Procedure for the use of data and data processing

MTÜ Nordic Institute for Interoperability Solutions (NIIS)

Entered into force on 25 September 2020

TABLE OF CONTENTS

1        Terms
2        Processing of personal data with the consent of data subject
3        Principles and purpose of processing personal data
4        The obligations of NIIS
5        Protection of the rights of the data subject
6        The data protection officer
7        Guidelines in case of a personal data breach
8        Use of cookies
9        Web analytics tool Google Analytics and video provider YouTube
10        Further information

1        Terms

1.1        Data is any data that allows the identification of a person, any data that the person has disclosed to the non-profit-making association MTÜ Nordic Institute for Interoperability Solutions (hereinafter also "NIIS") or any data that is in the possession of NIIS, including Personal data. Data may include data concerning identification and categorisation, contact information, service contracts and other transactions, data reflecting habits and preferences, and data collected under the law or under this procedure for the use of data and data processing.

1.2        Personal data is any information relating to an identified or identifiable natural person ("data subject"). Personal data is all data related to a particular individual, such as the name of a physical person, personal identification code, date of birth, identity document, contact information (address, email, telephone number), location data, an online identifier, IP-address and other personal information that has become known to NIIS concerning the provision and performance of the services.

1.3        Processing of personal data is any operation performed on personal data, including the collection, recording, organisation, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of personal data or several of the aforementioned operations, regardless of how the operations are carried out or the means used.

1.4        Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

1.5        The Controller is NIIS: MTÜ Nordic Institute for Interoperability Solutions, Hobujaama 4, 10151 Tallinn, Estonia, Phone +372 7130 800, email: [email protected].

1.6        The Processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the data controller and is permitted to perform data processing only as directed by the Controller.

1.7        A data subject is a person whose personal data is processed.

1.8        A third person is a natural or legal person, public authority, agency or body other than the Data Subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorised to process personal data.

1.9        Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject's wishes by which the person, by a statement or by clear affirmative action, signifies agreement to the processing of personal data relating to the person.

2        Processing of personal data with the consent of data subject

2.1        Personal data shall be processed with the consent of the data subject following the Personal Data Protection Act of the Republic of Estonia and the EU General Data Protection Regulation (GDPR) Article 6, unless otherwise provided by the applicable law.

2.2        The data subject shall be entitled to withdraw the consent at any time by informing the Controller either by email or by using the automatic "unsubscribe" function, whereupon the Controller shall terminate the processing of the personal data of the data subject as soon as possible.

2.3        The data subject gives clear consent to the Controller to process his/her personal data following the principles and purpose of this procedure. The consent, together with the information about the principles and purposes of processing personal data, is given by the data subject separately on the NIIS website or in any other information system that NIIS provides for the use of the data subject.

2.4        NIIS processes the data as a Controller, and the Processors are, among others, the accounting firm, the audit firm and other firms that offer such services to NIIS.

2.5        As the Controller, NIIS shall provide the Processor with mandatory instructions for processing personal data and shall be responsible for the Processor's compliance with the personal data processing requirements or responsible for establishing such compliance.

2.6        The Processor may delegate the task of processing personal data to another person only with the written consent of the Controller, provided that this does not exceed the limits of the authority of the Processor.

3        Principles and purpose of processing personal data

3.1        The purposes of processing personal data are:

3.1.1       Identification of the person;

3.1.2       Determining the necessary skills and knowledge of a person applying to work for NIIS;

3.1.3       Fulfilling the obligations undertaken towards the person and offering services to the person;

3.1.4       Sending information about services, projects, developments, news and events;

3.1.5       Asking for feedback and sending questionnaires;

3.1.6       Visiting NIIS websites;

3.1.7       Fulfilment of the obligations provided by law or exercise of the uses permitted by law.

3.2        Neither the Controller nor the Processor shall transfer, rent or otherwise give personal data to third parties, except with the person's consent.

3.3        When processing personal data, the Controller and the Processor will follow the principles in the Personal Data Protection Act of the Republic of Estonia and the EU General Data Protection Regulation, including the principle of minimal processing.

3.4        NIIS works with third persons to whom NIIS shall also be forwarding data, including Personal Data, in the context of and for the purposes of cooperation. Such persons may be accounting firms, audit firms, IT partners, providers of postal services, etc., as well as authorities and organisations with which NIIS cooperates, provided that NIIS authorises their use of the data only to the minimum extent necessary and ensures that the level of data security is at least the same as that of NIIS itself.

