GENERAL PRIVACY POLICY OF THE MEDIA COMPANIES OF MM GROUP
The general privacy policy of the media companies of MM Group (hereinafter: MMG Privacy Policy) provides an overview of the principles of processing personal data at the media companies of the Group and of how personal data are processed. In addition, the Policy sets out the rights of the data subjects and all other terms and conditions relating to the processing of personal data, which apply to the media companies across the Group. The specifications for the processing of personal data at the media companies of the Group (hereinafter: Controller) can be found in the privacy policy or privacy statement of each respective Media Company, available on the website of each Media Company (see section 2.1 below) or by clicking on the logos here:POSTIMEES GRUPP AS:
DUO MEDIA NETWORKS OÜ:
POSTIMEHE KIRJASTUS AS:
MAAPORTAAL OÜ:
PMG LABOR OÜ:
If the Data Subject uses the services of a Media Company, visits the websites or participates in campaigns or raffles organised by the Controller or has otherwise disclosed his or her personal data to the Controller, this MMG Privacy Policy applies to the processing of the personal data of the Data Subject.
Definitions
The terms below are defined with the meanings used in the MMG Privacy Policy. The terms may also be defined within the text of the MMG Privacy Policy.
1.1 The terms concerning personal data are used with the meanings set out in the EU General Data Protection Regulation 2016/679 (hereinafter: GDPR).
1.2 A Data Subject is a natural person who can be directly or indirectly identified by the Controller through the processing of the data;
1.3 A User is the Controller’s client who has registered a user account with the Controller; for example, a registered user account of an online newspaper reader.
1.4 A Client is any legal or natural person who uses the services of the Controller or has shown an interest in using the services (a potential client);
1.5 A Visitor is a person using the website of the Controller.
1.6 Cookies are data files that are stored on the device of a Visitor of the website.
1.7 A Child, for the purposes of the provision of information society services in Estonia, is a person under 13 years of age who cannot give consent to processing.
1.8 A Contract is a service provision contract, or any other contract signed between the Controller and the Client, including the terms of use and other applicable procedures, policies and conditions.
1.9 The Controller / Media Company is an MM Group company operating in the field of journalism and/or other media. Media Companies may have special rights and obligations in the processing of personal data based on the regulations of the respective field and the protection of the freedom of expression. MM Group Media Companies are listed in clause 2.1.
1.10 MMG Privacy Policy is this privacy policy which sets out the general principles of and procedure for processing the personal data at MM Group Media Companies. It is necessary for a Data Subject to review the MMG Privacy Policy in order to obtain information about the processing of personal data. If a Data Subject does not want his or her personal data to be processed in the manner set out in the MMG Privacy Policy, the Data Subject must refrain from using the services of the Controller, as the Controller may not be able to provide the services to the Data Subject without processing the Data Subject’s personal data.
1.11 Services are all services and products provided by the Controller.
1.12 A Website is the website of an MM Group company, i.e. the Controller, and includes its sub-domains, as well as the social media pages and mobile applications of the Controller (if any).
1.5 A Visitor is a person using the website of the Controller.
1.6 Cookies are data files that are stored on the device of a Visitor of the website.
1.7 A Child, for the purposes of the provision of information society services in Estonia, is a person under 13 years of age who cannot give consent to processing.
1.8 A Contract is a service provision contract, or any other contract signed between the Controller and the Client, including the terms of use and other applicable procedures, policies and conditions.
1.9 The Controller / Media Company is an MM Group company operating in the field of journalism and/or other media. Media Companies may have special rights and obligations in the processing of personal data based on the regulations of the respective field and the protection of the freedom of expression. MM Group Media Companies are listed in clause 2.1.
1.10 MMG Privacy Policy is this privacy policy which sets out the general principles of and procedure for processing the personal data at MM Group Media Companies. It is necessary for a Data Subject to review the MMG Privacy Policy in order to obtain information about the processing of personal data. If a Data Subject does not want his or her personal data to be processed in the manner set out in the MMG Privacy Policy, the Data Subject must refrain from using the services of the Controller, as the Controller may not be able to provide the services to the Data Subject without processing the Data Subject’s personal data.
1.11 Services are all services and products provided by the Controller.
1.12 A Website is the website of an MM Group company, i.e. the Controller, and includes its sub-domains, as well as the social media pages and mobile applications of the Controller (if any).
General information
The general information section sets out information on the application of the MMG Privacy Policy, the companies that follow the Privacy Policy, their contacts (the contacts of the Controllers), and on how the MMG Privacy Policy and the Privacy Policies / Privacy Statements of the Controllers are related to each other.
2.1 Controllers, and contact information. The following MM Group Companies, i.e. Controllers, are guided by the MM Group Privacy Policy:
2.1.1. Postimees Group – Postimees Grupp AS (registry code 10184643, address Tartu mnt 80, 10112 Tallinn; general contact: postimeesgrupp@postimeesgrupp.ee; contact for data protection matters: isikuandmed@postimeesgrupp.ee), and group companies - (registry code, address Tartu mnt 80, 10112 Tallinn); the information and contacts are available at https://www.postimeesgrupp.ee/kontakt/;
2.1.2. Duo Media Networks OÜ (registry code 16077430, address Tartu mnt 80, Tallinn 10112; general contact and contact for data protection matters: info@duomedia.tv);
2.1.3. Maaportaal OÜ (incl. the trademark Soov.ee) (registry code 14619329, address Tartu mnt 80, 10112 Tallinn; general contact: info@maaportaal.ee; contact for data protection matters: isikuandmed@postimeesgrupp.ee)
2.1.4. PMG Labor OÜ (incl. the trademark Ypsilon) (registry code 16193277, address Tartu mnt 80, 10112 Tallinn; general contact: toimetus@ypsilon.ee; contact for data protection matters: isikuandmed@postimeesgrupp.ee)
2.1.5. Postimehe Kirjastus OÜ (registry code 16259326, address Tartu mnt 80, 10112 Tallinn; general contact: kirjastus@postimees.ee; contact for data protection matters: isikuandmed@postimeesgrupp.ee)
The Controllers are part of the MM Group. MM Group is a group consisting of parent, subsidiary and affiliate companies. Group companies may share personal data with other group companies, provided that there is a legal basis.
2.2 The roles in processing. As a whole, the Controller is the chief processor when providing its Services. In case of any exceptions to the roles concerning processing, these exceptions are set out in the Controller’s Privacy Policy / Privacy Statement which has been made available to the Data Subject.
2.3 Substantive application. The Controller is guided by the MMG Privacy Policy, taking into account the specific terms and conditions arising from its own particulars (i.e. the Controller’s Privacy Policy / Privacy Statement) whenever personal data are processed; for example, in the processing of personal data in a contractual relationship between the Controller and the Client. The employees and cooperation partners who have access to the personal data processed by the Controller are guided by the rights and obligations set out in the MMG Privacy Policy.
2.4 General exceptions to application. All principles and rights of the Data Subject set out in the MMG Privacy Policy cannot always be applied to the full extent. In applying data protection principles, the Controller must take into account the rights and principles of others. The rights of the Data Subject are not absolute and there may be preconditions for their fulfilment. For example, in the case of personal data contained in the articles published in the publications of the Media Companies and in other journalistic content, each principle and right of the Data Subject must be applied taking into account that the Media Company processes such data by exercising the right to freedom of expression and information, and for journalistic purposes.
