Privacy policy – INF Ehitus

PRIVACY STATEMENT of AS INFORTAR Group:

AS EG EHITUS

OÜ INF EHITUS

OÜ INF INFRA

OÜ INF ENGINEERING

Valid from 28.03.2023.a.

INTRODUCTION

Thank you for reading this privacy notice. We value the privacy of our customers. Our aim is to explain to you in a transparent and understandable way how and on the basis of which principles we process our customers’ data. This Privacy Notice (“Privacy Notice”) applies to the following subsidiaries of AS Infortar (registered at 10139414): OÜ INF Engineering (registration code 16568470), AS EG Ehitus (registration code 11097051), OÜ INF Ehitus (registration code 16218639) and OÜ INF Infra (registration code 16421809). For the purposes of this Privacy Notice, the term “we” or “controller” means AS EG Ehitus, OÜ INF Engineering, OÜ INF Ehitus or OÜ INF Infra, respectively, depending on which of these companies you have contacted to order a product or service or to make other enquiries, or with which of these companies you have a contractual or other relationship. The controller of your personal data is AS EG Ehitus, OÜ INF Engineering, OÜ INF Ehitus or OÜ INF Infra, as the case may be.

This Privacy Notice describes our data processing principles and how we process personal data. Please read this Privacy Notice to understand how we may process your data.

If you have any specific questions about how we process your personal data or if you wish to submit any requests to exercise your rights in relation to the processing of your personal data, please contact us using the contact details in the “Contact” section below.

DEFINITIONS

“GDPR”	Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
“personal data”	Any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification code, location data, a network identifier or to one or more physical, physiological, genetic, mental, economic, cultural or social identifiers of that natural person.
“current legislation”	All applicable European Union legislation and all applicable legislation of the Republic of Estonia, including, but not limited to, national implementing legislation of the GDPR, in force at the time of the conclusion of the Data Processing Agreement or in force after the conclusion of the Data Processing Agreement; recommendations and guidance issued by supervisory authorities, including, but not limited to, the Estonian Data Protection Inspectorate, the European Data Protection Board and the European Working Party on the Protection of Individuals with regard to the Processing of Personal Data established under Article 29 of Directive 95/46/EC at the time of the conclusion of the Data Processing Agreement or after the conclusion of the Data Processing Agreement.
“data subject”	The natural person whose personal data we process.
“our”	OÜ INF Engineering (registered at 16568470, address Sadama tn 5, 10111), AS EG Ehitus (registered at 11097051, address Gaasi tn 5, 13816, Tallinn), OÜ INF Ehitus (registered at 16218639, address Sadama tn 5, 10111) or OÜ INF Infra (registered at 16421809, address Sadama tn 5, 10111), depending on which company you have signed a contract with or which company you have contacted for a product or service or other enquiry.
“processing”	An automated or non-automated operation or set of automated or non-automated operations on personal data or on sets of personal data, such as collection, recording, organisation, structuring, storage, adaptation and alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“controller”	A natural or legal person, public authority, agency or other body which alone or jointly with others determines the purposes and means of the processing of personal data. For the purposes of this Privacy Notice, a controller is OÜ INF Engineering, AS EG Ehitus, OÜ INF Ehitus or OÜ INF Infra.
“website”	the website of AS EG Ehitus https://www.ege.ee/ and its associated sub-domains or any other website to be used by AS EG Ehitus in the future or the website of OÜ INF Ehitus https://infehitus.ee/ and its associated sub-domains or any other website to be used by OÜ INF Ehitus in the future or the website of OÜ INF Infra https://infinfra.ee/ and its associated sub-domains or any other website to be used by OÜ INF Infra in the future.
“processor”	A natural or legal person, public authority, agency or other body that processes personal data on behalf of a controller.

WHEN AND FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?

The controller processes personal data primarily for the purposes of providing a service to its customers and partners and for the performance of contractual obligations on behalf of its customers and partners. Where the customer or cooperation partner of the controller is a data subject, the legal basis for the processing of personal data is Article 6(1)(b) GDPR – processing of personal data is necessary for the performance of a contract entered into with the data subject or for pre-contractual measures at the request of the data subject. If the customer or the cooperation partner is a legal person, we process the data of the representative of the customer or the cooperation partner which are necessary to establish the right of representation. We may also process personal data of data subjects provided by the customer or cooperation partner for the provision of a service to the customer or cooperation partner, in which case we will act as an authorised processor of personal data and the privacy policy of the customer or cooperation partner will apply.
The controller may also process personal data where it is necessary for compliance with a legal obligation to which the controller is subject. For example, where the controller is required to provide personal data by a court on the basis of a valid court order or judgment, or where the personal data are required to be provided by a law enforcement authority or other person on the basis of a valid regulation (e.g. an insurance company by law). Also, where the controller is under a duty to retain personal data, for example, under the Accounting Act or other applicable law. The legal basis for processing personal data in such cases is Article 6(1)(c) of the GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject.
In certain cases, the controller may also process personal data where this is necessary for the purposes of the legitimate interests pursued by the controller, unless such interests override the interests of the data subject or the fundamental rights and freedoms for which the personal data must be protected. The legal basis for the processing of personal data in such a case is Article 6(1)(f) GDPR.
The personal data that the controller may process include:
1. general data necessary for identification: name, personal identification number/date of birth, address, contact details;
2. data relating to the company: registration code of the legal person, name of the representative of the legal person, personal identification number/date of birth of the representative of the legal person, basis of the right of representation, position with the client legal person, contact details;
3. Information related to the use of the service: information on how our services are used, information on contracts entered into, enquiries about contracts, correspondence;
4. technical information: technical information that we may collect when you use our service (read more in the section on using cookies).

