1. General Provisions
1.1. This Privacy Policy regulates the principles concerning the gathering, processing and retention of personal data. Personal data are processed and retained by the controller of personal data, AS Orto (hereinafter the Data Controller).
1.2. Within the meaning of the Privacy Policy, a data subject is a customer or a natural person whose personal data the Data Controller processes.
1.3. Within the meaning of the Privacy Policy, a customer is anyone who purchases goods or services on the homepage of the Data Controller.
1.4. The Data Controller shall comply with the principles of data processing established in legal acts. Among other things, the Data Controller shall process personal data lawfully, fairly and securely. The Data Controller is able to confirm that personal data have been processed in accordance with the provisions of legal acts.
2. Gathering, Processing and Retaining of Personal Data
2.1. The personal data which the Data Controller gathers, processes and retains have been gathered electronically, mainly via the homepage and e-mail.
2.2. By sharing his or her personal data, the data subject grants the Data Controller the right to gather, arrange, use and manage personal data, which the data subject directly or indirectly shares with the Data Controller upon purchasing goods or services on the homepage, for the purposes defined in the Privacy Policy.
2.3. The data subject is responsible for the accuracy, correctness and completeness of the data submitted by him or her. The intentional submission of false data is considered a violation of the Privacy Policy. The data subject shall be obligated to immediately inform the Data Controller of changes in the submitted data.
2.4. The Data Controller shall not be responsible for the damage caused to the data subject or third persons due to the submission of false data by the data subject.
3. Processing the Personal Data of Customers
3.1. The Data Controller may process the following personal data of data subjects:
3.1.1. Given name and surname;
3.1.2. Phone number;
3.1.3. E-mail address;
3.1.4. Delivery address;
3.1.5. Bank account number;
3.1.6. Payment card details.
3.2. In addition to the above, the Data Controller shall have the right to gather data available in public registers about customers.
3.3. The legal basis for the processing of personal data is paragraphs (a), (b), (c) and (f) of Article 6(1) of the General Data Protection Regulation (GDPR):
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
3.4. Personal data processing according to the purpose of processing:
3.4.1. Purpose of processing – security and safety
The maximum period of retention of personal data – in accordance with the terms specified in legal acts.
3.4.2. Purpose of processing – processing of orders
The maximum term of retention of personal data – 7 years.
3.4.3. Purpose of processing – ensuring the functioning of the e-store services
The maximum term of retention of personal data – 7 years.
3.4.4. Purpose of processing – customer management
The maximum term of retention of personal data – 7 years.
3.4.5. Purpose of processing – financial activities, accounting
The maximum term of retention of personal data – 7 years.
3.4.6. Purpose of processing – marketing
The maximum term of retention of personal data – 7 years.
3.5. The Data Controller shall have the right to share the personal data of customers with third persons who include, for instance, data processors, accountants, transport and courier companies, and companies providing transfer services. The Data Controller is the controller of the personal data. The Data Controller shall transmit the personal data necessary for performing payments to data processor Maksekeskus AS.
3.6. In processing and retaining the personal data of data subjects, the Data Controller shall apply organisational and technical measures which ensure the protection of personal data from accidental or unlawful destruction, alteration, disclosure and any other unlawful processing.
3.7. The Data Controller shall retain the data of data subjects depending on the purpose of processing, but for no longer than 7 years.
4. Rights of Data Subjects
4.1. A data subject has the right to gain access to and review his or her personal data.
4.2. A data subject has the right to receive information about the processing of his or her personal data.
4.3. A data subject has the right to update or rectify inaccurate data.
4.4. If the Data Controller processes the personal data of a data subject on the basis of the consent of the data subject, the data subject shall have the right to withdraw his or her consent at any time.
4.5. A data subject can contact the e-store customer support at myyk@orto.ee in order to exercise his or her rights.
4.6. A data subject can file a complaint with the Data Protection Inspectorate for the protection of his or her rights.
5. Final Provisions
5.1. These data protection terms and conditions have been prepared in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), the Personal Data Protection Act of the Republic of Estonia, and the legal acts of the Republic of Estonia and the European Union.
5.2. The Data Controller shall have the right to partly or fully amend the data protection terms and conditions by notifying the data subjects of the amendments via the orto.ee website.