Privacy policy
PRIVACY POLICY AND PROCESSING OF PERSONAL DATA
Data Controller
NabuMinds OÜ, Estonian registry code 14690847, address Valukoja tn 8/2, 11415 Tallinn, Estonia
Definitions
The data controller is a natural or legal person, public authority, agency or other body which determines the purposes and means of the processing of personal data.
The processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Personal data means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, personal identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing of personal data means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A cookie is a small text file that a website stores on your computer or smart device when you visit our website. It allows storing information about your preferences so that you do not have to make selections again when revisiting the site or browsing pages.
Whose personal data does this privacy policy cover?
We describe here how we process your personal data when you:
- Apply for a job with us
- Contact us
- Are our customer (private individual)
- Are a representative or contact person of our client, partner or service provider
- Visit our website
- Are present in our buildings or on our premises
What personal data do we collect and use, and for what purposes?
(1) You apply for a job with us
If you apply for a vacancy, Nabuminds OÜ collects and processes the following data:
- Name
- Contact details (email address, phone number)
- Content of the application
- Data contained in submitted application documents describing your suitability (education, qualifications, previous experience, skills, characteristics), including information received from references
We primarily collect personal data that you have provided in your application or CV. For additional data, we may contact references you have indicated. In such case, we assume you have obtained consent from the reference to share their contact details.
We use personal data such as name and contact details to identify you, contact you, and prepare a contract if necessary. We also use personal data to assess your suitability, manage the recruitment process, gather additional information, and inform you of our decisions. If you have expressed interest, we may also use your data to inform you of future job opportunities.
The legal basis is the necessity to take steps prior to entering into a contract (GDPR Art 6(1)(b)) or our legitimate interest in recruiting and managing candidates (GDPR Art 6(1)(f)). With your consent, we may notify you of future vacancies (GDPR Art 6(1)(a)).
(2) You contact us
In case you contact us to request an offer or ask questions, we collect:
- Name
- Contact details (email, phone)
- Content of the inquiry and subsequent communication
We use this data to identify you, contact you, and respond to your inquiry, including making an offer.
The legal basis is the necessity to take steps at your request before entering into a contract (GDPR Art 6(1)(b)) or our legitimate interest in responding to your inquiry (GDPR Art 6(1)(f)).
Inquiries can be submitted via a contact form or by email at contact@nabu.ee. When preparing an offer, we may also query the Creditinfo register.
(3) You are our customer (private individual)
In case you are our client, we collect and process:
- Name
- Personal identification code or date of birth
- Contact details (email, phone)
- Contract data
- Payment data
- Communication data
We use this data to identify you, contact you, perform the contract, and manage the contractual relationship.
The legal basis is contract performance (GDPR Art 6(1)(b)), legitimate interest (GDPR Art 6(1)(f)), legal obligations such as accounting (GDPR Art 6(1)(c)), and protection of our rights (GDPR Art 6(1)(f)).
(4) You are a representative/contact person of a client or partner
In case, you are a representative/contact person of a client or partner, we collect:
- Name
- Work contact details (email, phone)
- Job position
- Representation authority data
- Communication data
We use personal data for the purpose of concluding, performing and managing a contract to be entered into or already entered into with the company related to you, and for cooperating with that company.
The legal basis for such processing of personal data is the necessity to conclude, perform and manage contracts related to the company or to cooperate with the company (GDPR Art 6(1)(f)). We may also use personal data in order to fulfil our accounting and tax-related legal obligations (GDPR Art 6(1)(c)) or to protect our rights (GDPR Art 6(1)(f)).
(5) You visit our website
We use cookies (session, persistent, third-party such as Google Analytics, Facebook) to:
- Identify new and returning users
- Remember preferences (language, contrast, font size)
- Store cookie consent choices
- Collect usage statistics to improve the website
Cookies are not strictly necessary but improve user experience. You may delete/block them, but some functions may not work properly.
Please note that some cookies originate from third-party service providers who perform certain of these functions on our behalf.
More details are available in the cookie panel on the website.
(6) You are on our premises
We use surveillance cameras (with signage) to ensure safety and protect property and rights (GDPR Art 6(1)(f)).
Cameras record video only.
How long do we retain personal data?
We retain personal data for as long as it is necessary to fulfil the purpose for which we have collected it.
We retain applicants’ personal data for as long as it is necessary to make a decision regarding the candidate and to notify them of such decision, and for the protection of our rights for one year after notifying the candidate of the decision (in the case of a successful candidate, personal data is retained further in accordance with the rules for the retention of employees’ personal data). If the candidate has expressed a wish to be informed about future job openings, we may use the data for this purpose for up to one year.
