1. The controller of personal data is AS Baltika (Valukoja 10, Tallinn, registry code 10144415). The appointed data protection specialist is Kaupo Lõhmus, email email@example.com.
2. The processing of personal data is subject to the legislation of Estonia and the European Union.
3. The controller collects the following personal information: name, gender, birthday, personal identification code, phone number, e-mail and purchase history. Baltika’s services, incl. digital services, are not directed towards children under 13.
4. Among others, personal data is collected and processed for the following purposes: to make purchase analyses, to sell goods and provide services, to serve the client's loyalty program. The controller has the right to query, analyze, sort, and take samples of personal data in the database.
5. The controller does not disclose the information received by him to third parties.
6. By joining the client program, the client gives consent to the processing of his/her personal data. Personal data transmitted to the controller is protected and treated as confidential information, including information stored on the customer and his/her orders stored in the e-store order environment.
7. The data communication between the client and the banks and the card payment center is encrypted, which ensures the security of the customer's personal data and bank details. The data controller does not have access to client confidential bank and payment card requisitions.
8. The data controller will implement all measures, including information technology and organizational measures, for the protection of the personal data collected. Access to data editing and processing is restricted to authorized persons.
9. AS Baltika may authorize other legal entities (authorized processors) to process personal data, provided that an agreement has been entered with such a processor under which the processor is required to keep the personal data processed as confidential and to ensure the protection of personal data in accordance with the requirements provided by law. Such authorized processors are cash register software service providers, software development partners, logistics service providers and marketing service providers. The authorized processors are also companies belonging to the same consolidation group with AS Baltika and their employees who process personal data for the performance of their duties.
11. The customer has the right to get information and check his/her personal data, request access to the personal data, request corrections to the personal data, request limiting the personal data, request the deletion of personal data, request the transfer of personal data, rights relating to the automated processing of data, right to an evaluation by a supervisory authority. The customer also has a right to renege on his/her permission to process personal data. To get information and to check his/her personal data, the client should send a written application to firstname.lastname@example.orgemail@example.com.
12. The controller of personal data may send newsletters to the client, including satisfaction surveys and offers to the client's e-mail address or via SMS only if the client has given prior consent at the time of joining the client program or in the self-service environment.
13. The client can at any time cancel the offers and newsletters sent by logging in to the self-service environment at www.monton.eu/www.ivonikkolo.com, by emailing it to firstname.lastname@example.orgemail@example.com at or by following the instructions in the email.
14. The client can at any time check his/her personal information and partially modify it by logging in to the www.monton.eu/www.ivonikkolo.com self-service environment or by sending an email to firstname.lastname@example.orgemail@example.com. In order to delete personal information collected, the client shall submit a written request to firstname.lastname@example.orgemail@example.com. The data controller changes and/or deletes the client data after the client has been identified.
15. The deadline for maintaining client’s personal data is five years from the last purchase.
16. In the event of personal data being processed for a new purpose, different from the purpose for which the data was initially collected, or if collection of the data is not based on the subject’s consent, Baltika AS will carefully consider the permissibility of such processing. In order to determine whether processing of personal data for a new purpose is compliant with the purpose for which the personal data was initially collected, Baltika AS will, among other things, consider:
(1) Connections between the purposes for which the personal data was collected and the purposes of the intended further processing;
(2) The context of collection of the personal data, primarily the connection between the data subject and Baltika AS;
(3) The type of the personal data;
(4) The potential consequences of the intended further processing for the data subjects;
(5) Existence of relevant security measures.