Principles of data processing policy
This document provides information about the principles of data processing policy of GSMvalve OÜ. When processing personal data, the objective of GSMvalve OÜ is to be your reliable partner who respects your rights, and to set an example for others on the market.
1.1 Data Subject is a natural person about whom GSMvalve OÜ possesses information or information based on which it is possible to identify a natural person. For instance, Data Subjects are Customers, Visitors, partners and employees (i.e. natural persons) about whom GSMvalve OÜ possesses Personal Data.
1.3 Personal Data is any information about an identified or identifiable natural person.
1.4 Personal Data Processing is any operation performed with the Personal Data of the Data Subject. For instance, collection, saving, arrangement, preservation, amendment and publication, allowing access, performance of queries and making of extracts, use, forwarding, cross-use, connection, closure, erasing or destruction of data or the combination of several operations indicated above, regardless of the way such operations are performed or the means used for the performance of such operations.
1.5 Customer is any natural or legal person who uses or has expressed their wish to use the Services of GSMvalve OÜ.
1.6 Agreement is the Service agreement or any other agreement concluded between GSMvalve OÜ and the Customer.
1.7 General Terms and Conditions establish the general terms which are applied when entering into a contractual relationship with GSMvalve OÜ.
1.8 Website stands for the web pages of GSMvalve OÜ, including www.navirec.com, www.gsmauto.eu, www.gsmtasks.com and www.valve.ee.
1.9 Visitor is a person who uses the Website of GSMvalve OÜ.
1.10 Child, in the context of Personal Data Processing and the provision of information society services in the Republic of Estonia, is a person under 13 years of age.
1.11 Services are any services and products offered by GSMvalve OÜ, including the information society services belonging in the Product Portfolio of GSMvalve OÜ.
1.12 Cookies are data files which are sometimes stored in the device of the Visitor of the Website.
1.13 Sales Channels are the ways GSMvalve OÜ communicates with the Data Subject and the means created for the sales of goods and services. Such ways and means include e-mail, telephone, public and social media, different chat lines, individualised and interactive advertisements and other similar tools on our Websites and elsewhere.
1.14 Product Portfolio is the economic units of GSMvalve OÜ and the different products and Services thereof, such as GSM Koduvalve, Navirec, GSMtasks, GSMauto.
2.1 GSMvalve OÜ is a legal person GSMvalve OÜ, registry code 11181045, address Tähetorni 21, 11625 Tallinn. GSMvalve OÜ owns a subsidiary company NAVIREC SP Z O.
2.2 GSMvalve OÜ may process Personal Data:
(1) as a responsible processor by determining the objectives and means of processing, for instance, when creating, structuring and operating the Services;
(2) as an authorised processor by following the instructions of the responsible processor, for instance, by allowing data collection according to the instructions from the Customer and extracts from the database;
(3) as a recipient to whom Personal Data are forwarded.
3.1 The objective of GSMvalve OÜ is the responsible Processing of Personal Data, which is performed pursuant to best practices, keeping in mind that we are always ready to demonstrate the adherence of the Processing of Personal Data to the established objectives and that the activities of GSMvalve OÜ are always based on the interests, rights and freedoms of Data Subjects.
3.2 All processes, instructions, procedures and activities of GSMvalve OÜ which are related to the Personal Data Processing are based on the following principles:
(1) Legality. There is a legal basis for Personal Data Processing, e.g. a consent;
(2) Fairness. Personal Data Processing is fair, ensuring that the Data Subject has sufficient knowledge and information about how his/her Personal Data is being Processed;
(3) Transparency. Personal Data Processing is transparent for the Data Subject;
(4) Purposefulness. Personal Data is collected for precisely and clearly determined legitimate purposes and the data is later not processed in a way that contradicts these purposes. Each time the data is collected, the Data Subject is entitled to get acquainted with the predetermined purpose of Processing the data;
(5) Minimality. Personal Data is relevant, important and limited to the purpose of Personal Data Processing. The processing of Personal Data by GSMvalve OÜ is based on the principle of minimal Processing and when Personal Data is no longer needed or needed for the purpose of their collection, then such Personal Data will be deleted;
(6) Accuracy. Personal Data is accurate and updated, if necessary, and all reasonable measures have been taken to immediately delete or amend the Personal Data which is inaccurate for the purpose of Personal Data Processing;
(7) Storage restriction. Personal Data is stored in a form which allows to identify Data Subjects only in the extent necessary for the purpose of Personal Data Processing. This means that if GSMvalve OÜ wishes to keep Personal Data for a longer period than it is necessary for the purpose of collection of such data, GSMvalve OÜ anonymises the data in a way that does not any longer allow the identification of the Data Subject. Data which GSMvalve OÜ has collected through a customer relationship or similar relationship is stored by GSMvalve OÜ based on the best practices, and data processed based on the consent is generally stored until the withdrawal of the consent.
