Data Protection Terms and Privacy Policy

09.11.2022

1. INTRODUCTION AND KEY TERMS

AS Vipex (hereinafter referred to as “Vipex”), registry code 10170170, located at Kriidi tn 10, Tallinn 11415 (hereinafter – the company or we or the controller), cares about your privacy and the protection of your personal data and processes your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter – the Regulation) and other legal acts regulating the protection of personal data. We publish the data protection terms and privacy policy (hereinafter – privacy policy) on our website so that you are fairly and transparently informed about how personal data is processed. It is also possible to learn about the data protection terms and privacy policy by contacting our customer service or AS Vipex’s data protection specialist at info@vipex.ee.

The purpose of this privacy policy is to explain which personal data we process, as well as how and why we do so. In addition, this privacy policy describes our obligations and responsibilities regarding data protection.

The data protection terms and privacy policy apply to all personal data that we process as the controller.

The company processes, for example, personal data of employees, temporary employees, sole proprietors, job and position applicants, suppliers’ contact persons, customers, visitors, and other cooperation partners. The data protection terms and privacy policy also apply to all individuals who visit AS Vipex’s website www.vipex.ee or contact us.

This Privacy Policy describes how Vipex processes the personal data of its employees, clients, or people cooperating with the company in other ways, as well as the measures we take to protect personal data. We also describe which personal data we collect about you and the purposes for which we process it. This includes important information about protecting your personal data, your rights, and how to exercise those rights. In addition, we explain how we use and store your personal data.

Please read this Privacy Policy carefully and, if you have any questions, feel free to contact us at the details provided. If you do not agree with these conditions, we recommend not using Vipex’s website or services.

Note that we reserve the right to change this Privacy Policy in the future. You will be notified of any changes, but we recommend reviewing this periodically yourself as well.

Personal data – any data and information related to a physical person (a human being) that make it possible to identify that person. A person is identifiable if his or her identity can be determined within a reasonable scope by means of the data, without a disproportionate effort. Identification can be based, for example, on a name, personal identification code, location data, online identifier, or a physical, physiological, genetic, mental, economic, cultural, or social characteristic, or a combination of such characteristics. If your identity is known, or can be determined directly or indirectly by using the relevant data (for example, first name, last name, email address, telephone number, etc.).

Special categories of personal data – personal data revealing a person’s racial or ethnic origin, political views, religious or philosophical beliefs, or trade union membership. Also genetic data, biometric data for uniquely identifying a person, health data, or data regarding a physical individual’s sexual life and sexual orientation.

Personal data breach – a security breach that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to personal data transmitted, stored, or otherwise processed.

Customer – a physical person to whom the company provides services or offers goods in the course of its economic activities.

Third party – a physical or legal person, public authority, agency, or body other than the data subject, the controller, or the processor, as well as persons who may process personal data under the direct authority of the controller or processor.

Cooperation partner – a natural person who is a supplier to the company or an employee/representative/contact person of another legal entity cooperating with the company.

Processing personal data – any operation or set of operations carried out on personal data (including monitoring or recording by security cameras, collecting and storing personal data, retaining, editing, modifying, granting access, making inquiries, transmitting, archiving, etc.). Processing can be done manually or by using automated systems (e.g., IT systems).

The company follows these principles when processing personal data:

  • Only as much as necessary for achieving the specified and lawful objectives, while respecting the need to protect your privacy.
  • Your personal data is processed in compliance with clear data processing requirements set out in legislation.
  • Your personal data is processed only in a form that enables identification of you as a data subject for no longer than is necessary for the purpose for which your personal data is processed.
  • Your personal data is processed accurately, fairly, and lawfully, and for the purposes defined before the collection of your personal data.
  • We use appropriate technical or organizational measures for processing your personal data to ensure data security, including protection against unauthorized or unlawful processing and accidental loss, destruction, or damage to personal data.

Contractor – a natural person (i.e., not a company) with whom the company has concluded a contract for services (service provision agreement), including members of the company’s management bodies.

