Terms and conditions of privacy and data processing

This document sets out the terms of processing personal data (within the meaning of Article 4 of the European Parliament and Council Regulation (EU) 2016/679, i.e. the General Data Protection Regulation) (Data Protection Terms) and an overview of the principles of personal data processing (Processing Overview) by a company belonging to the ALMIC group (ALMIC OÜ, registry code 10890199; ALMIC Service OÜ, registry code 16967916; ALMIC Holding OÜ, registry code 16936554) (hereinafter ALMIC).

ALMIC encounters personal data in several different ways and in different roles (as a controller and as a processor).

2.1.

As a controller, ALMIC obtains in its possession primarily those personal data that ALMIC's CLIENTS themselves transmit to ALMIC, primarily when establishing a CLIENT relationship (concluding a contract and registering a user account and registering a domain) and later when changing data. ALMIC also receives information based on the use of services (including when placing orders, billing for services and goods, communicating with ALMIC through various channels, using cookies and in other ways). This collects data about which services the user uses and how, and what the user's recent preferences, suggestions, problems have been. Information collected while the user is logged into the user account is associated with the user account. When collecting and processing personal data, ALMIC is limited to the minimum necessary to fulfill the purposes of personal data processing.

2.1.1.

Furthermore, as a controller, ALMIC encounters the personal data of its own employees and in certain cases representatives of other persons (e.g. cooperation partners) who are natural persons, as well as the data of those natural persons who approach ALMIC about becoming a CLIENT but for some reason do not become a CLIENT. In such case, these terms apply mutatis mutandis on the principle only to the extent that is relevant (for example, ALMIC applies the same security requirements, retention requirements and deadlines to this data, and ALMIC does not use this data for any other purpose than only to fulfill (employment) contractual relationships and according to the respective person's own wish and consent to communicate with the person (e.g. to reply to a letter). Additionally, ALMIC has the right to use this data to protect its own rights (e.g. in a court dispute with the respective person) or to fulfill an obligation arising from law.

2.2.

As a processor, ALMIC encounters primarily those personal data for which ALMIC's CLIENTS are controllers. Such data may be various personal data, the exact content of which is not (and cannot be) known to ALMIC (e.g. CLIENT files, databases, emails, etc. stored in ALMIC's infrastructure). The controller of such personal data is the CLIENT. Since ALMIC has no control over what data CLIENTS upload, collect or otherwise process in ALMIC's infrastructure, ALMIC is not responsible for such processing, but the respective CLIENT is. As a processor, ALMIC processes such personal data solely and strictly in accordance with the service agreement between ALMIC and the CLIENT and for the fulfillment of this agreement (ALMIC treats the service agreement between ALMIC and the CLIENT as a written agreement between the CLIENT as controller and ALMIC as processor within the meaning of Article 28 of the European Parliament and Council Regulation (EU) 2016/679, i.e. the General Data Protection Regulation). As a rule, the processing of such data by ALMIC is limited to storing this data and/or hosting the application through which the CLIENT itself processes data. In exceptional cases, data processing may consist of other operations, but in any case, the basis for performing these operations is an agreement between the controller and ALMIC.

The basis and purpose of ALMIC's processing of personal data arises primarily from concluding, fulfilling and providing services under agreements, consisting of the following:

3.1.

As a controller, ALMIC collects and processes personal data for concluding and fulfilling service agreements (including for providing the service).

3.1.1.

Such personal data are primarily name, personal identification code/date of birth, address and email, which are necessary for creating a CLIENT relationship (concluding a contract) and managing it (e.g. for establishing identity and right of representation when making transactions, sending invoices, contacting about service-related questions, notifying about changes, improvements, interruptions, etc.).

3.1.2.

Additionally, in the course of fulfilling the agreement, ALMIC acquires data about the CLIENT (e.g. communication language choice, CLIENT preferences in using the service, bank account data, CLIENT device data, purchase history of services and goods, advance payment data, debt data), the occurrence of which is caused by the CLIENT's own behavior (use of the service). ALMIC uses such data to provide, manage and make the use of the service as secure as possible for the CLIENT (e.g. enable detection of spam and malware) and convenient (e.g. does not repeatedly ask for language preference; if there is an obligation to refund, refunds the money sum to the same account from which the CLIENT paid; by using cookies, remembers the CLIENT's preferences by offering the user customized content, presenting more relevant search results to the user, etc.), or to improve the service substantially and qualitatively. The CLIENT has the right to change this data (including preferences) at any time, after which ALMIC proceeds from the changed data.

3.1.3.

Additionally, ALMIC occasionally collects data by offering CLIENTS the opportunity to voluntarily transmit data to ALMIC (e.g. in a feedback form), or CLIENTS submit data on their own initiative (e.g. a written question, complaint, etc.). The use of such data depends on the nature of this data, but failure to submit this data (e.g. not giving feedback) does not affect the provision of the service but is clearly voluntary, and in such case the basis for data processing is the person's consent, which may be expressed, for example, in the form of a CLIENT's question, request, suggestion, etc.