(8) Reliability and confidentiality. Personal Data is Processed in a way which ensures the relevant security of Personal Data, including protection from unauthorised or illegal Processing and from accidental loss, destruction or damage by using reasonable technical or organisational measures. GSMvalve OÜ possesses in-house instructions, rules for employees as well as separate agreements with every authorised employee which foresee the use of best practices, constant risk assessment and relevant technical and organisational measures for Personal Data Processing;
(9) Default and integrated data protection. GSMvalve OÜ ensures that all the used systems correspond to the technical criteria. Suitable data protection measures are designed each time any information and data system is updated or designed (e.g. information systems and business processes are built based on the prerequisites of aliasing and encrypting).
3.3 When Processing Personal Data, GSMvalve OÜ follows the principle of always being able to verify the performance of the above listed principles and the interested parties can ask information from GSMvalve OÜ about the implementation of the principles.
4.1 GSMvalve OÜ collects, inter alia, the following types of Personal Data:
(1) Personal Data disclosed to GSMvalve OÜ by the Data Subject, e.g. name and contact data of the Customer;
(2) Personal Data created as the result of normal communication between the Data Subject and GSMvalve OÜ, e.g. e-mail correspondence;
(3) Personal Data clearly disclosed by the Data Subject himself/herself, e.g. in social media;
(4) Personal Data created as the result of the consumption of services, e.g. Location data created when using the vehicle surveillance or logistics services of GSMvalve OÜ;
(5) Personal Data created as the result of visiting and using the Website (e.g. time spent on the Website);
(6) Personal Data obtained from third persons, e.g. Personal Data of the employees disclosed by the Customer of GSMvalve OÜ;
(7) Personal Data created and combined by GSMvalve OÜ, e.g. e-mail correspondence created in the framework of customer relationship or list of order history, also the data structured and combined by different Services during the provision of Services.
5.1 GSMvalve OÜ only Processes Personal Data based on the consent of the Data Subject or based on the law. Legal grounds for Processing Personal Data include the legitimate interest or an agreement concluded between the Data Subject and GSMvalve OÜ.
5.2 Based on the consent from the Data Subject, GSMvalve OÜ Processes Personal Data precisely within the limits, extent and purposes determined by the Data Subject. As regards to consents, GSMvalve OÜ acts according to the principle that every consent has to be clearly distinguishable from other questions, in a form which is easily understood and available, written in a clear and simple language. A consent may be given in a written or electronic form or as an oral statement. The Data Subject gives his/her consent voluntarily, specifically, knowingly and unequivocally, e.g. ticking the specific box on our Website. Based on the consent, GSMvalve OÜ Processes Personal Data, for instance, for sending the newsletter and offers, and such consent is without a specific term and valid until the Data Subject withdraws the consent.
5.3 When concluding and executing an Agreement, Personal Data Processing may be additionally stipulated in the specific Agreement, however, GSMvalve OÜ may also Process Personal Data for the following purposes:
(1) taking measures prior to the conclusion of the Agreement based on the application of the Data Subject;
(2) identification of the Customer in the extent required by due diligence;
(3) performance of the obligations made to the Customer within the framework of the provision of Services;
(4) communicating with the Customer;
(5) ensuring the fulfilment of the payment obligation of the Customer;
(6) submission, realisation and protection of claims. For instance, if a Customer has not performed his/her financial obligation towards GSMvalve OÜ, the latter may forward the personal identification code, name and registry code of the Customer, the data on the beginning and end of the payment disorder and the payable sum to AS Krediidiinfo, who may, inter alia, process the submitted data for the purpose of making credit decisions in the credit register. The terms and conditions for processing the data of the customer by AS Krediidiinfo and the processed data are available on the website www.krediidiinfo.ee.
