Data Protection Policy
Tripsider.com OU
Registered address: Harju maakond, Tallinn, Kesklinna linnaosa, Pille tn 7/5-13, 10135
Contact address: Harju maakond, Tallinn, Kesklinna linnaosa, Pille tn 7/5-13, 10135
Policy prepared by: Data Protection Officer
Approved by board/management on: 15.03.2019
Policy became operational on: 15.03.2019
Next review date: 31.01.2023
7. Personal data processing for different categories of data subjects
7.1. Data processing for the employment relationship and company’s business activity
7.1.2. Lawful basis for personal data processing
7.1.3. Personal data processed by Tripsider.com
7.1.6. Telecommunications and internet for employees
7.2. Data processing for the business relationship (third party vendors, suppliers and partners)
7.2.1. Lawful basis for personal data processing
7.2.2. Personal data processed by Tripsider.com
7.2.3. Special categories of personal data (sensitive personal data)
7.2.4. Processing of personal data relating to criminal convictions and offences
7.3. Data processing for the customer relationship
7.3.1. Data processing for a customer contractual relationship (service providing)
7.3.2. Data processing for advertising purposes
7.3.3. Lawful basis for personal data processing
7.3.4. Personal data processed by Tripsider.com
7.3.5. Special categories of personal data (sensitive personal data)
7.3.6. Processing of personal data relating to criminal convictions and offences
7.3.8. User data and internet
8. Children’s personal data
9. Rights of the data subject
9.3. Right to rectification
9.4. Right to erasure (‘right to be forgotten’)
9.5. Right to restrict processing
9.6. Right to data portability
9.8. Rights related to automated decision making including profiling
10. Transfer to third parties
11. International transfer of personal data
12. Disclosing data for other reasons
13.2. The possible consequences of a personal data breach
13.3. Notification of data breach to supervisory authority and communication to data subject
13.4. Internal report of a personal data breach to DPO
15.1. Records of processing activities by Tripsider.com as a data controller
15.1. Records of processing activities by Tripsider.com as a data processor
17. Power of supervisory authority and possible fines
17.1. Power of supervisory authority
17.2. Fines set up in the GDPR
17.4. Enforcement notes for Estonia
18. Monitoring and Revising the Data Protection Policy
Annex I. Access to Personal Data request form
Annex II. Internal report of a personal data breach form
Annex III. Controller’s processing activities records
Annex IV. Processor’s processing activities records
Annex V. Example of Declaration of acceptance of Personal Data Protection requirements
This Data Protection Policy sets out the policy which Tripsider.com group (hereinafter Tripsider.com) has adopted in order to facilitate compliance with the General Data Protection Regulations (the "GDPR") when we establish and manage customer and business relationships and execute transactions, etc.
The GDPR regulates the processing of personal data.
Personal data is defined as any information relating to an identified or identifiable natural person (‘data subject’). An identifiable natural person is one who can be identified, directly or indirectly.
It applies to all data that the company holds relating to identifiable individuals, even if that information technically falls outside of the GDPR. This can include:
names of individuals;
an identification number;
location data;
an online identifier;
email addresses;
telephone numbers;
one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person; and
any other information relating to individuals
Processing covers any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
The General Data Protection Regulations are underpinned by six important principles. These say that personal data must:
Be processed fairly and lawfully (‘lawfulness, fairness and transparency’)
Be obtained only for specific, lawful purposes (‘purpose limitation’)
Be adequate, relevant and not excessive (‘data minimisation’)
Be accurate and kept up to date (‘accuracy’)
Not be held for any longer than necessary (‘storage limitation’)
Be protected in appropriate ways (‘integrity and confidentiality’)
Tripsider.com, as a controller of personal data, is responsible for compliance with the GDPR principles set out above.
‘CTO’ means Chief Technology Officer;
‘DPI’ means Data Protection Inspectorate;
‘DPO’ means Data Protection Officer;
‘EEA’ means European Economic Area;
‘EU’ means European Union;
‘GDPR’ means General Data Protection Regulations.
‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
‘Personal data breach’ means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
‘Recipient’ means a natural or legal person, public authority, agency or another body, to which the personal data are disclosed, whether a third party or not. However, public authorities which may receive personal data in the framework of a particular inquiry in accordance with Union or Member State law shall not be regarded as recipients; the processing of those data by those public authorities shall be in compliance with the applicable data protection rules according to the purposes of the processing;
‘Restriction of processing’ means the marking of stored personal data with the aim of limiting their processing in the future;
‘Supervisory authority’ means an independent public authority which is established by a Member State to be responsible for monitoring the application of the GDPR, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union;
‘Third party’ means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data;
This policy applies to:
the offices of Tripsider.com;
all staff and volunteers of Tripsider.com; and
all contractors, suppliers and other people (authorised persons) working on behalf of Tripsider.com.