Controller – a person who decides why and how (i.e., for which purposes and by which means) personal data is processed. If a person independently decides how the personal data in his or her possession is processed and is responsible for it, this person is the controller.

Processor – a person who processes personal data on behalf of the controller. If the personal data is in someone’s possession or he/she processes it but does not have the authority to decide on its processing, i.e., follows the instructions of the controller, that person is the processor. An example of a processor might be a service provider (for example, a payroll service provider).

2. CATEGORIES OF PERSONAL DATA

Employees and Contractors

The company processes personal data related to its employees, job and position applicants (e.g., board members), and contractors, as well as former employees and former contractors.

This personal data includes the following:

  • Personal details such as name, date of birth, bank account information, close family members, visa/passport/ID card information or a copy of these documents.
  • Contact information such as address and phone number, email address.
  • Personnel file data, including: employment conditions, training records, performance evaluations/assessments, promotions, personal development plans, behavioral and disciplinary data, workplace, salary information, bank account details, and taxpayer identification number and personal ID code.
  • Employment history or application data, such as education and previous employment history.
  • Family member data, such as children’s dates of birth and names (relevant if the individual is applying for parental leave, for instance).
  • Information related to work performance, such as annual salary review for employees.
  • Special categories of personal data: medical information such as doctors’ notes and sick leaves.

The above list is not exhaustive but covers the most commonly collected, used, or otherwise processed personal data.

Customers

The company also processes the personal data of its customers. This personal data may include, for example:

  • Personal details such as name, date of birth/personal ID code.
  • Contact information such as address, phone number, email address.
  • Credit card details such as card number, expiry date, CVV.

Cooperation partners

The company processes the personal data of its cooperation partners. Such personal data may include:

  • Personal details such as name, job title, position, work-related identification numbers, department, business unit (including contact information collected for training/checking).
  • Contact information such as email address, phone numbers, and workplace location.

3. PURPOSES FOR PROCESSING DATA

The company processes personal data for the purposes for which the data was collected.

We process employees’ personal data, for example, for the following purposes:

  • Fulfilling the obligations of an employer as defined in the Employment Contracts Act.
  • Managing salaries and benefits.
  • Personnel activities, performance, and talent management.
  • Internal audits.

We process the personal data of customers and cooperation partners, for example, for the following reasons:

  • Preparation and execution of the contract concluded with the customer/cooperation partner.

Personal data is used to allow us to conclude and perform a contract with you. For the purpose of fulfilling the contract, processing personal data is necessary to perform or conclude, according to the declared intention of the parties, a contract between Vipex and the customer/cooperation partner (e.g., a sales contract when buying goods from Vipex).

  • Marketing and public relations.
  • Improving company products and services.
  • Statistical analysis.
  • Developing the company’s business strategy.
  • Preventing and detecting illegal and/or criminal behavior toward the company or its employees and clients.
  • We process personal data for making and/or receiving orders for goods, managing them, and fulfilling them, including but not limited to processing payments, delivering goods, receiving returns, issuing invoices, communicating regarding the order and its fulfillment, dealing with and solving issues/queries, etc.
  • Managing customer relationships and communicating with customers.
  • Developing and analyzing customer relationships.
  • Login to self-service (for fulfilling the contract).
  • Offering products and services.
  • Direct and relationship marketing.
  • Using and improving the website.
  • Conducting surveys.
  • Compiling sales statistics.
  • Fulfilling tax obligations (issuing and managing accounting documents).

Occasionally, we may process personal data for other reasons as well:

  • Increasing representation and visibility in the public space (communications in social networks).
  • Protection of individuals and property.
  • Handling legal claims.
  • Handling requests, complaints, demands (processing inquiries).
  • Fulfilling obligations under the law.

When processing personal data, Vipex follows the principle of minimality, i.e., we process only that data and to the extent necessary to achieve a specific purpose.