3.5        NIIS shall also be forwarding data to the members of NIIS for marketing purposes. Such data may be used only in connection with NIIS activities. We do not sell personal data to, or share it with, such partners or others for the purposes of their direct marketing or advertising, except with the users' consent.

3.6        Unless stipulated otherwise, the criterion NIIS uses to define the storage time for Personal Data is the relevant statutory retention period. Once this period has expired, the data is deleted, provided that it is not required for the fulfilment or initiation of a contract.

3.7        NIIS may transfer to, and store the data we collect in, countries other than the country in which the data was originally collected, including the United States or other destinations outside the European Economic Area ("EEA"). Those countries may not have the same data protection laws as the country in which the data was provided. When personal data is transferred to other countries, we will protect the data as described in this procedure and comply with applicable legal requirements providing adequate protection for the transfer of data to countries outside the EEA.

4        The obligations of NIIS

4.1        NIIS will process the data only according to documented guidelines.

4.2        NIIS ensures the protection of personal data through taking all kinds of organisational, physical and IT security measures and through strict confidentiality and security rules. NIIS confirms that all necessary measures have been taken to protect personal data. The processing of personal data is limited to the minimum required for the purposes of the processing of personal data.

4.3        NIIS will only allow access to personal data to suitably trained employees of NIIS and, if necessary, to the Processor, who have the right to process personal data only to the extent necessary to achieve the purposes of processing personal data. NIIS keeps records of the use of data and of the Processors.

4.4        After the provision of the data processing services ends, upon termination of the services, or upon receiving a corresponding request from the data subject, NIIS deletes or returns all personal data and deletes the existing copies, unless the law requires the retention of the data.

4.5        All provisions which are related to the relations between NIIS and the Processor and which are not stated herein are either agreed separately between NIIS and the Processor or regulated in the General terms and conditions of NIIS Contracts.

4.6        NIIS is liable for compliance with the requirements of the Personal Data Protection Act of the Republic of Estonia and the EU General Data Protection Regulation.

5        Protection of the rights of the data subject

5.1        The data subject has the right to access the personal data held about him/her by NIIS and to receive further information on the processing of his/her personal data. The data subject has the right to correct and update his/her personal data and to ask that NIIS change or update the data, including where he/she believes such data is inaccurate or incomplete.

5.2        The data subject has the right to submit complaints regarding the processing of his/her personal data at any time, including requiring the termination of the processing of personal data concerning him/her, the termination of the disclosure or the granting of access to personal data and/or the deletion, correction or destruction of the data collected.

5.3        The data subject has the right to obtain from NIIS restriction of processing, where one of the following applies:

5.3.1       the accuracy of the personal data is contested by the data subject, for a period enabling the controller to verify the accuracy of the personal data;

5.3.2       the processing is unlawful, and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;

5.3.3       the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defence of legal claims;

5.3.4       the data subject has objected to processing according to GDPR Article 21(1) pending the verification whether the legitimate grounds of the controller override those of the data subject.

5.4        The data subject shall have the right to receive any personal data concerning the person, which the person has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided.

5.5        The data subject shall have the right to request the erasure of personal data concerning him/her without undue delay, and the Controller shall have an obligation to erase personal data without undue delay where one of the following grounds applies:

5.5.1       the personal data are no longer necessary concerning the purposes for which they were collected or otherwise processed;

5.5.2       the data subject withdraws consent on which the processing is based according to point 2.1 and where there is no other legal ground for the processing;

5.5.3       the data subject objects to the processing, and there are no overriding legitimate grounds for the processing;

5.5.4       the personal data have been unlawfully processed;

5.5.5       the personal data have to be erased for compliance with a legal obligation in applicable law to which the controller is subject.

5.6        The data subject has the right to choose whether to receive from NIIS information and promotions for our services, and also whether his/her personal data is shared with third persons so that they can send the data subject offers and promotions about their products and services.

5.7        If the data subject has used the right of restriction of processing, NIIS has the right to retain the data but not process the data.

5.8        NIIS shall communicate any rectification or erasure of personal data or restriction of processing carried out following GDPR Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed unless this proves impossible or involves disproportionate effort. NIIS shall inform the data subject about those recipients if the data subject requests it.