A copy of this Policy will be supplied to each such person mentioned above. The requirements set out in this Policy are mandatory unless otherwise stated and must be followed by all persons involved in the data processing activities. It is the responsibility of each such person to acquaint themselves with the requirements of this Policy. Failure to comply with this Policy may constitute a serious disciplinary offence and could result in dismissal.
Tripsider.com processes personal data in various situations and in relation to various categories of individual. This Policy deals with personal data collected in the context of the establishment and management of our customer relationships and the execution of transactions on the instructions of our customers, as well as with personal data of individuals who are employees, contractors and partners of Tripsider.com. The individuals to whom personal data relate, whether customers or otherwise, are known as "data subjects".
The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) is responsible for enforcement of the GDPR and has published a range of guidance on data protection issues, all of which is available on the Inspectorate's website at http://www.aki.ee/en.
Our principal obligations under the GDPR include:
respecting individuals’ rights;
processing personal data lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);
collecting personal data for specified, explicit and legitimate purposes and not further processing them in a manner that is incompatible with those purposes (‘purpose limitation’);
ensuring that personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
ensuring that personal data are accurate and, where necessary, kept up to date; every reasonable step will be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
ensuring that personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
ensuring that personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’);
providing training and support for staff and volunteers who handle personal data, so that they can act confidently and consistently; and
responding appropriately when data subjects seek to exercise their statutory rights of access, correction and objection.
This Policy is supplementary to our other published policies.
This policy helps to protect Tripsider.com from some very real data security risks, including:
Breaches of confidentiality. For instance, information being given out inappropriately.
Failing to offer choice. For instance, all individuals should be free to choose how the company uses personal data relating to them.
Failing to comply with the GDPR principles. For instance, collecting or transferring personal data without the data subject’s consent.
Reputational damage. For instance, the company could suffer if hackers successfully gained access to personal data.
Financial damage. For instance, fines imposed by the supervisory authority.
The only people able to access data covered by this policy should be those who need it for their work.
Data should not be shared informally. When access to confidential information is required, employees/authorised persons can request it from their line managers.
Tripsider.com will provide training to all employees to help them understand their responsibilities when handling data.
Persons to whom this policy applies should keep all data secure by taking sensible precautions and following the guidelines below.
In particular, strong passwords must be used and they should never be shared.
Data should not be disclosed to unauthorised people, either within the company or externally.
Persons to whom this policy applies should sign the Declaration of acceptance of Personal Data Protection requirements set by this Data Protection Policy.
Everyone who works for or with Tripsider.com has some responsibility for ensuring data is collected, stored and handled appropriately.
Each department that handles personal data must ensure that it is handled and processed in line with this policy and data protection principles.
However, the following people have key areas of responsibility:
The Board of Directors is ultimately responsible for ensuring that Tripsider.com meets its legal obligations.
The Data Protection Officer is responsible for:
Monitoring compliance with the GDPR and other Union or Member State data protection provisions.
Keeping the Board updated about data protection responsibilities, risks and issues.
Monitoring compliance with the policies of the controller or processor in relation to the protection of personal data.
Reviewing all data protection procedures and related policies, in line with an agreed schedule.
Providing advice where requested as regards the data protection impact assessment and monitoring its performance.
Arranging data protection training and advice for the people covered by this policy.
Handling data protection questions from staff and anyone else covered by this policy.
Dealing with requests from individuals to see the data Tripsider.com holds about them (also called ‘subject access requests’).
Checking and approving any contracts or agreements with third parties that may handle the company’s sensitive data.
Keeping controller’s and processor’s processing activities records up to date.
Cooperating with the supervisory authority, acting as the contact point on issues relating to processing and consulting it, where appropriate, with regard to any other matter.
If you have any questions about this Policy or application in particular circumstances, you should consult the Data Protection Officer.
The CTO is responsible for:
Ensuring all systems, services and equipment used for storing data meet acceptable security standards.
Performing regular checks and scans to ensure security hardware and software is functioning properly.
Evaluating any third-party services the company is considering using to store or process data (e.g. cloud computing services).
The Marketing Team is responsible for:
Approving any data protection statements attached to communications such as emails and letters.
Addressing any data protection queries from journalists or media outlets like newspapers.
Where necessary, working with other staff to ensure marketing initiatives abide by data protection principles.
In employment relationships, personal data can be processed if needed to initiate, carry out and terminate the employment agreement. When initiating an employment relationship, the applicants’ personal data can be processed. If the candidate is rejected, his/her data must be deleted in observance of the required retention period, unless the applicant has agreed to remain on file for a future selection process. Consent is also needed to use the data for further application processes or before sharing the application with other Tripsider.com group companies.
