Controller of personal data
The controller of personal data is the Estonian Centre for Standardisation (Akadeeemia tee 21/6 Tallinn, registry code 80120020), hereinafter “Centre for Standardisation”.
What is personal data?
Personal data (hereinafter also “data”) is any data specifically or indirectly associated with you as an identified or identifiable physical person.
How do we receive your data?
We mostly receive information about you from you when you use our services and visit our website.
We also receive information about you from other service providers. In particular, such data are the data transmitted to us by providers of services you use, for example when using electronic means of payment or Mobil-ID or ID-card for logging in.
We can, if necessary, receive information about you from public registers and databases (for example E-Krediidiinfo).
Which data do we collect and process, and on what grounds?
The Centre for Standardisation collects personal data for specified, explicit and legitimate purposes, and does not further process it in a manner that is incompatible with those purposes. According to legislation, we collect and process personal data for the performance of a contract or ensuring the performance of the contract, based on consent or legitimate interest, or for the performance of a legal obligation arising from the law.
For the performance of a contract or ensuring the performance of the contract, we process personal data for the following purposes:
In relation to the sale of standards and related standards browsing services, we will process your data (e.g. name, personal identification code, document number), contact information (e.g. addresses, contact phones, e-mail address), information about your workplace, service-related data (purchased standards and services, newsletter subscriptions etc.) and billing details (e.g. account number, billing addresses).
For the provision of, registration to and participation in training, we will process your data (e.g. name), contact information (e.g. billing address, contact phone, e-mail address), information about your workplace and billing details (e.g. account number, billing addresses).
For the identification required for the provision of services, we will process your data (e.g. username, password, name, personal identification code, phone number and IP address for IP-based viewing services).
We can also process your data to respond to your queries related to our services.
Based on the data subject’s consent, we process the data for the following purposes:
For direct marketing and newsletters, we will process your data (e.g. name) and contact information (e.g. e-mail address).
Due to our legitimate interest, we process the data for the following purposes:
If you provide us with comments on the draft standards through the Public Commenting Portal, we will process your data (e.g. name, username) and contact information (e.g. e-mail address) for identifying the author of the comments.
For the development of our products and services, we may process your data (e.g. name, personal identification code), contact information (e.g. addresses, contact phones, e-mail address) and the information about the used service (purchased standards, payment methods etc., also selected services and newsletters etc.) and other information related to the use of services (website traffic, including data on the equipment and operating systems used for visiting the website).
In relation to customer relationships and complaints and resolution of disputes, we may, depending on the situation, process all of your data.
To ensure the functioning of our services, and to analyse or eliminate the malfunctions or failures occurred or to resolve the security incidents occurred, we may, depending on the situation, process all of your data.
Due to a legal obligation arising from the law, we process the data for the following purposes:
In relation to the obligation to keep separate accounts, we will process your data (e.g. name), contact information (e.g. addresses, contact phones, e-mail address), service-related data (e.g. purchased standards and services), billing details (e.g. account number, billing addresses).
We can also process your data in other cases provided for by law.
To whom do we provide your data?
If you pay for standards through electronic means of payment (bank link, credit card, Paypal), we will forward the details relating to your purchase to the respective payment service provider according to the payment method. Please note that in all of these cases, the payment transactions take place in the payment institution’s environment, and the Centre for Standardisation does not see or process the relevant usernames, credit card numbers, passwords etc.
If you order standards in paper format and wish to receive them, we will forward your information related to delivery to the relevant postal or courier service provider.
If you have provided us with comments on the draft standards through the Public Commenting Portal, we will forward your comments along with your data to other parties, in compliance with the applicable standardisation rules. It may also include the forwarding of your data to the European and international standardisation organisations located outside of Estonia.
To analyse and resolve errors in our IT systems for the services we provide you with, we may transfer your data to our partners who offer application or development support to our systems (IT maintenance and development partners, accounting software administrator etc.).
We also transfer the information about website traffic of the EVS website (evs.ee) to search engines and service providers of web analytics (e.g. Google Analytics)
In addition to the above, we may transfer your data to the following parties:
We will keep your data for as long as it is necessary to achieve the purpose of the processing.