The company aims to inform individuals about the purposes of data processing at the time the personal data is obtained. If that is not possible or reasonable, we try to inform people at the earliest opportunity after receiving personal data or otherwise using it.

4. SCOPE OF DATA PROTECTION TERMS

The data protection terms and privacy policy apply to all personal data that we process as the controller.

The company processes, for example, personal data of employees, temporary employees, sole proprietors, job and position applicants, supplier contact persons, customers, visitors, and other cooperation partners. The data protection terms and privacy policy also apply to all individual (natural) persons who visit AS Vipex’s website www.vipex.ee or contact us.

When applying for a job at Vipex, the personal data provided by the applicant is processed for the purpose of assessing the applicant’s suitability and compliance with the advertised position. Data about the applicant may also be obtained from other sources, such as public registers, referees, former employers, etc. A referee or a former employer is contacted only if the applicant has given consent to do so.

The company does not carry out profiling of your personal data that would result in automated decisions that could lead to legal or major consequences for you.

This Privacy Policy does not apply to any third-party program, service, or website, even if you can access them via the www.vipex.ee website. The Privacy Policy does not apply to personal data that has been provided to third parties. If this Privacy Policy does not apply, you should review the applicable privacy policy and related terms, which are published on the relevant website, application, and/or apply to any other service you use, before providing your personal data.

5. LEGAL BASES FOR PROCESSING PERSONAL DATA

Vipex collects and processes your personal data on the following legal bases:

  • On the basis of your consent, i.e., you have given Vipex consent to process your personal data for one or more purposes known to you in advance (direct marketing, consumer games).
  • On the basis of a contract, i.e., processing of personal data is necessary for the performance of a contract concluded between you and Vipex or for taking steps to conclude a contract according to your expressed intention, within the scope of rights and obligations arising from the contract (a sales contract when buying goods from Vipex).

If you purchase goods from us for a legal entity as its representative, a contract is concluded between you and the company for the purchase of specific goods, so we process your personal data as the representative of a legal entity under Article 6 (1)(f) of the Regulation, i.e., the processing of personal data is necessary to protect the legitimate interests of the company in concluding and performing a contract with a legal entity.

The personal data of employees of the legal entity who act on behalf of the legal entity are processed for the purpose of fulfilling the contract, pursuant to Article 6 (1)(b) of the Regulation, i.e., data processing is necessary for the performance of a contract concluded involving the data subject.

After the purchase-sale contract concluded with the company has been fulfilled, we must comply with obligations imposed on us by legislation and retain the contract and/or the evidence confirming it, so we process your personal data under Article 6 (1)(c) of the Regulation, i.e., data processing is necessary for compliance with a legal obligation to which the controller is subject (established by national legislation).

  • On the basis of the law, i.e., Vipex processes personal data in order to fulfill the obligations established by law (e.g., handing over ordered goods on the basis of an identity document, responding to requests from state authorities in cases and within the limits provided by law, etc.).

If you have been sold goods, services have been provided, and/or payment has been received for the provided services, we must fulfill the obligations specified by legislation to properly maintain the company’s accounting and keep accounting documents. Therefore, we process your personal data in accordance with Article 6 (1)(c) of the Regulation, i.e., data processing is necessary for compliance with a legal obligation of the controller (established by national legislation).

  • Legitimate interest, i.e., Vipex processes personal data for legitimate interests (use of video surveillance for the purpose of protecting individuals and property, handling legal claims). Vipex processes personal data under the legitimate interest only if this processing is not overridden by the interests or fundamental rights and freedoms of the data subject, which require personal data protection. If you wish to obtain specific information about how legitimate interests have been determined, you can request it from Vipex’s data protection specialist via email at info@vipex.ee.

6. DATA SUBJECT RIGHTS

Under data protection laws, individuals have certain rights in relation to their personal data.

The right to access data – you have the right to know what data is held about you and how it is processed.

The right to rectification – you have the right to request the correction of your personal data if it is incorrect.

