Conditions of our services

Privacy policy
  1. Valid since 29.05.2023

    1. INTRODUCTION

    This Data Protection Policy explain the purposes and legal bases for which Delfi Meedia AS (hereinafter also Delfi Meedia or we) as the controller of personal data collects and otherwise processes the personal data of data subjects and the rights of data subjects are. In addition, we provide other mandatory information to ensure transparency. For the purposes of this Data Protection Policy, the Data Subject (hereinafter also you) is a subscriber to Delfi Meedia’s publication, a visitor or registered user of its websites (www.delfi.ee and its subdomains), a user of its sales environment (https://lehed.delfi.ee/), a participant of its campaign and any other natural person whose personal data we process.

    2. DATA CONTROLLER

    Delfi Meedia AS

    Registry code: 10586863

    Address: Narva mnt 13, 10151 Tallinn

    Contact details: 669 8080, info@delfi.ee

    Data protection officer: isikuandmed@delfi.ee

    3. PRINCIPLES OF PROCESSING PERSONAL DATA

    Delfi Meedia adheres to the following principles in the processing of personal data.

    3.1. Transparency– Delfi Meedia processes personal data in a lawful, fair and transparent manner.

    3.2. Purpose limitation– Delfi Meedia collects your personal data for precise and clearly defined and legitimate purposes. Changes in the purposes of processing may result from legislation or your consent. In any case, we will let you know beforehand.

    3.3. Data minimisation– Delfi Meedia ensures that the personal data which are being processed are adequate, relevant and limited to what is necessary for the purpose of their processing.

    3.4. Accuracy– Delfi Meedia ensures that your personal data are accurate and up-to-date. Personal data that are inaccurate from the point of view of processing will be deleted or corrected without delay.

    3.5. Storage limitation– upon retaining personal data, Delfi Meedia follows the need to process them, i.e. data that enable the identification of a natural person are retained for as long as it is necessary to achieve the purpose of processing. Upon determining the retention period, Delfi Meedia complies with the requirements of legislation and what has been agreed in binding contracts or determines the retention period on the basis of its legitimate interest.

    3.6. Integrityand confidentiality – Delfi Meedia processes your personal data in a manner that ensures their proper security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. Delfi Meedia keeps all personal data being processed confidential and protects personal data from unlawful access by third parties by implementing effective security measures, including technical and organisational measures.

    3.7. Data protection by design and by default– in developing, selecting and using products and services requiring the processing of personal data, Delfi Meedia takes into account the need to protect them. Delfi Meedia also implements appropriate technical and organisational measures to ensure that only personal data that are necessary to achieve the specific purpose of the processing are processed by default.

     4. PROCESSED PERSONAL DATA AND SOURCES OF THEIR COLLECTION

    Delfi Meedia mainly processes personal data that you provide to Delfi Meedia yourself or that are collected based on your actions when you use Delfi Meedia’s products, services or websites. Delfi Meedia processes the following types of personal data.

    4.1. Primary personal data, i.e. your full name and personal identification code.

    We receive this data from you when you use our services or products, for example, when you create a user account, order a digital or paper publication or participate in consumer games. We receive the personal identification code from you or the bank if you order the publication with an e-invoice standing order agreement, as such a service requires the processing of the personal identification code. Delfi Meedia needs personal identification codes for identification.

    4.2. Required user account data, i.e. your email address, screen name, and password.

    We receive this information from you when you register as a Delfi user.

    If you choose to authenticate a user with a third-party service provider, e.g. Facebook, Google or Apple, or if you choose to connect your user account with a social media account, we will receive certain personal data from these service providers. Depending on the configuration of the third-party service, this personal data may include your name, email address, language preferences and profile picture.

    4.3. Optional user account data, e. your profile picture, first and last name, contact phone number, date of birth, gender, place of residence, language of communication.

    We receive these data from you when you provide them to us.

    4.4. Contract data, i.e. the contract number, the data of the parties and the content of the contract.

    These data are generated automatically when you enter into a contract with us.

    4.5. Contact information, i.e. your phone number and email address.

    We receive these data from you when you use our services or products, for example, when you create a user account, order a digital or paper publication or participate in consumer games. In addition, we receive your phone number and/or email address when you participate in consumer games.

    In the event that Delfi reading rights are being shared with you, we will receive your email address from the person who shared the read access with you. When you share your reading rights, you will receive an automatic email from us with instructions on how to use your reading rights.

    4.6. Postal data, i.e. your postal address.

    We receive these data from you when you order a paper publication.

    4.7. Payment information, which is your bank account number and other payment details. In the case of a mobile payment, also your phone number.

    We receive this information from you when you order our products or services.