3.1.4.

ALMIC does not use personal data for non-contractual purposes, e.g. for sending advertising or other marketing activities, unless the respective persons have given clear consent to this with the possibility to withdraw this consent at any time.

3.1.5.

For clarification - ALMIC uses cookies and other technologies for data collection for the purposes and on the bases mentioned above. A cookie is a small piece of text that a visited website sends to the user's internet browser and which helps the website remember information about the user's visit. This can make the next visit easier and make the portal visited more useful. ALMIC uses several different types of cookies to operate its managed portals and products and services. This includes ALMIC's use of both temporary or session cookies and persistent cookies that are saved to the user's computer and do not disappear even after closing the web browser. To provide the best service, ALMIC uses both first-party or author's own cookies and third-party cookies (Google Analytics), which come, for example, from advertisements on other web pages located on the web page visited by the user. Cookies play an important role, as without them using the web would be significantly more inconvenient. The aforementioned cookies are also stored in the user's internet browser. The user can become familiar with the specific cookies used by ALMIC through their internet browser. The user can also set their internet browser to block the cookies used by ALMIC, including third-party cookies, or to show when a cookie is set. However, it should be kept in mind that when blocking cookies, services associated with the user account may not function correctly.

3.2.

As a processor, ALMIC processes personal data strictly on the basis of a service agreement concluded with the controller (CLIENT) (e.g. server service agreement) and for the provision of the service (e.g. for hosting data, hosting an application, etc.) for the fulfillment of this agreement. Under no circumstances does ALMIC as a processor process personal data under the CLIENT's responsibility on its own initiative in its own interests for non-contractual purposes (e.g. for sending advertising, etc.).

ALMIC provides access to user personal data only to its employees who have received appropriate training. The persons in question have the right to process personal data only to the extent necessary to achieve the purposes of personal data processing.

ALMIC does not share users' personal data with third-party companies, organizations and persons, except if ALMIC has the user's consent, it is a system administrator, manager or host and information sharing is unavoidable for fulfilling the agreement. ALMIC may involve authorized processors in personal data processing who provide sufficient guarantee that they will apply appropriate technical and organizational measures in such a way that CLIENT data processing complies with the requirements presented in relevant laws and the protection of the data subject's rights is guaranteed. If personal data are transmitted to a third country (i.e. not a European Union member state), ALMIC ensures sufficient protective measures for the protection of personal data. ALMIC may transmit or process personal data outside the borders of the European Union/European Economic Area if there is an agreement containing standard terms compliant with the General Data Protection Regulation, approved codes of conduct, certifications, etc., the country where the recipient is located has an adequate level of data protection according to the decision of the European Commission, the recipient is certified under the Privacy Shield data protection framework.

In individual cases, the purpose and basis of personal data processing may arise from law (e.g. retention of personal data under law for a certain period or transmission of data to an investigative body, tracking body, prosecutor's office, court, security body, Data Protection Inspectorate, Financial Supervision Authority, Consumer Protection and Technical Supervision Authority, Environmental Inspectorate, Police and Border Guard Board, Security Police Board and Tax and Customs Board at the compulsion of law). In such case, ALMIC is obliged to comply with the law.

ALMIC does everything to ensure that the collected personal data are correct, sufficient and relevant. CLIENTS have the right to change, clarify and correct their personal data at any time.

The CLIENT has the right to become familiar with personal data concerning them published, collected and processed when using the user account and services, as well as, where appropriate, if the information is incorrect, inaccurate or incomplete, ALMIC offers the user the opportunity to quickly change or update it, if necessary also delete it, unless ALMIC is obliged to retain this information for legal, business or legal purposes. The CLIENT also has the right to demand restriction of personal data processing.

The CLIENT has the opportunity at any time to demand transmission in machine-readable form or transmission to another service-providing company designated by the user of personal data related to them. In such case, ALMIC transmits the data within 60 (sixty) days, taking into account ALMIC's technical capabilities. ALMIC has the possibility to extend the aforementioned deadline for a compelling reason and (partially) refuse data delivery if there is a legal basis for this. Notwithstanding the above, ALMIC cannot guarantee or be responsible for whether another service provider to whom the CLIENT approaches with the received data and to whom delivery is requested is capable of receiving this personal data (in such form).

10.

ALMIC's goal is to maintain services in such a way that they protect existing information from accidental or malicious damage. Therefore, after the user has deleted information, ALMIC may not immediately delete all copies from active servers or remove information from backup systems. This is done if necessary after 60 days, except for those data for which the retention obligation arises from applicable legal norms and acts.

11.

