Privacy And Data Protection Policy
This Privacy and Data Protection Policy (hereinafter the Policy) defines the regulation of the relationship between FORDEWIND ESTLAND OÜ, incorporated under the laws of the Republic of Estonia, located at Estonia, Tallinn, Kesklinna linnaosa, Tuukri tn 19-216, 10152 (hereinafter the Company) and YOU (hereinafter theData Subject) regarding the use of your personal data.
ALL DATA SUBJECTS ARE REQUIRED TO READ THIS POLICY TO UNDERSTAND HOW THE COMPANY COLLECTS AND PROCESSES PERSONAL DATA AND WHAT SECURITY MEASURES ARE BEING APPLIED.
While conducting its activities, the Company adheres all conditions and requirements stipulated by the current legislation of the Republic of Estonia, European legislation including but not limited to the General Data Protection Regulation as well as by other international legislative acts concerning data protection.
1. DEFINITIONS
‘Personal data’ means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
‘Special categories of personal data’ (sensitive data) means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
‘Data controller’ (controller) means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
‘Data processor’ (processor) means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
‘Data Subject’ means any living individual who is the subject of personal data are processed by the Company, including Visitors, Customers, Independent contractors, employees and other stakeholders.
‘Customer’ means legal person or individual who has concluded agreement for Services providing by the Company.
‘Independent contractor’ means business entity who may be engaged by the Company to perform the Services.
‘Visitor’ means the Data Subject who has entered the Website with any purpose.
‘Website’ means the website https://fordewind.io which is owned by the Company.
‘Services’ means software development services provided by the Company to the Customer under the agreement.
‘Processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
‘Profiling’ means any form of automated processing of personal data intended to evaluate certain personal aspects relating to a natural person, or to analyses or predict that person’s performance at work, economic situation, location, health, personal preferences, reliability, or behavior. This definition is linked to the right of the data subject to object to profiling and a right to be informed about the existence of profiling, of measures based on profiling and the envisaged effects of profiling on the individual.
‘Automated decision-making’ means an ability to make decisions by technological means without human involvement that produces legal effects concerning the Data Subject or similarly significantly affects the Data Subject.
‘Personal data breach’ means a breach of security leading to the accidental, or unlawful, destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
‘Consent’ means any freely given, specific, informed and unambiguous indication of the Data Subject’s wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data.
‘Data Protection Authority’ (DPA) means an independent public authority which is established by a Member State pursuant to the GDPR. In the contents of this Policy the DPA means an Estonian Data Protection Inspectorate that is located at the following address 19 Väike-Ameerika St., 10129 Tallinn, Estonia (website: http://www.aki.ee/).
2. STATEMENT
2.1. In collecting and using of the personal data, the Company is subject to a variety of the legislation controlling how such activities may be carried out and the safeguards that must be put in place to data protect.
2.2. This Policy applies to all Company’s employees, Independent contractors, Customers, Visitors, stakeholders and all other subjects that directly or indirectly participate in the personal data processing within Company’s activities.
2.3. This Policy sets out how the Company uses, processes and stores the Data Subjects’ personal information. The Company will obtain that information from Data Subject with his/her permission and consent. The Company may receive personal data to perform the contract to which the Data Subject is a party or to pursue legitimate interest of Data Subject’s employer in accordance with this Policy.The Data Subjects have a right to apply to the Company or to the DPA about his/her personal data breach if he/she becomes aware of it earlier than the Company.The Data Subjects have a right to apply to the Company or to the DPA about his/her personal data breach if he/she becomes aware of it earlier than the Company.
2.4. The Data Subjects have a right to apply to the Company or to the DPA about his/her personal data breach if he/she becomes aware of it earlier than the Company.
3. PRINCIPLES OF PROCESSING
3.1. During collecting and processing the personal data, the Company adheres the principles provided by the GDPR. The Company’s policies and procedures are designed to ensure compliance with the principles:
(a) Lawfulness, fairness and transparency
Lawfully – the controller identifies a lawful basis before to process the personal data (for example consent).
