Privacy Policy
This Privacy Policy describes how Sunly AS (registry code 14695483) processes your personal data as a controller. Keep in mind that personal data are any information relating to an identified or identifiable natural person (e.g. name, email address, personal identification code) and that processing of personal data is any operation (e.g. alteration, viewing, erasure, storage) which is performed on personal data.
Sunly processes personal data in accordance with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR).
This Privacy Policy applies to you if:
(i) You apply for a job or traineeship with us
(ii) You want to acquire or you own our virtual shares
(iii) You are a representative or contact person of our service provider, cooperation partner or customer
(iv) We send you news and notifications about our activities
(v) You register for and participate in our events
(vi) You contact us
(vii) You visit our website
(viii) You fall in at least one of the categories above
Purposes, legal basis and duration of processing of personal data
(i) You apply for a job or traineeship with us
If you apply for a job or traineeship at Sunly, we will primarily process the personal data about you that you have provided in your application or CV. In addition, we collect personal data from public sources (e.g. information on LinkedIn profile). We may also contact the references you have identified to collect further information.
We process your personal data for the following purposes:
– In order to identify you, to contact you and, in case of a successful application, to prepare a contract, we will process your given name and surname and contact details (phone number, email address, address).
– In order to assess your suitability for the vacant position, we process data about your education, qualification and previous experience, data provided in your CV, data provided in your letter of motivation, data collected during interviews (e.g. about your skills and qualities).
– We process your contact details and communication information to manage the recruitment process, collect additional information and inform you of decisions.
The legal basis for the processing of personal data is our legitimate interest in finding the right person for the vacant position, in assessing the suitability of candidates in the recruitment process and in managing the recruitment process (Art. 6(1)(f) of GDPR). For the purpose of preparing a contract with a successful candidate, we process personal data in order to take the necessary steps towards entry into a contract (Art. 6(1)(b) of GDPR).
We store the personal data we collect during the recruitment process for one year after the date we make the recruitment decision and notify you, in order to protect our rights where necessary. If you have given your consent (Art. 6(1)(a) of GDPR), we will store your personal data for a longer period of time in order to keep you informed of future application opportunities.
(ii) You want to acquire or you own our virtual shares
If you have applied to acquire virtual shares of Sunly, or already own them, we will process personal data about you that you have provided to us for this purpose. We also collect data concerning the number of virtual shares, the transactions performed with them and other details about your virtual shares.
We process your personal data for the following purposes:
– To identify you, we process your identification data (given name and surname, date of birth, place of residence, personal identification code, identity document data).
– To contact you, we process your contact information (phone number, email address).
– In order to reserve or issue virtual shares and enable you to exercise your rights relating to virtual shares, we will process your identification data, contact details, as well as data relating to your virtual shares, payment details and information you have provided about your connection to the relevant area (to identify your right to acquire virtual shares).
– We process data relating to payments in order to comply with our legal obligations.
The legal basis for processing of personal data is the need to prepare the entry into of a contract at your request and subsequently to perform the contract entered into (Art. 6(1)(b) of GDPR). Also the need to comply with our accounting and tax obligations (Art. 6(1)(c) of GDPR).
We store personal data relating to the offer of virtual shares for as long as necessary to issue virtual shares to you and to enable you to exercise your rights related to the virtual shares.
(iii) You are a representative or contact person of our service provider, cooperation partner or customer
If you represent a company related to you in your communication with us (e.g. you are an employee or representative of that company), we will process personal data about you that you have provided to us or that have been provided by the company related to you.
We will process your personal data such as your given name and surname, work contact details, job position and, where applicable, data concerning your right of representation, for the purpose of performing and managing the contractual relationship with the company related to you and cooperating (including contacting) with the company.
The legal basis for processing of personal data is the need to perform or manage the contract entered into with the company or cooperate otherwise (Art. 6(1)(f) of GDPR).
We store personal data of representatives or contact persons for as long as it is necessary to manage the relationship with the company.
(iv) We send you news and notifications about our activities
In order to send you news and notifications (including invitations to Sunly events), we use your personal data that you have provided to us when you have expressed your wish to receive news from us, or that we have obtained from you in the course of our previous cooperation.
We process your personal data such as your given name and surname and email address for the purpose of sending you interesting information about the activities of Sunly and to invite you to our events.