2.5 MMG Privacy Policy and the Controller’s Privacy Policy / Privacy Statement. The Controller complies with the MMG Privacy Policy to the maximum extent applicable to it. In the event of conflicts between the MMG Privacy Policy and the Controller’s Privacy Policy / Privacy Statement, the Controller will follow the provisions of its own Privacy Policy / Privacy Statement.
2.6 Social media and third-party links. Links on the Controller’s website or in the Controller’s social media may direct the Data Subject to websites the use of and processing of personal data on which are governed by the terms and conditions of their respective service providers, including the privacy policy. Personal data are processed in the social media channels of the Controller in accordance with the privacy policy of the Controller and the provider of the respective platform.
Principles relating to processing of personal data
This section sets out the principles relating to the processing of personal data, which are always followed by the Controllers when processing personal data.
3.1 Principles of processing. In processing personal data, the Controller follows the requirements set out in the GDPR and in the applicable legislation. The Controller aims to process personal data in a transparent and secure manner. In the processing of personal data, the Controller observes the following eight principles:
(a) lawfulness – there is a basis for processing, and the processing is fair and transparent;
(b) purposefulness – personal data are collected for specific, clearly defined and legitimate purposes and are not subsequently processed in a manner which is in conflict with these purposes;
(c) collection of as little data as possible (data minimisation) – the personal data processed are relevant, significant and limited to what is necessary for the purpose of their processing;
(d) accuracy – the personal data are correct and, where necessary, updated, and reasonable measures have been taken to ensure that inaccurate personal data are erased or rectified;
(e) storage limitation – personal data are stored in a format which allows identification of the Data Subjects only for as long as it is necessary for the purpose of processing;
(f) integrity and confidentiality – processing is carried out in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using reasonable technical or organisational measures;
(g) data protection by design and by default – the Controller uses appropriate data protection measures at all times, including when developing new products and services;
(h) verifiability and accountability – the Controller’s objective is to always be able to demonstrate compliance with the above principles.
(d) accuracy – the personal data are correct and, where necessary, updated, and reasonable measures have been taken to ensure that inaccurate personal data are erased or rectified;
(e) storage limitation – personal data are stored in a format which allows identification of the Data Subjects only for as long as it is necessary for the purpose of processing;
(f) integrity and confidentiality – processing is carried out in a manner that ensures appropriate security of personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using reasonable technical or organisational measures;
(g) data protection by design and by default – the Controller uses appropriate data protection measures at all times, including when developing new products and services;
(h) verifiability and accountability – the Controller’s objective is to always be able to demonstrate compliance with the above principles.
Categories of Data Subjects, and the personal data processed
This section lists the Data Subjects and the categories of the personal data processed.
4.1 Categories of Data Subjects. The Controller processes several categories of Data Subjects, i.e.: Clients (natural persons), potential clients; natural person representatives of Clients (legal persons) and cooperation partners (including e.g. employees), Users i.e. Clients who have registered an account, employees of the Controllers, Website Visitors; visitors of programs and other (journalistic) content, participants, authors, interviewees; for the personal data of children, see Chapter 5.
4.2 Categories of personal data. The Controller collects personal data as follows:
4.2 Categories of personal data. The Controller collects personal data as follows:
(a) the personal data disclosed to the Controller by the Data Subject (e.g. when registering an account, signing a contract, placing an order, writing comments, leaving reviews/ratings; the personal data disclosed in programs, articles and interviews);
(b) the data generated in the performance of and in enabling the performance of a contract (e.g. address for delivery of goods, personal identification details for entering into the contract and ensuring performance to the right person);
(c) the personal data generated by using the Services (e.g., using the self-service, using the account, using the functions of the Service);
(d) the personal data arising from the interaction between the Data Subject and the Controller (e.g. in providing the customer support function, fulfilling orders, resolving complaints);
(e) the personal data clearly disclosed by the Data Subject (e.g. in social media);
(f) the personal data generated as a result of visiting and using the Website (e.g. the data collected by cookies);
(g) the personal data received from third parties (e.g. from payment service providers about the success of a payment; from cooperation partners about the successful identification of a person. Please note! The Controller cannot know or process the passwords, PIN-codes, etc. of the personal identification systems provided to the Data Subject by third parties);
(h) the personal data added to the personal data generated by the Controller and/or transmitted by the Data Subject (e.g. information on the use of the Service, interaction with customer support, purchase history).
4.3 The personal data processed. The Controller has the right to collect personal data in connection with the Service and the Website, including the following data:
1) the data necessary for identification of the Data Subject: name; contact information (e-mail, telephone number), date of birth, address/location, personal identification code, gender, social media account information;
2) the data necessary for the provision of the Service: name; contact information (e-mail, phone number), date of birth, address/location, personal identification code, gender, bank account details;
3) the data relating to the activities of the User or the Client (or the principal): place of business, field of activity, representative(s), contact persons, current account number, payment/invoice information, data generated through the use of the Service (e.g. recordings, participation in programs, interviews, purchase history, participation in radio and television games, and the information disclosed therein);
4) data on the Website, data from the use of the Service and on concluding and performing a Contract: information on the use of the systems (e.g. Website, online shop, information collected through cookies), data on the interest in and use of the Services, data on the performance of the Contract (payment information, bank information) and other data related to the provision/use of the Services and the activities of the Controller;
5) data about the Controller’s place of business / location and customer service/support: video and other recording data; the Controller may also record calls, e-mails and posts from the chat function, among other things. Information about recording calls is also provided while the calls are made.
4) data on the Website, data from the use of the Service and on concluding and performing a Contract: information on the use of the systems (e.g. Website, online shop, information collected through cookies), data on the interest in and use of the Services, data on the performance of the Contract (payment information, bank information) and other data related to the provision/use of the Services and the activities of the Controller;
5) data about the Controller’s place of business / location and customer service/support: video and other recording data; the Controller may also record calls, e-mails and posts from the chat function, among other things. Information about recording calls is also provided while the calls are made.
More information on the personal data processed by the Controller can be found in the Controller’s Privacy Policy / Privacy Statement and/or in the Controller’s personal data processing register.
Processing the personal data of children
Information society services are not intended for children.
5.1 Not intended for children. The Controller’s information society services are not intended for children, or no personal data of children are collected in the framework of such services. In the case of other services of the Controller that may be intended for children and where children’s personal data may be processed, such processing will take place according to the instructions or consent of the parent or guardian or on another legal basis.
5.2 Processing without the parent’s instructions/consent If the Controller learns that personal data has been collected from or about a child without the parent’s/guardian’s instructions/consent, the Controller will stop processing such personal data as soon as possible.
Purposes and bases of processing
This section sets out the information on the purposes and bases for which the Controller may process personal data.
6.1 Contract. The Controller may process personal data upon the conclusion and performance of a Contract. The purposes of processing personal data relating to the Contract are as follows:
(a) precontractual activities necessary for entry into the Contract upon the request of the Data Subject;
(b) identification of the Client for entry into the Contract and, if necessary, for performing the Contract;
(c) performance of the Contract for the provision of the Services, including providing the Services, providing access to the content or parts of the Website, providing access to the Service or certain functions/parts of the Service;
(d) interaction with the Client, including resolution of complaints, forwarding of notices related to the performance of the Contract, responding to the Client’s inquiries;
(e) enabling the performance of the Contract by the Client, and verifying the performance thereof, e.g. ensuring the performance of the payment obligation;
(f) where appropriate, the lodging and defence of claims.
