PRIVACY POLICY

Balti Meediamonitooringu Grupp OÜ, reg. No. 10332235 (hereinafter referred to as the Company), registered office Hallivanamehe 4, Tallinn, Estonia, telephone +372 525 8236, email address: info@bmmg.ee.

Should you have any questions regarding the processing of your personal data, you can contact us through any of the options above.

In processing personal data, the Company complies with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the Regulation), the Personal Data Protection Law, other applicable laws and regulations that concern processing and protection of personal data, as well as other legal requirements in effect in the Republic of Latvia, and protects personal data using the latest technical and organizational means.

The Company may process your personal data on paper or electronically, by telephone, or verbally in person. The processing of personal data may be carried out by an employee of the Company or by one of the Company’s processors (another company) with whom the Company has a contract. When processing personal data, the Company may act both as a controller and a processor.

The given Privacy Policy explains how the Company processes data of natural persons (customers, business partners, business partners’ representatives/contacts and other persons whose data may come into the Company’s possession in the course of its business activities), the procedure for exercising the data subject’s rights, and issues concerning protection of personal data. The Company’s Privacy Policy applies to processing of all kinds personal data by the Company.

We are aware that personal data is your value and we will process them in accordance with the requirements of confidentiality and ensure security of your personal data in our possession.

1. Principles for processing personal data

The Company processes personal data in accordance with the following data processing principles:

• Lawfulness, fairness and transparency – personal data are processed lawfully and fairly and in a transparent manner in relation to the data subject.
• Purpose limitation – personal data are collected for specified, explicit and legitimate purposes and only in accordance with such purposes, and not further processed in a manner that is incompatible with those purposes. Therefore the Company does not collect personal data and does not store them for unspecified future purposes, the need for which has not been assessed and approved by laws and regulations or internal regulations of the Company (decisions, orders, etc.).
• Data minimization – personal data are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. In implementing this principle, the Company does not request more information from the data subject and does not process more information than is necessary to achieve the relevant purpose.
• Accuracy – personal data are accurate and, where necessary, kept up to date. If an employee has any doubts about the validity or accuracy of information provided by the data subject, the employee contacts the data subject to clarify the relevant information. Each data subject has the responsibility to notify the Company if any information (e.g. name, telephone number, email, etc.) has changed.
• Storage limitation – personal data are not stored for longer than is necessary for the purposes for which the personal data are processed.
• Integrity and confidentiality – personal data are processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss or destruction of the data.
• Accountability - the controller and its authorized representatives can definitely prove compliance with and fulfilment of the requirements of the Regulation.

2. Processing of personal data and purposes

The purposes of the processing of personal data by the Company are related to the Company’s business functions. The Company processes personal data for the following purposes:

• Preparation, conclusion, performance and administration of a contract: for this purpose the Company needs to identify the customer, ensure the appropriate calculation of payments and ensure the payment procedure, contact the customer on matters related to the provision of the service and/or performance of the contract, including for sending invoices.
• Staff recruitment and management.
• To ensure efficient business management.
• For handling and processing of appeals.
• For providing information to public administration authorities and bodies performing operational activities in the cases and to the extent specified in external regulatory enactments.
• For establishing and maintaining the Company's internal procedures, for ensuring circulation of documents and other internal procedures (such as archiving of contracts and other documents) to the extent necessary for this purpose.

The Company processes personal data only when there is a lawful basis to do so:

• The Company processes personal data for the provision of the service in order to comply with legal obligations to which the Company is subject, to conclude contracts, monitor their implementation, fulfil the terms of contracts concluded by identifying the data subject prior to entering into a contract. The Company processes personal data for the provision of the service in order to ensure appropriate calculation of payments, to communicate with the customer on matters concerning provision of the service and/or performance of the contract (pursuant to points (b), (c) and (f) of the first paragraph of Article 6 of the Regulation).
• The Company processes personal data in order to comply with its obligations under the applicable laws and regulations, such as laws and regulations on accounting, Archives Law and others, and to respond to requests from public and law enforcement authorities in the manner and to the extent required by law. The Company processes personal data in order to process, store and keep records of incoming and outgoing correspondence (mail, emails) (point (c) of the first paragraph of Article 6 of the Regulation).
• The Company processes personal data for the purpose of the Company’s legitimate interests, such as the conduct of its business, quality of its customer service, to review possible customer complaints and claims, to ensure protection of the property of the Company and its customers, to apply to public administration and law enforcement authorities and courts for the protection of its legitimate interests (to provide evidence) (pursuant to point (f) of the first paragraph of Article 6 of the Regulation).
• The Company processes personal data of employees on the basis of points (b) and (c) of the first paragraph of Article 6 of the Regulation.

