This Privacy Notice describes how AS Postimees Grupp (hereinafter the Service Provider, we, us) processes personal data on behalf of and for the benefit of the data controller (the business customer, hereinafter the Client) when the Client uses the EuDDN platform (hereinafter the Platform) as a tool for managing its digital content (hereinafter the Content) and related data.
In addition, this Privacy Notice describes situations where the Service Provider acts as an independent data controller in connection with the provision and operation of the Platform (e.g. customer relationship management, billing, platform security). More detailed information about such data processing is provided in section 1.3 and in the General Privacy Policy.
When using the Platform and determining the purposes and means of processing personal data through the Platform, the Client acts as the data controller. The Service Provider acts as a data processor on the basis of the Client's documented instructions (for example, the agreement concluded between the parties), unless otherwise required by applicable law.
- Data controller and data processor
- Data controller is the business customer that uses the Platform and determines which personal data are processed on the Platform, for what purposes and on which legal basis.
- Data processor (also: Service Provider) is AS Postimees Grupp, registry code 10184643, address Tartu mnt 80, Tallinn 10112, Estonia, email: legal@postimeesgrupp.ee. For data protection matters, the email address is: isikuandmed@postimeesgrupp.ee.
- Service Provider as an independent data controller
- In certain cases, the Service Provider acts as an independent data controller in relation to the Platform, in particular when it:
- concludes and performs agreements with the Client (management of the customer relationship and billing);
- ensures the security of the Platform and related IT systems (including logging and monitoring based on its legitimate interest);
- develops and improves the Platform;
- fulfils obligations arising from legal acts (e.g. accounting and tax obligations);
- exercises its rights and legal remedies (e.g. in case of breaches of contract, security incidents and attacks).
- Within this scope, the Service Provider independently determines the purposes and means of processing personal data and is responsible, as data controller, for the lawfulness of the processing.
- Information on data processing carried out by the Service Provider as data controller (including the purposes of processing, categories of personal data, data disclosures, data subjects' rights and the procedure for exercising them, etc.) is provided in the General Privacy Policy.
- Categories of personal data processed
- As data processor, the Service Provider may process the following categories of personal data via the Platform, which the Client provides or makes available through the Platform:
- Client user account data:
a) name of the Client's Platform users (hereinafter: Users);
b) role (e.g. main user, regular user);
c) work email address;
d) name of the Client's organisation/company.
- Authentication and access data:
a) username (email address);
b) password (in encrypted form);
c) roles and access rights (including association with accounts and rights to manage Content).
- Technical data related to the use of the Platform:
a) logs of Users' activities (e.g. user ID, user name, making changes, uploading and publishing Content);
b) User settings and preferences on the Platform.
- Data related to third-party platform integrations:
a) metadata about third-party business or professional accounts connected by the Client (e.g. social media or other platforms allowing automated publication of Content);
b) technical authorisations, tokens and configurations necessary for transmitting Content and retrieving statistics via third-party platform APIs;
c) information on the publication of transmitted Content (e.g. publication time, status, statistics of views and other metrics).
- Content and personal data that may be contained in it
a) Content and related information that the Client or a User uploads to, stores on, manages or transmits via the Platform (e.g. videos, images, descriptions, titles, metadata, etc.);
b) personal data that may appear in the Content (e.g. images of individuals, voices, names, social media account data). The nature and scope of such data processing are determined by the Client;
c) the Platform is intended for managing Content created for business or professional purposes. The Platform is not intended for managing, storing or publishing personal, private or purely private-life videos. If such Content is nonetheless processed via the Platform, the Client is solely responsible for this as data controller.
d) The Platform is not intended for the systematic processing of special categories of personal data (GDPR Art. 9) or data relating to criminal offences (GDPR Art. 10). If the Client decides to process such data via the Platform, the Client is solely responsible for ensuring a valid legal basis and appropriate additional safeguards.
- Purposes of processing personal data and legal bases
- Service Provider as data processor.
The Service Provider processes personal data only for the following purposes and to the extent necessary to enable the use of the Platform in accordance with the agreement concluded with the Client and the Client's instructions:
- Provision of Platform functionality
- authentication and authorisation of the Client and Users;
- management of user accounts and roles;
- technical uploading, storage, processing and transmission of Content;
- transmission of Content via APIs of third-party environments and platforms and embedding via iframes, in accordance with the Client's decisions and instructions.
- Ensuring service operation and technical support:
- monitoring the proper functioning of the Platform;
- detecting and resolving faults, errors and malfunctions;
- maintenance and development of the Platform (which may include the use of anonymised or aggregated data).
- Security and prevention of misuse
- implementation of security measures agreed with the Client.
- The Service Provider does not use for its own purposes the personal data that it processes via the Platform for the purposes set out in section 3.1, unless this has been separately agreed with the Client or is directly required by law.
- Legal basis for processing personal data
- The legal basis for processing personal data via the Platform is determined by the Client as data controller.
- The Client undertakes to:
- determine the legal basis for each category of personal data (e.g. employee data, data of cooperation partners, data of data subjects contained in the Content processed via the Platform);
- provide data subjects (e.g. its employees and other data subjects) with the information required under Articles 13–14 of the GDPR, including, where necessary, notifying them that the Service Provider is used as a data processor;
- ensure that the Platform is used in compliance with applicable law (including legislation on the protection of personal data) and with the terms of service of third-party platforms.