The legal basis for processing of personal data in this case is your consent (Art. 6(1)(a) of GDPR). If we have obtained your contact details because you have used our services in the past, we may also send you news and notifications about similar services on the basis of our legitimate interest (Art. 6(1)(f) of GDPR), subject to the restrictions applicable to direct marketing by electronic means. Keep in mind that you can always refuse to receive news and notifications from us at the time of the initial collection of your contact details. You can also refuse to receive further news and notifications by following the instructions at the end of an email sent to you.
We store your contact details for the purpose of sending you news and notifications as long as your consent to this is valid or as long as you prohibit such use of your contact details.
(v) You register for and participate in our events
When you register for our events, we will process personal data about you that you have provided to us or that have been provided by a company related to you. When attending public meetings, we collect personal data about participants on the spot.
When registering for and attending events, we will process your given name and surname and email address for the purpose of ensuring effective communication regarding the organisational side of the event and to give you a name tag to attend the event. We also prepare a list of participants in public meetings for the purpose of proving later, if necessary, that the meeting took place.
The legal basis for the processing of personal data in such cases is our legitimate interest in enabling you to participate in the event according to your wish and ensuring the successful conduct of the event and, where necessary, proving the conduct of the public meeting (Art. 6(1)(f) of GDPR).
Sunly events are sometimes photographed and/or filmed. The purpose is to capture the events and to share information about our activities outside Sunly (e.g. on our social media channels, media, website). If an event is photographed or filmed, we will inform you before the event and at the event thereof. You always have the right to refuse to be photographed or filmed by informing the person photographing or filming the event. The legal basis in such a case is our legitimate interest in receiving recordings of the events we organise (Art. 6(1)(f) of GDPR) or § 11 of the Personal Data Protection Act.
We store your personal data for as long as it is necessary for the purpose of conducting the event.
(vi) You contact us
When you contact us (e.g. by email, letter or phone), we process the personal data you have provided to us (given name and surname, contact details, content of the request).
The purpose of processing personal data is to respond to your request.
The legal basis for processing of personal data is our legitimate interest in responding to and/or settling your request (Art. 6(1)(f) of GDPR).
We store your personal data for as long as it is necessary for the purpose of managing and responding to your requests or taking the necessary steps in response to your request.
(vii) You visit our website
We use a variety of cookies on our website, through which we may also collect your personal data when you visit our website. Depending on the purpose for which personal data are collected, the processing is based on our legitimate interest in ensuring the functioning of the website (Art. 6(1)(f) of GDPR) or your consent (Art. 6(1)(a) of GDPR).
For more information about cookies, please refer to the cookie selection panel displayed when you enter the Sunly website, which can later be reopened by clicking on the “Consent Preferences” cookie icon in the corner of the website.
(viii) You fall in at least one of the categories above
Processing of personal data to protect our rights and to settle requests of data subjects
In addition to the purposes above, we may need to process personal data in order to protect our rights (e.g. in a legal dispute between us) or to settle a request you have submitted to us as a data subject to exercise your rights in relation to your personal data.
The legal basis for processing of personal data is the legitimate interest based on the necessity to protect our rights (Art. 6(1)(f) of GDPR). We are obliged to settle the requests of data subjects under GDPR, and, therefore, we process personal data for this purpose in order to comply with our legal obligation (Art. 6(1)(c) of GDPR).
We store your personal data for as long as necessary to protect our rights or comply with our legal obligations.
Processing of personal data based on legitimate interest
Upon processing personal data on the basis of legitimate interest, we have previously considered contradicting interests, as required, to assess whether our interest in processing the personal data outweighs your interests and the rights and freedoms for which the personal data are protected.
You have the right to object to such processing at any time. If you would like to object or find out more about the legitimate interest analysis, please contact us using the contact details below.
Processing of personal data based on consent
If we process personal data on the basis of your consent, you will have the right to withdraw your consent at any time (e.g. by clicking on the link at the end of an email or by sending us an email). However, withdrawal of the consent shall not affect the lawfulness of processing based on consent before its withdrawal.
Storage of personal data to protect rights and comply with legal obligations
In addition to storing personal data for the primary purpose for which the data were collected and processed, we sometimes need to store personal data beyond the primary purpose in order to protect our rights (generally for 3 years based on the usual limitation period for claims) or to comply with our legal obligations (for accounting and tax obligations, we store payment data for 7 years after the relevant financial year).
Sharing of personal data
Processors
In the course of our activities, we may also need to share your personal data with third parties. For example, some of our service providers may have access to your personal data when they provide services to us in support of our day-to-day business operations (e.g. various IT service providers, accounting service providers, communication consultancy service providers, recruitment support service providers). Such service providers process personal data only on our instructions as processors on our behalf and we remain responsible for their processing of personal data.
