
Principles for the Processing of Personal Data

1. General

1.1 The principles for the processing of personal data describe the general rules of processing personal data by Stell pursuant to the conditions provided by law.
1.2 Terms
Personal data - any data that allow the identification of a person (for example, name, personal identification code, photo, address or other data specified in the Personal Data Protection Act). See section 4 of the Personal Data Protection Act.
Processing of personal data - any activity performed with personal data. See section 5 of the Personal Data Protection Act.
1.3 Personal data collected and processed by Stell are protected by an access restriction.
1.4 In addition to the law, the processing of personal data also follows:
• the procedure of processing personal data (form 114)
• the recruitment procedure (form 409)

2. Job applications and appointments

2.1 All documents linked to applying for a job contain personal data (such as an application with accompanying documents, correspondence with a candidate, information about the candidate collected from public sources). Stell presumes that the applicant has adhered to the Personal Data Protection Act in presenting the data of other people in their documents, and that Stell has, for example, the right to contact the persons designated as recommenders in the documents.
2.2 A candidate has the right to know what kind of data Stell has collected on them, to access the data, and to provide their own explanations. When a candidate applies for a position at Stell, personal data are collected on the candidate and processed by persons working in the relevant positions. All documents linked to a person’s application process have restricted access. Information about a person’s participation in the application process is also not to be disclosed.
2.3 Documents linked to the application are registered in the WebDesktop document management software. Documents containing data are retained pursuant to the document retention periods in the list of documents provided in the procedure of processing personal data. Additional documents collected by Stell that have been documented but not registered are destroyed when no longer needed.

3. Concluded contracts and client data

3.1 Stell takes all precautionary measures (including administrative, technical and physical measures) to protect personal data.
3.2 Access to contracts entered into with natural persons and/or personal data obtained during the provision of service that may compromise a person’s privacy when disclosed (such as contact details) is only granted to persons involved in the relevant process.
3.3 To perform contractual obligations, Stell also processes client data we receive from our cooperating partners who are involved in the contracts between Stell and its clients. Client data required to perform contractual obligations include postal addresses, invoices, phone numbers to contact the client, and other sensitive data related only to that person.
3.4 The law is followed in the collection of personal data and data are collected to the extent that is necessary to perform contracts and to provide better service to clients.
3.5 Client contracts and data related to the provision of service (acts, orders, etc.) are entered into the Sales Logix client management software, which can be accessed only within Stell. Data are processed only to the extent that is necessary to perform tasks.

4. Forwarding personal data to another institution or person

Documents with limited access are forwarded only to those institutions and persons who have a direct right and a valid need (need to know basis) to apply for the documents pursuant to the law (such as a body conducting pre-trial proceedings or a court, the police, a bailiff, a guardianship authority, an auditor, a supervisory authority, etc.).

5. The right to access one’s data and to request the correction of incorrect data

5.1 Everyone has the right to access their personal data that Stell has collected, acquaint themselves with the purpose for the processing of data and the (reasoning behind) retention periods. In order to exercise these rights, one must file a signed request with the human resources department.
5.2 To communicate personal data to a private person, Stell must confirm the identity of the person who filed the request for information. Data are issued in the manner desired by the requester within 30 days of receiving the request.
5.3 Stell does not issue personal data to the person who filed the request for information if it is impossible to avoid disclosing the data of other persons in the process. If possible, the requester is issued an extract of the document where the personal data of other persons has been redacted. Data are not issued without a legal basis.
5.4 Every person has the right to get confirmation that their personal data is processed without consent within the employment relationship and only with written permission outside the employment relationship (for publishing photos and other information in a magazine, for example).
5.5 Every person has the right to object to the processing of their personal data, including demanding that the processing of their personal data be terminated, that the disclosing of or allowing access to their personal data be terminated, and/or that the collected data be deleted or destroyed, if such a right arises from the Personal Data Protection Act or other legal act. Everyone has the right to demand that their personal data be transferred, and a right to withdraw their consent for processing their data at any time.
5.6 If a natural person finds that their rights have been violated by Stell in processing personal data, they have the right to file a request with Stell to terminate the violation.
5.7 Every person has, at all times, the right to turn to the Estonian Data Protection Inspectorate or the court to protect their personal data rights.
5.8 If Stell no longer has a legal basis to use a person’s personal data, the person may demand the use of data to be terminated or the data to be deleted before the prescribed term (generally one year).

6. Retention of personal data

6.1 Employment contracts, personal information forms and other personnel data are retained pursuant to the requirements provided by law and the procedure of processing personal data.
6.2 After the retention period has expired, documents/data are deleted or destroyed; any other personal data are also destroyed when no longer needed.

7. Notification obligation

7.1 Stell is required to notify data subjects of:

• every personal data processing breach, if it may cause discrimination, identity theft or fraud, financial or reputational damage, loss of confidentiality of personal data protected by professional secrecy, other types of economic or social damage, or if a person may be deprived of their rights, liberties or control over their personal data.

• amendment or deletion of personal data or restricting the processing of personal data.

7.2 The notification will occur within 72 hours of becoming aware of the breach or amendment.