3. Personal data processed by the Company

The Company may process the following categories of personal data in the course of its business and during the provision of services:

• Identification data of the data subject – name, surname, personal number, date of birth, passport number/ID number, signature, position, scope of authorization.
• Contact details of the data subject – address, telephone number, email address.
• Information about persons who have applied for a position at the Company, including their education, work experience, current employment, positions held, professional activity, birth data, special categories of data and other data identifying the person.
• Professional (employment) data, such as information on education, work experience, current employment, positions, professional activity.
• Contact data of a cooperation partner – contact person indicated by the cooperation partner to be contacted: name, surname, telephone number, email address, position, scope of authorization.
• Contract details – contract numbers, dates of signature, contracting parties, contact details, signatures.
• Service (goods) purchase data – name of the service, date of purchase, delivery note number, invoice number, method of receiving the service, price, method of payment, check details, address where the service is provided, and others.
• Billing data – current account number, bank account number, invoice number, date, amount, method of invoicing, date of payment, amount owed, debt recovery information.
• Information on visits to the Company’s website (cookies).
• Other data that may be processed as part of the provision of a certain process.

4. Personal data storage period    

The Company keeps personal data in accordance with the defined purposes of processing personal data and the requirements of laws and regulations for as long as at least one of the following criteria applies:

• The Company can exercise its legitimate interests (e.g. file an objection or to bring legal action) in accordance with the procedure laid down in external laws and regulations.
• The Company is under a legal obligation to store the data.
• The data subject’s consent to the processing of personal data is valid, unless there is another lawful basis for processing the data.

Below is a list of the most common personal data storage periods:

• Personal data necessary for the performance of a contractual obligation – the Company keeps such data until the contract is performed and until other data storage periods are over (see below).
• The Company stores personal data required to be kept in order to comply with legal requirements for the periods specified in the relevant laws and regulations, e.g. the Accounting Law stipulates that source documents must be stored until the date they are necessary to determine the beginning of each economic transaction and trace its course, but not less than 5 years.
• The Company keeps data to prove the fulfilment of its obligations for the general limitation period and in accordance with the following limitation periods for claims: 10 years in accordance with the Civil Law, 3 years in accordance with the Commercial Law, and other periods, taking also into account the time periods for bringing an action in accordance with the Civil Procedure Law.

If personal data are no longer necessary for the purposes specified, the Company deletes or destroys them.

5. Recipients of personal data

The Company takes appropriate measures to process personal data in accordance with applicable law and to ensure that personal data are not accessed by third parties who do not have an appropriate legal basis for processing these specific personal data.

Personal data, if necessary, may be accessed by the following:

• Employees of the Company or persons directly authorized by the Company who need to do so for the performance of their duties.
• In order to comply with its obligations under the applicable laws and regulations, the Company may transfer the data to state and local authorities in the cases provided for by law (e.g. law enforcement authorities, tax administration, a court, a bailiff).
• For the provision of certain services, the Company may transfer personal data to business partners – processors in accordance with services they provide and only to the extent necessary, which carry out the necessary data processing on behalf of the Company, such as auditors, technical database maintenance entities and other persons related to the provision of services to the Company.
• Third parties, subject to a careful assessment of whether there is an appropriate legal basis for the transfer of data in question.

The Company does not transfer personal data to third countries (countries that are not member states of the European Union and the European Economic Area).

6. Choice of cooperation partners for processing of personal data or choice of personal data processors

The Company takes appropriate measures to ensure the processing, protection and transfer of personal data to data processors in accordance with applicable law. The Company carefully selects personal data processors and, when transferring data, assesses the necessity and the amount of data to be transferred. The transfer of data to processors is carried out in compliance with the requirements of confidentiality and secure processing of personal data.

7. Access to personal data and other rights of the data subject

In order to obtain information about a data subject’s personal data that the Company processes, the data subject must submit an application:

• By electronic mail with a secure electronic signature, by sending the email to the following email address: info@bmmg.ee.
• By sending a letter by mail to the registered office of the Company.

The data subject has the right to access his/her data (to submit an application to the Company) to request restriction of the processing of personal data, erasure of personal data, portability of personal data, to object to the processing of personal data or to request rectification of personal data, as well as other rights arising from the provisions of the Regulation.

The Company communicates with data subjects using the contact details (telephone number, email address, address) provided by the data subject. The Company ensures data processing and security in accordance with the requirements of the regulatory enactments; in case of objections from the data subject, the Company takes prompt action to find a solution to the situation. However, if a data subject considers that the data subject’s right to the protection of personal data has been violated, the data subject has a right to lodge a complaint with the supervisory authority – the Data State Inspectorate.

Upon receipt of a written request from the data subject, the Company:

• Verifies the identity of the data subject
• Examines the request
• Executes it in accordance with the applicable laws and regulations

If the Company needs additional information to identify the data subject requesting information or to comply with the request, the Company may request additional information in order to be able to correctly comply with the request and to select the information requested (e.g. to specify a reference to specific documents and dates).

The Company does not use customers’ data for automated decision-making.

8. Right to withdraw consent

If processing of personal data has been initiated and is carried out in accordance with the data subject’s consent, the data subject has the right to withdraw it, either in person or in writing, by submitting an application to the Company’s registered office at Hallivanamehe 4, Tallinn, Estonia (upon presentation of an identity document) or by electronic mail with secure electronic signature, sent electronically to email address: info@bmmg.ee. Withdrawal of consent shall not affect processing of data carried out at the time when the data subject’s consent was valid.

Withdrawal of consent may not interrupt processing of data carried out by the Company on the basis of other legal grounds.

9. Changes to the Privacy Policy

The Company shall have the right to alter the given Terms. The current version of the Terms is available on the Company’s website: www.bmmg.ee.