Procedure for use of data and data processing

MTÜ Nordic Institute for Interoperability Solutions

1.    Terms

1.1.     Data is any data that allow the identification of a person, any data that the person has disclosed to MTÜ Nordic Institute for Interoperability Solutions (hereinafter also “NIIS”) or the person’s or another person’s data that are in the possession of NIIS, including Personal data. Data may include identification and categorization data, contact information, data concerning service contracts and other transactions, data reflecting habits and preferences, and data collected under the law or under this procedure for use of data and data processing.

1.2.     Personal data is any information relating to an identified or identifiable natural person (“data subject”). Personal data is the name of a natural person and the person’s identification (name, personal identification code, date of birth), identity document, contact information (address, e-mail, telephone number), location data, an online identifier, IP address and other personal information that has become known to the NIIS in relation to the provision and performance of the service.

1.3.     Processing of personal data is any operation performed on personal data, including the collection, recording, organization, storage, alteration, disclosure, granting access to personal data, consultation and retrieval, use of personal data, communication, cross-usage, combination, closure, erasure or destruction of personal data or several of the aforementioned operations, regardless of the manner in which the operations are carried out or the means used.

1.4.     Restriction of processing is the marking of stored personal data with the aim of limiting their processing in the future.

1.5.     Controller is the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data (NIIS).

1.6.     Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.

1.7.     A data subject is a person whose personal data is processed.

1.8.    A third person is a natural or legal person, public authority, agency or body other than the Data subject, Controller, Processor and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.

1.9.    Consent of the data subject is any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which the person, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to the person.

2.    Processing of personal data with the consent of data subject

2.1.    Personal data shall be processed with the consent of the data subject in accordance with the Personal Data Protection Act of the Republic of Estonia and the EU General Data Protection Regulation (GDPR) Article 6, unless otherwise provided by the applicable law.

2.2.    The data subject shall be entitled to withdraw the consent at any time, informing the Controller either by e-mail or by using the automatic “unsubscribe” function, whereupon the Controller shall terminate the processing of personal data of the data subject as soon as possible.

2.3.    The data subject gives a clear consent to the Controller to process his/her personal data in accordance with the principles and purpose of this procedure. The consent, together with the information about the principles and purposes of processing personal data, is given by the data subject separately on the NIIS website or in any other information system provided for the use of the data subject by the NIIS.

2.4.     The NIIS processes the data as a Controller, and the Processors are, among others, the accounting firm, the audit firm and other firms which offer such services to the NIIS.

2.5.     As the Controller the NIIS shall provide the Processor with mandatory instructions for processing personal data and shall be responsible for the Processor's compliance with the personal data processing requirements or responsible for establishing such compliance.

2.6.     The Processor may delegate the task of processing personal data to another person only with the written consent of the Controller, provided that this does not exceed the limits of the authority of the Processor.

3.    Principles and purpose of processing personal data

3.1.     The purposes of processing personal data are:
3.1.1.    Identification of the person;
3.1.2.    Determining the necessary skills and knowledge of the person;
3.1.3.    Compliance with the obligations undertaken towards the person and offering services to the person;
3.1.4.    Sending information about services, projects, developments, news and events;
3.1.5.    Asking for feedback and sending questionnaires;
3.1.6.    Fulfillment of the obligations provided by law or implementation of the uses permitted by law.

3.2.     Neither the Controller nor the Processor shall transfer, rent or otherwise give personal data to third parties, unless clearly requested to do so by the person.

3.3.     When processing personal data, the Controller and the Processor will follow the principles in the Personal Data Protection Act of the Republic of Estonia and the EU General Data Protection Regulation, including the principle of minimal processing.

3.4.     The NIIS works with third persons to whom the NIIS shall also forward data, including Personal data, in the context of and for the purposes of cooperation. Such persons may be accounting firms, audit firms, IT partners, providers of postal services and other authorities and organizations with which the NIIS cooperates, provided that the NIIS authorizes their use of data only to the minimum extent necessary and ensures that their data security is at least at the same level as that of the NIIS itself.

4.    The obligations of the NIIS

4.1.     The NIIS will process the data only according to documented guidelines.

4.2.     The NIIS ensures the protection of personal data through taking all kinds of organizational, physical and IT security measures and through strict confidentiality and security rules. The NIIS confirms that all necessary measures have been taken to protect personal data. The processing of personal data is limited to the minimum required for the purposes of the processing of personal data.

4.3.     The NIIS will only allow access to personal data to suitably trained employees of the NIIS and, if necessary, to the Processor, who have the right to process personal data only to the extent necessary to achieve the purposes of processing personal data. The NIIS records the use of data and the Processors.

4.4.     After the end of the provision of the data processing services, upon the termination of the services or upon receiving a corresponding request from the data subject, the NIIS deletes or returns all personal data and deletes the existing copies, unless the law requires the retention of the data.

4.5.     All provisions which are related to the relations between the NIIS and the Processor and which are not stated herein are either agreed separately between the NIIS and the Processor or regulated in the General terms and conditions of the NIIS Contracts.

4.6.     The NIIS is liable for compliance with the requirements of the Personal Data Protection Act of the Republic of Estonia and the EU General Data Protection Regulation.

5.    Protection of the rights of the data subject

5.1.     The data subject has the right to access personal data held about him/her by the NIIS and to receive further information on processing his/her personal data.

5.2.     The data subject has the right to submit complaints regarding the processing of his/her personal data at any time, including requiring the termination of the processing of personal data concerning him/her, the termination of the disclosure or the granting of access to personal data and / or the deletion, correction or destruction of the data collected.

