** NOTICE: You can find our Privacy Agreement translated into Spanish here. Please note that the legally binding version of this Privacy Agreement is in the English language. **
The Companies are subject to Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (hereinafter ‘General Data Protection Regulation’).
We process personal data only for the purpose of providing products and services to our clients and ensuring the proper operation of all the functions of all their means of work.
We process the personal data of our employees, representatives and contact persons of clients and, if necessary, users of the Companies’ means of work (more information is available in section 2 ‘Controller’).
The Companies also process data on behalf of their clients who are controllers (more information is available under heading ‘Processor’). Data subjects whose data is processed by the Companies are also referred to as ‘natural persons’ in this Privacy Notice.
If the Companies determine the purposes, means and extent of processing of personal data, they are the controller.
We only process the personal data of representatives of clients to perform Our contractual obligations and provide high quality services to Our clients. The legal basis for processing is Our legitimate interest, meaning our interest in the management and direction of our business in order to be able to offer the best possible services on the market; and/or the performance of a contract concluded with a data subject or the taking of pre-contractual measures as requested by a data subject to ensure the proper provision of Our services or the sale of goods. We only process the personal data of job applicants to assess their competence and suitability. If data is processed for said purpose, the legal basis for processing is legitimate interest or the data subject’s consent, as the case might be.
We generally collect personal data directly from data subjects, which means representatives of clients, natural persons and employees of corporate customers who buy and use Our products and services as well as job applicants, Our employees, subcontractors and so on.
The Companies do not process special categories of personal data, for example sensitive personal data. We process the following personal data:
We are interested in providing the best possible user experience and service to Our end-users. Therefore it is possible that We will share personal data to e‑resident store OÜ.
We may share certain categories of personal data with Our cooperation and business partners if it is necessary for providing Our services, lawful and in compliance with the applicable personal data protection law. In that case We may share personal data only in connection with providing products or services to Our clients. The legal basis for such processing of personal data is Our legitimate interest.
We share personal data that is required for payment processing, with our authorized data processor.
In cases provided by law, the police, the Tax Board and other authorities may require Us to disclose certain categories of personal data. The Companies provide the personal data of natural persons to authorities only in compliance with applicable law. In that case, the legal basis for processing of personal data is the performance of an obligation arising from the law.
The Sunny Companies generally do not offer their products and services to new clients by way of mass posting and/or mass messages. However, if at times it is deemed necessary to send messages to a target client group or to current clients, you can always opt out by:
Data subjects have the right to request access to, rectification or erasure of their personal data or restriction of processing and to object to processing as well as the right to data portability. Data subjects also have the right to lodge a complaint with a supervisory authority.
Should you choose to exercise those rights, We kindly ask you to contact Us at the address email@example.com.
The secure storage of data is the highest priority for the Companies. We have done everything possible to avoid unauthorised access to and disclosure, loss or other unlawful processing of data. We protect the confidentiality and integrity of personal data and We ensure access to data in compliance with applicable law. To protect personal data collected and processed by Us, We have taken reasonable and sufficient organisational measures and set technical and physical restrictions. The measures applied depend on the category of personal data and the possible effects of its disclosure.
The storage and retention of all data retained by the Companies (including personal data) takes place on the territory of the Republic of Estonia either in Our own servers and/or under a contract in servers of verified cooperation partners. We and Our cooperation partners have taken high level technical, physical and organisational measures necessary to ensure security:
The work organisation of controllers and processors is set up so that the work computers of employees are only used to carry out the process of providing the service of data processing. Processed data is stored in file servers with the highest level of security, which can only be accessed by those liable for and carrying out the processing.
The Companies retain personal data only for as long as necessary to achieve the purpose for which the data was collected. The retention period also depends on the need to reply to data subjects’ enquiries, solve problems and comply with requirements for document retention arising from the law. When We no longer need personal data and the law does not require the retention thereof, We erase the data without delay.
The Companies provide various services to their clients. Generally, the provision of such services entails the processing of (personal) data obtained from Our clients (for example, accounting and wage data which may also contain personal data or personal data of private persons or employees of companies who buy Our services, which is retained in the economic software used by Us or in databases in file servers). In that case We only process data for the purposes determined by Our clients and the controller is Us or Our client.
The Companies are mostly processors of personal data and We process personal data only on behalf of Our client and under the client’s instructions. The relationship between and the rights and obligations of the processor and controller (meaning the Companies and their clients) are also determined, if necessary, in a personal data processing agreement. Where the Companies are the controller, We strictly comply with the requirements arising from Regulation 2016/679 of the European Parliament and of the Council.
Where the controller is Our client, the legal basis for the processing of personal data shall be determined by the client. The controller is also required to assess and manage the risks involved in the processing of personal data and perform duties related to notifying data subjects. As the processor, the Companies perform a significant portion of the controller’s duties since Our services are part of personal data processing, the compliance of which with the law must be ensured by the controller. If the Companies process personal data on behalf of their clients (meaning as the processor), We operate in compliance with applicable provisions of law that govern the operation of processors.
The Companies and the client who is the controller shall cooperate to ensure the prescribed protection of data subjects. If necessary, We provide the client with information necessary for compliance with the applicable personal data protection law.
We use subcontractors for the processing of personal data but We do not export personal data outside the European Union. For example, our contractual subcontractors are Estonian providers of cloud computing services and other IT services. The Companies enter into a data processing agreement with each and every subcontractor and verify the compliance with the terms and conditions of contract in order to protect personal data and perform their obligations toward their clients.
If you would like more information about the possible use of subcontractors in the provision of services to you, We kindly ask you to contact Us as set out under ‘Contact Details’.
For the purpose of increasing security or complying with amendments to law, the Companies may amend or adapt this Privacy Notice at any time. Should We do so, We shall publish the revised Notice here with a new version date. We may notify of significant changes in Our Privacy Notice and privacy principles before they take effect by way of e‑mail, announcement on Our website and/or on Our social media sites. Nevertheless, please visit this site from time to time to keep up to date with minor changes in the Privacy Notice.
We value your feedback, opinions and suggestions. If you have any problems, comments or questions, please contact Us at the address firstname.lastname@example.org. You can also contact Us through regular mail at the address Järvevana tee 9-40, Tallinn 11314, Estonia.