing of your data, please let us know by sending an email to privacy@evs.ee.

Right to restrict data processing concerning you

In certain cases, you have the possibility to restrict the processing of personal data by explicitly informing us. This right can only be exercised in the following cases:

  • to verify the accuracy of personal data if you have contested its accuracy;
  • if the processing of your data is unlawful but you do not want it deleted;
  • we no longer need your data for processing, but you need the data to prepare, submit or defend a legal claim;
  • you have filed an objection to the processing of your data on the basis of our legitimate interest and you wish to restrict the processing of your data pending our decision.

If you would like to exercise this right, please send us a letter stating your reasons to the e-mail address  privacy@evs.ee.

Right to data portability

You have the right to receive your personal data from us in machine-readable form or to have it transmitted directly to another service provider. Please note that the Estonian Centre for Standardisation and Accreditation cannot guarantee that other service providers will be able to accept personal data in the form in which we provide it.

Contrary to the right of access, you have the right to receive personal data in machine-readable form only in the case of data which we hold in a structured, commonly used format and in machine-readable form and which is used by the Estonian Centre for Standardisation and Accreditation for the performance of a contract or by automated means on the basis of consent, to the extent that this does not infringe the privacy of third parties.

If you would like us to provide you with your personal data in machine-readable form, please submit a signed request to privacy@evs.ee or to our client service. We will send the data to you as soon as possible.

Right to turn to the Association or supervisory authority or court

If you want more information about the use of your personal data or assistance in exercising your rights, or if you suspect that the Association has handled your personal data in a negligent manner, you can always contact us at + 372 605 5050 or send an email to privacy@evs.ee.

In addition, you always have the right to contact the Data Protection Inspectorate (www.aki.ee) or file a claim with court to protect your privacy rights and data.

Changes to the Privacy Notice

We update this Privacy Notice regularly, as necessary and as circumstances change. We encourage you to visit our website regularly to keep up to date with the latest version of this Privacy Notice. We may also notify you of the most significant changes to the Privacy Notice by email or otherwise.

Contact details

For any questions, concerns or suggestions concerning the processing of personal data, please contact us at:

MTÜ Eesti Standardimis- ja Akrediteerimiskeskus

Akadeemia tee 21/6, Tallinn, Estonia

privacy@evs.ee

 

Last updated:  04.04.2024