Data Privacy Policy
ULTIMATEMARKET INTERNATIONAL OÛ CUSTOMER DATA PRIVACY POLICY
Date of Issue: 29.11.2023
(According to the GDPR Data Protection Regulation)
- Data Controller
The data controller for the register is Ultimatemarket International Oü (registration number 12339672).
Contact person for registry matters: Kari Rosendahl
ONLINE STORE:
Ultimatemarket International Oü
Business ID: 12339672
Postal Address: Tööstuse tn 6, 76505 Keila
Location: Keila
Phone: +358 2 2590 200
Email: info@ultimatemarket.com
- Name of the Register
The register’s name is the Ultimatemarket International Oü customer register. - Purpose of Processing Personal Data
Personal data is processed for purposes related to customer relationship management, administration, and development, providing and delivering services, as well as service development and invoicing. Personal data is also processed for handling complaints and other claims as needed.
Additionally, personal data is processed for customer communications, such as information and news, as well as marketing, including direct marketing and electronic direct marketing. The customer has the right to opt-out of direct marketing.
The data controller processes data directly and utilizes subcontractors on behalf of the controller for processing. Payment processing information for the online store is transferred to a server authorized by Maksekeskus AS.
- Legal Basis for Processing
The legal bases for processing personal data are the following grounds under the EU General Data Protection Regulation (GDPR):
- The data subject has given consent to the processing of their personal data for one or more specific purposes (GDPR Article 6(1)(a));
- Processing is necessary for the performance of a contract to which the data subject is a party or to take steps at the request of the data subject prior to entering into a contract (GDPR Article 6(1)(b));
- Processing is necessary for the purposes of the legitimate interests pursued by the data controller or a third party (GDPR Article 6(1)(f)).
The aforementioned legitimate interest is based on the relevant and appropriate relationship between the data subject and the data controller, resulting from the data subject being a customer of the data controller and when processing is for purposes reasonably anticipated by the data subject at the time of data collection and in connection with that relationship.
- Content of the Register (Categories of Personal Data Processed)
The register includes the following personal data for each registered individual:
- Basic personal and contact details: first name, last name, address, phone number, email address;
- Information related to the individual's company or organization and the individual’s position or job title in that company or organization;
- Direct marketing permissions and prohibitions.
- Regular Data Sources
Personal data is collected directly from the individual. Data is also collected and updated from publicly available sources, as permitted by applicable laws, in connection with the customer relationship between the data controller and the data subject, enabling the data controller to fulfill customer relationship obligations. - Data Retention Period
Data collected in the register is retained only as long and to the extent necessary for the original or compatible purposes for which the personal data was collected.
The necessity of retaining personal data is assessed every five years, and in any case, data on an individual will be deleted from the register ten years after the termination of the customer relationship, provided that obligations related to the customer relationship are completed. For example, accounting documents are kept for five years after the end of the financial year.
The data controller regularly assesses the necessity of retaining data in accordance with internal guidelines. Additionally, the data controller takes reasonable measures to ensure that inaccurate, erroneous, or outdated personal data are deleted or corrected without delay.
- Recipients of Personal Data (Recipient Categories) and Regular Transfers of Data
Personal data is not disclosed to third parties. - Data Transfer Outside the EU or EEA
Personal data contained in the register is not transferred outside the EU or EEA. - Principles of Register Protection
Materials containing personal data are stored in locked facilities accessible only to designated and authorized individuals.
The database containing personal data is on a server located in a locked facility, accessible only to designated and authorized individuals. The server is protected by an appropriate firewall and technical security.
Access to databases and systems is restricted to users with personal usernames and passwords. The data controller has limited access rights and authorizations to data systems and other storage platforms, so that only those necessary for lawful processing can view and handle the data. Additionally, activities in the databases and systems are recorded in the data controller’s IT system logs.
Employees of the data controller and other individuals are committed to confidentiality and to keeping personal data confidential.
- Rights of the Data Subject
The data subject has the following rights under the EU General Data Protection Regulation:
- The right to obtain from the data controller confirmation as to whether or not personal data concerning them is being processed and, if such data is being processed, access to the personal data and the following information: (i) the purposes of the processing; (ii) the categories of personal data concerned; (iii) the recipients or categories of recipients to whom the personal data has been or will be disclosed; (iv) the envisaged period for which the personal data will be stored, if possible, or the criteria used to determine that period; (v) the right to request rectification or erasure of personal data or restriction of processing or to object to processing; (vi) the right to lodge a complaint with a supervisory authority; (vii) if the personal data has not been collected from the data subject, any available information as to its source (GDPR Article 15). These basic details (i)-(vii) are provided to the data subject on this form;
- The right to withdraw consent at any time without affecting the lawfulness of processing based on consent before its withdrawal (GDPR Article 7);
- The right to have inaccurate or incomplete personal data rectified or completed by providing additional information in relation to the purposes for which the data were processed (GDPR Article 16);
- The right to have the data controller erase personal data without undue delay, provided that (i) the personal data is no longer necessary for the purposes for which it was collected or otherwise processed; (ii) the data subject withdraws consent, and there is no other legal basis for the processing; (iii) the data subject objects to the processing and there are no overriding legitimate grounds; (iv) the personal data has been unlawfully processed; or (v) the personal data must be erased to comply with a legal obligation (GDPR Article 17);
- The right to restrict processing where (i) the accuracy of the personal data is contested, processing is restricted for a period enabling the controller to verify the accuracy; (ii) the processing is unlawful, and the data subject opposes the erasure and requests restriction instead; (iii) the data controller no longer needs the personal data, but the data subject requires it for the establishment, exercise, or defense of legal claims; or (iv) the data subject has objected to processing pending verification of whether the controller’s legitimate grounds override those of the data subject (GDPR Article 18);
- The right to receive the personal data provided by the data subject in a structured, commonly used, and machine-readable format and the right to transmit that data to another data controller if the processing is based on consent and carried out automatically (GDPR Article 20);
- The right to lodge a complaint with a supervisory authority if the data subject believes that the processing of personal data concerning them infringes the GDPR (GDPR Article 77).
Cookies
Adjust cookie settings.
Requests regarding the exercise of the rights of the data subject should be addressed to the contact person of the data controller specified in section 1 by email at info@ultimatemarket.com