- The Service Provider relies on the instructions given by the Client for data processing and assumes that the Client has issued such instructions within the limits of applicable law.
- Sources of personal data
- The Service Provider obtains personal data mainly:
- directly from the Client or from Users of the Platform when they create and use accounts on the Platform (e.g. registration, settings);
- indirectly, when the Client integrates the Platform with third-party services (e.g. social media accounts connected via an API or other integrations) and such services transmit data to the Platform;
- through Content, related entered information and metadata that the Client or Users upload to the Platform.
- Disclosure and recipients of personal data
- As data processor, the Service Provider discloses personal data only on the basis of the Client's documented instructions and to the extent necessary for the operation of the Platform.
- Third-party platforms based on the Client's instructions
- When the Client connects third-party services to the Platform (e.g. social media platforms or other environments), the Service Provider transfers personal data (including Content, related data and metadata) to such platforms to the extent necessary for:
- publishing and distributing Content as determined by the data controller;
- receiving statistics or other information provided by third-party platforms into the Platform.
- On such third-party platforms, personal data are processed in accordance with those platforms' own privacy terms and terms of use. The Client is responsible for the lawfulness of such data transfers (including where data are transferred outside the EEA) and for properly informing data subjects.
- Disclosures required by law
Where required by applicable law (e.g. a binding request from a court, supervisory authority or law enforcement authority), the Service Provider may be obliged to disclose personal data even without the Client's instructions. Where possible, the Service Provider will notify the Client of such disclosure before or immediately after the disclosure, unless prohibited by law.
- Retention and deletion of data on behalf of the Client
- Platform data (Content, related data, metadata, account data)
- As a general rule, data stored on the Platform on behalf of the Client are retained for the duration of the agreement concluded with the Client.
- After termination of the agreement, the Service Provider deletes the Content stored on the Platform, accounts and the Client's and Users' data within 30 calendar days, unless otherwise agreed with the Client or unless a retention obligation arises from legal acts.
- The Client can also delete personal data itself within the possibilities provided on the Platform.
- Backups
- Where agreed in the agreement with the Client, the Platform data are backed up under the terms agreed.
- Backups are deleted or overwritten in accordance with what is agreed in the contract. Selective deletion of data from backups may not be technically feasible, but backups are used only to restore the service in the event of a failure or security incident, or in other cases agreed in the contract.
- Security and usage logs
- The Service Provider retains security and usage logs for a reasonable period of time necessary to:
- ensure the security and reliability of the Platform;
- detect and investigate incidents;
- substantiate potential contractual or legal claims.
- Exact retention periods may be set out in the Service Provider's internal procedures or in the agreement concluded with the Client.
- The Service Provider may retain certain logs and contract-related data for a longer period in order to substantiate its legal claims, in accordance with statutory limitation periods.
- Security measures
- The Service Provider applies appropriate technical and organisational security measures to protect personal data processed on the Platform against accidental and unlawful destruction, loss, alteration, unauthorised disclosure or unauthorised access.
- In providing the service, content delivery networks (CDN) are used, through which streaming content and related technical data are transmitted.
- The security measures applied by the Service Provider include, among other things:
- access to personal data is granted only to authorised persons;
- personal data are transmitted between the user's device, the Service Provider's systems and the CDN via encrypted connections;
- limited logging is used to ensure the security and reliability of the service, including for detecting technical events and potential security incidents;
- measures are implemented to ensure the availability of the services;
- the effectiveness of the applied security measures is periodically assessed.
- All security measures are applied in line with the nature of the data processing and the related risks.
- Additional security measures may be agreed in the data processing agreement concluded with the Client.
- Use of cookies and other web technologies on the Platform
- The Platform uses strictly necessary cookies that are required for the technical functioning of the Service and for ensuring security.
- The cookies used protect the website from security attacks, store information about the logged-in User's active session to maintain the login status while navigating between pages, and, if the User so wishes, allow the logged-in status to be remembered.
- These cookies are not used for other purposes (e.g. creating profiles, tracking activities for marketing purposes, or collecting statistics).
- If the User disables strictly necessary cookies in their browser settings, some functions of the Platform may not function correctly.
- Rights of data subjects
- The primary contact point for data subjects' rights (e.g. access, rectification, erasure) is the Client as data controller. The Client undertakes to inform data subjects of their rights under the GDPR and the means of exercising those rights.
- For processing activities where the Service Provider is the data controller (see section 1.3 and the General Privacy Policy), data subjects can exercise their rights by contacting us at isikuandmed@postimeesgrupp.ee.
- Amendments to this Privacy Notice and processing conditions
- The Service Provider is entitled to update this Privacy Notice and the conditions of data processing.
- The updated Privacy Notice will be published on the Platform and/or on the Service Provider's website.
- The Service Provider will inform the Client, in the manner and through the channels agreed in the contract (e.g. by email), of any material changes that may affect the Client's or data subjects' rights (e.g. changes to the purposes of processing, addition of new categories of personal data, engagement of new subprocessors).