Fairly – in order to process fairly, the controller has to make certain information available to the data subjects as practicable. This applies whether the personal data was obtained directly from the data subjects or from other sources.
Transparently – any information and communication relating to the processing of the personal data be easily accessible and easy to understand, and that clear and plain language be used.
(b) Purpose limitation
The personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, not be considered to be incompatible with the initial purposes.
(c) Data minimization
The personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
(d) Accuracy
The personal data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay.
(e) Storage limitation
The personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed. Personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, if only are implemented appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of the data subject.
(f) Integrity and confidentiality
The personal data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures.
4. COLLECTED PERSONAL DATA AND PURPOSES OF PROCESSING
4.1. While conducting its activities, the Company collects the following personal data for determined purposes:
PERSONAL DATA | PURPOSES |
The Customers (or its employees) personal data | |
|
the Services providing; making conversation about contracts performance or other financial/legal issues; sending advertising materials concerning the Services. |
The Independent contractor (or its employees) personal data | |
|
making conversation about contracts performance or other financial/legal issues. |
4.2. The Company gets Visitors personal data from cookies. A cookie is a text string that the Platform transfers to the cookie file of the browser on Visitor’s computer. The Company uses cookies to personalise content and ads, to provide social media features and to analyse its traffic. You may find more information about cookies here. The Company uses the following cookies for determined purposes:
Name |
Domain |
Purpose |
__cfduid [x2] |
.jquery.com .cloudflare.com |
Used by the content network, Cloudflare, to identify trusted web traffic. |
__utma |
.jquery.com |
Keeps track of the number of times a visitor has been to the site pertaining to the cookie, when their first visit was, and when their last visit occurred. |
__utmz |
.jquery.com |
Keeps track of where the visitor came from, what search engine used, what link clicked on, what keyword used. |
_ga |
.fordewind.io |
Registers a unique ID that is used to generate statistical data on how the visitor uses the website. |
easy_cookies_policy_check |
.fordewind.io |
Informs users that the site uses cookies in compliance with European Cookie law. |
wordpress_[hash] |
fordewind.io |
Store authentication details. |
wordpress_logged_in_[hash] |
fordewind.io |
WordPress cookie for a logged in user. |
wordpress_test_cookie |
fordewind.io |
Tests whether or not the browser has cookies enabled |
wp-settings-[UID] |
fordewind.io |
Used to customize view of admin interface, and possibly also the main site interface |
wp-settings-time-[UID] |
fordewind.io |
Used to customize view of admin interface, and possibly also the main site interface |
4.3. The Company does not collect and/or process the sensitive data.
4.4. While processing personal data, the automatic decision-making and profiling is not applied by the Company.
4.5. The Company does not collect from Data Subjects more personal data than it is determined in this Policy. The Company also does not collect more personal data than it is needed for the purposes of processing specified herein.
4.6. While collecting and processing personal data, the Company acts as the controller thus, the corresponding range of controller rights and responsibilities arises.
5. THE LAWFULNESS OF PROCESSING
5.1. The Company processes Customer’s or Independent contractor’s employees personal data because it is necessary for the persuasion of the legitimate interests of the Company. Also the Company may process Customers employees personal data on the basis of the consent.
5.2. The Company processes Customers or Independent contractors personal data (if he/she is sole proprietor), because it is necessary for the performance of the contract to which the Customer or Independent contractor is party. Also the Company may process Customers or Independent contractors personal data on the basis of the consent.
5.3. The consent is considered to be provided to after Data Subject has signed the Consent Form. By giving the consent the Data Subject acknowledges and accepts all terms and conditions specified in the Consent Form as well as all conditions specified in the current Policy.
5.4. The Company shall be able to demonstrate that consent was obtained for the processing operation if it is required.
5.5. The Consent Form contains, including the precise information concerning the purposes of processing and the information on methods of processing as well as on the period for which such personal data are to be stored.