When Processing Personal Data based on the Agreement, the data is stored for the period of 3 years after the end of the validity period of the Agreement; the Agreements will be stored for 7 years. The main data on the consumption of Services (e.g. location data in case of using Navirec services) are stored for 3 years during the validity period of the Agreement or for the amount of time agreed upon in the customer agreement.
5.4 For concluding an employment agreement, the Personal Data Processing of GSMvalve OÜ, which is based on the conclusion of the agreement and legitimate interest, includes the following:
(1) Processing of data forwarded by the applicant to GSMvalve OÜ for the purpose of concluding the employment agreement;
(2) Processing of Personal Data obtained from the referee of the applicant;
(3) Processing of Personal Data obtained from national databases and registers and public (social) media.
If the applicant is not chosen for the position, GSMvalve OÜ stores the Personal Data collected for the conclusion of the employment agreement for two years in order to make the applicant a job offer if a suitable position becomes vacant. After two years from the submission of the application of employment, Personal Data of the applicant who was not selected for this position will be deleted.
5.5 Legitimate interest means the interest of GSMvalve OÜ to administer and manage the company, allowing to offer the best possible Services on the market. Based on the legal grounds, GSMvalve OÜ Processes Personal Data only after careful assessment, ascertaining that GSMvalve OÜ has legitimate interest to Process Personal Data and that this interest is necessary and corresponds to the interest and rights of the Data Subject (after conducting the so-called three-level test). Based on legitimate interest, Personal Data may primarily be processed for the following purposes:
(1) for ensuring a trustful customer relationship, e.g. Personal Data Processing which is strictly necessary for establishing actual beneficiaries or avoiding fraud;
(2) managing and analysing the customer base to improve the availability, selection and quality of Services and Products, and to make the best and personalised offers for the Customer, if the latter has given the respective consent;
(3) identifiers and Personal Data collected upon the use of Websites, mobile apps and other Services. GSMvalve OÜ uses the collected data for web analysis or for analysing mobile and information society services, ensuring the functioning and improvement thereof, for producing statistics, analysing the behaviour of the Customer and the user experience, and for the provision of better and more personal services.
(4) organisation of campaigns, including the organisation of personalised and targeted campaigns, carrying out Customer and Visitor surveys and measuring the efficiency of the performed marketing activities;
(5) analysing the Customer and Visitor behaviour in different Sales Channels and Websites;
(6) service monitoring. GSMvalve OÜ may record messages and orders given on its premises or through means of communication (e-mail, telephone, etc.), also information and other operations which are carried out by GSMvalve OÜ and if necessary, GSMvalve OÜ uses such recordings for verifying orders or other operations;
(7) measures taken for the consideration of network, information and cyber security and for ensuring the security of Websites and making and storing backup copies;
(8) organisational purposes. Primarily for financial management and within the group for forwarding Personal Data for the purposes of internal administration, including for Processing the Personal Data of Customers or employees;
(9) preparation, submission or protection of legal claims.
5.6 GSMvalve OÜ Processes Personal Data for the performance of its obligations arising from the law or for implementing the methods of use permitted by law. Obligations arising from the law include, for instance, the requirements for processing the payments or following the money laundering requirements.
5.7 If Personal Data is being Processed for another purpose than the initial purpose for collecting the Personal Data or the Processing is not based on the consent given by the Data Subject, GSMvalve OÜ will carefully evaluate the admissibility of such new Processing. The respective aims of such new Processing are always public. When determining whether the Processing of data for the new purpose corresponds to the initial aim of collecting the Personal Data, GSMvalve OÜ will also consider the following:
(1) connection between the initial aims of collecting the Personal Data and the aims of the planned future Processing;
(2) the context of the collection of Personal Data, primarily the connection between the Data Subject and GSMvalve OÜ;
(3) The nature of Personal Data, especially whether special types of Personal Data or Personal Data related to criminal offences or convictions in criminal offences are being Processed;
(4) the possible results of the planned future Processing for Data Subjects;
(5) the presence of relevant protection measures, such as encryption and aliasing.