The purpose of the processing of personal data may be additionally provided for in a specific contract concluded with the Data Subject.
6.2 Consent. Based on consent, personal data are processed in accordance with the consent given, i.e. taking into account the content, scope and purposes of the consent given. Consent is voluntary, specific, and given knowingly and unambiguously. Consent may also be given to a specific act; for example, the Data Subject can make inquiries, at his or her own will, via the inquiry forms on the Website, in which case the data are processed for the purpose of responding to and providing a service to the Data Subject. The Data Subject may withdraw his or her consent at any time. The Controller may process personal data on the basis of consent, for example, in the following cases:
(a) disclosure of the data by the Data Subject for further journalistic use, e.g. a guest on a show, a comment on journalistic content, a request to publish an advertisement;
(b) displaying advertisements that are of interest to the Visitor if the Visitor has consented to having the relevant Cookies stored on his or her device;
(c) sending notifications to the Data Subject about the goods, services and discounts of the Controller and its partners, if the Data Subject has given his or her relevant consent; e.g. loyalty program offers;
(d) sending a newsletter to the Data Subject if the Data Subject has given his or her e-mail address to the Controller for this purpose or has otherwise subscribed to the newsletter;
(e) carrying out the consumer games, raffles and promotions organised by the Controller, including text message games and radio games (where appropriate), if the Data Subject has given his or her consent, for example, by participating in a social media game by sharing/liking any content (consent to the act);
(f) providing / making available a particular Service or part of a Service to the Data Subject, for which consent has been requested for the processing of personal data, such as membership in the loyalty program and the provision of functions and benefits.
6.3 Legitimate interest. Legitimate interest is the interest of the Controller in managing or administering its business in order to provide the best possible services on the market. When relying on legitimate interest, the justification of processing has been assessed in advance based on the interests of the Controller and the Data Subject. Processing on the basis of a legitimate interest may not excessively prejudice the rights of the Data Subject. The Data Subject will always have the right to object to the processing based on legitimate interest and to examine the assessment of legitimate interest. Based on legitimate interest, the Controllers may process the personal data of the Data Subject for the following purposes:
(a) the processing of personal data for journalistic purposes if it has been established that the requirements laid down by law have been met, i.e. if there is a public interest and it is in accordance with the principles of journalistic ethics and the disclosure of personal data does not excessively prejudice the rights of the Data Subject, e.g. public and covert recording, storage and use of, or disclosure of journalistic content;
(b) to comply with the know-your-customer policy, which involves processing personal data to comply with anti-money laundering and counter-terrorism requirements, or to prevent fraud;
(c) processing for organisational purposes, in particular for financial management, and in the transfer of personal data within the group for internal administrative purposes (as well as for audits and other possible supervision activities);
(d) processing the personal data of Clients for the development of the Service (better, more efficient, more relevant, better quality), including compiling and analysing the client database and using various CRM and sales planning solutions to achieve the above;
(e) processing the client database to enable marketing activities;
(f) for sending promotional offers to the Client if it can be assumed, based on the previous interest of the person, or based on the Contract signed or Service provided, that the person is interested in the respective offer, and if the person has been provided with an opportunity to opt out of the respective offers;
(g) storing the information about opting out of a promotional offer to continue complying with the respective request of the Data Subject;
(h) the processing of the personal data collected through the Website or social media or other sales channel for the further development and improvement of the Service, and the processing of Website traffic, statistics on the use of the Service, and other technical information;
(i) to organise raffles, games and campaigns (including personalised and targeted campaigns); the terms and conditions of the campaigns are set out separately;
(j) feedback and satisfaction surveys;
(k) to measure the efficiency of marketing and sales work;
(l) to establish, prove, defend and file (legal) claims, including to assign claims to third parties, e.g. to collection service providers, or to collect information from the service providers who assess creditworthiness. This also includes processing related to the detection of violations, and any activities for verifying the performance of the Contract that are not carried out under the Contract;
(m) in order to defend, prove and prepare claims/orders/actions, the Controller may record notices and orders given both in its premises and by means of communication (e-mail, telephone, etc.), as well as information and other actions, including calls to (landline) phone numbers. The employees of the Media Companies, e.g. journalists, may also record the interaction, including phone calls, in the course of the performance of their duties. Recordings may also be used for better customer support and for assuring quality of the Service.
(n) the processing of network and other identifiers to ensure information security, including the security of the Website, and the measures taken to make copies or ensure the integrity of the data;
(o) to protect the health and property of the Controller, employees, potential clients, Clients and cooperation partners, the Controller may use cameras which may also record sound, for safety and security purposes on its territory and premises. Such recordings may also be used to defend and prepare claims;
(p) archiving and storing journalistic content or the content and/or recordings of other media (radio/TV shows) (unless covered by a legal obligation).
6.4 Unforeseeable legitimate interest. The personal data of the Data Subject may also be processed where necessary in a specific case in the case of a legitimate interest of the Controller or a third party, unless such interest is overridden by the interests or fundamental rights and freedoms of the Data Subject for which the personal data must be protected. Processing can also be done on the basis of legitimate interest necessary for the protection of the vital interests of the Data Subject or another natural person.
6.5 Processing on the basis of the law. The Controller processes personal data for the performance of the obligations provided for by law. For example, the Controller is legally required to:
(a) keep accounting records;
(b) fill in and store various labour law documents;
(c) comply with the requirements for the prevention of money laundering and terrorist financing (if applicable) – this will result in the processing of personal data for identifying the Data Subject and applying other mandatory due diligence measures;
(d) transmit personal data to the competent national authorities on the basis of legitimate requests, including to archives storing journalistic content.
6.6 Processing for a new purpose. Where personal data are processed for a purpose other than the purposes for which the personal data were originally collected or further processing of the data collected based on consent is necessary, the Controller undertakes to carefully assess the admissibility of such new processing. In order to determine whether the processing for a new purpose is compatible with the purpose for which the personal data were originally collected, account will be taken, among other things, of the following:
(a) the link between the purposes for which the personal data were collected and the purposes of the intended further processing;
(b) the context in which the personal data are collected, in particular, the link between the Data Subject and the Controller;
(c) the nature of the personal data, in particular, whether special categories of personal data or personal data relating to criminal convictions and offences are processed;
(d) the possible consequences of the intended further processing for the Data Subjects;
(e) the existence of appropriate safeguards.
6.7 Primary processing relating to recruitment. If a Data Subject is employed at the Controller, the internal conditions, procedures and instructions of the Controller will apply. In the case of a job applicant, if the applicant has not been informed otherwise, the processing before entering the employment contract is based on a legitimate interest.