The right to erasure (“right to be forgotten”) – in certain circumstances, you have the right to request that we delete your personal data (e.g., if we no longer need it, if you withdraw your consent for processing, etc.).

The right to restrict processing – in certain circumstances, you have the right to prohibit or limit the processing of your personal data for a certain period (e.g., if you have filed an objection to data processing).

The right to object – depending on your specific situation, you have the right to object to the processing of your personal data if your data is being processed based on our legitimate interest or the public interest. You may object to the processing of your personal data for direct marketing at any time.

The right to data portability – if the processing of personal data is based on a person’s consent or on a contract with the company, and the data is processed by automated means, then the individual has the right to receive his or her personal data (that he or she has provided to the controller) in a structured, commonly used, and machine-readable format, and has the right to transfer that data to another controller. You may also request that the company transfer your data directly to another controller, if technically feasible.

You may exercise your rights by submitting a request to the company in person (to a company employee), by post, through a representative, or by electronic means to info@vipex.ee, or by mail to Kriidi tn 10, Tallinn 11415.

To ensure the security of personal data processing, we ask that your request submitted electronically be digitally signed.

When submitting a request, the data subject must confirm their identity in one of the following ways:

  • By submitting a request to a company employee and presenting a valid identity document at the same time.
  • By submitting a request by mail or courier, enclosing a copy of a valid identity document certified in accordance with the procedure provided by law.
  • By submitting a request electronically, confirming it by electronic means that allow identification (e.g., mobile-ID, digital signature, etc.).

Vipex has the right to respond to your request within 30 days from receiving the request. Vipex has the right to refuse your request if identity cannot be established or if the provision of personal data is not secure, or if your requests are clearly unfounded or excessive, especially due to their repetitive nature. Vipex may refuse to comply with a request to restrict or delete data if data processing is required by a valid contract, by law, or is necessary for drafting, filing, or defending legal claims relating to the protection of persons and property. If Vipex cannot fulfill your request, Vipex will notify you promptly and at the latest within 30 days of receiving the request, stating the reasons for not fulfilling it.

After receiving your request to exercise data subject rights, we will provide you with a response without delay, but no later than one month from the date of receiving your request. This period may be extended by an additional month if necessary, taking into account the complexity and number of requests. We will notify you separately of such an extension within one month. This information is provided to you free of charge. If the data subject’s requests are clearly unfounded or excessive, particularly due to their repetitive nature, we have the right to charge a reasonable fee (i.e., ask for reimbursement of administrative costs) or refuse to act on the request altogether.

The response is provided to you in the manner requested in your application. If the application does not specify a manner in which to receive the response, the response will be provided in the same manner as your request was submitted.

You are responsible for the accuracy, correctness, and completeness of the personal data you submit. Therefore, if your personal data (which is needed for the above-mentioned purposes) changes, you have the obligation to notify the company of any changes without delay.

By submitting your personal data, you assume full responsibility for its correctness and bear responsibility for any damages to us and/or third parties that may result from the unlawful processing of such personal data.

Filing Complaints

In addition to the right to view recordings, a person has the right to exercise all other data subject rights set out in Regulation (EU) 2016/679 of the European Parliament and of the Council.

All data subjects have the right to submit a complaint to the national data protection supervisory authority if they believe that the processing of their personal data does not comply with data protection legislation and general data protection rules. In Estonia, the national supervisory authority is the Data Protection Inspectorate.

If you believe that Vipex has violated your rights regarding personal data processing, you have the right at any time to contact the Data Protection Inspectorate (www.aki.ee) or the court.

