This document was last updated on September 5, 2018
This is a data protection policy adopted by Yomer OÜ (“Yomer”). The responsibility for the updating and distribution of this policy rests with Yomer’s Data Protection Officer. This policy is subject to periodic review to ensure that changes to the relevant legislation or to Yomer’s structure or internal policies are reflected in this policy. Yomer’s directors and staff are expected to apply the policy and to seek advice or consultation as appropriate. In the normal course of commercial operations, Yomer needs to collect and retain certain types of personal data (both public and non-public) from a variety of sources including clients, prospective clients, personnel, suppliers, business contacts, financial companies and institutions, and others with whom Yomer conducts business. For the purpose of this policy, these will be referred to as “Data Subjects”.
In addition, to ensure Yomer complies with its regulatory obligations it may be required by law to collect and use certain types of information.
Personal data means data which relates to an individual who can be identified from that data or from that data combined with other information which is in the possession of, or is likely to come into the possession of, the data controller.
All personal data must be dealt with correctly, as provided for by the safeguards in the General Data Protection Regulation (“GDPR”), however it is ascertained, recorded and used. This applies equally whether the data is held electronically, on paper or by other means.
In addition to any legal consideration, Yomer believes the lawful and correct treatment of all personal data (non-public) is an essential step in building and maintaining confidence among everyone concerned, including staff, clients and business associates alike. We confirm that our company treats personal data in a lawful and correct manner.
In light of this, Yomer fully endorses and complies with the principles set out below in the GDPR which govern the processing of personal data.
The data protection principles under the GDPR and some examples of practical steps taken by Yomer to help ensure compliance with the principles (by the application of appropriate management structure and strict use of criteria and controls) are set out below.
In particular, processing will not be fair and lawful if the data subject has been deceived or misled as to the purpose or purposes for which their personal data will be processed. Yomer will, therefore, ensure that certain information (“Personal Data”) has been provided to the Data Subjects before processing takes place (i.e. on their data collection forms). This information must include the following:
In addition to providing the Personal Data, to ensure that all processing is fair and lawful Yomer will also ensure that the processing in question can be justified under certain conditions set out under the GDPR. This means that at least one of the following must be met:
In the case of sensitive personal data (i.e. personal data concerning a Data Subject’s racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health or condition (which will include employees’ health records), sexual life or the commission or alleged commission of any offence or proceedings for any actual or alleged offence, the disposal of such proceedings or the sentence of any court in such proceedings), this may only be collected, stored, used, disclosed or otherwise processed if, in addition to the requirements set out above, one of the following conditions is met:
To ensure these goals, Yomer adheres to the following standards and rules:
In order to process data in a way which is compatible with the purposes for which it is processed, Yomer will periodically review data collection procedures to ensure that they are adequate, relevant and not excessive in relation to the purpose for which data is going to be processed; review requests for personal data, to ensure that all data which is supplied is necessary or whether it can be destroyed; periodically review personal data held in manual filing systems and digital filing systems to ensure that Yomer is holding no more than the minimum of data required for the purpose for which the data was collected; and ensure that if employees are allowed to enter free text onto records, training is given to them to ensure its relevance.
Personal data shall be accurate and, where necessary, kept up to date.
Yomer will check that personal data is accurate, complete and current by, for example: keeping a record of the dates on which personal data is created and/or obtained both manually and electronically; assessing the accuracy of the personal data at the time of collection when it comes from sources other than the data subject concerned and, in any case, reviewing the accuracy of personal data before it is entered into any filing systems; ensuring that where personal data is duplicated and held separately (e.g. at a different location or in a different department) any updates or amendments are communicated to all holders of the personal data and that the personal data is updated/amended accordingly; and checking personal data periodically to ensure that it is accurate and up to date and to evaluate the degree of damage to the Data Subject and Yomer which could be caused through inaccurate or out of date personal data being held. This could be done by putting a procedure in place which provides that when a record is accessed, the individual accessing the file has to sign off that they have briefly reviewed the entire file and removed/amended any inaccurate personal data.
Personal data processed for any purpose or purposes shall not be kept for longer than necessary for that purpose or those purposes.