6.3 Legitimate interest. Legitimate interest is the interest of the Controller in managing or administering its business in order to provide the best possible services on the market. When relying on legitimate interest, the justification of processing has been assessed in advance based on the interests of the Controller and the Data Subject. Processing on the basis of a legitimate interest may not excessively prejudice the rights of the Data Subject. The Data Subject will always have the right to object to the processing based on legitimate interest and to examine the assessment of legitimate interest. Based on legitimate interest, the Controllers may process the personal data of the Data Subject for the following purposes:
(a) the processing of personal data for journalistic purposes if it has been established that the requirements laid down by law have been met, i.e. if there is a public interest and it is in accordance with the principles of journalistic ethics and the disclosure of personal data does not excessively prejudice the rights of the Data Subject, e.g. public and covert recording, storage and use of, or disclosure of journalistic content;
(b) to comply with the know-your-customer policy, which involves processing personal data to comply with anti-money laundering and counter-terrorism requirements, or to prevent fraud;
(c) processing for organisational purposes, in particular for financial management, and in the transfer of personal data within the group for internal administrative purposes (as well as for audits and other possible supervision activities);
(d) processing the personal data of Clients for the development of the Service (better, more efficient, more relevant, better quality), including compiling and analysing the client database and using various CRM and sales planning solutions to achieve the above;
(e) processing the client database to enable marketing activities;
(f) for sending promotional offers to the Client if it can be assumed, based on the previous interest of the person, or based on the Contract signed or Service provided, that the person is interested in the respective offer, and if the person has been provided with an opportunity to opt out of the respective offers;
(g) storing the information about opting out of a promotional offer to continue complying with the respective request of the Data Subject;
(h) the processing of the personal data collected through the Website or social media or other sales channel for the further development and improvement of the Service, and the processing of Website traffic, statistics on the use of the Service, and other technical information;
(i) to organise raffles, games and campaigns (including personalised and targeted campaigns); the terms and conditions of the campaigns are set out separately;
(j) feedback and satisfaction surveys;
(k) to measure the efficiency of marketing and sales work;
(l) to establish, prove, defend and file (legal) claims, including to assign claims to third parties, e.g. to collection service providers, or to collect information from the service providers who assess creditworthiness. This also includes processing related to the detection of violations, and any activities for verifying the performance of the Contract that are not carried out under the Contract;
(m) in order to defend, prove and prepare claims/orders/actions, the Controller may record notices and orders given both in its premises and by means of communication (e-mail, telephone, etc.), as well as information and other actions, including calls to (landline) phone numbers. The employees of the Media Companies, e.g. journalists, may also record the interaction, including phone calls, in the course of the performance of their duties. Recordings may also be used for better customer support and for assuring quality of the Service.
(n) the processing of network and other identifiers to ensure information security, including the security of the Website, and the measures taken to make copies or ensure the integrity of the data;
(o) to protect the health and property of the Controller, employees, potential clients, Clients and cooperation partners, the Controller may use cameras which may also record sound, for safety and security purposes on its territory and premises. Such recordings may also be used to defend and prepare claims;
(p) archiving and storing journalistic content or the content and/or recordings of other media (radio/TV shows) (unless covered by a legal obligation).
6.4 Unforeseeable legitimate interest. The personal data of the Data Subject may also be processed where necessary in a specific case in the case of a legitimate interest of the Controller or a third party, unless such interest is overridden by the interests or fundamental rights and freedoms of the Data Subject for which the personal data must be protected. Processing can also be done on the basis of legitimate interest necessary for the protection of the vital interests of the Data Subject or another natural person.
6.5 Processing on the basis of the law. The Controller processes personal data for the performance of the obligations provided for by law. For example, the Controller is legally required to:
(a) keep accounting records;
(b) fill in and store various labour law documents;
(c) comply with the requirements for the prevention of money laundering and terrorist financing (if applicable) – this will result in the processing of personal data for identifying the Data Subject and applying other mandatory due diligence measures;
(d) transmit personal data to the competent national authorities on the basis of legitimate requests, including to archives storing journalistic content.
6.6 Processing for a new purpose. Where personal data are processed for a purpose other than the purposes for which the personal data were originally collected or further processing of the data collected based on consent is necessary, the Controller undertakes to carefully assess the admissibility of such new processing. In order to determine whether the processing for a new purpose is compatible with the purpose for which the personal data were originally collected, account will be taken, among other things, of the following:
(a) the link between the purposes for which the personal data were collected and the purposes of the intended further processing;
(b) the context in which the personal data are collected, in particular, the link between the Data Subject and the Controller;
(c) the nature of the personal data, in particular, whether special categories of personal data or personal data relating to criminal convictions and offences are processed;
(d) the possible consequences of the intended further processing for the Data Subjects;
(e) the existence of appropriate safeguards.
6.7 Primary processing relating to recruitment. If a Data Subject is employed at the Controller, the internal conditions, procedures and instructions of the Controller will apply. In the case of a job applicant, if the applicant has not been informed otherwise, the processing before entering the employment contract is based on a legitimate interest.
Read more: PROCESSING OF PERSONAL DATA UPON RECRUITMENT
6.8 Based on a legitimate interest, the Controller will process the following:
6.8 Based on a legitimate interest, the Controller will process the following:
(a) the personal data provided to the Controller by the job applicant for the purpose of concluding the employment contract (e.g. CV, motivation letter, referrers);
(b) the data of the tests/interviews taken by the job applicant (if applicable) and the information received from the person indicated as a referrer and, in the absence of a referrer, the personal data received from the previous employer;
(c) the processing of the personal data collected by the Controller (e.g. personal data collected from official databases, the databases of third-party service providers and public media and social media; a background check on the job applicant).
(b) the data of the tests/interviews taken by the job applicant (if applicable) and the information received from the person indicated as a referrer and, in the absence of a referrer, the personal data received from the previous employer;
(c) the processing of the personal data collected by the Controller (e.g. personal data collected from official databases, the databases of third-party service providers and public media and social media; a background check on the job applicant).
In order to offer another position to a job applicant or offer a position that will be vacant in the future, the Controller may preserve the data of the job candidates who were not selected, for up to 2 (two) years. The data relating to the participation of an applicant in the Controller’s traineeship program will be stored for 5 (five) years for the purpose of making a job offer to the applicant.
Transfer of personal data
This section sets out the information on when the Controller may transfer personal data to its cooperation partners. There may be various processing relationships between the Controller and cooperation partners, for example, controller-processor, controller-controller. In any case, the Controller undertakes to do its best to ensure compliance with the requirements of the GDPR, including, if necessary, by means of a data processing contract.
7.1 Transfer of personal data to cooperation partners. The Controller may disclose personal data to third parties if there is a need and a legal basis (e.g. a legal obligation, legitimate interest, consent), for example:
(a) the transfer of copies to third parties for the purpose of archiving print media and audiovisual content (e.g. to the National Library);
(b) to national authorities, including supervisory, investigative and law enforcement authorities, based on law;
(c) to a payment service provider. In such case, the legal basis for transfer is the performance of the contract signed with the Data Subject (e.g. Maksekeskus AS, EveryPay AS, Zlick Ltd, Swedbank AS, AS SEB Pank, AS LHV Pank, Coop Pank AS, Luminor Bank AS);
(d) to auditors, legal advisers and other advisers where necessary to fulfil their obligations to the Controller and provided that they keep the respective data confidential. In such case, the legal basis for the transfer is the performance of the Controller’s legal obligation (e.g. in case of auditors) or the legitimate interest of the Controller to protect its rights;
(e) based on consent, the tools provided by third parties, such as Google or Facebook, may be used to register an account and log in to the account. In such case, a profile is created for the Data Subject based on the information received from such service providers, and information about the Data Subject is provided to the respective service providers;
(f) to obtain traffic, usage statistics and other non-personal technical information about the Website of a Media Company, the Media Company may forward the information about the Client, User or Website Visitor to service providers such as Google and Facebook based on the legitimate interest of the Media Companies to improve the Website and the services (if allowed by the result of the assessment of legitimate interest);
(g) to a postal service provider (i.e. including e-mail) for the delivery of orders/goods and promotional materials; to home delivery service providers. In such case, the legal basis for the transfer is the performance of the Contract entered into with the Client, the legitimate interest of the Controller or the consent of the Data Subject;
(h) to companies belonging to the same group as the Controller in order to provide the Client with the discounts applicable at the companies belonging to the group and for group-wide reporting and the development of services. In such case, the legal basis for the transfer is the Controller’s legitimate interest to provide the Service, or the Data Subject’s consent within the loyalty program;
(i) to a person engaged in debt collection, if the Data Subject has incurred arrears with the Controller. In such case, the legal basis for the transfer is the legitimate interest of the Controller to protect its rights. In a situation where the Data Subject has breached the Contract or otherwise violated the rights of the Controller, the interests and rights of the Data Subject will not override the legitimate interest of the Controller;
(j) to a company providing an accounting system;
(k) to ICT partners, i.e. providers of various technical services (e.g. providers of server space and other cloud services);
(l) to marketing partners and agencies, including advertising;
(m) to customer satisfaction and feedback service providers;
(n) to the service providers used to carry out consumer games, raffles and campaigns;
(o) to payment default registers and invoicing service providers.
