Who is this privacy policy for?
Udrop EE OÜ, company code 16567708, registered office address Estonia pst 9, 10143 Tallinn (hereinafter referred to as the “Company“, the “Data Controller” or “We“) are concerned about your privacy and the protection of your personal data, and therefore we process your personal data in accordance with the General Data Protection Regulation of the European Parliament and of the Council (Regulation (EU) 2016/679) and the Law on Legal Protection of Personal Data, as well as with the other legal acts regulating the protection of personal data. Therefore, in order to ensure fair and transparent information about the processing of your personal data, we are publishing this privacy policy (hereinafter referred to as the “Policy”).
In this Policy, we describe which of your personal data we collect and for what purposes we process it when you use our services, browse our websites or otherwise. This Policy also contains important information about the protection of your personal data, the rights you have and how to exercise them. Therefore, please take the time to review this Policy and if you have any questions, please do not hesitate to contact us using the contact details provided below. Please note that we reserve the right to change this Policy in the future. You will be further informed of any changes to this Privacy Policy, but we encourage you to review this Privacy Policy periodically.
What is personal data and how is it processed?
Personal data – means any information relating directly or indirectly to you where your identity is known or can be established, directly or indirectly, by reference to relevant data (such as name, surname, telephone number, email address, etc.).
Processing of personal data means any operation performed on personal data (including collection, recording, storage, editing, alteration, access, retrieval, transmission, archiving, etc.).
The Company, when processing your personal data, adheres to the following principles of personal data processing:
- Your personal data shall be processed only to the extent necessary to achieve the relevant clearly defined and legitimate purposes, taking into account the protection of your privacy;
- Your personal data shall be processed accurately, fairly and lawfully and shall be processed only for purposes that are consistent with the purposes specified before your personal data were collected;
- Your personal data is processed in strict compliance with the clear and transparent requirements for the processing of personal data set out in the legislation;
- Your personal data shall be processed only in a form which permits identification of you for no longer than is necessary for the purposes for which the personal data is processed;
- The processing of your personal data is subject to appropriate technical and organisational measures to ensure the security of your personal data, including protection against unauthorised processing and against accidental loss, destruction and damage.
How do we take care of the security of your personal data?
In processing your personal data, we apply appropriate organisational and technical personal data security measures to protect your personal data against accidental or unlawful disclosure, destruction, alteration or other unauthorised acts. These measures are chosen taking into account the risks to your rights and freedoms as a data subject.
In this case, we ensure strict access control to the personal data we process, so we only grant access to those employees who need your personal data to carry out their job functions, and we monitor the use of granted access. Access to personal data is secured by the use of passwords at the appropriate level and by confidentiality agreements with those who have access to your personal data.
Please note that all employees of the Company who have access to your personal data are aware of the requirements for the protection of personal data and are obliged to ensure the confidentiality of processed personal data.
For what purposes and what personal data do we process?
The Company processes your personal data for the following purposes:
- Parcel machine (delivery/collection/holding/return) service;
- The Company processes the following personal data:
Customer (sender, recipient): name, surname, phone number, email address, payment details. Also the address of the pick-up point (i.e. Parcel machine) and/or other technical details (such as time and date of insertion, pick-up, etc.).
- The Company shall process and/or store this data:
Data on the use of parcel machine services is actively managed for 1 year from the date of collection. It is then transferred to the archives and kept for 5 years.
- The Company processes this data on the basis of the following conditions of lawfulness of processing:
Article 6(1)(b) of the Regulation, i.e. the processing is necessary for the performance of a contract to which the data subject is a party (i.e. the sender or the recipient), or for the purpose of taking action at the request of the data subject prior to the conclusion of the contract.
- Video surveillance of parcel machines (to ensure the security of the Company’s and/or individuals’ property).
- The Company processes the following personal data:
Video data (including images of individuals, actions taken, etc.) of data subjects (customers, etc.) who have come under video-camera (CCTV) surveillance, technical data (such as date, time, etc.) of recordings.
- The Company shall process and/or store this data:
Video recordings shall be kept for a maximum of 6 months from the date of their recording. If warranted (e.g. there is an incident recorded and/or damage caused to the Company or third parties), video recordings may be kept for a longer period of time.
- The Company processes this data on the basis of the following conditions of lawfulness of processing:
Article 6(1)(f) of the Regulation, i.e. The Company’s legitimate interest in ensuring the security of the Company’s and/or individuals’ property (e.g. parcel machine infrastructure, parcels, etc.), public order, etc.
- Direct marketing (including sending surveys);
- The Company processes the following personal data:
Email address, phone number
- The Company shall process and/or store this data:
The data will be processed until the date of withdrawal of consent, but no longer than 1 year from the date of consent and/or the last order for goods and/or services.
- The Company processes this data on the basis of the following conditions of lawfulness of processing:
Article 6(1)(f) of the Regulation, i.e. for the purposes of the legitimate interests of the Company (to offer or ask for an opinion on its goods and/or services in accordance with the Law of the Republic of Estonia on electronic communications).
- Recording telephone conversations (to ensure quality of advice and service);
- The Company processes the following personal data:
People calling support telephone hotline (customers, etc.): Call records (including content), caller’s phone number, technical details of the recordings (such as date, time, etc.).