7. PERSONAL DATA WE PROCESS

We collect and process personal data only if it is necessary for achieving the purposes for which it is processed. Considering the services, features, and other communication channels we offer, we may process the following personal data:

Data category Personal data collected and processed Source of personal data
Contact details Identification data: Your first name, last name. Contact details: email address, phone number, home address. Received from you when you place an order through Vipex.ee and provide the required data for its fulfillment, create a personal Vipex.ee account and provide your data via that account, contact us with an inquiry, request, complaint, etc. You apply to work with us. You contact us via social media.
Social activities Communication, photos, posts, participation in events, evaluations. Directly from you (on your social network account) when you interact with us (using social network tools such as “Messenger,” or when you visit our managed social accounts and/or website).
Registration, login, and account technical and administrative data Registration and login data: email address and password, which we securely store in encrypted form so that it cannot be seen, Facebook ID if you create a connection through your Facebook account. Technical/administrative data needed for the account to function and ensure security: username, account status (active, blocked, etc.), IP address, login attempts and actions associated with the account. Other info: a note indicating you have read Vipex.ee’s Terms of Use and/or Privacy Policy, and the date/time you did so. Collected from you when you register on Vipex.ee and create an account. Created or stored automatically (including through cookies and similar technologies) when you register, log in, or use your account (e.g., technical data).
Purchase data Details of your order: goods ordered, their quantity, prices, discounts applied, coupons used, the date/time the order was placed; Billing information: payment method, date/time, details about the payment (including, among others, the bank account number). Delivery information: delivery method and/or delivery address, recipient’s basic data if you marked a third party as the recipient. Information about order status and progress: whether the order is ready, dispatched, delivered, information regarding product and refund returns, etc. Communication data: information about communication with you or from you regarding the order and the performance associated with it, plus any other content of the interactions. Other info: a note confirming that you have read Vipex.ee’s Terms of Use and/or Privacy Policy, plus the date/time. If you make a purchase as a registered user, your purchase data is associated with other data stored in your personal account. Provided by you when you place an order via Vipex.ee, make a payment, contact us (or we contact you) regarding the order and its fulfillment, if you request a product return, etc. This data is created during the order fulfillment process, or obtained from the sellers whose goods you purchased and/or from our partners who help fulfill orders (e.g., information about when the order was paid for, shipped, delivered, etc.). We use cookies and similar technologies when such data is necessary for concluding a sales contract, accepting and processing the order (for instance, cookies help record that you’ve read the Terms of Sale and/or the Privacy Policy).
Your consents, communication preferences Consents and communication options: your consent to receive marketing and/or other notices, subscription to information and/or opting out of such notices. Your cookie choices. Provided by you (and stored by automated means, including cookies and similar technologies) when you mark your consent and/or preferences, subscribe to or refuse relevant notices and/or services.
Data on your browsing on Vipex.ee Browsing data: pages viewed, products viewed, date/time viewed, browsing duration, items added to cart and/or wishlist, date/time of upload, clicks on banners, other clicks and interest in content, referrer information about how users arrived at the site, including but not limited to affiliate ad statistics. Technical data: IP address, session ID, browser used, device type, screen resolution. Collected via cookies and similar technologies when you browse the Vipex.ee website. Produced from your browsing data (e.g., browsing statistics).
Other data generated when you use the relevant Vipex.ee services Data generated from using certain Vipex.ee services or features: for example, if you save items to a wishlist, select and save a city (to see the nearest pick-up point), save a language choice. If you perform these actions as a registered user, the data is tied to your other data stored as a registered user. Provided by you (and stored by automated means, including cookies and similar technologies) when you use the relevant Vipex.ee service or feature.
Newsletter and other message-view data Information that the message was successfully delivered, details of when it was opened (date/time), clicking on links in the message, email details, forwarding or rejection statistics, etc. Collected through cookies and similar technologies when you receive newsletters or other messages.
Details of interaction with you When you contact us for help, submit questions, provide feedback, file complaints, etc., we process the documents and copies used to contact us, plus any documents and information you provide, as well as any additional data we collect as needed to evaluate your request and provide a response. Provided by you when you contact us with a request, feedback, complaint, or other inquiry. We gather data about you that is already legally available to us and/or from third parties (e.g., state authorities) if necessary to process your request and provide an answer.
Video recordings Personal data captured on a video recording. If you visit the Vipex showroom.

