We consider the REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL when describing data protection terms.
We use security measures in our work related to serving SPS Grupp OÜ customers and handling personal data related to employees.
The data protection terms apply to all persons who use the company’s server and network solutions or website, submit inquiries about our services, or interact with SPS Grupp OÜ in other ways.
SPS Grupp OÜ processes the data of its employees, clients, and contact persons who have expressed a desire for contractual obligations or confirmed that they have read our data protection terms and have agreed to these terms.
Definitions
Personal data – information about a natural person (data subject) by which they can be directly or indirectly identified: name, personal identification code, location data, network identifiers (characteristics that help identify a specific person in a communication network), as well as physical, economic, cultural, and any other identifiable characteristics and their combinations.
Processing of personal data – any operation performed on data: collection, organization, storage, alteration, reading, use, transmission, combination, deletion, etc.
Identification of the Controller and Processor
SPS Grupp OÜ is the controller of personal data when processing the personal data of its employees, website visitors, and customer representatives, and when developing its service. SPS Grupp OÜ’s processors are cooperation partners who provide services to SPS Grupp OÜ.
The processor must handle personal data on behalf of and on the instructions of the controller in accordance with all applicable regulations.
The processor has the right to perform processing operations only with respect to those personal data and to the extent that the controller has authorized the processor.
SPS Grupp OÜ is the processor of personal data entered/transmitted by its clients into SPS Grupp OÜ’s business software (e.g., clients’ client data). In this situation, the controller of personal data is the respective SPS Grupp OÜ client.
Purposes and Bases for Processing Personal Data
When collecting customer data, we limit ourselves to the minimum necessary to fulfill the purposes related to service provision and better customer service.
The basis for processing personal data is the conclusion of a contract, legitimate interest, or the consent of the individual.
SPS Grupp OÜ does not distribute, transmit, modify, or use the personal data entrusted to us in any way not disclosed at the time of collection, unless there is an agreement with the person or the need for disclosure arises from the legislation of the respective country.
SPS Grupp OÜ collects personal data for:
- identifying the person;
- fulfilling employee work duties and obligations arising from law (e.g., data transmitted to the tax authority, data transmitted to the occupational health doctor, etc.);
- preparing a client contract and/or invoice;
- fulfilling the terms of the contract concluded with the client;
- contacting the person for service provision;
- customer retention or resolving issues.
SPS Grupp OÜ undertakes to protect the personal data and privacy of employees and customers.
Access to personal data in the company is only available to individuals who need it for processing personal data.
The personal data we collect may include the following:
- Your name;
- Your personal identification code;
- Your phone number;
- Your email address;
- Your address;
- Your company name and your position;
- Your account details;
- The text of your inquiry;
- Other data necessary for providing the service.
The categories of personal data processed may differ depending on the employment contract, the law, or the agreement between SPS Grupp OÜ and the client.
Data Retention
We retain personal data as long as necessary to achieve the purposes for which the data was collected. The retention period also depends on legal requirements for document retention.
Personal data related to SPS Grupp OÜ transactions are retained for at least seven (7) years from the end of the financial year due to the obligation to prove transactions under the Accounting Act.
Employee-related data is retained for at least 10 years after the termination of the employment contract, and occupational health data for at least 55 years in accordance with the legal requirements of the Republic of Estonia.
Personal data of service clients is retained for at least seven (7) years after the termination of the client relationship or employment relationship in case there is a need to defend one’s rights in a dispute with the data subject or client or for other legal claims.
How We Share and Disclose Information
Personal data processed by SPS Grupp OÜ may be transferred without the person’s consent only to an institution or person who has a justified need or direct legal right (such as a court or pre-trial investigator).
We may transfer your data for processing to third parties who help us provide and manage Services and who provide services related to customer inquiry management. These persons may include, for example, transport companies, property managers, etc.
In all cases, we only provide the data processor with the necessary data to perform a specific task or provide a specific service.
Collection of Visitor Information on the Website
The SPS Grupp OÜ website uses cookies. Cookie information is collected to obtain statistics on the number of users, as well as information about the geographical location of our users, to customize the content and service of the website.
Security of Personal Data
SPS Grupp OÜ implements necessary technical, physical (confidential documents are stored locked) and organizational security measures (confidentiality agreements with personnel) to protect client and employee personal data from loss and illegal processing.
SPS Grupp OÜ has established clear and mandatory requirements for all persons who process personal data on behalf of and on the instructions of the company and has made these known.
SPS Grupp OÜ follows the requirements of the ISO 27001:2013 standard (information security management system, ISMS), or requirements of a similar level, when processing personal data.
Notification of Personal Data Breach or Violation to the Data Subject
If the breach is likely to result in a high risk to the rights and freedoms of individuals, the controller must also notify the data subject without undue delay.
The purpose of the notification is to enable the data subject, in addition to the data processor, to take the necessary precautions to mitigate the risk.
In the notice, we provide information about the nature of the personal data breach, as well as recommendations to mitigate possible adverse effects.
The notice to the person includes:
- a clear and simple explanation of the nature of the personal data breach;
- the name and contact details of the SPS Grupp OÜ contact person;
- a description of the possible consequences of the personal data breach;
- a description of measures to address the personal data breach.
Data Subject Rights
Right to rectification – the right of the data subject to request that inaccurate or incomplete personal data concerning them be rectified without undue delay.
Right to erasure – the right of the data subject to request that their personal data be erased without undue delay if certain additional conditions are met.
If there is no (longer) legal basis for processing, disclosing, or allowing access to personal data, one can request the cessation of use or deletion of data, cessation of disclosure of data or access to data. To do this, a request that enables identification of the person should be submitted.
The request will not be fulfilled if:
- it may harm the rights and freedoms of another person;
- it may hinder the provision or non-provision of a service;
- it may hinder the work of law enforcement agencies;
- it is not technically necessary and/or possible;
- the applicant is not legally connected to the data;
- the applicant cannot be identified.
Right to restrict processing – the right of the data subject to temporarily or permanently restrict the processing of all or part of their personal data in certain cases.
Right of access – the right to be informed about personal data and to request access to personal data that we process about you.
If the basis for processing personal data is the consent of the data subject, the data subject has the right to withdraw this consent at any time by notifying via email, without affecting the lawfulness of processing based on consent before its withdrawal.
Data Protection Terms and Changes
The data subject confirms these data protection terms with consent in a form that can be reproduced (e.g., as an attachment to a contract, etc.).
SPS Grupp OÜ reserves the right to change, add, or remove data protection terms if necessary. The currently valid data protection terms are available on the SPS Grupp website: https://spsgrupp.ee/andmekaitsetingimused/
If you find that SPS Grupp OÜ has violated your rights in processing personal data, please notify us by letter to our public email address. Disputes are resolved through negotiations. You also have the right (for example, if an agreement is not reached) to contact the Data Protection Inspectorate (https://www.aki.ee/et, email: info@aki.ee) or the competent court.
Data Protection Terms are valid from 08.12.2021.