ALMIC has adopted modern technical and organizational security measures to protect personal data (both as a controller and as a processor) from unlawful access, deletion, modification, disclosure, destruction or other violation. For this purpose, we apply appropriate technical and organizational security measures to our services and infrastructure (hosting areas, servers, network devices, portals, etc.) to ensure a level of security corresponding to the threat. Corresponding measures are established by ALMIC's internal security regulations, including, as appropriate, the following:

pseudonymization and encryption of personal data included in confidential information;
ability to ensure the continuous privacy, integrity, availability and resilience of systems and services processing personal data included in confidential information;
ability to restore timely availability and access to personal data included in confidential information in case of a physical or technical incident;
procedure for regular testing and evaluation of the effectiveness of technical and organizational measures to ensure the security of personal data processing included in confidential information.

12.

ALMIC notifies the user of significant security risks, including theft of data related to the user and intrusion into ALMIC's possessions. ALMIC also notifies the Data Protection Inspectorate of the relevant circumstances. ALMIC also takes necessary measures to mitigate the consequences of the situation that has arisen and to reduce analogous risks.

13.

Registration and use of user accounts on ALMIC's portals and provision of services is not possible without personal data processing. ALMIC ensures that personal data processing takes place in accordance with applicable legal norms and acts.

14.

Upon termination of the CLIENT relationship, ALMIC is entitled to delete all data collected and stored about the user, except those data for which the retention obligation arises from applicable legal norms and acts. The CLIENT has the right to demand that ALMIC delete the data within sixty (60) days. It is possible that complete deletion of personal data by ALMIC is not possible for fulfilling contractual or legal obligations, and in such case and to such extent ALMIC is not obliged to delete personal data.

15.

ALMIC has the right to purposefully process the respective data not deleted also after the end of the CLIENT relationship, but still strictly in accordance with these rules and legal acts.

16.

For a compelling reason, ALMIC has the right to extend the aforementioned deadline, and in such case ALMIC justifies the extension of the deadline and its basis (e.g. it is not possible to delete the data, or deletion requires unreasonable effort, in which case ALMIC explains this circumstance to the CLIENT). In this respect, ALMIC reserves the right (but not the obligation) to retain those communication data and correspondence with the CLIENT, of which ALMIC itself is one party, for three (3) years, for protecting its own rights in any later possible disputes.

17.

If a longer retention period arises from law, ALMIC does not have to justify this otherwise than by reference to the relevant law, e.g.:

17.1.

ALMIC has the right and obligation to retain contract documents concluded with the CLIENT (including contract annexes and orders submitted under the contract, payment data) for the period stipulated in the Accounting Act;

17.2.

ALMIC has the right and obligation to retain data referred to in § 1111 paragraph 3 of the Electronic Communications Act for one year from the time of communication if these have been created or processed during the provision of the communications service.

17.3.

ALMIC has the right and obligation to retain content identified as terrorist content and removed or with restricted access described in https://almic.ee/abi-ja-juhendid/lepingute-uldtingimused (General Terms of Contracts) section 16.7 and related logs and other necessary data to fulfill obligations arising from Regulation (EU) 2021/784 and to respond to approaches from competent authorities or court instances for up to six (6) months from the removal of content or blocking of access, unless applicable law provides for a longer retention period. Access to removed content and related data is provided only to the competent authority and court instances and ALMIC's authorized employees to the extent necessary to fulfill the aforementioned purposes.

18.

In certain cases, one must also take into account the rules established by third parties, e.g. in connection with domains, ALMIC is an .ee accredited registry maintainer, which is obliged to refer to the principles of personal data use established by the Estonian Internet Foundation (hereinafter: EIS) and .ee domain rules, which also apply to CLIENTS in connection with domain services. EIS rules can be found at the link: https://www.internet.ee/domeenid/eis-i-isikuandmete-kasutamise-alused.

19.

ALMIC regularly reviews these terms, bringing them into compliance with new established legal norms and acts. When changing terms, ALMIC does not reduce CLIENTS' rights without CLIENTS' own consent. ALMIC notifies CLIENTS of changes to terms in advance a reasonable time before the changes enter into force. ALMIC notifies active CLIENTS if new terms begin to apply to them.

20.

The CLIENT has the right at any time to submit objections regarding a personal data processing operation. Upon submission of such an objection, ALMIC considers the CLIENT's legal interests and stops the relevant data processing if possible. If the objection is related to data whose processing is necessary and in ALMIC's assessment lawful (e.g. retention or transmission to fulfill an obligation arising from law), ALMIC may refuse to fulfill the objections.

21.

If a person finds that ALMIC has violated their rights in personal data processing, they have the right to submit a corresponding complaint and/or objection to the Data Protection Inspectorate (https://www.aki.ee/et) or to court.

22.

For all questions related to personal data processing, you can contact our data protection specialist at: andmekaitse@almic.ee.