The time limits for the retention of data or criteria for setting deadlines are set out in the table below:
Until the withdrawal of consent
|Data entered into and stored by you on your user account on the EVS website (evs.ee) (including system access records)||Until the deletion of the account from the system|
|Information about purchased standards, licences and rights of use||Up to seven years after the termination of the licence agreement or the right of use.|
|Accounting information||According to the Accounting Act (usually seven years)|
|Information about comments on standards through the Public Commenting Portal||Data is stored in the system until the commentary is dealt with according to the standardisation procedures, then according to the rules for participation in the standardisation. We may keep your name with the comments forever.|
|Information about correspondence with you||Up to seven years|
|Data to be processed based on consent|
We may process your data for somewhat longer than the above mentioned times – in particular, the time it takes to complete the deletion or anonymisation of the data.
If the Centre for Standardisation wishes to keep your data for longer than is necessary for the collection, the Centre for Standardisation will anonymise personal data in such a way that the data subject is no longer identifiable.
We use organisational, physical and IT security measures to ensure the integrity, availability and confidentiality of data. These measures include instruction of employees and the protection of, information, IT infrastructure, company’s internal and public networks, office buildings and technical devices.
Requirements related to confidentiality and the protection of data apply to our employees for whom training courses on personal data protection are organised, and they are responsible for complying with the requirements.
Our cooperation partners are obliged to ensure the compliance of their employees with the same rules as ourselves, and the employees are responsible for complying with the requirements of personal data usage.
The right of access to your data
You have the right, at any time, to ask us for the information we process about you, and access your data that is used by the Centre for Standardisation. You also have the right to be informed about the purpose of data processing and the retention periods, and if and to whom we will forward your data. You can access the data collected through the EVS website (evs.ee), by logging in to your account and viewing the data stored about you from the “My Account” section. If you would like to receive a complete overview of the data collected about you, then submit a signed statement to firstname.lastname@example.org or at our customer service. We have the right to respond to such queries within 30 days.
The right to correct personal data
If you have discovered inaccurate personal data when accessing your data, or if your personal data has changed, you can always correct them in the EVS system (evs.ee), by logging in to your account and making the corresponding changes therein. You can send us your request for correction to email@example.com or submit it to our customer service on the spot. We will correct your data at the first opportunity.
The right to be forgotten
In some cases, you are entitled to request the deletion of your data. This applies especially to the processing of data on the grounds of consent and legitimate interest. It includes, for example, data that is related to the consumption of services, communication of various notices etc. If we use your data for purposes for which the deletion of data is not allowed due to contractual or legal reasons, then requesting the deletion of such data is not possible. You can cancel the notifications or the subscribed information services at any time by logging into your account and cancelling the relevant options. You can also notify us of such wish or request the deletion of personal data to a greater extent by submitting a signed statement to firstname.lastname@example.org.
The right to submit objections
You have the right to object, at any time, to any action regarding the processing of your data that is conducted on the grounds of legitimate interest, i.e. without your express consent. This right cannot be used in a situation where we are required to compile, submit or defend a legal claim. If you have any objections to the data processing, please contact us at email@example.com.
The right to restrict the processing of your data
In some cases, you have the option of restricting the processing of personal data by explicitly informing us. This right can only be exercised in the following cases:
If you wish to use such right, send us a notice with the reasons to firstname.lastname@example.org.
The right to transfer data
You have the right to receive your data or have it transferred directly to another service provider, in a machine-readable format. Please note that the Centre for Standardisation cannot guarantee that the other service providers have the capacity to receive the data in such format.
Unlike the right to access your data, you are entitled to receive personal data in machine-readable format only for the data that we have in a structured, commonly used and machine-readable format. Such right only applies to the data that the Centre for Standardisation uses for the performance of the contract, or on the basis of consent, and only by automated means to the extent that does not restrict the privacy rights of third parties.
If you would like to receive your data from us in machine-readable format, then submit a signed statement to email@example.com or at our customer service. We will send your data at the first opportunity.
The right to turn to the Centre for Standardisation or a supervisory authority and a court
If you would like to receive additional information about the use of your personal data or assistance with exercising your rights or if you are concerned that the Centre for Standardisation has handled your data with negligence, you can always contact our customer service at + 372 6 055 050 or at firstname.lastname@example.org.
You are always entitled to contact the Estonian Data Protection Inspectorate at www.aki.ee or the court to protect your privacy rights and personal data.
The Centre for Standardisation has the right to update, clarify and supplement these principles for the processing of customer data at any time, in the light of amendments in legislation and standardisation rules or changes in our services.