DATA PROTECTION POLICY
Valid since 1 May 2022
The purpose of the Data Protection Policy is to notify the natural persons whose personal data are processed by Ekspress Meedia of how and for what purpose their personal data are collected and used.
AS Ekspress Meedia (Ekspress Meedia, hereinafter also: we) processes the personal data of data subjects in accordance with the principles set out in the Data Protection Policy and in the legislation applicable to the processing of personal data.
Data subject (hereinafter also: you) in terms of the Data Protection Policy is a natural person whose personal data are processed by Ekspress Meedia. Among other things, a Data Subject is, for example, a subscriber to a publication by Ekspress Meedia, a visitor of the website, a user of the sales platform, a registered user of the website, a candidate for a job, a participant of a campaign.
Personal data are data which identify or allow the identification of a natural person, such as the name and contact details of the person.
Personal data processing is any automated or non-automated operation or set of operations, including collection, storage and transfer of personal data or sets of personal data.
The purpose of the Data Protection Policy is to explain the principles of processing personal data, including the types of personal data collected by Ekspress Meedia and the purpose of collection, and the rights of the data subjects with regard to the processing of their personal data by Ekspress Meedia.
Ekspress Meedia has the right to change the Data Protection Policy if necessary (e.g. due to changes to legislation or the data processing procedure).
2. PROCESSORS OF PERSONAL DATA
The controller is a legal person who determines the purposes and means of processing the personal data.
Controller: AS Ekspress Meedia
Registry code: 10586863
Address: Narva mnt 13, 10151 Tallinn
Contacts: 669 8080, firstname.lastname@example.org
As a rule, Ekspress Meedia will not disclose personal data to third parties. However, this may be required if the obligation to disclose the data arises from legislation or is necessary for the performance of a contract. Also, when the data subject has given permission to do so.
The processor of personal data is a natural or legal person, a public authority, an institution or any other organisation that processes personal data on behalf of the controller (Ekspress Meedia). Ekspress Meedia may authorise the processors to use the personal data. Processors are cooperation partners of Ekspress Media who process data, among other things:
- to provide a service;
- to maintain a structured database of subscribers;
- for service and marketing purposes, except where the person has decided otherwise or has later withdrawn his or her consent, by notifying thereof in a form which permits written reproduction;
- to fulfil legal obligations (e.g. transmission of data to a research organisation).
Processors process personal data for the performance of the tasks given by Ekspress Meedia.
For creating an account at EkspressKonto and logging in, you can use the tools provided by third parties, such as Apple ID, Google, Facebook. In this case, the personal data concerning you will only be transmitted with your consent.
3. PERSONAL DATA PROCESSING AT EKSPRESS MEEDIA, AND THE PRINCIPLES OF PROCESSING
In processing personal data, Ekspress Meedia always complies with the following principles:
Transparency – Ekspress Meedia processes personal data in a fair and transparent manner and only when permitted by law.
Purpose limitation – Ekspress Meedia collects your personal data for specific, explicit and legitimate purposes. The purposes of processing may change due to legislation or your authorisation. In any case, we will notify you thereof in advance.
Data minimisation – Ekspress Meedia ensures that the personal data processed are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Accuracy – Ekspress Meedia ensures that your personal data are accurate and relevant. We will delete or correct inaccurate personal data at the first opportunity.
Storage limitation – in storing personal data, Ekspress Meedia observes the need for processing the personal data, i.e. the data that allow identification of a natural person are stored until it is necessary to achieve the purpose of the processing. In determining the storage period, Ekspress Meedia complies with legal requirements, the limits agreed in binding contracts or the deadlines necessary for the performance of legal obligations.
Integrity and confidentiality – Ekspress Meedia processes your personal data in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing. Ekspress Meedia maintains the confidentiality of all personal data disclosed to us and protects personal data from unlawful disclosure to third parties by implementing effective security measures, including information technology, technical and organisational measures.
Data protection by design and by default – in developing, selecting and using products and services which require the processing of personal data, Ekspress Meedia considers the need to protect the personal data.
4. PROCESSED PERSONAL DATA AND THE PURPOSES OF PROCESSING
Ekspress Meedia only processes personal data for the purposes stated herein.
Ekspress Meedia mainly processes the personal data that you provide to it (e.g. name, contact information, user name) or that are collected on the basis of your activities when you use the products, services or websites of Ekspress Meedia.
We process your personal data primarily for providing you with the service, newsletters or offers, and for creating news stories.
In doing so, we mainly process the following types of data concerning you:
- Basic personal data such as first name and family name and personal identification code, for the performance and enforcement of a contract.
If the customer has ordered a publication by subscribing to an e-invoice standing order agreement, the identification code of the customer is required, among other things.
- Additional personal data for other personal identification purposes, such as information on education, professional experience and personal characteristics when applying for a job.
- Contact information, such as the address of the place of residence, e-mail address and telephone number, are necessary for the performance of a contract. They are also used for direct marketing purposes, if the data subject has consented.
The address of the place of residence is necessary for the performance of a contract signed for ordering products on paper; otherwise it will not be possible to perform the contract, i.e. to deliver the order.
E-mail address is necessary for the performance and enforcement of a contract and for invoicing.
