1.1. Personal data - means any information about an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identification feature such as name, social security code, location information, network identifier or on the basis of one or more physical, physiological, genetic, mental, economic, cultural or social characteristics of that natural person;
1.2. Processing of personal data - an automated or non-automated operation or a set of operations performed with personal data or their collections, such as collection, documentation, arrangement, structuring, storage, adaptation and modification, querying, reading, use, disclosure by transmission, distribution or otherwise making available, reconciliation or combining, limiting, erasing or destroying;
1.3. Controller - a natural or legal person who is the primary collector of personal data, or DTL;
1.4. Authorized processor - a natural or legal person who processes personal data on behalf of the responsible processor and on the basis of his instructions;
1.5. Third party - natural or legal person, agency or body;
1.6. Violation related to personal data - violation of requirements that causes accidental or illegal destruction, loss, alteration or unauthorized disclosure of or access to personal data transmitted, stored or otherwise processed;
1.7. Data subject - a person whose personal data is processed (for example, a natural person customer, website user or customer contact person).
2.1. DTL is based on the following principles when processing personal data:
2.1.1. the principle of legality, fairness and transparency - processing is legal, fair and transparent to the data subject;
2.1.2. principle of purpose limitation - personal data is collected for precisely and clearly defined and legitimate purposes and is not processed later in a way that contradicts these purposes;
2.1.3. the principle of collecting as little data as possible - personal data is relevant, important and limited to what is necessary for the purpose of their processing;
2.1.4. principle of correctness - personal data is correct and, if necessary, updated, and that all reasonable measures are taken to delete or correct personal data that is incorrect from the point of view of the purpose of processing without delay;
2.1.5. the principle of storage limitation - personal data is stored in a form that allows data subjects to be identified only as long as it is necessary to fulfill the purpose for which personal data is processed;
2.1.6. principle of reliability and confidentiality - personal data is processed in a way that ensures appropriate security of personal data, including protection against unauthorized or illegal processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
3. Security of personal data processing
3.1. DTL implements various organizational, physical and information technology security measures for the protection of personal data based on the principle of reasonableness, which takes into account the size of the risk when implementing the measures.
3.2. DTL has established guidelines and procedural rules to ensure the security of personal data processing, which measures include the protection of information, IT infrastructure, internal and public networks of the company, as well as office buildings and technical equipment, and implements appropriate administrative security measures.
3.3. DTL ensures that persons who come into contact with personal data have undergone appropriate training and received instructions for the secure processing of personal data.
3.4. DTL may in certain cases use authorized processors to process personal data. DTL ensures that authorized processors process personal data in accordance with our instructions and in accordance with applicable law and implement appropriate security measures.
4. Legal basis for personal data processing
4.1. DTL processes personal data to fulfill and ensure fulfillment of the contract concluded with the customer, to fulfill an obligation arising from the law, in case of legitimate interest or on the basis of the data subject's consent.
4.2. The processing of personal data carried out in order to fulfill the obligations arising from the law takes place in the case that DTL is obliged to process personal data because the company is required to do so by the applicable law, for example the Employment Contract Act, the Law on Prevention of Money Laundering and Terrorist Financing, the Accounting Act, the Consumer Protection Act, etc.
4.3. Legitimate interest as a legal basis for processing personal data means that, primarily for the purpose of providing a higher quality service and promoting business, we process the data subject's personal data, keeping in mind the data subject's fundamental rights and freedoms. When processing personal data on the basis of a legitimate interest, we ensure proportionality between the legitimate interest of DTL and the rights of the data subject.
4.4. When processing personal data on the basis of consent, we process personal data only with the informed consent of the data subject within the scope of specific purposes. The data subject consents to the processing of personal data for the stated purposes voluntarily, specifically, knowingly and unequivocally by agreeing to the privacy conditions when placing an order in the online store or creating a user account.
5. Types of personal data
5.1. Personal data: first and last name;
5.2. contact details: e-mail address, contact phone number, postal address (residential address);
5.3. indirectly obtained personal data that we process in addition to personal and contact data: bank account number; online identifier (username and password in the online store);
5.4. internet data: usage session data, cookies, website log data and IP addresses.
6. Purposes of personal data processing
6.1.1. performing commercial activities based on the Consumer Protection Act, the Accounting Act and other legislation;
6.1.2. processing of purchase and sales invoices;
6.1.3. fulfillment of the requirements arising from the current legislation.
7. Storage of personal data
7.1. Customer data is not processed longer than necessary. The retention period may be based on contracts with the customer, DTL's legitimate interest or applicable law. Data storage is based on the following:
7.1.1. accounting documents must be kept for 7 years based on the Accounting Act;
7.1.2. data collected on the basis of the Act on the Prevention of Money Laundering and Terrorist Financing is stored for 5 years after the end of the business relationship.
7.2. DTL securely destroys and/or deletes all personal data for which there is no purpose for retention or the retention period has expired.
8. Third parties and authorized processors
8.1. DTL may transfer personal data, limited to strictly necessary purposes, to third parties and authorized processors for the following purposes:
8.1.1. to carry out purchase and sale transactions in the online store;
126.96.36.199 Personal data is processed by Maksekeskus AS as an authorized processor when performing purchase and sale transactions. Data communication between the Buyer and the card payment center is encrypted, which ensures the security of the Buyer's personal data and bank details. The entrepreneur does not have access to the Buyer's confidential bank and payment card details.
8.1.2. to maintain the customer's database;
8.1.3. cooperation partners to provide better service to customers;
8.1.4. postal service providers, in order to deliver the ordered goods to the customer;
8.1.5. advertising and marketing service providers, including social media service providers, to whom we transmit only the data that is necessary to inform the customer about new products and campaigns and to analyze customer behavior in the e-store;
8.1.6. Companies providing information technology support in order to ensure the operation and development of the DTL online store and other used IT solutions.
8.2. Despite the access restriction, DTL issues relevant personal data in the event of a right arising from direct law (e.g. pre-trial proceedings, court, supervisory authority, etc.).
9. Rights of the data subject
9.1. The data subject has the right to receive information about the processing of his personal data. In this case, please send a written statement or an e-mail with your request either to the legal address Masti 17, 11911 Tallinn and/or to e-mail email@example.com;
9.1.1. When a person submits a request for personal data, DTL must make sure that it is the person who has the right to receive the corresponding data. Therefore, if necessary, the data requester must prove his identity or the right to request data;
9.2. The data subject has the right to request the deletion of his customer data, for example if it is processed with the customer's consent and if the customer has withdrawn the consent. Such a right does not apply if the customer data, which is requested to be deleted, is also processed on other legal grounds, for example for the performance of a contract;
9.3. The data subject has the right to request the correction of his personal data if they are insufficient, incomplete or incorrect;
9.4. The data subject has the right to make inquiries about the personal data concerning him/her that he/she has submitted to DTL;
9.5. The data subject has the right to limit the processing of personal data, for example during the time when DTL assesses whether the customer has a legal basis to request the deletion of his personal data;
9.6. The data subject has the right to receive self-provided customer data that is processed on the basis of consent or to fulfill a contract, in writing or in a commonly used electronic format, and, if technically possible, to transfer this data to another service provider (data portability). DTL does not have technical solutions for issuing personal data in machine-readable form or transferring it to another responsible employee.
9.7. The data subject has the right to withdraw his consent to the processing of personal data;
9.8. The data subject has the right to submit complaints about the use of personal data to the Data Protection Inspectorate (website: www.aki.ee) if the customer considers that the processing of his personal data violates his rights and interests based on the applicable law.