1. Data controller
Name: Datadat OÜ
Address: Parnu mnt 158, Tallinn, Estonia 11317
Company registration number: 14680412
VAT number: EE102152445
2. Relevant statury laws serving as legal basis for data handling
EU Regulation 2016/679 (“GDPR”)
3. Scope of data handled and the aim of data handling
Generally, our intent is to collect only the Personal Data that is provided voluntarily by Visitors, Subscribers and Registrants so that we can offer information and services to them.
We may collect and process Personal Data, including the following:
(a) contact information that allows us to communicate with you, such as your name, e-mail or mailing address, telephone numbers, Facebook Messenger ID or other addresses that allow us to send you messages;
(b) commercial information that helps us do business with you, such as the types of products and services that may interest you, information on the organization you represent, geographic locations and demographics. We collect this information from the forms you filled in and from the interactions you had with us on our social media channels (Facebook, Messenger);
Your Personal Data is not used for other purposes, unless we obtain your permission, or unless otherwise required or permitted by applicable law.
4. Legal basis of data handling
We only manage your Personal Data only if we have your agreement on it. Your opt-in can have several formats. For example, you can push the “Get Started” button on our Messenger channel or you can fill in a form on our Website.
5. Duration of data handling
We may store your data for 3 years after your last check-in to our IT services.
6. Data processor and sub-processors
We use our own software, so the data processor is the same as the Data Controller in this case. Datadat OÜ (Pärnu mnt 158/2-88, 11317, Tallinn, Estonia; registry number 14680412; VAT number EE102152445), url: winwith.me) as the data processor that operates the Messenger Bot-building software and the database connected to that. Datadat OÜ has a Facebook App (WinWith.Me) for the communication of the bot with Facebook as a platform, and this app had been approved by Facebook.
Datadat OÜ uses the Cloud Functions for Firebase, the Firebase Realtime Database, the Cloud Storage for Firebase services to store and access personal data provided by data processor/subprocessor Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google usually operates these services from a Google server in the USA and stores the data there. Google is certified under the Privacy Shield agreement and thus provides a safeguard in adherence to European data privacy laws: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
7. Access to data and measures ensuring safe data handling
Personal Data collected is stored and processed on computers in the European Union and we protect it by maintaining physical, electronic and procedural safeguards in compliance with applicable EU laws and regulations.
We maintain adequate administrative, technical and physical safeguards designed to protect the Personal Data you provide against accidental, unlawful or unauthorized destruction, loss, alteration, access, disclosure or use.
When processed as part of a hosted service, the information may be processed and stored on the servers of third party providers hired to provide the hosting (www.hetzner.com), and our agreements with such parties require that they not use, disclose, or share such information
8. Rights of data holder and legal remedies
If we manage your Personal Data, in this context you are a Data Subject. As a Data Subject you have certain rights. We are doing our best effort to help you exercise these rights. Please contact us through our e-mail address email@example.com.
You can get information and help to exercise the following rights:
(a) The data subject’s right of access which means 1) the right to know whether data concerning you are being processed and 2) if so, access it with loads of additional stipulations (GDPR Article 15).
(b) The data subject’s right to rectification. When Personal Data are inaccurate, then we need to correct them if you ask us to do so (GDPR Article 16).
(c) The right to erasure, if Personal Data has been made public and you want us to remove it, we must do so. However, we never make your Personal Data public without your explicit consent to do so. (GDPR Article 17).
(d) The data subject’s right to restriction of processing. You have the right to limit the processing of your Personal Data (GDPR Article 18).
(e) The data subject’s right to data portability. With the right to data portability, you can ask us to transfer your stored Personal Data to an entity you specify in a machine readable format (GDPR Article 20).
(f) The data subject’s right to object. You can say you don’t want the Personal Data processing to be done or going on (GDPR Article 21).
GDPR – Records Management Policy of Datadat OÜ
1.1. This policy, together with the associated standards, applies to the management of all documents and records, in all technical or physical formats or media, created or received by the Datadat OÜ in the conduct of its business activities. It applies to all staff, contractors, consultants and third parties who are given access to our documents and records and information processing facilities.
1.2. Datadat OÜ is committed to maintaining the confidentiality of its information and ensuring that all records within Datadat OÜ are only accessible by the appropriate individuals. In line with the requirements of the General Data Protection Regulation (GDPR), Datadat OÜ also has a responsibility to ensure that all records are only kept for as long as is necessary to fulfil the purpose(s) for which they were intended.
1.3. Datadat OÜ has created this policy to outline how records are stored, accessed, monitored, retained and disposed of, in order to meet its statutory requirements. This policy applies to all records created, received, maintained or processed by staff of Datadat OÜ in undertaking its functions.
1.4. Records are defined as all documents which facilitate the business carried out by Datadat OÜ and are retained for a period of time which has been defined, in order to provide evidence of its transactions and activities. Documentation may be processed in electronic format, hard copies are only printed and held if it is required under law, by a Client of Datadat OÜ acting as data processor of a given data or by the data subject.
