Data protection policy for sensitive personal data
In this privacy policy, we describe and explain how, when and why we process your personal data, what values and general principles we follow when processing and what your rights are in relation to your personal data.
Data controller: Marena Tugikeskus OÜ
Processor: A person outside the institution who processes personal data on behalf of the controller (persons who process our data in the framework of projects; accountant).
Marena Tugikeskus data protection contact person: CEO Anne Soodla, marenatugikeskus@gmail.com
General principles of processing personal data
We act legally, fairly and transparently. We always have a legal basis for processing your personal data and we process your personal data on that basis. The processing is fair and understandable for the person whose personal data we process.
We are guided by the goal. We determine a legitimate purpose for the processing of personal data and process personal data only if there is a clear purpose and basis for doing so!
We collect minimum personal data. We collect only relevant and necessary personal data. The most important thing is to proceed from the principle of minimalism!
We keep personal data unchanged. The data stored about the employee and the service user must be correct and up-to-date. If necessary, we will update and correct personal data.
We protect personal data. We treat the processing of your personal data diligently and do our best to ensure that your personal data is protected. We implement various measures (physical, technical, organisational) to protect personal data from unlawful or unauthorised destruction, loss, alteration, disclosure, acquisition or unauthorised access by third parties.
We choose our cooperation partners carefully. We require and expect our contractual partners to be diligent and ethical in the processing of personal data and to keep and transfer personal data securely.
Storage limitation. We retain personal data only for as long as retention is required by law, contract or essential for the provision of a service. We store personal data related to disputes until the expiry of the claim. After the expiry of the term of storage of personal data, the archivist destroys or archives the documents in accordance with the list of documents.
Method of obtaining personal data
We receive your personal data through the Social Insurance Board if you have directed a service to Marena Tugikeskus or wish to receive services from us. We also receive it if you contact us through our website, by e-mail, by letter or by phone.
We receive employees’ personal data through application portals, by e-mail, by letter or by phone.
Purpose and legal basis for the processing of personal data
Personal data are collected for precisely defined, explicit and legitimate purposes and are not processed in a way that is incompatible with those purposes.
The legal bases for the processing of personal data come from the General Data Protection Regulation and the Social Welfare Act. When choosing the legal basis for the processing, we distinguish whether it is ordinary personal data or whether the personal data belongs to the special categories of personal data and criminal data.
The General Data Protection Regulation provides the legal basis for the processing of ordinary personal data:
- Consent. The person has given voluntary explicit consent to the operations with their personal data.
- Performance of a contract. The processing of personal data is necessary for the performance of a contract concluded with a person or for taking measures prior to entering into a contract in accordance with the person’s request.
- Compliance with a legal obligation. The processing of personal data is necessary for the performance of a legal obligation to which the controller is subject.
- Protecting vital interests. The processing of personal data is necessary to protect a person’s own vital interests or those of another natural person.
- Performance of a task carried out in the public interest. The processing of personal data for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller shall be governed by national law.
- Legal obligation – performance of duties prescribed by law.
The General Data Protection Regulation provides the legal basis for the processing of special categories of personal data:
- Consent. The person has given voluntary explicit consent to the operations with their personal data.
- Law or other national legislation. Personal data are processed on the basis of the law or any other national law.
- Protecting vital interests. The processing of personal data is necessary to protect a person’s own vital interests or those of another natural person if the person is physically or legally incapable of giving their consent.
- Drawing up, filing or defending a legal claim. The processing of personal data is necessary for the establishment, exercise or defence of a legal claim or when courts are acting in their judicial capacity.
- Processing in the public interest. The processing of personal data is possible under national law and necessary for the performance of a task carried out in the public interest and does not unduly prejudice the rights of individuals.
Your rights in relation to personal data
The General Data Protection Regulation gives you extensive rights in relation to your personal data:
- Right to access personal data – You have the right to know which personal data we store about you and how we process it, including the purpose of the processing, the persons to whom we disclose the personal data and information about automated decision-making, and the right to receive copies of your personal data.
- Right to rectification – You have the right to request the correction of insufficient, incomplete and incorrect personal data.
- Right to withdraw consent given for the processing of personal data – You have the right to withdraw the consent given to us for the processing of personal data. Please note that the withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal.
- Right to erasure of personal data (“right to be forgotten”) – You have the right to request that we erase your personal data (e.g. if you withdraw your consent to the processing of personal data or if the personal data is no longer needed for the purpose for which it was collected). We have the right to refuse to delete personal data if the processing of personal data is necessary for the performance of our legal obligation, the exercise of the right to freedom of expression and information, the establishment, exercise or defence of legal claims or in the public interest.
- Right to restriction of processing – In certain cases, you have the right to prohibit or restrict the processing of your personal data for a certain period of time (e.g. if you have objected to the processing of personal data).
- Right to object – You have the right to object to the processing of your personal data if the processing of your personal data is carried out in the public interest.
What to do in case of a personal data breach?
Please notify us immediately of any personal data processing breach or threat of such a breach known to you at marenatugikeskus@gmail.com. We take the issue of personal data security seriously and will respond immediately to any potential breach.
General information
Please note that we may update the Privacy Policy from time to time.
More information about the principles of data protection and your rights can be found on the website of the Data Protection Inspectorate (www.aki.ee) and in Chapter 3 of the General Data Protection Regulation.
If you wish to exercise any of the rights related to the processing of personal data or you have a question about the processing of personal data, please send us an e-mail to: marenatugikeskus@gmail.com. We will respond within 15 working days at the latest, and if the answer requires the release of personal data, we will verify the identity of the applicant beforehand.
If you are not satisfied with our answer, you can always lodge a complaint with the city’s data protection officer, supervisory authority (www.aki.ee) or directly with the court.