5.9        If the data subject finds that NIIS has violated his/her rights in the processing of personal data, or if he/she wishes to have his/her data deleted, he/she has the right to request that NIIS terminate the violation or delete the data.

5.10        The data subject has the right at any time to seek the protection of his/her rights from the Estonian Data Protection Inspectorate or the Harju County Court, if this is not in contradiction with the law.

6        The data protection officer

6.1        NIIS shall appoint a data protection officer.

6.2        The data protection officer may be a staff member of the Controller or Processor or fulfil the tasks based on a service contract. The data protection officer may perform other tasks and duties. NIIS shall ensure that any such tasks and duties do not result in a conflict of interests.

6.3        NIIS shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

6.4        NIIS shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

6.5        The data protection officer shall have at least the following tasks:

6.5.1       to inform and advise NIIS and the employees who carry out the processing of their obligations according to data protection provisions;

6.5.2       to monitor compliance with GDPR, with Personal Data Protection Act of the Republic of Estonia and with any policies of NIIS if applicable concerning the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

6.5.3       to provide advice where requested as regards the data protection impact assessment and monitor its performance;

6.5.4       to cooperate with the supervisory authority;

6.5.5       to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation and to consult, where appropriate, concerning any other matter.

6.6        The data protection officer shall in the performance of his/her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of the processing.

6.7        NIIS shall support the data protection officer in performing the tasks referred to in 6.5 by providing resources necessary to carry out those tasks and access to personal data and processing operations and to maintain his/her expert knowledge.

6.8        NIIS shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall not be dismissed or penalised by the Controller or the Processor for performing his/her tasks. The data protection officer shall directly report to the Management Board of NIIS.

6.9        Data subjects may contact the data protection officer concerning all issues related to the processing of their personal data and the exercise of their rights under the law.

6.10        The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his/her tasks, following the applicable law.

7        Guidelines in case of a personal data breach

7.1        A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A personal data breach includes breaches that are the result of both accidental and deliberate causes.

7.2        A personal data breach occurs when any personal data is lost, destroyed, corrupted or disclosed; when someone accesses the data or passes it on without proper authorisation; or when the data is made unavailable, for example when it has been encrypted by ransomware or accidentally lost or destroyed.

7.3        Personal data breaches can include: access by an unauthorised third party; deliberate or accidental action (or inaction) by a controller or Processor; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; loss of availability of personal data.

7.4        In the case of a personal data breach, NIIS shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

7.5        The Processor shall notify the Controller within 24 hours after becoming aware of a personal data breach.

7.6        The notification about the breach referred to above shall at least:

7.6.1       describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned, and the categories and approximate number of personal data records concerned;

7.6.2       communicate the name and contact details of the data protection officer or another contact point where more information can be obtained;

7.6.3       describe the likely consequences of the personal data breach;

7.6.4       describe the measures taken or proposed to be taken by the Controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;

7.6.5       Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

7.6.6       The Controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

7.7        NIIS must document each incident. NIIS may be asked to demonstrate how it, as a data controller, complies with its data breach notification obligations.

8        Use of cookies

8.1        Cookies are small text files which allow users/visitors to be recognised. The browser stores them on the visitor's computer.

8.2        In several places on the websites www.niis.org and x-road.global, cookies are used for several purposes, which are described below.

8.3        The cookie-related information is not used to identify the website visitor personally, and the pattern data is entirely under the control of NIIS.

8.4        There are several ways for the visitor to manage cookies and other tracking technologies. Through browser settings, the website visitor can accept or decline cookies or set the browser to prompt the visitor before accepting a cookie from the website visited. To do so, please follow the instructions provided by the visitor's browser, which are usually located within the "Help" or "Preferences" menu. If the visitor uses different devices in different locations, the visitor will need to ensure that each browser is adjusted to suit his/her preferences. A visitor should be aware that some features of the website may not work as intended if the visitor disables cookies entirely. Removing or rejecting browser cookies does not necessarily affect third-party Flash cookies, which may be used by our partners or by us in connection with our Services. To delete or disable Flash cookies, please visit https://helpx.adobe.com/flash-player/kb/disable-local-shared-objects-flash.html for more information. For further information about cookies, including how to see what cookies have been set on the visitor's device and how to manage and delete them, visit youradchoices.com and, for EU visitors, youronlinechoices.eu.