Depending on the legal relationship between you and the controller, the controller may process the following data about you:

Purpose	Personal data to be collected	Legal basis
Provision of services or sale of products to natural persons	Contact and identification details: name, personal identification number/date of birth, e-mail address, telephone number, address; Terms and conditions of the contract and service information: Facts related to the service ordered (e.g. information related to the challenge or emergency for which the order was placed; information about the energy consuming property and equipment (address, area, property rights related to the property, description of the equipment, ownership or use rights of the person, etc.); information about energy consumption (quantity, location); characteristics of the place of energy consumption; price of the services ordered; information about the products sold; Payment information: Information on the payment method used, information on the payment obligation and its fulfilment, information on the amounts due to the person and their payment, bank details.	Article 6(1)(b) GDPR
Provision of services and sale of products to legal persons	Contact details of the representative of the legal person: name, registration code, e-mail address, telephone number; Basis for representation: position/position in the legal person, basis for representation;	Article 6(1)(f) GDPR
Ensuring security	Security camera recordings: read the separate chapter on the use of security cameras.	Article 6(1)(f) GDPR
Sending offers and newsletters	Contact details: name, email address Consent:consent to send offers.	Article 6(1)(a) GDPR
Website offer	Data collected through cookies (see separate chapter on the use of cookies)	Article 6(1)(f) or 6(1)(a) of the GDPR.

WHEN AND FOR WHAT PURPOSES DO WE PROCESS PERSONAL DATA?
1. The controller shall not retain personal data for longer than is necessary for the purposes for which the personal data are processed or required by applicable law. The controller shall apply the following retention periods:
  1. Documents, the personal data contained therein, which must be kept in accordance with the legislation on the keeping of accounting records, are kept for 7 years under the Accounting Act;
  2. personal data relating to the conclusion of a contract, the longer retention period of which does not result from applicable law, we will, as a general rule, retain for as long as they are necessary for the performance of the contract during the term of the contract, also for up to 3 years after the expiry of the contract pursuant to our legitimate GDPR under Article 6(1)(f) of the GDPR based on the limitation period under the General Civil Code;
  3. we will keep the data collected on the basis of consent until consent is withdrawn.
2. For detailed information on the retention periods for personal data relating to you, please contact us using the contact details in the “Contact” section below.
USE OF SECURITY CAMERAS
1. The controller uses surveillance equipment (cameras) on its own premises and on the premises it manages, in particular for the protection of persons and property, to ensure security, to prevent and deal with security incidents and to manage work processes.
2. A sign on the use of security cameras is placed in the security camera monitoring area. The surveillance equipment consists of cameras installed on the premises, which record the territory 24 hours a day (24/7), the security cameras are stationary and do not record sound.
3. Security cameras are not used in places where the data subject may have a expectation of privacy – for example, changing rooms, toilets.
4. The controller shall not disclose the recordings made by the security cameras to third parties, unless this is necessary for the investigation by authorised persons of offences or other incidents that have been committed. For example, in the event of theft, the controller may transfer the recording to the Police and Border Guard Board. The controller may also transfer the recordings to other third parties under applicable law (for example, to a court on the basis of a court order, to an insurance company if required under applicable law, etc.).
5. The controller shall keep the recordings from the security cameras for a maximum period of 1-2 months from the date of the recording, unless, during that period, proceedings have been initiated to investigate an offence or other incident committed during the same period which requires the recordings to be kept for a longer retention period. Recordings from some cameras may also be erased earlier.
TRANSFERS OF PERSONAL DATA AND USE OF PROCESSORS
1. The controller shall not disclose personal data to third parties except where it has a legal right to do so under applicable law.
2. The controller may use processors to process personal data. Processors of the controller who may process personal data in limited cases are, for example, IT service providers (server service providers, IT software developers) or other support service providers. The controller will only use as processors cooperation partners whose reliability the controller is satisfied with and who have undertaken to process personal data in accordance with applicable law.
3. Personal data may also be transferred by the controller in connection with legal transactions, such as the transformation of a business, sale or other transaction. In such cases, we may transfer personal data to the transaction partner and to legal advisors (law firms, accountancy firms).
4. The data controller may also transfer personal data in connection with applicable legal requirements, for example, if we are required to provide personal data by a court pursuant to an applicable court order or judgment, or if we are required to provide personal data by an investigative authority pursuant to applicable law.
5. As a rule, the controller does not transfer personal data outside the European Economic Area. Where we do, we implement appropriate security measures and enter into a contract with our service provider for the transfer of the data that complies with the standard contractual clauses adopted by the European Commission. The standard contractual clauses can be found at https://eur-lex.europa.eu/legalcontent/LV/ALL/?uri=CELEX%3A32010D0087.