5.8 Based on the aforementioned, GSMvalve OÜ primarily Processes Personal Data for the following purposes:
(1) Name a. identifying the Customer and executing the Agreement; b. forwarding personal offers; c. reflecting the person in databases used for the provision of Services;
(2) E-mail a. identifying the Customer and executing the Agreement; b. forwarding personal offers; c. reflecting the person in databases used for the provision of Services;
(3) Telephone a. identifying the Customer and executing the Agreement; b. forwarding personal offers; c. reflecting the person in databases used for the provision of Services;
(4) Address a. analysis related to the business operations of the company after anonymising Personal Data; b. making personal offers; c. reflecting the person in databases used for the provision of Services;
(5) Gender a. alternative identification of the customer; b. making personal offers; c. reflecting the person in databases used for the provision of Services;
(6) Language a. customer communication;
(7) Date of birth a. analysis related to the business operations of the company; b. making personal offers; c. reflecting the person in databases used for the provision of Services;
(8) Personal identification code a. alternative identification of the customer; b. reflecting the person in databases used for the provision of Services;
(9) Workplace and position a. execution of the Agreement; b. statistical purposes; c. reflecting the person in databases used for the provision of Services;
(10) GPS data a. execution of the Agreement; b. statistical purposes.
6.1 GSMvalve OÜ cooperates with persons to whom GSMvalve OÜ may in the framework of cooperation forward data related to the Data Subject, incl. Personal Data.
6.2 Such persons primarily include the Customers of GSMvalve OÜ, who have determined specific persons who have access to the data created during the provision of services. The Customers undertake to follow all legal acts regulating data protection rights, ensuring an efficient protection of the rights of Data Subjects.
6.3 Such third persons may be persons belonging to the same group of companies with GSMvalve OÜ, advertising and marketing partners, companies organising customer satisfaction surveys, providers of debt collection services, credit registers, IT partners, persons mediating or providing (e-)mail services, institutions and organisations, provided that:
(1) the respective purpose and Processing are legal;
(2) Personal Data is Processed according to the rules of GSMvalve OÜ and pursuant to a valid agreement;
(3) information about such authorised employees has been disclosed to Data Subjects.
6.4 GSMvalve OÜ forwards Personal Data outside the European Union only if: the country where the data is forwarded to has sufficient data protection measures; protection measures have been agreed upon (e.g. binding rules or standard data protection clauses within the group of companies); the Data Subject has given his/her clear and informed consent about such forwarding; the forwarding of data is unambiguously required by the agreement concluded with the Data Subject; the forwarding is not repetitive, it concerns only a limited number of Data Subjects, it is necessary for the protection of legitimate interests of GSMvalve OÜ, against which the rights and freedoms of the Data Subject are not prevailing and if all the circumstances related to such forwarding have been estimated and suitable protection measures have been established for the protection of Personal Data or such forwarding is based on other legal grounds. GSMvalve OÜ informs the Data Protection Inspectorate about forwarding data based on legitimate interest.
7.2 GSMvalve OÜ has established instructions and procedure rules on how to ensure Personal Data security through the use of both organisational as well as technical measures. More detailed information on the security measures implemented by GSMvalve OÜ can be obtained from GSMvalve OÜ.
7.3 If any incidents occur in relation to the Personal Data, GSMvalve OÜ takes all necessary measures for alleviating the consequences and for hedging risks relevant in the future. Among other things, GSMvalve OÜ registers all incidents and in the predetermined cases, informs the Data Protection Inspectorate and the Data Subject directly (e.g. via e-mail) or publicly (e.g. via the news) about such situations.
7.4 The most important authorised employees for GSMvalve OÜ are:
(1) Sendsmaily OÜ, our partner we use for preparing and forwarding our newsletters
(2) GSMvalve OÜ, the developer of the website of GSMvalve OÜ
(3) persons carefully selected for the development process of the databases and software solutions necessary for the provision of our Services, e.g. Joel Muruvee
(4) as regards to the business operations of GSMvalve OÜ, the banks, state and local government authorities who have legitimate rights to request the disclosure of data
(5) data communication and server management services, primarily Elisa Eesti AS
8.1 The Services of GSMvalve OÜ, including the information society services, are not targeted for children.
8.2 GSMvalve OÜ does not knowingly collect information about persons under 13 years of age, i.e. Children, and if we knowingly collect information about Children, such activities are based on the wishes of the parents or the guardian.