- The Company shall process and/or store this data:
Audio recordings shall be kept for a maximum of 6 months from the date on which their conversation ends. If warranted (e.g. a recorded incident, etc.), call recordings may be kept for longer periods.
- The Company processes this data on the basis of the following conditions of lawfulness of processing:
Article 6(1)(a) of the Regulation, i.e. the caller’s consent to participate in the call, which is recorded.
- Representation of the company on social networks (e.g. Facebook, Instagram, LinkedIN, account management), communication in public space and other e-channels.
- The Company processes the following personal data:
Personal data of social network users on accounts managed by the Company: name; information about the communication on the account (“like”, “follow”, “comment”, “share”, etc.); photos (profile and/or with the Company’s name on them); the message sent; information about the message (time of receipt of the message, content of the message, attachments to the message, correspondence history or others.); information about participation in events and/or games organised by the Company (participation, non-participation, interest, fulfilment of the game rules, etc.); information about the evaluation of the Company (rating score, feedback, etc.).
- The Company shall process and/or store this data:
The data shall be stored on the platforms of the aforementioned social networks for no longer than the validity of the data subject’s consent (i.e. until the erasure/deletion of the personal data provided from the account and/or platform); or for the storage period set by the social network manager.
- The Company processes this data on the basis of the following conditions of lawfulness of processing:
Article 6(1)(a) of the Regulation, i.e. with the data subject’s consent when the data subject communicates with Us using social networks and/or visits accounts managed by Us.
Please note that personal data provided in social networks is processed jointly with the social network operator (i.e. Facebook, LinkedIn, Instagram platforms), we therefore suggest that you consult the privacy policy of the social network operator to learn more about the processing of personal data on social networks.
- Recruitment (searching for staff and employment).
- The Company processes the following personal data:
The candidate’s name, education, qualifications, work experience, financial expectations, favourite activities and any other information given in the CV, cover letter and/or other information provided by the candidate.
- The Company shall process and/or store this data:
Personal data is stored for 1 year from the moment the data is received or from the time the candidate attends the job interview.
- The Company processes this data on the basis of the following conditions of lawfulness of processing:
Article 6(1)(a) of the Regulation, i.e. the candidate’s consent (participation in the selection and/or additional consent to future use of the data).
Who can your personal data be provided to?
For the purposes set out above, the Company may transfer the processing of your personal data to third parties who assist us in the administration of the websites and the storage of the data contained therein. Also to suppliers of parcel machine maintenance and servicing, customer advisory services or other service providers (acting as Data Processors).
It may also be transferred to competent government and/or law enforcement authorities (such as courts, police or other supervisory authorities); legal service providers; insurance companies and/or others. However, your data will only be provided if required to do so by applicable law and only in accordance with the procedures set out in the law, in order to safeguard Our rights, the safety of our customers, our employees and our resources, and to assert, submit and/or defend legal claims.
We note that your personal data is only provided to third parties that ensure appropriate conditions for the processing and protection of personal data. Your personal data is not transferred to third countries (i.e. outside the European Union or the European Economic Area) or international organisations.
What rights do you have and how can you exercise them?
Data subjects whose personal data we process have the right to:
- request access to and a copy of your personal data;
- request the rectification or restriction of inaccurate or incomplete personal data;
- request the erasure or restriction of excessive or unlawfully processed personal data;
- object to the processing of his/her personal data;
- request the transfer of your personal data in a structured, computer-readable format;
- withdraw your consent at any time where processing is based on the data subject’s consent (under Article 6(1)(a)). Withdrawal of the data subject’s consent shall not affect the lawfulness of the processing prior to the withdrawal of consent;
- lodge a complaint with the State Data Protection Inspectorate (info@aki.ee)
The Company does not use only automated processing, including profiling, to make decisions based on the processing of data that could lead to legal consequences for you or similarly affect you in a significant way.
Data subjects may exercise their rights by submitting a written request to the Company by means of electronic communications – by e-mail: info@udrop.ee, in writing – to the address Estonia pst 9, 10143 Tallinn.
The data subject must verify his or her identity in one of the following ways at the time of the request:
- by post or courier, enclosing a copy of a valid identity document, certified in accordance with the procedure laid down by law;
- by submitting the request electronically, authenticated by electronic means of communication that allow proper identification of the person (e.g. mobile signature, qualified electronic signature, etc.).
We will respond to your request regarding the exercise of data subjects’ rights as soon as possible, but no later than 1 month from the date of your request. This period may be extended by a further two months if necessary, depending on the complexity and number of requests. You will be notified of such an extension in the first month. The information you request will be provided free of charge. However, if we see that your requests are manifestly unfounded or disproportionate, in particular because of their repetitive content, we have the right to charge a reasonable fee (i.e. to request reimbursement of administrative costs) or to refuse to act on such a request from the data subject.
The answer will be provided in the way you choose in your request. If you do not specify in your request the method by which you want to receive a reply, the reply will be sent to you in the same way as the request was made.
Do you have further questions?
For any questions you may have regarding the services provided by the Company and/or this Policy, please contact us by e-mail: info@udrop.ee or by post: at Estonia pst 9, 10143 Tallinn.