7.2 Information about cooperation partners. The Data Subject has the right to request more detailed information about the cooperation partners used by the Controller to whom the personal data of the Data Subject have been transferred, by contacting the Controller at the contact information given (see Section 2.1).
7.3 Transfer of personal data to processors. Personal data are transferred to the persons specified in clause 7.1 (who are processors) provided that the processing has a legal basis and purpose and the processing is carried out in accordance with the instructions given by the Controller and an agreement been concluded for the processing of personal data.
7.4 Processing in the EEA. In the context of standard processing, the Controller will not transfer personal data outside the European Economic Area (EEA). If the transfer of personal data outside the EEA is necessary, the Controller will operate according to the options set out in Chapter V of the GDPR and will transfer the personal data out of the EEA only if there is a relevant basis and the mechanism set out in Chapter V is applicable, e.g. if the European Commission has decided that adequate protection is guaranteed in the relevant country or that the EU Standard Contractual Clauses agreed to or that any other appropriate option specified in Chapter V applies.
Personal data storage, and the security of processing
This section sets out information on the storage of personal data and on the general protection measures.
8.1 The storage of personal data. Personal data will be stored only for the time necessary for the purpose of processing, for the protection of the Controller’s rights, or for the period required by legislation. If the storage period has elapsed, the Controller will permanently delete or anonymise the data (or organise these procedures). Depending on the purpose of the processing, personal data will be stored in accordance with the Controller’s Privacy Policy / Privacy Statement and/or in accordance with the register for processing operations (if made available). By default, the following storage principles will apply:
(a) accounting documents: in accordance with the law, e.g. order letters and advertisements for 1 year; all accounting and financial documents for 7 years from the end of the relevant financial year as required by law; staff documents as required by law, for example, employment contracts for 55 years;
(b) the personal data relating to the Contract: 10 years from the expiry of the Contract, based on the maximum limitation period in case of intentional violation;
(c) data of a Client: 3 years after the end of the client relationship; up to 10 years in the case of a legal dispute or a risk thereof, or until the end of the dispute.
(d) data on Cookies: according to the Cookie policy / information about Cookies on the Website;
8.2 Criteria for determining the storage period of journalistic content for Media Companies. The storage of journalistic content is closely linked to the freedom of the media and the press. The notes or recordings of a journalist of a Media Company may be necessary years later to create new journalistic content, to resolve disputes or provide evidence in court or at other authorities. The material collected for the production of journalistic content is deleted if 10 years have elapsed from the disclosure of the journalistic content, i.e. when the Media Company and journalist can be sure that the statement can no longer be subject to (court) disputes and the Media Company and the journalist are convinced that the material is no longer necessary for any articles of future public interest or for other content.
8.3 General security. The Controller has established, or group-wide guidelines and procedural rules are in place that help ensure the security of personal data. The Controller implements appropriate technical measures as well. Among other things, the following is done to ensure security and confidentiality:
(a) access to personal data is granted only if it is necessary for the performance of work duties, for example, and if the person and the Controller have the right to do so;
(b) the Controller may process the personal data transferred to it only for the purposes and to the extent necessary for the provision of the services specified in the Contract;
(c) software solutions are in place to ensure a level of security that meets the market standard.
8.4 Security incident. In case of a security incident concerning personal data, i.e. a personal data breach within the meaning of Article 33 of the GDPR, the Controller will take the necessary measures to mitigate the consequences and manage the relevant risks in the future. The Controller will register all incidents or will have all risks registered, and will notify the Data Protection Inspectorate and the Data Subject directly or publicly (e.g. through national media) if required under the GDPR.
Rights of the Data Subject with regard to personal data
The personal data of the Data Subject belong to the Data Subject and this section sets out the information on the rights of the Data Subject in the protection of his or her personal data.
9.1 General rights of a Data Subject. The rights of the Data Subject with regard to the processing of personal data:
(a) right of information – the Controller undertakes to provide the Data Subject with information as to whether the personal data of the Data Subject are being processed, and to provide/refer to mandatory information pursuant to Article 13 or 14 of the GDPR;
(b) right of access and right to obtain a copy – the Data Subject may request access to and/or a copy of his or her personal data. The Client who is a User may be allowed to access the personal data collected by the Controller in the Controller’s self-service (if possible);
(c) right to rectification – the Data Subject has the right to request the rectification of inaccurate personal data. The User may be allowed to rectify incorrect data in the Controller’s self-service;
(d) right to request restriction of processing – the Data Subject has the right to request the restriction of processing if the processing of personal data is not permitted by law or if the Data Subject temporarily objects to the admissibility of processing;
(e) right to portability – the Data Subject has the right to receive the personal data concerning him or her in a machine-readable format or to request that the personal data be sent to a new service provider, provided that the prerequisites established in the GDPR are met;
(f) right to object – the Data Subject has the right to object to the processing of personal data if the processing is based on public interest or legitimate interest, including processing for direct marketing purposes;
(g) right to erasure – the Data Subject has the right to request the erasure of personal data if the prerequisites provided in the GDPR are met, for example, by withdrawing the consent given to processing and by requesting erasure (except where the Controller has an overriding interest in further processing, e.g. in order to defend legal claims);
(h) rights regarding automated processing, including profiling – the Data Subject has the right to object, demand human intervention and information on the logic of making automated decisions. For the sake of clarity, if the Controller uses automated decision-making or profiling, this is set out in the Controller’s Privacy Policy / Privacy Statement;
(i) right to contact a supervisory authority – the Data Subject has the right to contact a supervisory authority of his or her place of residence with regard to the processing of his or her personal data if the Data Subject has doubts as to the lawfulness of the processing;
(j) right to claim compensation for damages – the Data Subject has the right to claim compensation for any damages caused to him or her, and the right to have recourse to the courts, among other things.
9.2 Rights of the Data Subject regarding consent. The Data Subject has the right to withdraw his or her consent at any time. Upon withdrawal of the consent, the Controller may no longer process the personal data on the basis of the consent, but the withdrawal of the consent does not affect the lawfulness of the processing prior to the withdrawal. If provided with the option, the Data Subject can manage the consents given to the Controller in the self-service or by writing to the Controller’s e-mail address (see clause 2.1).