1.5. This document complies with the requirements set out in the GDPR. The retention periods outlined in this policy are good practice guidelines, and the decision making process of Datadat OÜ should ensure that specific requirements for setting shorter retention periods are considered when implementing these timeframes by the controller of the given data.
2.1. This policy has due regard to legislation including, but not limited to, the following:
General Data Protection Regulation (2016)
Personal Data Protection Act of Estonia (2018)
2.2. This policy will be implemented in accordance with the following policies and procedures:
- Data Protection Policy
- terms and conditions of Datanet OÜ products
3.1. Datadat OÜ as a whole has a responsibility for maintaining its records and recordkeeping systems in line with statutory requirements.
3.2. The Managing Partner holds overall responsibility for this policy and for ensuring it is implemented correctly.
3.3. The Data Protection Officer (hereinafter: DPO) supports the management of records.
3.4. The Managing Partner is responsible for promoting compliance with this policy and reviewing the policy on an annual basis, in conjunction with the DPO.
3.5. The Managing Partner is responsible for ensuring that all records are stored securely, in accordance with the retention periods outlined in this policy, and are disposed of correctly.
3.6. All staff members are responsible for ensuring that any records for which they are responsible are accurate, maintained securely and disposed of correctly, in line with the provisions of this policy.
3.7. The Managing Partner is responsible for ensuring that any contracts held with third parties who process personal identifiable information (considered as data processors or subprocessors as outlined in the GDPR) are compliant with the GDPR.
4.1. Datadat OÜ’s primary activity is providing IT solutions for political campaigns as a data processor. Datadat OÜ’s products are opt-in only messaging channels and other opt-in only tools facilitating the communication of the client organisations (political parties, NGO’s, advocacy groups, hereinafter reffered as Clients) with private indivituals who had freely given their consent for the use of the product. The rights and duties of the controller are excercised by the Clients without any limitations.
4.2. The following information is stored by Datadat OÜ as processor via products under point 4.1.:
- social network Identification number (e. g. Facebook ID),
- Facebook Page-Scoped Identification Number (Facebook PSID),
- the messages sent and recieved by the data subject via the products,
- e-mail address,
- phone number,
- ZIP code.
4.3 Datadat OÜ will comply with its Clients instructions unless EU or EU Member State law to which Datadat OÜ is subject requires other processing of Customer Personal Data, in which case Google will inform its Client (unless that law prohibits Datadat from doing so on important grounds of public interest). Client instructions are to be given in written form, nomally by the electronic means used for the communication between the parties.
4.4. Datadat OÜ gives direct access for Clients to individual records containing personal data, as well as the right to delete those records without any further actions of Datadat OÜ.
5.1. The retention periods for individual records processed by Datadat OÜ via products under point 4.1. and the action that will be taken after the retention period are based on a system of double opt-in. Names, social network Identification numbers, Facebook PSIDs and messages sent and recieved by the data subject via the products are deleted automathically on the basis of the withdrawal of consent given for the use of the products by the data subject. E-mail addresses, phone numbers and ZIP codes are deleted automathically either by the withdrawal of consent given for the use of the products by the data subject or by the withdrawal of the separate consent given for the use of these contact data by the data subject. The data is nevertheless automathically deleted in a three year period after the last interaction via the products by the data subject.
5.2. Electronic copies of any information and files will be destroyed in line with the retention periods above.
6.1. The DPO will undertake a risk analysis to identify which records are vital to Datadat OÜ’s management and these records will be stored in the most secure manner.
6.2. Datadat OÜ assures the operation of an effective back up system to ensure that all data can still be accessed in the event of a security breach, e.g. a virus, and prevent any loss or theft of data for the purpose of compliance with the principle of integrity and confidentiality under the GDPR and business continuity. Backups of data must be made on a regular basis. Backed-up information will be stored off the premises, using a backup service which is operated by a provider who is compliant with the GDPR. Datadat OÜ has a system restore protocol in place.
6.3. Datadat OÜ provides 24/7 DevOps support for its Clients and a constant monitoring of the proper functioning of its products and infrastructure. Datadat OÜ runs integrity and load test of its systems to ensure safe functioning.
6.4. Datadat OÜ maintaines secure user identification methods for its Clients.
6.5. Confidential paper records are kept in a locked filing cabinet, drawer or safe, with restricted access only to those personnel who require access to fulfil their delegated duties in accordance with their job role. Confidential paper records including records containing personal information are not left unattended or in clear view when held in a location with general access.
6.6. Digital data is coded, encrypted or password-protected, both on a local hard drive and on a network drive that is regularly backed-up off-site.
6.7. Data is not saved on removable storage.
6.8. Memory sticks and are not used to hold personal information.
6.9. All electronic devices (including portable devices) used by Datanet OÜ are password-protected to protect the information on the device in case of theft. Datadat OÜ staff members must enable electronic devices to allow the remote blocking or deletion of data in case of theft.