Visitors personal data are being collected while the appropriate Visitor is entering the Website. Herewith, the personal data are being collected, because such data processing necessary for the persuasion of the legitimate interests of the Company. Also the Company may process Visitors personal data on the basis of the Consent.
The Company shows to the Visitor the Cookie Notice, which contains, including the precise information concerning the purposes and types of the cookies as well as how prohibit they using. The Visitor may provide Company with consent by pressing “I accept” button in the Cookie Notice.
6. USER AGE
6.1. The Company collects the personal data on the basis of consent obtained from the Data Subjects who have reached the age of 18 years.
6.2. If you know that the Company processes data of person under 18 years old, please inform about this by writing to e-mail address: gdpr@fordewind.io.
7. WITHDRAWING OF CONSENT
7.1. The Data Subject is entitled to withdraw the consent at any time he/she wishes. The withdrawal of the consent is considered to be properly made after the Data Subject has sent appropriate form of withdrawal (available at the following link Data Subject Request & Complaints Form) to the next e-mail address: gdpr@fordewind.io.
7.2. The appropriate request for withdrawing of the consent shall be examined within 72 hours since a moment the respective form of withdrawal is received, and the adequate decision will be made by the Company.
8. THE PERIOD OF STORAGE
8.1. The Company processes and stores the personal data during the period that is needed for realization of the processing purposes, specified in this Policy.
8.2. Taking into account the purposes of processing, the period of storage of the personal data (period of storage) is:
PERSONAL DATA |
PERIOD OF STORAGE |
The Customers (or its employees) personal data |
|
− full name; − position; − telephone number; − email address |
no more than 10 years since the end of agreement with this Customer |
The Independent contractor (or its employees) personal data |
|
− full name; − position; − telephone number; − email address |
no more than 10 years since the end of agreement with this Independent contractor |
The Visitors personal data. |
|
__cfduid [x2] |
1 year |
__utma |
2 years |
__utmz |
6 months |
_ga |
2 years |
easy_cookies_policy_check |
session |
wordpress_[hash] |
session |
wordpress_logged_in_[hash] |
session |
wordpress_test_cookie |
session |
wp-settings-[UID] |
1 year |
wp-settings-time-[UID] |
1 year |
8.3. After an expiration of the period of storage, the Company is obliged to delete the personal data or ask the Data Subject to provide the Company with a new consent, if the necessity of processing remains actual for the Company or another purpose of processing appears.
8.4. The Company is entitled not to store more and delete the earlier collected Data Subject’s personal data of at any time if such personal data are not needed more. Herewith, the Company is obligated to notify the respective Data Subject that his/her personal data are deleted.
8.5. The Company may keep storing the personal data if a subsequent processing is foreseen by law and is deemed relevant for a purpose which is not compatible with the original purpose of processing stated in this Policy. Herewith, under the incompatible purposes means the purposes concerning archiving in the public interest, scientific, statistical or historical use.
9. PROCESSORS
9.1. While processing the Data Subjects personal data, the Company may engage processors which act only in accordance with the Company instructions and within appropriate contract concluded between them. In accordance with this Policy, the processors are Google Inc. (Google) and Agile CRM Inc.
9.2. While processing the Data Subjects’ personal data, the Company engages Google as a processor. Herewith, all Data Subjects’ personal data are transferred onto the Google’s servers for storage. While processing the Visitors personal data the Company uses Google Analytics.
9.3. While processing the Customers (or its employees) personal data, Company engages Agile CRM Inc.
9.4. The Company is responsible for the proper processing of the personal data under the GDPR. Herewith, each processor is responsible for the adherence of the GDPR as well as for other legislative actions concerning data protection while processing the Data Subjects personal data.