We retain data related to inquiries until we have responded to the inquiry and achieved the purpose set out in the inquiry. We retain data related to customers for as long as it is necessary for the performance of the contract and the management of the contractual relationship, as well as for the protection of our rights (generally for 3 years after the end of the contractual relationship), and for compliance with legal obligations (accounting and tax obligations require certain data to be retained for 7 years after the end of the relevant financial year).
If you have submitted a request to exercise your rights as a data subject, we will also process and retain your personal data for the purpose of responding to the request and taking the measures requested therein. Responding to such requests constitutes our legal obligation.
With whom do we share personal data?
We may make your personal data available to companies that provide services supporting our business activities, such as IT service providers or website analytics providers. These companies are authorised to use personal data only for the purpose of providing services to us.
In addition, we may need to share your personal data with service providers who process personal data as independent controllers. Such third parties include, for example, our legal service providers and auditors.
We may also need to grant access to your personal data where this is relevant in connection with the restructuring, merger, acquisition, sale or other transaction involving Nabuminds OÜ, or in connection with the assignment of claims, based on our legitimate business interests.
We share your personal data with third parties only in the manner described in this privacy policy. We do not sell your personal data to third parties.
When selecting service providers, we ensure that the service provider is located within the European Economic Area, meaning that your personal data is not transferred outside the European Economic Area.
What rights do you have regarding your personal data?
If you have questions regarding the processing of your personal data or wish to exercise your rights, please contact us at contact@nabu.ee.
Where we process your personal data on the basis of legitimate interest, we have carried out a proper balancing test of competing interests and have assessed whether our interest in processing personal data outweighs your interests and the rights and freedoms for which personal data is protected. You always have the right to object to such processing as described below. If you would like more information about processing based on legitimate interest, please let us know.
When personal data is processed on the basis of consent, you always have the right to withdraw your consent. Withdrawal of consent does not affect the lawfulness of processing carried out on the basis of consent before its withdrawal.
Your rights regarding your personal data are not absolute; therefore, we may not always be obliged or able to take the requested measures based on your request. In addition to the above, you have the right to:
- Request access to your personal data.
You may ask us to provide all personal data that we process about you. For this purpose, please clarify whether you wish to receive confirmation of what personal data we hold about you and/or a copy of your personal data.
- Request rectification of your personal data.
Exercising the right to rectification assumes that your personal data is inaccurate or incomplete. If this is the case, we will correct and/or supplement your personal data. Please specify in your request which personal data requires correction.
- Request erasure of your personal data.
You may request erasure where (i) we no longer need the personal data for the purpose for which it was collected; (ii) you withdraw your consent and there is no other legal basis for processing; (iii) you object to processing and we have no overriding legitimate grounds; (iv) we have processed your personal data unlawfully; (v) erasure is required to comply with a legal obligation.
However, if despite the above we need to continue processing personal data to comply with a legal obligation or to protect our rights, we may not be able to erase the data. In such cases, we will explain why erasure is not possible.
- Request restriction of processing of your personal data.
This applies where (i) you have contested the accuracy of your personal data and we are verifying it; (ii) processing is unlawful but you oppose erasure and request restriction instead; (iii) we no longer need the data but you require it for legal claims; (iv) you have objected to processing and we are verifying whether our legitimate grounds override yours.
Even where processing is restricted, we may process data if (i) you have given consent; (ii) it is necessary for legal claims; (iii) it is necessary to protect the rights of another natural or legal person; or (iv) it is required for important public interest.
- Request data portability.
You may request your personal data in a structured, commonly used, and machine-readable format and transmit it to another controller (or request us to transmit it), where processing is based on consent or a contract and carried out by automated means.
- Object to the processing of personal data.
You have the right to object where processing is based on our or a third party’s legitimate interest. Upon objection, we will not continue processing unless we demonstrate compelling legitimate grounds overriding your interests, rights, and freedoms, or for legal claims.
We will respond to your request within one month, unless circumstances require more time. In any case, we will inform you within one month.
In addition, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate if you believe that the processing of your personal data has not complied with applicable data protection laws and your rights have been violated (address: Tatari 39, 10134 Tallinn, phone +372 627 4135, email: info@aki.ee). If your habitual residence, place of work, or place of the infringement is in another Member State, you also have the right to lodge a complaint with the supervisory authority of that country.