Vipex only processes your special categories of personal data if an event affecting your health has occurred in connection with goods or services provided by Vipex or if you have contacted us with a request that includes special categories of personal data. Vipex processes your personal data only if you voluntarily provide this information.

8. RETENTION PERIODS FOR PROCESSING PERSONAL DATA

Vipex retains personal data only as long as such retention is deemed necessary for the purposes for which the data was collected. Personal data is retained according to relevant laws and the company’s policies.

The company processes your personal data at the beginning and during the customer relationship, primarily when you visit the company and the website www.vipex.ee. Vipex processes personal data as long as necessary to perform the customer relationship or an equivalent relationship between Vipex and the data subject, or until the data subject withdraws consent to process personal data, or for legal purposes until the deadlines specified by law.

The company follows these criteria when retaining personal data:

  • The length of time personal data is needed to provide our services.
  • If a person has a customer account with the company, we retain the data for the entire time the account is active or as long as needed to provide services to that person.
  • If the company has a statutory, contractual, or similar obligation to retain personal data, it is retained as long as necessary to fulfill that obligation.
  • After the end of a contractual relationship, we retain certain data as long as the person (data subject) or the company itself has the right to file claims under the contract against the other party.

The data processing retention periods are:

  • We retain written documents of the employment contract according to the requirements of the Employment Contracts Act for 10 years after the end of the employment contract.
  • For an applicant hired for a position at Vipex, data is retained in accordance with labor law. For an applicant not hired, data is kept for up to six months from the date of the recruitment decision. With the consent of the applicant, Vipex may store the applicant’s personal data for up to three years in order to provide the applicant with future job offers.
  • For customers who made a purchase as a guest in the online store, personal and purchase data – 3 years from the date of purchase.
  • We process your contract and/or orders with supporting evidence (including personal data you provide) for the entire validity period of the contract and retain them for up to 5 years from the end of the contract’s validity. Data about customers who have not fulfilled their financial and/or property obligations or have caused damages to the company are retained for an additional 5 years.
  • Vipex video recordings – 72 hours, unless a longer retention is required in connection with an ongoing investigation related to the protection of persons and property, or due to a longer deadline specified by law.
  • Customer inquiries and contacts, as well as complaints – 3 years from the time Vipex provides a final answer.
  • Personal data related to handling legal claims – 3 years from the date of the event underlying the procedure.

After the expiration of the stated periods, the personal data is automatically deleted or rendered anonymous.

9. DISCLOSURE AND TRANSFER OF PERSONAL DATA

From time to time, the company may disclose personal data to third parties or allow them access to personal data processed within the company (for example, if a law enforcement authority or the Data Protection Inspectorate makes a valid request for access to personal data).

The company may share personal data:

  • With other parties, such as business partners, suppliers, and contractors.
  • If the company has a legal obligation to disclose personal data (this includes information exchange with other companies and organizations to prevent fraud).
  • If the company concludes contracts with other parties to process personal data on behalf of the company, it ensures the appropriate contractual safeguards for the protection of personal data, including data protection standard clauses to be included in contracts with the persons processing data on the company’s behalf.

The company discloses or grants access to personal data to the following categories of entities, for the purposes explained below:

  • Telecommunications service providers – for setting up employee voice and data services.
  • Software developers – for software development.
  • Security service providers – for ensuring a secure work environment and fulfilling security requirements.
  • Payroll service providers – for payroll management of employees.
  • Occupational health service providers – for organizing employee occupational health services.
  • Recruitment agencies – for finding new employees/contractors.
  • Marketing companies – for direct marketing to customers named by the company.
  • Insurance brokers and insurance companies – for travel, accident, or other relevant insurance for company employees.

Processors may only process personal data according to Vipex’s instructions, and the company has concluded confidentiality agreements with the processors for keeping personal data confidential. In addition, Vipex has the right to transfer personal data to supervisory, investigative, and law enforcement authorities and third parties if such an obligation arises under law.

Vipex AS authorized processors of personal data.