5.3.     The data subject has the right to obtain from the NIIS restriction of processing where one of the following applies:
5.3.1.    the accuracy of the personal data is contested by the data subject, for a period enabling the Controller to verify the accuracy of the personal data;
5.3.2.    the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead;
5.3.3.    the Controller no longer needs the personal data for the purposes of the processing, but they are required by the data subject for the establishment, exercise or defense of legal claims;
5.3.4.    the data subject has objected to processing pursuant to GDPR Article 21(1) pending the verification whether the legitimate grounds of the Controller override those of the data subject.

5.4.     The data subject shall have the right to receive any personal data concerning the person, which the person has provided to the Controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another Controller without hindrance from the controller to which the personal data have been provided.

5.5.     The data subject shall have the right to request the erasure of personal data concerning him/her without undue delay, and the Controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
5.5.1.    the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
5.5.2.    the data subject withdraws consent on which the processing is based according to point 2.1 and where there is no other legal ground for the processing;
5.5.3.    the data subject objects to the processing and there are no overriding legitimate grounds for the processing;
5.5.4.    the personal data have been unlawfully processed;
5.5.5.    the personal data has to be erased for compliance with a legal obligation in applicable law to which the controller is subject.

5.6.     If the data subject has used the right of restriction of processing, the NIIS has the right to retain the data but not process the data.

5.7.     The NIIS shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with GDPR Article 16, Article 17(1) and Article 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The NIIS shall inform the data subject about those recipients if the data subject requests it.

5.8.     If the data subject finds that the NIIS has violated his/her rights in the processing of personal data, or if he/she wishes to delete his/her data, he/she has the right to appeal to the NIIS for the termination of the violation or the deletion of his/her data.

5.9.     The data subject has the right at any time to seek the protection of his/her rights from the Estonian Data Protection Inspectorate or Harju County Court, if this is not in contradiction with the law.

6.    The data protection officer

6.1.     The NIIS shall appoint a data protection officer.

6.2.     The data protection officer may be a staff member of the Controller or Processor, or fulfill the tasks on the basis of a service contract. The data protection officer may fulfill other tasks and duties. The NIIS shall ensure that any such tasks and duties do not result in a conflict of interests.

6.3.     The NIIS shall publish the contact details of the data protection officer and communicate them to the supervisory authority.

6.4.     The NIIS shall ensure that the data protection officer is involved, properly and in a timely manner, in all issues which relate to the protection of personal data.

6.5.     The data protection officer shall have at least the following tasks:
6.5.1.    to inform and advise the NIIS and the employees who carry out processing of their obligations pursuant to data protection provisions;
6.5.2.    to monitor compliance with the GDPR, with the Personal Data Protection Act of the Republic of Estonia and with any policies of the NIIS, if applicable, in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;
6.5.3.    to provide advice where requested as regards the data protection impact assessment and monitor its performance;
6.5.4.    to cooperate with the supervisory authority;
6.5.5.    to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation and to consult, where appropriate, with regard to any other matter.

6.6.     The data protection officer shall in the performance of his/her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

6.7.     The NIIS shall support the data protection officer in performing the tasks referred to in 6.5 by providing resources necessary to carry out those tasks and access to personal data and processing operations, and to maintain his/her expert knowledge.

6.8.     The NIIS shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. The data protection officer shall not be dismissed or penalized by the Controller or the Processor for performing his/her tasks. The data protection officer shall directly report to the Management Board of the NIIS.

6.9.     Data subjects may contact the data protection officer with regard to all issues related to processing of their personal data and to the exercise of their rights under the law.

6.10.    The data protection officer shall be bound by secrecy or confidentiality concerning the performance of his/her tasks, in accordance with the applicable law.

7.    Guidelines in case of a personal data breach

7.1.     Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. Personal data breach includes breaches that are the result of both accidental and deliberate causes.

7.2.     A personal data breach is a case where any personal data is lost, destroyed, corrupted or disclosed; where someone accesses the data or passes it on without proper authorization; or where the data is made unavailable, for example when it has been encrypted by ransomware or accidentally lost or destroyed.

7.3.     Personal data breaches can include: access by an unauthorized third party; deliberate or accidental action (or inaction) by a controller or processor; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; loss of availability of personal data.

7.4.     In the case of a personal data breach, the NIIS shall, without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the competent supervisory authority of the personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. Where the notification to the supervisory authority is not made within 72 hours, it shall be accompanied by reasons for the delay.

7.5.     The Processor shall notify the Controller within 24 hours after becoming aware of a personal data breach.

7.6.     The notification about the breach referred to above shall at least:
7.6.1.    describe the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
7.6.2.    communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
7.6.3.    describe the likely consequences of the personal data breach;
7.6.4.    describe the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
7.6.5.    where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay;
7.6.6.    the controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

7.7.     The NIIS has the obligation to document each incident. The NIIS can be requested to assess how data controllers comply with their data breach notification obligations.

8.    Use of Cookies

8.1.     Cookies are small data files that a web server sends to the visitor’s web browser and that are stored on the visitor’s computer so that the website can recognize the computer.

8.2.     The NIIS uses cookies. The NIIS collects data and cookies from visitors to its website.

8.3.     The cookie-related information is not used to identify the website user personally, and the collected pattern data is fully under the control of the NIIS.

8.4.    The NIIS only uses cookies that serve the purposes described above.

8.5.     The website visitor can choose whether or not to accept cookies. The website visitor can delete or block these cookies, but if he/she does so, some features of this site may not work as intended.

Shall enter into force on 25 May 2018