6.10. Datadat OÜ staff members do not use non-encrypted personal laptops, computers, phones or other electronic devices for business purposes which involve the downloading or storing of personal identifiable or confidential data.
6.11. All members of staff are provided with their own secure login and password, and every computer regularly prompts users to change their password.
6.12. Emails containing sensitive, personal or confidential information are encrypted or password-protected to ensure that only the recipient is able to access the information. The password will be shared with the recipient in a secure and appropriate format.
6.13. Data stored on encrypted hard drives or USBs must not be stored on or downloaded to personal devices.
6.14. All documents which are accessed by members of the staff externally to their premise via a portable electronic device must be done so utilising services designated by Datadat OÜ. Personal accounts must not be used to access Datadat OÜ data.
6.15. All staff members apply a ‘clear desk policy’ to avoid unauthorised access to physical records containing sensitive, confidential or personal information. All confidential information will be stored in a securely locked filing cabinet, drawer or safe with restricted access.
6.16. Personal data must not be stored on the hard drive of any device unless it is running appropriate encryption software.
6.17. Data must be subject to a robust password protection regime. Password sharing is not permitted.
6.18. Computers must be locked when not staffed to prevent unauthorised access.
6.19. Under no circumstances are visitors allowed access to confidential or personal information. Visitors accessing areas containing sensitive information are supervised at all times.
6.20. The physical security of Datadat OÜ’s offices and storage systems, and access to them, is reviewed termly (and documented) by the person with responsibility for sites in conjunction with the DPO. If an increased risk in vandalism, burglary or theft is identified, this will be reported to the Managing Partner and extra measures to secure data storage will be put in place. Data Protection Impact Assessments are undertaken where required.
6.21. Archive rooms should be lockable and secure, and be able to maintain restricted access.
6.22. All members of Datadat OÜ’s staff are obliged to sign a non-disclosure agreement before given access to personal data. Datadat OÜ takes its duties under the GDPR seriously and any unauthorised disclosure may result in disciplinary and criminal action.
6.23. The DPO is responsible for supporting continuity and recovery measures are in place to ensure the security of protected data.
7.1. Before onboarding subprocessors, Datadat OÜ conducts an audit of the security and privacy practices of subprocessors to ensure subprocessors provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide. The subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms to fulfill the obligations under GDPR.
7.3. Datadat OÜ uses the Cloud Functions for Firebase, the Firebase Realtime Database, the Cloud Storage for Firebase services to store and access personal data provided by data processor/subprocessor Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (“Google”). Google usually operates these services from a Google server in the USA and stores the data there. Google is certified under the Privacy Shield agreement and thus provides a safeguard in adherence to European data privacy laws: https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI&status=Active
8.1. Datadat OÜ is transparent with data subjects as a data controller, the information we hold and how it can be accessed.
8.2. Datadat OÜ as a data processor provides its Clients all the relevant information to enable them to act as a transparent data controller.
9.1. Datadat OÜ stores data in a multi-tenant environment on the servers of the cloud service providers under point 7.2 and 7.4. Datadat OÜ also logically isolates the Client’s data.
9.2. Datadat OÜ keeps a continous and veryfiable log file on all the operations performed upon the processed personal data.
10.1 If Datadat OÜ becomes aware of a Data Incident, Datadat OÜ will: (a) notify the Client of the Data Incident promptly and without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
10.2 Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and steps Datadat OÜ recommends Client take to address the Data Incident.
10.3 Notification(s) of any Data Incident(s) will be delivered by e-mail or at Datadat OÜ’s discretion, by direct communication (for example, by phone call or an in-person meeting).
10.4 Datadat OÜ will not assess the contents of Customer Data to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Data Incident(s).
10.5 No Acknowledgement of Fault by Google. Google’s notification of or response to a Data Incident under this Section 7.2 (Data Incidents) will not be construed as an acknowledgement by Google of any fault or liability with respect to the Data Incident.
11.1. Datanet OÜ will conduct an information audit on an annual basis against all information held by it to ensure that they are correctly managed in accordance with the GDPR.
11.2. The information audit may be completed in a number of ways, including, but not limited to interviews with staff members with key responsibilities to identify information and information flows, questionnaires to key staff members to identify information and information flows.
11.3. The DPO is responsible for completing the information audit.
11.4. Datanet OÜ cooperates with its Clients with all thier audits and monitoring activities aiming for the complience with GDPR.
12.1. All records containing personal information or information must be disposed of in a way which ensures they are unreadable or unreconstructable. Paper records must be shredded using a cross cut shredder, CDs/DVD should be cut into small pieces and hard drives must be wiped according to the nature of the data stored on them.
12.2. In case of opt-out performed by the data subject, the relevant personal data must also be deleted from the log file under point 9.2, with the exeption of the case a statutory regulation, the Client or the data subject required it otherwise in accordance with the GDPR.
13.1. This policy will be reviewed on an annual basis by the Managing Partner in conjunction with the DPO – the next scheduled review date for this policy is November 2019.
13.2. Any changes made to this policy will be communicated to all members of staff.