10. DIRECT MARKETING AND SATISFACTION SURVEYS

With your consent, Vipex may use your personal data to send you information about special offers, campaigns, and offers, as well as conduct satisfaction surveys.

If you no longer wish to receive direct marketing from Vipex, you may withdraw your consent for processing personal data at any time by following the instructions in the direct mailing or by contacting Vipex customer service. Withdrawal of consent does not have retroactive effect, i.e., it does not affect processing that was carried out before the withdrawal of consent.

11. SECURITY CAMERAS AND VIDEO RECORDINGS

AS Vipex uses security cameras to protect people (i.e., customers, employees, and visitors), ensure safety, and detect compliance with internal rules. The controller of personal data is AS Vipex.

When using security cameras at AS Vipex, three keywords are important – purposefulness, information, and minimal intrusion on individuals. Cameras are placed so that the entrances to the warehouses, common areas, and parking area are under surveillance. This means that customers and other visitors who operate in these areas are included in the surveillance area and video recordings.

Basic conditions for using security cameras include:

  • The legal basis for using the cameras – legitimate interest.
  • A brief description of the monitoring system – a digital system without audio recording capability.
  • The recording may be forwarded to the PPA (Police and Border Guard Board), the AKI (Data Protection Inspectorate), and other authorities and individuals prescribed by law.
  • Access to the monitoring system is with the IT manager/administrator and a member of the company’s management board.
  • Recordings are retained for 72 hours, after which the video system automatically overwrites. In the event of a security incident, relevant parts of the recording are retained until the incident is resolved.
  • The type of monitoring – real-time viewing is possible, with recording and the ability to review afterward.

The collected data is protected, and recordings are stored on a server accessible only to the company’s IT manager and the chair of the management board using personal user credentials and passwords.

In order to fully inform employees and ensure they understand under what conditions they are monitored, we have prepared, in accordance with the recommendations of the Data Protection Inspectorate, a brief description of how monitoring devices are used:

  • The purpose of using security cameras at AS Vipex is the protection of persons and property, safety, and compliance with internal rules.
  • The recordings of security cameras are not used for the initial investigation of job duties and/or occupational safety violations.
  • The monitored area is limited to property and buildings owned by the company.
  • Recording only occurs when movement is detected.
  • There is no continuous real-time monitoring; no dedicated employee is hired for that purpose.
  • Security camera recordings are automatically deleted after 72 hours.
  • No monitoring of private areas is conducted. Security cameras have not been installed in areas not intended for employees to perform their job duties, but for their private use, such as restrooms, showers, dressing rooms, employee lounge areas.
  • Likewise, no security cameras have been installed in offices or rooms in the company’s office building.

In the event of a potential data leak regarding video surveillance, we work with the Data Protection Inspectorate and law enforcement agencies to stop the leak and remedy the situation immediately.

Data recorded by the video surveillance system is not processed unless a legitimate, interest-based request is made regarding the data.

The operation and functioning of the video surveillance system is managed by AS Vipex (registry no. 10170170), Address: Kriidi tn 10, Tallinn 11415, Republic of Estonia. Email: info@vipex.ee, telephone +372 6201000.

The person responsible for data protection and personal data processing at the company is AS Vipex’s Chair of the Management Board, Ivo Kollo (email: ivo.kollo@vipex.ee, mobile +372 5017177), who can provide more specific information about personal data processing and allow those interested to see recordings that contain their personal data.

In addition to the right to view recordings, individuals have the right to exercise all other data subject rights under Regulation (EU) 2016/679 of the European Parliament and of the Council. The data subject rights are also described in AS Vipex’s Privacy Policy in Section 14 (“Your rights regarding the processing of your personal data”). And the legal analyses underlying data collection.

The legitimate interest analysis for using security cameras is presented and made available to company employees as a separate document in the employee lounge. For other data subjects interested in reviewing the legitimate interest analysis of using security cameras, please contact AS Vipex’s Chair of the Management Board, Ivo Kollo (email: ivo.kollo@vipex.ee, mobile +372 5017177).