9.3 Nature of the rights. All data protection principles and rights of the Data Subject cannot always be applied to the full extent. In applying each principle and right of the Data Subject, account must be taken of other possible personal and other rights and the prerequisites for the exercise of such right. Before the Data Subject can exercise a right, the Controller has the right to assess the prerequisites for the exercise of the respective right and to not allow the Data Subject to exercise the right if the prerequisites are not complied with. Furthermore, in the case of Media Companies, it must be taken into account that a Media Company processes personal data by exercising the right to freedom of expression and information, and for journalistic purposes, which must be weighed against any possible opposing interests of the Data Subject, if necessary.
(j) right to claim compensation for damages – the Data Subject has the right to claim compensation for any damages caused to him or her, and the right to have recourse to the courts, among other things.
9.2 Rights of the Data Subject regarding consent. The Data Subject has the right to withdraw his or her consent at any time. Upon withdrawal of the consent, the Controller may no longer process the personal data on the basis of the consent, but the withdrawal of the consent does not affect the lawfulness of the processing prior to the withdrawal. If provided with the option, the Data Subject can manage the consents given to the Controller in the self-service or by writing to the Controller’s e-mail address (see clause 2.1).
9.3 Nature of the rights. All data protection principles and rights of the Data Subject cannot always be applied to the full extent. In applying each principle and right of the Data Subject, account must be taken of other possible personal and other rights and the prerequisites for the exercise of such right. Before the Data Subject can exercise a right, the Controller has the right to assess the prerequisites for the exercise of the respective right and to not allow the Data Subject to exercise the right if the prerequisites are not complied with. Furthermore, in the case of Media Companies, it must be taken into account that a Media Company processes personal data by exercising the right to freedom of expression and information, and for journalistic purposes, which must be weighed against any possible opposing interests of the Data Subject, if necessary.
Exercise of the rights, and the filing of claims
This section sets out information on how to exercise rights and what preconditions may need to be fulfilled.
10.1 Exercise of rights:
a. The Data Subject may submit questions, requests and complaints concerning the processing of his or her personal data to the contact details of the Controller as provided in clause 2.1;
a. The Data Subject may submit questions, requests and complaints concerning the processing of his or her personal data to the contact details of the Controller as provided in clause 2.1;
b. To get initial answers and exercise certain rights, the User may use the Controller’s self-service (if available).
10.2 Prerequisites relating to the right of erasure. The Data Subject has the right to request the erasure of personal data if one of the following grounds exists:
(a) the personal data are no longer necessary for the purpose for which they were collected or otherwise processed;
(b) the Data Subject withdraws his or her consent to the processing of personal data and there is no other legal basis for the processing of the personal data;
(c) the Data Subject objects to the processing of personal data based on the legitimate interest of the Controller, and there are no overriding legitimate grounds for the processing;
(d) the Data Subject objects to the processing of personal data for direct marketing purposes;
(e) if the Controller has sent direct marketing messages to the Data Subject based on a legitimate interest (same and/or similar Services), the Data Subject will have the right, both upon the initial collection of the contact information and upon the receipt of an offer, to prohibit the use of his or her contact information for direct marketing purposes by contacting the Controller by e-mail (see clause 2.1) or by clicking on the opt-out hyperlink at the end of the offer e-mail;
(f) the personal data have been processed unlawfully;
(g) the personal data must be deleted in order to comply with a legal obligation of the Controller;
(h) the personal data of a child under 13 years of age processed on the basis of consent.
The Controller is not required to delete personal data if there is no basis for doing so or the processing is necessary in order to fulfil a legal obligation, or to prepare, submit or defend legal claims, or there is another legal basis for the further processing of personal data. In the case of Media Companies, the right of refusal may also be derived from the exercise of the right to freedom of expression and information.
10.3 Rights of the Controller regarding the exercise of the rights of the Data Subject. The Controller may request identification of the Data Subject before exercising the rights. This is necessary to ensure the security of personal data and to avoid the exercise of rights of the Data Subject by anyone else. The Controller has the right to verify the prerequisites for exercising a right (arising from the GDPR or other regulation). The Controller undertakes to respond to a request by the Data Subject within 1 month and to inform the Data Subject of whether and what measures the Controller has taken to resolve the request. If the request is complex or comprehensive, the Controller may extend the deadline for replying by 2 months. If the Controller does not take measures based on the request of the Data Subject, the Controller will inform the Data Subject of the reasons for not taking measures and introduces the option of filing a complaint with the Data Protection Inspectorate or turning to a court for the protection of his or her rights. If the requests of the Data Subject are clearly unfounded or excessive, in particular due to their repetitive nature, the Controller may either charge a reasonable fee or refuse to take the measures requested.
10.4 Options for submitting complaints. The Data Subject has the right to turn to the Controller, the Data Protection Inspectorate or a court with the complaint. The contact details of the Data Protection Inspectorate can be found here: https://www.aki.ee/et/inspektsioon-kontaktid/tootajate-kontaktid.
10.2 Prerequisites relating to the right of erasure. The Data Subject has the right to request the erasure of personal data if one of the following grounds exists:
(a) the personal data are no longer necessary for the purpose for which they were collected or otherwise processed;
(b) the Data Subject withdraws his or her consent to the processing of personal data and there is no other legal basis for the processing of the personal data;
(c) the Data Subject objects to the processing of personal data based on the legitimate interest of the Controller, and there are no overriding legitimate grounds for the processing;
(d) the Data Subject objects to the processing of personal data for direct marketing purposes;
(e) if the Controller has sent direct marketing messages to the Data Subject based on a legitimate interest (same and/or similar Services), the Data Subject will have the right, both upon the initial collection of the contact information and upon the receipt of an offer, to prohibit the use of his or her contact information for direct marketing purposes by contacting the Controller by e-mail (see clause 2.1) or by clicking on the opt-out hyperlink at the end of the offer e-mail;
(f) the personal data have been processed unlawfully;
(g) the personal data must be deleted in order to comply with a legal obligation of the Controller;
(h) the personal data of a child under 13 years of age processed on the basis of consent.
The Controller is not required to delete personal data if there is no basis for doing so or the processing is necessary in order to fulfil a legal obligation, or to prepare, submit or defend legal claims, or there is another legal basis for the further processing of personal data. In the case of Media Companies, the right of refusal may also be derived from the exercise of the right to freedom of expression and information.
10.3 Rights of the Controller regarding the exercise of the rights of the Data Subject. The Controller may request identification of the Data Subject before exercising the rights. This is necessary to ensure the security of personal data and to avoid the exercise of rights of the Data Subject by anyone else. The Controller has the right to verify the prerequisites for exercising a right (arising from the GDPR or other regulation). The Controller undertakes to respond to a request by the Data Subject within 1 month and to inform the Data Subject of whether and what measures the Controller has taken to resolve the request. If the request is complex or comprehensive, the Controller may extend the deadline for replying by 2 months. If the Controller does not take measures based on the request of the Data Subject, the Controller will inform the Data Subject of the reasons for not taking measures and introduces the option of filing a complaint with the Data Protection Inspectorate or turning to a court for the protection of his or her rights. If the requests of the Data Subject are clearly unfounded or excessive, in particular due to their repetitive nature, the Controller may either charge a reasonable fee or refuse to take the measures requested.