8.3 If GSMvalve OÜ finds out about having collected Personal Data from a Child or about a Child, GSMvalve OÜ does its utmost to stop such Processing of Personal Data.
9.1 Rights related to the consent:
(1) the Data Subject is entitled to inform GSMvalve OÜ at any time about his/her wish to withdraw the consent for Personal Data Processing;
9.2 The Data Subject also has the following rights related to Personal Data Processing:
(1) The right to obtain information, i.e. the right of the Data Subject to obtain information about the Personal Data collected about him/her. The Data Subject can receive information from GSMvalve OÜ about the options of getting additional information about the execution of his/her data rights.
(2) The right to get acquainted with the data, which also includes the right of the Data Subject to obtain a copy of his/her Personal Data which is being Processed.
(3) The right to correct incorrect Personal Data.
(4) The right to have the data deleted, i.e. in some cases the Data Subject is entitled to request his/her Personal Data be deleted, for instance, when the data is Processed only based on the consent.
(5) The right to request the limitation of Personal Data Processing. This right arises if, inter alia, the Personal Data Processing is not allowed according to law or if the Data Subject disputes the accuracy of the data. The Data Subject is entitled to request the limitation of Personal Data Processing for the time which allows the responsible processor to check the accuracy of Personal Data or if the Processing of Personal Data is illegal but the Data Subject does not apply for the deletion of Personal Data.
(6) The right to transfer data, i.e. in certain cases the Data Subject has the right to take the Personal Data with him/her in the machine-readable form or to have such data transferred to another responsible employee.
(7) The rights related to automated Processing, which among other things also means that based on his/her specific situation, the Data Subject is entitled to raise objections against the Personal Data Processing related to him/her at any time, which are based on automated decisions. To clarify – GSMvalve OÜ may Process Personal Data for making automated decisions which promote the business (e.g. for segmenting Visitors in the marketing context and targeting personalised messages for them, starting an employment relationship and ensuring that our employees follow our internal security rules). Automated Processing may partly be based on data collected also from public sources. You are entitled to avoid any decisions based on the automated Processing of Personal Data, if they can be classified as profiling.
(8) The right to obtain an assessment from a supervisory authority about whether the Processing of Personal Data of the Data Subject is legal or not.
(9) The right for the indemnification of damages.
10.1 Execution of rights. In the event of questions, applications or complaints related to the Processing of Personal Data, the Data Subject is entitled to contact GSMvalve OÜ by using the contact data provided in point 14 of the present document.
10.2 Submission of complaints. If the Data Subject has any complaints, he/she is entitled to turn to GSMvalve OÜ, the Data Protection Inspectorate or the court, if the Data Subject finds that his/her rights are violated when Processing his/her Personal Data. The contact data of the Data Protection Inspectorate is available at: http://www.aki.ee/.
11.2 GSMvalve OÜ uses the collected data to ensure the provision of Services according to the habits of the Visitor or Customer; to ensure the best quality of Services; to inform the Visitor and Customer about the content and make recommendations; to make the advertisements more relevant and improve our marketing efforts; to facilitate the log in procedure and the protection of data. The collected data are also used for counting the Visitors and establishing the habits of the users.
11.3 GSMvalve OÜ uses session cookies, persistent cookies and advertising cookies. Session cookies are deleted automatically after every use; persistent cookies are maintained if the Website is used repeatedly and the advertising cookies and third party cookies are used by the Websites of the partners of GSMvalve OÜ, which are related to the Website of GSMvalve OÜ. GSMvalve OÜ does not control the creation of such Cookies, therefore, information about such Cookies can be obtained from third parties. Read more about the Cookies in the explanatory material (see point 12: Important documents, instructions and procedures).
(1) All About Cookies (in English): the descriptions of Cookies and other web technologies used by GSMvalve OÜ;
(2) Your Online Choices; About Ads; Network Advertising, (in English): platform for controlling and monitoring the Cookies and other web technologies where the Data Subject can change and control himself/herself how Personal Data is used and collected.
13.1 Contact data important for the Data Subjects of GSMvalve OÜ:
(1) In issues regarding Personal Data, contact us via e-mail firstname.lastname@example.org or call us +372 6870722.