Telephone number is necessary for the performance and enforcement of a contract, including for the transmission of messages in case of the unavailability of the service.
- Payment details, such as your bank account number, are necessary for the provision of the service.
- Surveillance camera recordings. Entrances and the public customer service area are equipped with a video surveillance system.
Ekspress Media can see whether the e-mail messages sent to customers are opened and how actively the links in the messages are clicked. This is necessary to ensure that the customer has received the information sent. Opening the link shows the necessity, purpose and relevance of the subject matter contained in it.
When collecting material for journalistic purposes, we record the information transmitted both in our own premises and by means of communication (e-mail, telephone, etc.) and, if necessary, use these recordings as evidence.
You have the right to obtain access to the personal data held about you (see section 9 for more details). However, please bear in mind that the processing of certain personal data is a prerequisite for the provision of a service to you. For example, if you do not provide us with your basic personal data or contact details, we will not be able to provide you with the service or deliver the publications you have ordered.
5. LEGAL GROUNDS FOR PROCESSING PERSONAL DATA
Ekspress Meedia may process personal data on the following legal grounds:
Performance of a contract – we rely on this legal ground to establish a contractual relationship and to comply with the terms and conditions agreed with our customers and partners. For example, we deliver the publications that you have ordered, and help and advise the customer, issue invoices or other important information and give access to the content of the website.
Legal obligation – we rely on this legal ground to fulfil our legal obligations. For example, in order to respond to requests from law enforcement authorities or keep accounting records.
Consent – we rely on consent to process personal data in order to send you promotional materials, such as newsletters and offers, or to display targeted advertisements if you have allowed advertising cookies. Consent is also used as a legal basis for participation in consumer games and campaigns.
Public interest – we rely on processing personal data in the public interest in our core business, i.e. in the preparation of news stories.
Legitimate interest – we rely on this legal basis for the preparation and issue of sales offers, as well as for the use of surveillance cameras on our territory to ensure the protection of persons and property. Sales calls are also recorded on the basis of legitimate interest in order to improve the quality of the service or to resolve any disputes that may arise.
Ekspress Meedia may profile your personal data to provide its products by combining personal data for making direct marketing decisions. We do this primarily by taking into account your previous service use history, age, address and gender, to map the target group to which we offer specifically targeted promotions.
You have the right to object to the use of your personal data for profiling purposes.
To target advertising, visitor behaviour patterns are summarised and target groups are identified on this basis with the help of external partners (the list of processors authorised by Ekspress Meedia can be found here).
Behaviour patterns are summarised according to user activity – viewing pages, viewing galleries, answering questions, ordering, etc. Membership in any target groups of Ekspress Meedia is not recorded, nor can individuals be identified in target groups because the information is summarised.
7. PERSONAL DATA RETENTION
Ekspress Meedia only retains the personal data until this is necessary for achievement of the purpose for which the personal data are processed or until the end of the limitation period for claims arising from the law and until the legal deadline for the retention of a document.
For different data, this means different retention periods. For example:
- we retain the contact details for customers until this is necessary for the provision of personalised services under a contract;
- we retain the personal data necessary for accounting purposes for 7 years as required by law;
- we retain the personal data provided on the basis of consent until the consent is withdrawn;
- we retain the contact details of former clients for three years;
- passive EkspressKonto accounts will be deleted after 18 months;
- customer data that is not linked to any orders in the customer database will be deleted after 30 days;
- personal data requests are retained for 5 years;
- customer inquiries are retained for 2 years.
8. RIGHTS OF THE DATA SUBJECT
Ekspress Meedia places high value on the right of the data subjects to privacy. Please note that the rights of the data subject do not apply in full to the personal data published in the media because the media company processes such data for journalistic purposes by exercising the right to freedom of expression and information.
Your rights as a data subject are as follows:
- Right of access to your personal data processed by Ekspress Meedia about you.
- Right to rectification or supplementation of personal data if your personal data are not up-to-date, are inaccurate or need to be corrected.
- Right to erasure. In certain cases and if you want, you can use the right to be forgotten. We will delete your data unless there is another legal ground for processing the personal data, such as a legal obligation.
- Right to restriction of processing. If you wish to restrict or prohibit the processing of your personal data, Ekspress Meedia will only continue to process your personal data for the purposes of retention, if required by other legal grounds.
- Right to object to the processing of your personal data if Ekspress Meedia uses your personal data for profiling or direct marketing, for example.
- Right to data portability if you wish to have the personal data you have transmitted to Ekspress Meedia to be transmitted to another controller in a machine-readable format. Express Meedia can do so if the transmission is technically possible.
- Right to withdraw consent. If your personal data are processed based on your consent, you have the right to withdraw the consent at any time. For this purpose, all promotional notifications sent to your e-mail address contain instructions for opting out. You can also withdraw your consent given to promotional notifications by sending an e-mail to Ekspress Meedia to email@example.com.
- Right to contact a supervisory authority. You have the right to lodge a complaint about the processing of the personal data concerning you with the Estonian Data Protection Inspectorate.
9. IMPLEMENTING PROVISION
Ekspress Meedia regularly reviews the data protection policy and applies the policy in accordance with any changes in the processing of personal data.
In any questions concerning the data protection policy or the processing of personal data, feel free to contact us at firstname.lastname@example.org.