10.4 Options for submitting complaints. The Data Subject has the right to turn to the Controller, the Data Protection Inspectorate or a court with the complaint. The contact details of the Data Protection Inspectorate can be found here: https://www.aki.ee/et/inspektsioon-kontaktid/tootajate-kontaktid.
Cookies and other web technologies
This section sets out general information on the Cookies or other technologies used on the Website, and on how the Data Subject can control the use of such technologies. The Controller may have its own Cookie policy, in which case more information is provided in that policy and/or in the Cookie solution on the respective Controller’s website.
11.1 Application of the Cookie Policy. This section on the use of Cookies (hereinafter: Cookie Policy) describes the Cookies and other similar technologies used on the Websites of the Controllers. If the Controller’s Website applies separate terms and conditions for the use of Cookies, the respective terms and conditions must be followed. The peculiarities of the Media Companies that create journalistic content through their services are pointed out separately, i.e. the Websites of Postimees Group and Duo Media Networks (“Controller providing journalistic content”).
11.2 Liability for third-party cookies. The Controller is not liable for third-party Cookie technologies. Third parties and their privacy policies are listed at the bottom of the Website in the description of the Cookie preferences (if enabled) or in the special terms and conditions of the respective Controller.
11.3 Persistence of cookies. Cookies may be divided according to the time for which they are stored:
11.3.1. temporary or session Cookies – allow linking the activities of a Visitor temporarily during a browsing session of the same browser, i.e. from the opening of the browser window until closing, or for up to 4 hours after the last page view;
11.3.2. persistent Cookies – stored on the Visitor’s device permanently for the period specified within the Cookie and activated each time a Visitor visits the website from which the Cookie was stored.
11.4 Cookie installers. Cookies may be divided according to their ownership as follows:
11.4.1. first-party Cookies – originate from the website viewed. Websites may use these Cookies to store information that will be reused the next time the website is visited. For the purposes of processing personal data, a first-party Cookie is installed by the controller (or any of its processors) who manages the website visited;
11.4.2. third-party Cookies – originate, for example, from advertisements by other websites located on the website visited by the user. For the purposes of processing personal data, a third-party Cookie is installed by the controller, who is different from the operator of the website visited.
11.5 Types of Cookies. Data collected by Cookies, and classification of such data according to the general purpose of storage:
11.5.1. necessary / essential Cookies – essential for navigating on a website, using its functions and providing the services selected by Visitors. If these Cookies are not installed, the website and the services requested by the Visitor cannot be provided to the Visitor.
11.2 Liability for third-party cookies. The Controller is not liable for third-party Cookie technologies. Third parties and their privacy policies are listed at the bottom of the Website in the description of the Cookie preferences (if enabled) or in the special terms and conditions of the respective Controller.
11.3 Persistence of cookies. Cookies may be divided according to the time for which they are stored:
11.3.1. temporary or session Cookies – allow linking the activities of a Visitor temporarily during a browsing session of the same browser, i.e. from the opening of the browser window until closing, or for up to 4 hours after the last page view;
11.3.2. persistent Cookies – stored on the Visitor’s device permanently for the period specified within the Cookie and activated each time a Visitor visits the website from which the Cookie was stored.
11.4 Cookie installers. Cookies may be divided according to their ownership as follows:
11.4.1. first-party Cookies – originate from the website viewed. Websites may use these Cookies to store information that will be reused the next time the website is visited. For the purposes of processing personal data, a first-party Cookie is installed by the controller (or any of its processors) who manages the website visited;
11.4.2. third-party Cookies – originate, for example, from advertisements by other websites located on the website visited by the user. For the purposes of processing personal data, a third-party Cookie is installed by the controller, who is different from the operator of the website visited.
11.5 Types of Cookies. Data collected by Cookies, and classification of such data according to the general purpose of storage:
11.5.1. necessary / essential Cookies – essential for navigating on a website, using its functions and providing the services selected by Visitors. If these Cookies are not installed, the website and the services requested by the Visitor cannot be provided to the Visitor.
The data stored by essential Cookies depend on the specific Cookie. In general, Cookies store changes to the privacy settings selected by the Visitor, about the services the User wishes to use (i.e. information about the Services), or to log into the Services (i.e. storing the User’s ID, etc.), identify malicious use of the Website (i.e. information about it), distinguish between the User and bots, and collect necessary information about the use of the Website. This category also includes the Cookies used for the display and processing of non-personalised advertising, as the Services of a Controller providing journalistic content could not be provided without advertising;
11.5.2. statistical / performance Cookies – collect information about how Visitors use the websites, such as which websites they visit most often and what error messages they receive from the websites. For personalised analytics Cookies, see the description of the last Cookie type. Some of the information collected will be aggregated and anonymised. The purpose of these Cookies is to improve the functioning of the websites.
11.5.2. statistical / performance Cookies – collect information about how Visitors use the websites, such as which websites they visit most often and what error messages they receive from the websites. For personalised analytics Cookies, see the description of the last Cookie type. Some of the information collected will be aggregated and anonymised. The purpose of these Cookies is to improve the functioning of the websites.
Statistical Cookies collect data about the visit and use of websites (including which (sub)pages and parts of a website were opened). For example, information is collected about the Visitor’s device / user interaction / experience on the website (e.g. error messages, etc.), the IP address and location information of the User’s device. Analytical Cookies cannot access IP addresses;
11.5.3. preference / functional Cookies – these Cookies allow remembering the choices (such as text size, other customisable features of the website) made by the Visitor, and the attributes (such as user name, language or country of location of the User), in order to provide more personalised and convenient ways to use the website;
11.5.3. preference / functional Cookies – these Cookies allow remembering the choices (such as text size, other customisable features of the website) made by the Visitor, and the attributes (such as user name, language or country of location of the User), in order to provide more personalised and convenient ways to use the website;
Although separate from essential Cookies, preference Cookies are necessary to ensure that the Visitor is displayed the appropriate solution. The data stored depend on the specific Cookie. As a general rule, technical data on the Visitor’s device is collected to determine the appropriate video quality, record the choices made by the user (e.g. text size, other customisable features of the website), and attributes (e.g. user name, language, country of location). Preference Cookies are also decisive in the sense of the Media Services Act in the performance of the obligation to ensure accessibility (e.g. displaying page contrast selection options for the visually impaired).
11.5.4. (personal) advertising Cookies (including personal analytics, tracking cookies) – these Cookies allow us to show a Visitor personalised advertisements and to carry out market research and analysis using the data obtained about the Visitor’s behaviour and interests. The data obtained may be shared with advertising networks and advertising service providers.
11.5.4. (personal) advertising Cookies (including personal analytics, tracking cookies) – these Cookies allow us to show a Visitor personalised advertisements and to carry out market research and analysis using the data obtained about the Visitor’s behaviour and interests. The data obtained may be shared with advertising networks and advertising service providers.
Personalised advertising Cookies and personal analytics cookies collect information about the Visitor’s visit to and use of the websites (i.e. about interests and behaviour) in order to show advertisements that are presumably of interest to the Visitor (information about the use of the websites by the User), information about the advertisements already shown and “interaction” with them (i.e. whether the person has opened any advertisements/offers, etc.), information about the Visitor’s device (to identify, for example, on a new visit), etc.. Advertising Cookies are also understood as social media Cookies in the part that does not apply to the Visitor, only because the Visitor wants to share the content.