Third parties
In addition to processors, in certain cases, we may also need to share your personal data with third parties who process your personal data as independent controllers. Such third parties include, for example, our auditors, legal service providers and other consultants, where the sharing of personal data is necessary in the context of a service provided to us. We may also share personal data with other Sunly group companies, where necessary, for the purposes for which we process your personal data.
We may also need to provide access to your personal data where it is relevant in connection with a restructuring, merger, acquisition, sale or other transaction involving Sunly or in connection with the assignment of claims.
We will only share your personal data with third parties if we have a legal basis for such sharing.
Transfer outside the European Economic Area
Where the service provider with whom we share personal data processes personal data outside the European Economic Area (including the European Union), we have applied additional safeguards in accordance with GDPR to ensure that your personal data remains protected as a result of such transfer.
Your rights concerning your personal data
If you have any questions about the processing of your personal data or wish to exercise your rights, please contact us by email at [email protected].
Keep in mind that your rights concerning your personal data are not absolute and we may not always be obliged or able to take the action based on your request. You have the right to:
– Request to obtain all the personal data we process about you. For this purpose we will ask you to explain whether you would like a confirmation of the personal data we hold about you and/or would like a copy of your personal data.
– Request rectification of your personal data. Exercising the right to rectification of your personal data requires that your personal data are inaccurate or incomplete. If this is the case, we will rectify and/or complete your personal data. To do this, we ask you to specify in your request the personal data that need rectification.
– Request erasure of your personal data. You may request the erasure of personal data if (i) we no longer need the personal data for the purposes for which we collected them; (ii) you wish to withdraw your consent to the processing of your personal data and we have no other legal basis for continuing the processing; (iii) you object to the processing of your personal data and we have no overriding legitimate grounds for continuing to process your personal data; (iv) we have processed your personal data unlawfully; (v) we are under a legal obligation to do so. However, if despite the foregoing, we need to continue to process personal data in order to comply with our legal obligation or to protect our rights, we may not be able to erase the personal data. In this case, we will explain why we cannot erase personal data.
– Request the restriction of processing of your personal data. This will be the case if (i) you have drawn our attention to the fact that your personal data are inaccurate and we are verifying the accuracy of the data; (ii) the processing of personal data is unlawful but you oppose the erasure of the personal data and request the restriction of their processing instead; (iii) we no longer need the personal data for the purposes of the processing but you require and/or your company requires them for the establishment, exercise or defence of legal claims; (iv) you have objected to the processing of personal data and we are verifying whether our legitimate grounds for processing override the grounds for termination of processing. Even if the processing of personal data is restricted, we may process that data if (i) you have given your consent; (ii) the data are necessary for us for the establishment, exercise or defence of legal claims; (iii) the data are necessary for us to protect the rights of a natural or legal person; or (iv) the processing is necessary for reasons of important public interest.
– Request the portability of your personal data. You have the option to request to receive your personal data in a structured, commonly used and machine-readable format and to transmit those data to another controller (or to request that we transmit the data) where the processing of personal data is based on your consent or on a contract entered into between us and the personal data are processed by automated means.
– Object to the processing of personal data. You have the right to object to the processing of personal data where we process the data on the basis of our legitimate interest or the legitimate interest of a third party. In the event of an objection, we shall no longer process the personal data unless we demonstrate compelling legitimate grounds for the processing of personal data which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defence of legal claims.
– Withdraw consent given to the processing of personal data. Where the processing of personal data is based on consent, you have the right to withdraw your consent at any time. Please note, that this does not affect the lawfulness of the processing based on consent before its withdrawal.
We will respond to your request within one month, unless there are circumstances that require us to take longer to respond. In any case, we will inform you within one month.
In addition, you have the right to lodge a complaint with the Data Protection Inspectorate if you find that your personal data have not been processed in accordance with applicable data protection legislation and your rights have been violated (address of the Data Protection Inspectorate is Tatari 39, 10134 Tallinn, phone +372 627 4135, email: [email protected]). If your habitual residence, place of work or place of the alleged violation are in another Member State, you also have the right to lodge a complaint with the data protection supervisory authority in that State.
Amendments to this Privacy Policy
If we need to change the terms of this Privacy Policy, we will always notify you of such changes via our website https://sunly.ee/.