MISSIONS

The data controller uses cookies on its website. Cookies are small text files that contain information stored on your computer and are used for tracking or identification purposes.
Cookies can be divided according to their expiry date into temporary cookies, which are deleted after the web browser is closed, and persistent cookies, which are permanently stored on the user’s device for the period specified in the cookie and are activated each time the user visits the website from which the cookie was installed.
Depending on the purpose of the cookies, they can be divided into necessary cookies, or functional cookies (necessary for the functioning of the website), analytics cookies (to allow the collection of statistics about your visit to the website), preference cookies (to store your preferences) or advertising cookies (to provide personalised ads).

More specifically, the following cookies are used by the controller on the website:

Cookie	Description and purpose	Type	Shelf life
_ga	Google Analytics cookie used to distinguish users. Read more: https://policies.google.com/technologies/partner-sites?hl=en	Analytics	2 years
_gid	Google Analytics cookie used to determine the number of page views. Read more: https://policies.google.com/technologies/partner-sites?hl=en	Analytics	Day 1
_GRECAPTCHA	A Google cookie used to ensure the security of the website. Read more: https://policies.google.com/technologies/partner-sites?hl=en	Required by	6 months
_gat	Used to narrow down the frequency of an application. If Google Analytics is enabled via Google Tag Manager, this cookie will be named _ dc_gtm_. Read more: https://policies.google.com/technologies/partner-sites?hl=en	Analytics	1 minute

The data subject has the right to disable the use of cookies at any time by modifying the settings of their browser. However, in such a case, the Customer must be aware that not all the functions of the website may function correctly. It is possible to disable cookies by following the instructions of the “help” or “help” function of the web browser. More information on how cookies work or how to disable cookies can also be found at www.allaboutcookies.org.

DATA SUBJECT RIGHTS
1. The data subject has all the rights under the applicable law in relation to the processing of his or her personal data.
2. Data subjects have the following rights, among others, with regard to the processing of their personal data:
  1. Right of access: the right to ask at any time whether or not the controller holds personal data about him or her and to be informed of what personal data the controller is processing about him or her;
  2. the right to rectification: the right to request the controller to specify or rectify your personal data if it is insufficient, incomplete or incorrect;
  3. right to object: the right to object to the controller processing your personal data;
  4. right to request erasure of personal data: the right to request the erasure of personal data, for example where personal data are processed with consent and where the data subject has withdrawn consent;
  5. right to restriction of processing: the right to require the controller to restrict the processing of personal data, for example where the controller no longer needs the personal data of the Client for the purposes of the processing or where the data subject has objected to the processing of personal data;
  6. the right to withdraw consent to the processing of personal data: where the processing of personal data relating to a data subject is based on the data subject’s consent, for example in the case of direct marketing, the data subject has the right to withdraw the consent given to the controller at any time;
  7. the right to data portability: the right to obtain from the controller, on his or her own initiative, the personal data which the data subject has provided to the controller and which the controller processes in written form or in a commonly used electronic format and, where technically feasible, to request the controller to transfer those data to a third party service provider;
  8. right to lodge a complaint: if a data subject considers that his or her rights have been infringed by the processing of his or her personal data, he or she has the right to lodge a claim with the Data Protection Inspectorate or the courts.
CONTACT
1. If you have any questions regarding the processing of your personal data or if you wish to make a request regarding the processing of your personal data, please contact the controller by telephone, e-mail or post.
  
  The contact details of AS EG Ehitus are:
  
  Business name: AS EG Ehitus
  
  Address: Gaasi tn 5, 13816, Tallinn, Estonia
  
  Phone: +372 6580240
  
  E-mail: info@ege.ee
  
  The contact details of OÜ INF Engineering are:
  
  Business name: OÜ INF Engineering
  
  Address: 5 Sadama Street, 10111
  
  E-mail: info.inf@inf.ee
  
  The contact details of OÜ INF Ehitus are:
  
  Business name: OÜ INF Ehitus
  
  Address: 5 Sadama Street, 10111
  
  E-mail: info.ehitus@inf.ee
  
  The contact details of OÜ INF Infra are:
  
  Business name: OÜ INF Infra
  
  Address: 5 Sadama Street, 10111
  
  E-mail: info.infra@inf.ee