1.2. An authorised processor is a person who processes personal data on behalf of and under contract with a controller and to the extent specified in the contract. An authorised processor is a partner of Impact Day providing services to Impact Day. Impact Day will contract and verify the reliability of such parties in accordance with data protection requirements. Impact Day may also act as an authorised processor, but in such a situation, the data processing principles of the controller will apply in the first instance.
1.3. A Data Subject is an identifiable natural person whose personal data is processed by Impact Day (hereinafter also referred to as Customer or you). This may be, for example, a person with whom Impact Day has entered into a contract or a person who has expressed a wish to enter into a contract with Impact Day. It may also be a person treated as a Data Subject on the basis set out in the Contract, whose data has been provided to Impact Day by the Customer.
1.4. Personal data are any information relating to a data subject which makes it possible to identify that data subject, directly or indirectly.
1.5. Processing of personal data is any activity that relates to personal data.
1.6. The Contract is a rental contract between Impact Day and the Customer.
2. CONTACT DATA
2.1. Impact Day can be contacted by e-mail at firstname.lastname@example.org for questions regarding the processing of personal data.
3. THE BASIS AND PURPOSES FOR PROCESSING PERSONAL DATA
3.1. Impact Day processes personal data on the following bases and for the following purposes:
3.1.1. Conclusion and performance of the contract – On these grounds, we will process the data contained in the request for conclusion of the contract and will conclude the contract. On these grounds, we will also perform our obligations under the contract.
3.1.2. Consent – Consent is given voluntarily by ticking a box when filling in the online form and signing the contract. On the basis of consent we will be able to send you offers and newsletters. Consent can be withdrawn at any time by notifying us by email at email@example.com
3.1.3.Legitimate interest – A legitimate interest is a business interest of Impact Day where we process data to improve our service and protect our interests. Where we have a legitimate interest, we may process your personal data for the following purposes:
- To ensure a trusted customer relationship and prevent fraud;
- Drafting, presenting and defending legal claims;
- To handle customer complaints;
- For the purposes of customer base management and marketing (except for sending direct marketing offers to natural persons, unless consent has been given);
- To organise campaigns and satisfaction surveys;
- For information security purposes;
- To develop and improve IT solutions;
- For organisational purposes, e.g. due to internal management and audits.
3.1.4. Fulfilling legal obligations (for example, obligations related to accounting).
4. THE COMPOSITION OF PERSONAL DATA
4.1. Impact Day collects the following personal data:
4.1.1. Personal data disclosed by the Data Subject and the person treated as such, to the controller – first name and surname, date of birth or personal identification number, address where the smart mailbox is to be installed, e-mail address, telephone number, payment method information and invoicing information.
4.1.2. Personal data generated in the course of the conclusion and performance of the contract (for example, the data set out in clause 4.1.1. if included in the contract);
4.1.3. Personal data generated in the course of regular communication (for example, the content of a request sent to us by a Data Subject);
4.1.4. Data that is manifestly disclosed by the Data Subject (for example, data disclosed by the Data Subject on Impact Day’s social media accounts);
4.1.5. Data generated by the use of the self-service portal;
4.1.7. Data received from cooperation partners, authorised processors or joint controllers.
5. DATA TRANSMISSION
5.1. Impact Day does not transfer personal data to third parties. Except in the following cases:
5.1.1. Impact Day may transfer personal data to companies that have concluded a contract with Impact Day to provide a service (for example, to a courier company or other transport company that has concluded a contract with the data subject).
5.1.2. Impact Day may transfer personal data in the case of a legal obligation. For example, court judgments and inquiries from competent authorities (courts, notaries, enforcement agents, prosecutors, police, etc.).