In the existing employment relationship, data processing must always relate to the purpose of the employment agreement if none of the following circumstances for authorised data processing apply.
If it should be necessary during the application procedure to collect information on an applicant from a third party, the requirements of the corresponding national laws have to be observed. In cases of doubt, consent must be obtained from the data subject.
There must be legal authorisation to process personal data that is related to the employment relationship but was not originally part of performance of the employment agreement. This can include legal requirements, collective regulations with employee representatives, consent of the employee, or the legitimate interest of the company.
As a part of data protection knowledge base for the relevant employees Tripsider.com uses ‘Guidelines for human resources employees: personal data in employment relationships’ published on the DPI’s website http://www.aki.ee/et/eraelu-kaitse/juhised.
7.1.2.1. Data processing pursuant to legal authorisation
The processing of personal employee data is also permitted if national legislation requests, requires or authorises this. The type and extent of data processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions. If there is some legal flexibility, the interests of the employee that merit protection must be taken into consideration.
The following legislative acts constitute a legal basis for the processing of some of the personal data: the Employment Contracts Act (Töölepingu seadus), the Health Insurance Act (Ravikindlustuse seadus) and/or the Occupational Health and Safety Act (Töötervishoiu ja tööohutuse seadus), and the Estonian Commercial Code (Äriseadustik).
7.1.2.2. Collective agreements on data processing
If a data processing activity exceeds the purposes of fulfilling a contract, it may be permissible if authorised through a collective agreement. Collective agreements are pay scale agreements or agreements between employers and employee representatives, within the scope allowed under the Estonian Employment Contracts Act. The agreements must cover the specific purpose of the intended data processing activity, and must be drawn up within the parameters of national data protection legislation.
7.1.2.3. Consent to data processing
Employee data can be processed upon consent of the person concerned. Declarations of consent must be submitted voluntarily. Involuntary consent is void. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In certain circumstances, consent may be given verbally, in which case it must be properly documented. In the event of informed, voluntary provision of data by the relevant party, consent can be assumed if national laws do not require express consent. Before giving consent, the data subject must be informed about the identity of Tripsider.com as a data controller, the purposes of data processing and any third parties or categories of third parties to whom the data might be transmitted.
7.1.2.4. Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary to enforce a legitimate interest of Tripsider.com. Legitimate interests are generally of a legal (e.g. filing, enforcing or defending against legal claims) or financial (e.g. valuation of companies) nature.
Personal data may not be processed based on a legitimate interest if, in individual cases, there is evidence that the interests of the employee merit protection. Before data is processed, it must be determined whether there are interests that merit protection.
Control measures that require processing of employee data can be taken only if there is a legal obligation to do so or there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of the company in performing the control measure (e.g. compliance with legal provisions and internal company rules) must be weighed against any interests meriting protection that the affected employee may have in not being subject to the measure, and the measure may not be performed unless it is appropriate. The legitimate interest of the company and any interests of the employee meriting protection must be identified and documented before any measures are taken. Moreover, any additional requirements under national law (e.g. rights of co-determination for the employee representatives and information rights of the data subjects) must be taken into account.
Tripsider.com processes the following personal data:
Board of Directors records: These may include:
name, address and contact details of each member of the Board of Directors and secretary;
records in relation to appointments to the Board;
Minutes of Board of Directors meetings and correspondence to the Board which may include references to particular individuals.
Format: manual record (personal file within filing system) and/or computer record (database).
Purpose: keeping a record of Board appointments, documenting decisions made by the Board, compliance with the Commercial Code.
Staff records (including volunteers, contractors): These may include:
name, address and contact details, personal identification code;
original records of application and appointment;
record of appointments to promotion posts;
details of approved absences (career breaks, parental leave, study leave etc.);
details of work record (CV, qualifications, classes taught, subjects etc.);
details of complaints and/or grievances including consultations or competency discussions, action/improvement/evaluation plans and record of progress;
health data of employees;
e-mail messages.
Note: a record of grievances may be maintained which is distinct from and separate to individual personnel files.
Format: manual record (personal file within filing system) and/or computer record (database).
Purpose: to facilitate the payment of staff, to facilitate pension payments in the future, a record of promotions made, compliance with the Employment Contracts Act, the Health Insurance Act and/or Occupational Health and Safety Act.
Sensitive personal data is defined as personal data consisting of information as to:
a) physical or mental health or condition;
b) racial or ethnic origin;
c) political opinion;
d) religious or philosophical beliefs;
e) trade union membership;
f) genetic data, and biometric data where processed to uniquely identify an individual;
g) sex life or sexual orientation.