    4.8. Surveillance camera data, i.e. a surveillance camera recording (without audio recording).

    We receive these data from you when you visit our office, as its entrances and the public area of customer service are equipped with a video surveillance system.

    4.9. Mobile app and website visit data, i.e. data generated as a result of visiting and using websites and mobile apps (depending on cookies or similar technologies, this may include cookie identifiers, IP addresses, device identifiers, etc.). Read more about this in our Cookie Policy.

    We receive these data from you when you visit our websites or use our mobile apps.

    4.10. Service consumption data, i.e. statistical data about the use of our products and services (in particular the consumption of online publications).

    We obtain these data from you when you consume our products.

    In addition to the above, Delfi Meedia also processes other personal data, which are further described in Section 5.

    5. PURPOSES AND LEGITIMATE BASIS FOR THE PROCESSING OF PERSONAL DATA

    We process your personal data for the following purposes and legal bases:

    5.1. Consent

    For the purposes described below, we need your consent for data processing. You have the right to withdraw your consent at any time. For this purpose, all commercial communications sent to you by email contain instructions on how to withdraw consent. You can also withdraw your consent for commercial communications by contacting Delfi Meedia’s customer service at 680 4444 or by sending an email to klienditugi@delfi.ee. You can withdraw your consent to the use of cookies from the cookie consent administrator at the bottom of the website.

    Withdrawal of consent does not affect the lawfulness of the processing of personal data carried out on the basis of consent prior to the withdrawal.

    The purpose of processing personal data Data categories
    Direct marketing of Delfi Meedia’s products and services. To this end, we send you commercial communications containing news or offers about our products or services. Contact information (your email address, phone number, postal information).
    Processing of personal data for analytical purposes in order to develop and improve Delfi Meedia’s websites and make services more accessible. For this purpose, we use analytical cookies and other web technologies on our websites. Mobile app and website visit data.
    Displaying personalised advertising on Delfi Meedia’s websites for marketing and sales purposes. For this purpose, we use marketing cookies and other web technologies on our websites. Mobile app and website visit data.
    Organising consumer games and campaigns for new, former and existing newspaper subscribers and website visitors. In the case of subscribers, the aim is to retain existing ones, acquire new ones and/or attract back former subscribers and update the contact details. Website visitors are provided with surveys, forecasts and voting on issues that are prominent in the media. Primary personal data (your name), contact details, postal address.

    5.2. Contract performance

    On this legal basis, we process your personal data if it is necessary for the performance of a contract concluded with you or for taking pre-contractual measures at your request. In other words, we are not able to enter into a contract with you or perform the contractual obligations we have entered into with you if we do not process your personal data. However, we only process personal data for this purpose without which it would be impossible to enter into or perform the contract.

    The purpose of processing personal data Data categories
    Establishment of a contractual relationship and performance of contractual obligations, i.e. provision of a service. For example, we deliver the publications you have ordered, assist and advise you if you have any questions about your orders, send invoices and process payments, and provide access to content on websites. Primary personal data, contact data, mandatory user account data, postal data, payment data, contract data.

    If you order a publication with an e-invoice standing order agreement, your personal identification code will be required to verify your identity when using this service.

    Postal data are necessary for the performance of the contract upon ordering paper products, otherwise it will not be possible to perform the contract, i.e. deliver the ordered publication.

    Your phone number is necessary for contract performance and ensuring performance of the contract, including the transmission of notifications in the event of service availability disruptions. We also process your phone number to send the ordered goods to a parcel terminal.

    5.3. Compliance with legal obligation

    On this legal basis, Delfi Meedia processes your personal data if the obligation to process the data arises from some legislation, i.e. the processing of the data is necessary to fulfil some of the legal obligations imposed on us.

    The purpose of processing personal data Data categories
    Accounting (including the preservation of accounting records). Primary personal data, contact data, payment data, contract data.
    Mandatory notification of public authorities and institutions and responding to their requests for information. All categories of data described in Section 4, depending on the content of the inquiry or notification.

    5.4. Legitimate interest

    For the purposes described below, we rely on legitimate interest as a legal basis for the processing of personal data. You have the right to ask for explanations about the processing of personal data based on a legitimate interest by sending a request to the email address specified in Section 2. You also have the right to object if you consider that the processing of your data for the purposes set out below violates your rights.