5.1.3. Impact Day may transfer data if they are necessary to ensure the performance of the contract.
5.1.4. As a rule, Impact Day does not transfer personal data outside the European Economic Community. Impact Day may transfer personal data outside the European Economic Community only if it is in compliance with the EU General Data Protection Regulation, which means that when transferring personal data outside the European Economic Community, we will implement additional safeguards such as contracting under model clauses approved by the European Commission or other appropriate measures. A copy of the implemented safeguards can be obtained at firstname.lastname@example.org.
6. OBTAINING AND STORING DATA
6.1. Impact Day obtains the data from the Customer (in which case Impact Day is the Data Controller) or the data is provided to Impact Day by a courier or other company that has obtained the Customer’s data from the Customer in the course of entering into a contract (in which case Impact Day is the Joint controller or Authorised processor).
6.2. Impact Day, as the Data Controller, will store the data collected during the pre-contractual negotiations until the moment when the fact of the conclusion of the contract becomes clear. If the contract is not concluded, Impact Day will delete the personal data within three months of becoming aware of the fact that the contract is not concluded.
6.3. Personal data collected in the course of the performance of the contract will be stored until the performance or termination of the contract or until the expiry of the claims related to the contract, whichever is the later. Impact Day shall store personal data for a maximum period of 3 years on the basis of a 3-year limitation period for claims, except where the circumstances do not justify the choice of a 10-year retention period and except to the extent that a longer retention period is required by the obligation to keep accounting records.
6.4. The data received by Impact Day in its capacity as an authorised processor shall be kept by Impact Day for the period of time specified by the controller.
6.5. Subject to legal requirements, Impact Day may also retain data for longer periods, but to no greater extent and for no longer than is necessary to comply with the law. For example, we keep documents necessary for accounting purposes for up to 7 years.
7. DATA SECURITY
7.1. Organisationally, access to the personal data collected by Impact Day is restricted to authorised persons who are contractually bound to Impact Day or to members of the management body, where the processing is necessary for the performance of their duties. Employees and members of the management body who do not carry out day-to-day tasks requiring the processing of personal data do not have access to personal data and are prohibited from processing the data.
7.2. Authorised processors may only process personal data transferred to them if this is necessary for the conclusion or performance of a contract.
8. RIGHTS OF THE DATA SUBJECT
8.1. The Data Subject has the right at any time to make a request about the disclosure of the data collected about him or her and to be informed of the data collected and processed about him or her, and, in the event of inaccurate data, the Data Subject has the right to request their rectification.
8.3. In cases where the data controller has processed the data solely on the basis of consent or where the controller no longer has a valid legal basis for processing the personal data, the Data Subject has the right to request the erasure of all data.
8.4. The Data Subject has the right to object to the processing of his or her personal data, for example where the processing is based on the legitimate interest of the Controller.
8.5. The Data Subject has the right to data transferability, i.e. the right to request that his or her data be transferred to another controller, if the personal data are processed in the performance of a contract with the Data Subject and the transfer of personal data is technically feasible.
8.6. The Data Subject has the right to turn to the Data Protection Inspectorate or a court at any time. Contact the Data Protection Inspectorate: https://www.aki.ee, email@example.com.
8.7. If the Data Subject has suffered damage as a result of the processing of the data, the Data Subject has the right to claim compensation.
8.8. The Data Subject has the right to lodge a complaint or a claim with Impact Day. For complaints, questions or claims regarding the processing of personal data, please contact firstname.lastname@example.org.
9.2. The Customer has the right to refuse all or part of the cookies by configuring their web browser and cookie settings accordingly.
9.3. The Impact Day website uses Google Analytics cookies to analyse customer behaviour on the website. The data collected during this process is anonymous and individual website users are not identified.
9.4. In order to maintain the functionality of the impactday.ee website, impactday.ee also uses session cookies. Temporary information collected during this process will be deleted when you close your browser.
9.5. You can disable cookies by following the instructions in the “help” function of your web browser. When disabling functional cookies, please note that not all website functions may work correctly.
9.6. You can also find more information on how cookies work or how to disable cookies at www.allaboutcookies.org.