Sensitive personal data can be processed only under certain conditions. Tripsider.com does not seek to collect or process personal data identified from b) to g) in the list above. Tripsider.com’s employees should not collect or process sensitive personal data for specified purposes and should delete them if they become aware that we have collected them, except with the approval of the Data Protection Officer given on the basis of an assessment of the requirements of the GDPR.
Tripsider.com may process personal data regarding the employee’s health to perform its duties under the Estonian Employment Contracts Act and/or Health Insurance Act.
Data that relates to a crime can be processed only under special requirements under national law.
Where personal data is processed automatically as a part of the employment relationship, and specific personal details are evaluated (e.g. as part of personnel selection or the evaluation of skills profiles), this automatic processing should not be the sole basis for the final decision taking.
If at any time Tripsider.com adopts such an automated decision-making approach, the automated processing cannot be the sole basis for decisions that would have negative consequences or significant problems for the affected employee or contractor. To avoid erroneous decisions, the automated process must ensure that a natural person evaluates the content of the situation, and that this evaluation is the basis for the decision. The data subject will also be informed of the facts and results of automated individual decisions and of the possibility to respond.
Telephone equipment, email addresses and internet along with internal social networks are provided by the company primarily for work-related assignments. They are a tool and a company resource. They can be used within the applicable legal regulations and internal company policies. In the event of authorised use for private purposes, the laws on secrecy of telecommunications and the relevant national telecommunication laws must be observed if applicable.
There will be no general monitoring of telephone and e-mail communications or internet use. To defend against attacks on the IT infrastructure or individual users, protective measures will be implemented for the connections to Tripsider.com’s network that block technically harmful content or that analyse the attack patterns. For security reasons, the use of telephone equipment, e-mail addresses, the internet and internal social networks can be logged for a temporary period. Evaluations of this data relating to a specific person will be made only in a concrete, justified case of suspected violations of laws or policies of Tripsider.com. The evaluations can be conducted only by investigating departments while ensuring that the principle of proportionality is met. The relevant national laws must be observed in the same manner as the company’s policies.
Personal data of the relevant third party vendors, suppliers and partners can be processed in order to establish, execute and terminate a contract. This also includes advisory services for the partner under the contract if this is related to the contractual purpose. Prior to a contract – during the contract initiation phase – personal data can be processed to prepare bids or purchase orders or to fulfil other requests of the prospect that relate to contract conclusion. Third party vendors, suppliers and partners can be contacted during the contract preparation process using the information that they have provided. Any restrictions requested by the third party vendors, suppliers and partners must be complied with.
7.2.1.1. Data processing pursuant to legal authorisation
The processing of personal data is also permitted if national legislation requests, requires or allows this. The type and extent of data processing must be necessary for the legally authorised data processing activity, and must comply with the relevant statutory provisions.
7.2.1.2. Consent to data processing
Data can be processed following consent by the data subject. Before giving consent, the data subject must be informed about the identity of Tripsider.com as a data controller, the purposes of data processing and any third parties or categories of third parties to whom the data might be transmitted. The declaration of consent must be obtained in writing or electronically for the purposes of documentation. In some circumstances, such as telephone conversations, consent can be given verbally. The granting of consent must be documented.
7.2.1.3. Data processing pursuant to legitimate interest
Personal data can also be processed if it is necessary for a legitimate interest of Tripsider.com. Legitimate interests are generally of a legal or commercial nature (e.g. avoiding breaches of contract). Personal data may not be processed for the purposes of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject merit protection and take precedence. Before data is processed, it is necessary to determine whether there are interests that merit protection.
Tripsider.com processes the following personal data:
Third party vendors’, suppliers’ and partners’ records: These may include:
name, address and contact details of third party vendors, suppliers and partners who are natural persons;
name, position, address and contact details of employees or contact persons of the third party vendors, suppliers and partners who are legal persons;
records of appointments or documents of authorisation of signature;
communication between Tripsider.com and third party vendors, suppliers and partners;
due diligence records on third party vendors, suppliers and partners, where applicable.
Format: manual record (personal file within filing system) and/or computer record (database).
Purpose: establish, execute and terminate a contract.
Tripsider.com does not seek to collect or process personal data identified by the GDPR as "sensitive" for business relationship purposes. Tripsider.com’s employees should not collect or process sensitive personal data for specified purposes and should delete them if they become aware that we have collected them, except with the approval of the Data Protection Officer given on the basis of an assessment of the requirements of the GDPR. Sensitive personal data is defined as personal data consisting of information as to:
physical or mental health or condition;
racial or ethnic origin;
political opinion;
religious or philosophical beliefs;
trade union membership;
genetic data, and biometric data where processed to uniquely identify an individual;
sex life or sexual orientation.
If at any time Tripsider.com needs to process such sensitive personal data in the future due to changes in the purposes of data processing, the processing will be carried out in accordance with the principles set out in the GDPR.