Yomer will comply with this principle by reviewing personal data periodically to determine whether retention is justifiably necessary for legitimate business purposes or whether the personal data can be archived or destroyed, and ascertaining whether such personal data could be retained in an anonymous format (e.g. if kept only for historical or statistical purposes).
Personal data shall be processed in accordance with the rights of Data Subjects under the GDPR.
Yomer will inform Data Subjects of: the obligatory or optional nature of the personal data requested (e.g. optional fields could be marked with a star which indicates that such personal data may be used for future marketing activities); and how Data Subjects can contact Yomer with any inquiries or complaints about the processing of personal data and the choices and the means offered by Yomer for limiting the use and disclosure of personal data.
Yomer has also established suitable procedures to enable an individual to find out whether personal data (of which that individual is the data subject) is being processed by or on behalf of Yomer and if so what such personal data comprises. Such a request by an individual must be in writing and Yomer may be entitled to charge a small fee for responding to such requests. Yomer has trained staff to recognize subject access requests from Data Subjects and to respond to these in accordance with the GDPR and particularly in accordance with the statutory time limits.
Yomer will ensure the rights granted to the people about whom personal data is held are upheld, including such issues as their right to be informed that processing is being undertaken, their rights to access such personal data, and their rights to correct or have deleted personal data that is determined as wrong personal data.
In order to protect personal data stored by Yomer from being lost, misused, accessed without authorisation, disclosed, altered or destroyed, Yomer will, for example: ensure that all necessary technical and structural security measures are undertaken to safeguard personal data; promote awareness of data security among employees and where possible, conduct training in security responsibilities and issues; only authorise individuals to access personal data where they have a business need to do so, where they are reliable and where they have the appropriate knowledge to make decisions concerning how it should be handled (i.e. carry out background checks and conduct training to ensure that individuals understand their responsibilities, particularly surrounding confidential information and special categories of data).
Yomer will also segregate employee duties to ensure that responsibility for sensitive tasks is appropriately controlled, monitor access to personal data to prevent violations, intentional or accidental damage or disclosure, identify potential security risks and exposures within the company and implement appropriate security measures to counter those risks. According to these measures Yomer will: (i) only give employees access to personal data where they are authorized and have a legitimate business need to do so; (ii) maintain a clear desk policy and ensure that: (a) computer servers are set up to optimise security, (b) all systems passwords/authorization levels etc. are periodically reviewed to ensure that they are assigned to appropriate staff, (c) where possible, audit trail capabilities of automated systems are used to track who accesses and amends personal data; and (iii) implement procedures to stop all employees whose employment has been terminated or transferred, who are no longer used, from accessing systems used to process personal data.
Personal data shall not be transferred to a country or territory outside the European Economic Area (EEA) unless that country or territory ensures an adequate level of protection for the rights and freedoms of Data Subjects in relation to the processing of personal data.
Yomer will ensure that the transfer of personal data abroad is only done once suitable safeguards have been put in place. This will be where either one or several of the following conditions apply:
All information you provide to us is stored on our secure servers. Any payment transactions carried out by us or our chosen third-party provider of payment processing services will be encrypted using Secure Sockets Layer technology or a secure virtual private network. Where we have given you (or where you have chosen) a password that enables you to access certain parts of our app and/or our website, you are responsible for keeping this password confidential. We ask you not to share a password with anyone.
Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your data transmitted to our app or our website; any transmission is at your own risk. Once we have received your information, we will use strict procedures and security features to try to prevent unauthorized access.
Certain services may include social networking, chat room or forum features. Ensure when using these features that you do not submit any personal data that you do not want to be seen, collected or used by other users.
To enable Yomer to achieve its objective of compliance with the principles of the GDPR, we have appointed a designated Data Protection Officer with specific responsibility for data protection who will act as the central focus for all issues relating to data protection. The Data Protection Officer will be responsible for identifying information, implementing appropriate data protection measures to comply with applicable law and maintaining those measures at appropriate levels.
The Data Protection Officer has a number of important responsibilities including:
If you have any questions about this privacy notice, including any requests to exercise your legal rights, you can contact the Data Protection Officer as follows:
Data Protection Officer: Evgenii K.
Yomer OÜ (14791904)
Registered address: Laki tn 30, Mustamäe linnaosa, Tallinn, Harju maakond, 12915, Estonia