11.6 The purposes of Cookies. The Controllers use the types of Cookies described above on the Websites for the following purposes:
11.6.1. for the smooth operation of the Websites and the provision of the Service;
11.6.2. to increase the user-friendliness and accessibility of the Websites;
11.6.3. to show advertisements;
11.6.4. to pay journalists fair remuneration in case of Controllers providing journalistic content – statistical, analytical and advertising (including personalised advertising) Cookies are used. Statistical Cookies are essential for measuring the need for and popularity of the content created which, in turn, partially affects the wages of a journalist. Advertising Cookies are also directly related to the income of a journalist. A reduction in the use of advertising Cookies automatically means less information paid for, which is used to pay wages to a journalist;
11.6.5. to improve content/service – statistical and analytics Cookies allow improving content according to the number of views. This provides the journalist with essential information on what people are currently interested in;
11.6.6. if necessary, the personal data collected by Cookies will be used as evidence in court or other law enforcement agencies (for example, to demonstrate one’s data protection processes).
11.7 Legal bases for the use of Cookies. The Controllers install Cookies either on the basis of consent, for the performance of a contract or on the basis of a legitimate interest. Legitimate interest is relied on by the Controllers providing journalistic content.
11.7.1. Consent. The Controllers request consent to the use of Cookies on their Website. The Controllers providing journalistic content ask Users of general content and special paid content for their consent to the use of personal advertising Cookies.
11.7.2. Legitimate interest and performance of ta contract. In addition to consent, the Controllers providing journalistic content may use both a legitimate interest and a contract as legal grounds, based on the type of Cookies:
(a) essential cookies – as essential Cookies are necessary for the provision of the Service and without them, the Service cannot be provided, consent to the use of these Cookies is not required. Essential Cookies are automatically enabled and cannot be disabled. The basis for processing is either a legitimate interest or a contract, if the use of the Cookie is necessary for the performance of a contract between the Visitor and the Controller providing journalistic content.
11.6 The purposes of Cookies. The Controllers use the types of Cookies described above on the Websites for the following purposes:
11.6.1. for the smooth operation of the Websites and the provision of the Service;
11.6.2. to increase the user-friendliness and accessibility of the Websites;
11.6.3. to show advertisements;
11.6.4. to pay journalists fair remuneration in case of Controllers providing journalistic content – statistical, analytical and advertising (including personalised advertising) Cookies are used. Statistical Cookies are essential for measuring the need for and popularity of the content created which, in turn, partially affects the wages of a journalist. Advertising Cookies are also directly related to the income of a journalist. A reduction in the use of advertising Cookies automatically means less information paid for, which is used to pay wages to a journalist;
11.6.5. to improve content/service – statistical and analytics Cookies allow improving content according to the number of views. This provides the journalist with essential information on what people are currently interested in;
11.6.6. if necessary, the personal data collected by Cookies will be used as evidence in court or other law enforcement agencies (for example, to demonstrate one’s data protection processes).
11.7 Legal bases for the use of Cookies. The Controllers install Cookies either on the basis of consent, for the performance of a contract or on the basis of a legitimate interest. Legitimate interest is relied on by the Controllers providing journalistic content.
11.7.1. Consent. The Controllers request consent to the use of Cookies on their Website. The Controllers providing journalistic content ask Users of general content and special paid content for their consent to the use of personal advertising Cookies.
11.7.2. Legitimate interest and performance of ta contract. In addition to consent, the Controllers providing journalistic content may use both a legitimate interest and a contract as legal grounds, based on the type of Cookies:
(a) essential cookies – as essential Cookies are necessary for the provision of the Service and without them, the Service cannot be provided, consent to the use of these Cookies is not required. Essential Cookies are automatically enabled and cannot be disabled. The basis for processing is either a legitimate interest or a contract, if the use of the Cookie is necessary for the performance of a contract between the Visitor and the Controller providing journalistic content.
(b) statistical Cookies – the use of statistical / analytics Cookies is essential in the business of a Controller providing journalistic content in order to create journalistic content. In the case of these Cookies, the processing is based on a legitimate interest and the Visitor can disable the respective Cookies.
(c) preference Cookies – although Cookies are not strictly necessary for the technical functioning of the service, preference Cookies are essential to provide the Visitor with an appropriate service and to ensure basic user convenience, given that the respective Cookies generally store the preferences regarding language, video quality, page size, etc. Similarly, enabling preferences by default is necessary in the interests of accessibility, to allow the best possible access to the pages in accordance with the WCAG 2.1 accessibility standard for websites. The use of preference Cookies is based on a legitimate interest and the Visitor can disable these Cookies.
(d) personal advertising Cookies (including personal analytics, tracking cookies) – the basis for processing is either the Visitor’s consent or a legitimate interest. These cookies are not automatically enabled; the Visitor gives his or her consent to the use of personal advertising Cookies, or the use of advertising Cookies may be requested to provide free access to certain content (i.e. a specific story) (processing based on a legitimate interest).
11.8 The particulars of social media. We would like to point out that in the case of Cookies related to social media services, the Controller cannot guarantee that personal data will not be transferred to the United States of America. For example, Facebook has declared that data on persons in the European Union are stored in Europe, but the Court of Justice has found the opposite in the case known as Schrems II (C-3111/18)). With regard to Facebook-related Cookies, the data collected are anonymous for the Controller, but are stored and processed by Facebook. Facebook can link these data to your Facebook account and use them for advertising purposes in accordance with Facebook’s data processing rules (https://www.facebook.com/about/privacy/) both on and off the Facebook platform. If you do not wish to have your data transferred to Facebook, you have the right not to grant, or withdraw, your consent for processing based on consent and, in the case of processing based on a legitimate interest, you have the right to object to processing. You can also disable further processing from your Internet browser http://networkadvertising.org/choices.
11.9 Managing cookies. The Controllers allow Visitors to manage the use of Cookies and to enable and disable Cookies by type (except for essential Cookies). The Visitor can change his or her preferences at any time by clicking on the Cookie Preferences link at the bottom of the Website (if applicable). For more information on how to manage cookies in your browser, visit:
· Internet Explorer: http://support.microsoft.com/kb/278835
· Chrome: https://support.google.com/chrome/answer/95647?hl=en
· Firefox: http://support.mozilla.org/en-US/kb/Clear%20Recent%20History
· Opera: https://www.opera.com/help/tutorials/security/privacy/
· Safari: http://support.apple.com/kb/PH5042
· Chrome: https://support.google.com/chrome/answer/95647?hl=en
· Firefox: http://support.mozilla.org/en-US/kb/Clear%20Recent%20History
· Opera: https://www.opera.com/help/tutorials/security/privacy/
· Safari: http://support.apple.com/kb/PH5042
Information about the MMG Privacy Policy
This section sets out the validity of and amendments to the MMG Privacy Policy.
12.1 Right to make changes. The Controller may need to change the Privacy Policy due to changes in legislation, in the Controller’s personal data processing processes, or in the instructions given by supervisory authorities or courts. The Controller has the right to unilaterally change the Privacy Policy. The data subjects will be notified of significant changes on the website and/or in other ways.
12.2 Changes. Latest changes to and entry into force of the MMG Privacy Policy:
Publication: 5 October 2022
Entry into force: 5 October 2022
Main changes: New version 1.0
12.3 Earlier version. The earlier Privacy Policy of Postimees Grupp AS is available HERE.
12.3 Earlier version. The earlier Privacy Policy of Postimees Grupp AS is available HERE.
General Privacy Policy of the Media Companies of MM Group