8.5        The cookies that may be used on NIIS websites fall into the five categories described below. These descriptions can help a visitor determine if and how he/she would like to interact with our websites and other online services.

8.5.1       Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.

8.5.2       Preference cookies enable a website to remember information that changes the way the website behaves or looks, such as the visitor's preferred language or the region the visitor is in.

8.5.3       Statistics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.

8.5.4       Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual visitor and thereby more valuable for publishers and third-party advertisers.

8.5.5       Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.

8.6        The following table sets out the different categories of cookies that NIIS uses and why we use them.

9        Web analytics tool Google Analytics and video provider YouTube

9.1        The NIIS website uses, if the visitor agrees, Google Analytics, a web analytics service provided by Google, Inc. ("Google"). Google Analytics uses "cookies", which are text files placed on the visitor's computer, to help the website analyse how users use the site. The information generated by the cookie about the visitor's use of the website will be transmitted to and stored by Google on servers in the United States. This cookie is only set if the visitor has agreed to tracking by clicking on the cookie banner.

9.2        When IP anonymisation is activated on this website, the visitor's IP address will be truncated within the area of the Member States of the European Union or other parties to the Agreement on the European Economic Area. Only in exceptional cases will the complete IP address first be transferred to a Google server in the USA and truncated there. IP anonymisation is active on this website. Google will use this information on behalf of the operator of this website for the purpose of evaluating the visitor's use of the website, compiling reports on website activity for website operators and providing them with other services relating to website activity and internet usage.

9.3        The IP address that the visitor's browser conveys within the scope of Google Analytics will not be associated with any other data held by Google. Users may refuse the use of cookies by selecting the appropriate settings in their browser. However, we point out that if they do this, they may not be able to use the full functionality of this website. Users can also opt out from being tracked by Google Analytics, with effect for the future, by downloading and installing the Google Analytics Opt-out Browser Add-on for their current web browser: tools.google.com/dlpage/gaoptout.

9.4        The following Google Analytics link can be used as an alternative to the browser add-on, or within browsers on mobile devices: "Set Google Analytics Opt-Out-Cookie". It prevents logging by Google Analytics within this website in future (the opt-out only works in the browser and only for this domain). An opt-out cookie will be stored on the visitor's device. If users delete these cookies in this browser, they must click on this link again. The data is deleted after 14 months.

9.5        NIIS uses the provider YouTube LLC, 901 Cherry Avenue, San Bruno, CA 94066, USA, represented by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA, for the integration of videos into our website. Usually, as soon as a visitor calls up a page containing embedded videos, the visitor's IP address is sent to YouTube and cookies are installed on the visitor's computer. However, the advanced data protection mode is enabled for the YouTube videos integrated into the site, which means that in this case, although YouTube contacts the Google service DoubleClick, personal data is not evaluated in accordance with the Google Privacy Policy. If the visitor clicks on the video, his/her IP address will be sent to YouTube and YouTube will learn that the visitor has watched the video. If the visitor is logged in to YouTube, this information will also be assigned to the visitor's user account (this can be prevented by logging out before watching the video). For more information, refer to the YouTube Privacy Policy at https://policies.google.com/privacy?hl=en. The DoubleClick service by Google Inc., 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA ("Google") is used within the scope of the integration. DoubleClick uses cookies to ensure that only adverts relevant to the user are displayed. During this process, the requesting browser is assigned a pseudonymous identification number (ID) to verify which advertisements appeared in this browser and which adverts were clicked on. The cookies do not contain personal information. Ultimately, DoubleClick cookies are only used to display adverts based on previous visits to our web pages or other web pages on the Internet. Google transfers the information generated by the cookies to a server in the USA, where it is saved and used for evaluation purposes. Google only transfers data to third parties if statutory regulations require this, or within the scope of processing order data.

10        Further information

10.1        The user is aware of the fact that, even with the current state of technology, privacy for data transmissions on the Internet cannot be guaranteed. In this respect, users themselves are responsible for the security of the data they transmit online. Our users' trust is important to us. Therefore, NIIS is more than willing to answer questions concerning the processing of personal data. If questions arise that are not answered by this procedure for the use of data and data processing, or if users wish to receive more detailed information on some point, they should not hesitate to contact us at the following email address: [email protected].