    The purpose of processing personal data Data categories
    Preparing and making sales offers to current or former customers who have ordered a similar product. Primary personal data, contact data, postal data, order data.
    Telephone sales of Delfi Meedia products and services. Primary personal data (name), contact data (phone number), order data.
    Recording of sales calls with the aim of improving the quality of service and resolving potential disputes. Primary personal details (name), contact details (phone number), call record.
    Recording customer service calls and correspondence with the aim of ensuring quality customer service and solving emerging problems. Primary personal data, contact information, content of communication.
    Use of security cameras at the entrances to the Delfi Meedia office and in the public area of customer service for the protection of persons and property. Surveillance camera data.
    Provision of personalized services related to the user account. For example, if we know where our readers live, then we can recommend news in this area. Optional user account data, mobile app and web visit data, service consumption data.
    Improvement of services. We see the opening of emails sent to you and the activity of clicking on the links in the content. In the case of notification letters, this is necessary to ensure that the customer has received the information sent. In the case of marketing emails, opening the link shows the necessity, purposefulness and timeliness of the topic included in the letter. Contact details (email address):
    Profiling of data subjects by combining personal data to make direct marketing decisions and offer products that match the profile. We do this primarily by taking into account your past history of service consumption, age, address and gender, in order to map the target audience to whom to offer publications targeted specifically to that target group. Service consumption data, optional user account data.
    Providing basic services through the website. For this purpose, we process your personal data that we have collected through technical cookies (necessary for the provision of the service) and other web technologies. If we do not use such cookies and other web technologies, we will not be able to correctly display website pages to you and provide you with services through them.

    These are cookies and other web technologies for which we are not required to obtain consent by law, but as we process a limited amount of your personal data, we rely on a legitimate interest in such data processing.

    Website visit data.
    Ensuring the accuracy of the customer base. We store the personal identification code received by transfer from the bank with your data in order to ensure the correct provision of the service (e.g. to avoid confusion of orders in case of namesakes). Primary personal data (personal identification code)
    Conducting surveys and asking for feedback on our products and services in order to improve the quality of our products, services and customer service and to determine customer expectations. Contact information (email address), feedback given.
    When collecting material for journalistic purposes, we may save and store the information and materials related to the completion of the article both on our own premises and by means of communication (email, telephone, etc.) and, if necessary, use these recordings as evidence in the event of claims against us. Personal data related to the content created by the journalist.

    5.5 Processing of personal data for journalistic purposes

    According to § 4 of the Personal Data Protection Act, personal data may be processed for journalistic purposes without the consent of the data subject, in particular disclosed in the media, if there is public interest therefor and this is in accordance with the principles of journalism ethics. At the same time, it is our duty to ensure that the disclosure of personal data does cause excessive damage to your rights.

    The purpose of processing personal data Data categories
    Compilation and publication of news stories. Personal data related to the content created by the journalist.

    6. PROFILING

    Delfi Meedia profiles your personal data in order to offer its products by combining personal data to make direct marketing decisions. We do this primarily by taking into account your history of service consumption, age, address and gender, in order to map the target audience to whom to offer publications targeted specifically to that target group.

    Ads are targeted by grouping visitor behaviour and creating audiences based on such behaviour with the help of external partners.

    Behavioural habits are grouped based on user activity – viewing web pages, viewing galleries, answering questions, subscriptions, etc. The membership in Delfi Meedia’s target groups is not saved, and the target groups of an individual are not identified, because the information is grouped.

    You have the right to object to the use of your personal data for profiling purposes. To do this, please send a corresponding request using the contact details provided in Section 10 (rights of the data subject).

    7. RETENTION PERIODS FOR PERSONAL DATA

    Delfi Meedia stores data only for as long as it is necessary to achieve the purpose of the processing. For different data, this means different retention periods. For example:

    • we retain personal data necessary for accounting purposes for seven years in accordance with the law;
    • we retain personal data provided on the basis of consent until the withdrawal of consent;
    • we retail contact details of former customers for three years;
    • inactive accounts are deleted after 12 months.
    • customer data that are not linked to any order in the customer database are deleted after 30 days;
    • requests relating to personal data are kept for three years;
    • customer requests are retained for two years;
    • surveillance camera footage is retained for two weeks.

    You can learn about more detailed retention periods if you contact us using the contact details provided in Section 10 (rights of the data subject).

    8. RECIPIENTS AND TRANSFER OF DATA TO THIRD COUNTRIES

    Delfi Meedia does not generally disclose personal data to third parties. In some cases, however, it is unavoidable. We have classified data recipients into three categories:

    • Independent controllers (e.g. banks and payment service providers, auditors, lawyers, public authorities);
    • Joint controllers (for example, social media platform operators);
    • Authorised processors. The authorised processor of personal data is a person who processes personal data on behalf of the controller (Delfi Meedia). Delfi Meedia engages the processor, inter alia, for the following purposes:
      • for the purpose of providing a service (for example, hosting a server);
      • maintenance of an organised database of subscribers;
      • for service and marketing purposes.

    A full list of data recipients can be found here.