9.5. The processors are not entitled to define any additional purposes for the personal data processing.
10. DATA SUBJECTS RIGHTS
10.1. This Policy provide all Data Subjects with opportunity to realize any of the following rights:
right to access. The Data Subjects have a right to know whether their personal data are being processed and if so, access such data.
right to rectification. If the personal data are inaccurate, the respective Data Subject is entitled to ask the Company to correct them indeed.
right to erasure or right to be forgotten The Data Subjects have a right to obtain from the Company the erasure of the Data subjects’ personal data without undue delay and the Company has the obligation to erase such personal data without undue delay.
right to restriction of processing. The Data Subjects have a right to limit processing of their personal data with several exceptions under the scope of the GDPR.
right to be informed. The Company obliged to inform Data Subjects what data is being collected, how it’s being used, how long it will be kept and whether it will be shared with any third parties. This information must be communicated concisely and in plain language.
right to data portability. The Data Subjects are permitted to obtain and reuse their personal data for their own purposes across different services. This right only applies to personal data that Data Subject has provided to the Company by way of the consent.
right to object. The Data Subjects can object to the processing of personal data that are being processed by the Company. The Company must stop processing personal data unless the Company can demonstrate compelling legitimate grounds for the processing that overrides the interests, rights and freedoms of the individual or if the processing is for the establishment or exercise of defense of legal claims.
right not to be subject to a decision based solely on automated processing. The Data Subjects have a right to object to any automated profiling that is occurring without consent. Herewith, the Data Subjects have a right their personal data are to be processed with the human involvement.
10.2. To realize any of the rights mentioned above, the Data Subjec should complete the appropriate form at the following link: Data Subject Request & Complaints Form and send it to the email address: gdpr@fordewind.io.
10.3. These are the timescales within which the Data Subjects may realize its rights, stated above (the period starts from the moment the Company receives the request):
Data Subject Request |
Timescale |
The right to be informed |
When data is collected |
The right of access |
2 weeks |
The right to rectification |
2 weeks |
The right to erasure |
Without undue delay |
The right to restrict processing |
Without undue delay |
The right to data portability |
2 weeks |
The right to object |
On receipt of objection |
11. SECURITY
11.1. The Company is responsible for ensuring that any personal data that Company holds and for which they are responsible, is kept securely and is not under any conditions disclosed to any persons unless that persons has been specifically authorized by Company to receive that information and has entered into a confidentiality agreement.
11.2. All personal data should be accessible only to those who need to use it under internal documentation of the Company. The personal data shall be treated with the highest security and must be kept encrypted.
12. DATA BREACH NOTIFICATION
12.1. The Company takes all reasonable steps to minimize the risk of the personal data breach while processing the personal data.
12.2. In the case of a personal data breach, the Company shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the DPA, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of the Data Subjects.
12.3. The risk assessment the Company has to carry out will have determined whether the risk to the rights and freedoms of the data subjects affected is judged to be sufficiently high to justify notification to them.
12.4. Also, in the case of a personal data breach, which is likely to result in a high risk to the rights and freedoms of the Data Subjects, the Company shall without undue delay notify the appropriate Data Subject the personal data of which were breached.
12.5. If measures have subsequently been taken to mitigate the high risk to the Data Subjects, so that it is no longer likely to happen, then communication to the Data Subject is not required by the GDPR.
12.6. The Company documents all personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken. That documentation shall enable the DPA to verify compliance with the GDPR.
12.7. The respective processor is obligated without undue delay to notify the Company about the breach of the personal data while processing such personal data under the Company’s instructions.
13. DATA TRANSFER
13.1. The Company stores personal data in USA.
13.2. The Company does not sell or trade personal data to any legal persons or individuals.
13.3. The Company may transfer the personal data to its processors, specified in this Policy and which are registered in the USA.
13.4. The Company may transfer Customer’s (or its employees) personal data to the Independent contractor’s (or its employees) and vice versa. Such personal transfers concernin with Services providing based on GDPR and adequacy decision if needed. Such personal data transfers concern with providing Services and are based on GDPR and adequacy decision if needed.
13.5. The personal data are transferred with the purposes as it is stated herein according to the Personal Data Transfer Policy.
14. ADDITIONAL CONDITIONS
14.1. The Company may revise this Policy from time to time. If the Company makes material changes to this Policy, it will notify the Data Subjects by email or by posting a notice on the Website prior to the effective date of the changes.