    Delfi Meedia does not transfer your personal data outside the European Union or the European Economic Area, as well as to a third country or international organisation whose level of data protection has not been assessed as adequate by the European Commission. However, if necessary, such a transfer of personal data will only take place if there is an appropriate legal basis and we will take appropriate safeguards. In this case, the transfer of data to third countries is generally carried out on the basis of standard contractual clauses adopted by the European Commission.

    You have the right to receive additional information about the transfer of your data by means of a data access request, if you contact us using the contact details provided in Section 10 (rights of the data subject).

    9. JOINT CONTROLLERS

    According to the General Data Protection Regulation, two or more controllers are joint controllers if they jointly determine the purposes and means of the processing of personal data.

    The joint controller of Delfi Meedia with regard to the mandatory and optional data of the user account and the subscriber’s personal data (main personal data) is AS Õhtuleht Kirjastus. In connection with the processing of these data, you can contact both Delfi Meedia and Õhtuleht Kirjastus, whose data protection policy can be found here.

    The joint controller of Delfi Meedia is Meta Platforms Ireland Ltd (the operator of the social media platform Facebook) for certain Facebook products, such as Facebook Login and various Facebook interfaces. Delfi Meedia has entered into an agreement with Meta Platforms Ireland Ltd in accordance with Article 26 of the General Data Protection Regulation (GDPR) in order to determine the fulfilment of the respective obligations regarding joint controlling under the GDPR.

    Therefore, we inform you that further information on how Meta Platforms Ireland Ltd processes personal data (information required by Article 13 (1) (a) and (b) of GDPR), including information on the legal basis on which Meta Platforms Ireland Ltd relies and on how to exercise the rights of the data subject in relation to Meta Platforms Ireland Ltd can be found in the Privacy Policy.

    The joint controller of Delfi Meedia is Google Ireland Ltd with regard to certain Google services, such as Google Analytics. A respective data processing agreement has been concluded between Delfi Meedia and Google Ireland Ltd. Further information on how Google Ireland Ltd processes personal data and how to exercise the rights of data subjects vis-à-vis Google can be found in the Privacy Policy.

    If you use an Apple account to sign in to our services, Apple Distribution International Ltd. is the joint controller. Apple’s privacy policy can be found here.

    10. RIGHTS OF THE DATA SUBJECT

    Delfi Meedia attaches great importance to the right to privacy of data subjects. Please note that the rights of the data subject do not apply in full to personal data published in the media, as the media company processes this data for journalistic purposes, exercising the right to freedom of expression and information.

    Your rights as a data subject are as follows:

    • Right of access. You have the right to know whether your personal data are being processed, what the purpose of the processing is and the categories of personal data concerned. To whom the data are disclosed (in particular recipients in third countries), how long the data are stored, and what your rights are regarding rectification, erasure and restriction of processing.
    • Rectification or supplementing data. You have the right to request the correction of your personal data if they are incorrect or incomplete.
    • Deleting data. In certain cases and if you wish, you can exercise the right to be forgotten, i.e. ask us to delete your personal data. We will delete your data unless there is another legal basis for processing your personal data, such as a legal obligation.
    • Restriction of data processing. In certain cases, you have the right to restrict the processing of your personal data for a certain period of time (e.g. if you have objected to the processing of your personal data).
    • Objection to the processing ofyour personal data if Delfi Meedia uses your personal data for purposes such as profiling or direct marketing. When an objection is submitted, Delfi Meedia must stop processing your personal data, unless Delfi Meedia can prove that your personal data are being processed for a compelling legitimate reason that overrides your interests, rights and freedoms or if the processing is necessary for the establishment, exercise or defence of legal claims.
    • Transfer of personal data.If the processing of your personal data is based on your consent or on a contract entered into with us and the data are processed by automated means, you have the right to receive your personal data that you have provided to us in a structured, commonly used and machine-readable format. You also have the right to request that we transfer the data directly to another service provider, if this is technically feasible.
    • Revoking the consent. If personal data are processed on the basis of your consent, you have the right to withdraw this consent at any time. For this purpose, all commercial communications sent to you by email contain instructions on how to withdraw consent. You can also withdraw your consent for commercial communications by sending an email to the address of Delfi Meedia klienditugi@delfi.ee or by calling customer service at 680 4444.
    • Right to turn to Delfi Meedia, a supervisory authority or a court. If you wish to exercise any of the aforementioned rights, please send us a notice to the email address isikuandmed@delfi.ee. If you find that your rights have been violated, you have the right to turn to the Data Protection Inspectorate and/or a court. The contact details of the Data Protection Inspectorate are available at aki.ee.

    11. PROVISION ON APPLICATION

    Delfi Meedia regularly reviews this Data Protection Policy and applies it in accordance with changes in the processing of personal data.