Additional information:

It is important to know that everyone has the right to know about all operations performed on their personal data within the company. Likewise, everyone has the right to access such information within a reasonable time for checking and reviewing their personal data.

In the case of video recordings, one should keep in mind that the company does not retain the recordings for longer than 72 hours, after which they are automatically deleted.

Everyone has the right to file objections regarding the use of security cameras.

If the explanations from the controller are not relevant, understandable, sufficient, or if there is suspicion of a violation in the processing of personal data, there is the option to seek legal certainty by contacting the Data Protection Inspectorate (www.aki.ee) by phone at 627 4135 or via email at info@aki.ee. More detailed contact information can be found on the Data Protection Inspectorate’s website.

Under §14 point 2 of the Personal Data Protection Act, collecting personal data must be purposeful. AS Vipex, as an employer, highly values, respects, and protects the privacy of all data subjects, and therefore the security camera system is set up in such a way as to minimize any impact on the privacy of company employees and other data subjects, ensuring that they typically do not appear, or appear to a minimal extent, in the view of the security cameras.

References to potential violations, the need for quality control, or providing evidence for disputes are generally not sufficient justification for implementing surveillance systems. Likewise, remote monitoring of an employee’s work for quality or quantity control is not permitted. Such activities are strictly prohibited at our company!

Which of your personal data do we process using security cameras, and how long do we keep it?

Our company does not use audio devices. The security cameras only record without audio (sound) and store the recordings for 72 hours, after which the recordings are completely deleted automatically.

To whom may we disclose your personal data?

Data may be submitted to competent authorities and/or law enforcement agencies (for example, courts, the police, or other supervisory authorities), legal and/or debt collection service providers, insurance companies, etc. However, your data will only be transmitted if it is required by applicable law and only in accordance with the procedure established by law, in order to protect our rights and ensure the security of our clients, employees, and resources, and to bring, enforce, and/or defend legal claims.

We note that your personal data is transmitted only to third parties who ensure proper processing and protection of personal data. Your personal data is not transmitted to third countries (i.e., outside the European Union or European Economic Area) or to international organizations.

Under which lawful processing conditions do we process your personal data?

We process your personal data under Article 6 (1)(f) of the Regulation, i.e., the processing is necessary for the legitimate interests pursued by the controller or by a third party.

12. COLLECTING DATA FOR IMPORTANT NOTICES

When we send data subjects important notifications – i.e., information related to our contract (e.g., changes or additions to contract terms; changes to the price of a service or product, etc.) and/or notifications related to handling complaints/claims/requirements or similar requests (e.g., replies to your complaints, email correspondence regarding dispute resolution, etc.) – we have a legitimate interest in ensuring that the data subject is informed of the latest changes in the General Terms of the contract and collecting evidence that this type of message has been delivered to the data subject and opened (read). Therefore, with such messages, we additionally track the message itself, i.e., we collect statistical information about messages sent (for instance, the name of the message, date/time of sending, date/time the message was opened/read, date/time a link in the message was clicked, etc.).

The collection of this personal data (statistical message information) is carried out for the proper performance of the contract and/or handling of complaints, in accordance with Article 6 (1)(f) of the Regulation, i.e., the processing is necessary to protect the company’s legitimate interests in safeguarding its property interests. This data is retained for the entire period of contract performance and/or the complaint/inquiry/claim handling period, and 5 years from the day the message is sent.

13. COMMUNICATION ON SOCIAL NETWORKS

In order for us to properly represent the company and increase our visibility in the public space, the company manages the following social network accounts:

@vipex25, at: https://www.facebook.com/vipex25

@vipexas, at: https://www.instagram.com/vipexas/

https://www.linkedin.com/company/vipex-as

To whom can we disclose your personal data?

To ensure the proper representation of the company in the public space and to maintain continuous communication with you, we may share your data with the processors involved (e.g., advertising agencies, consultants, etc.).

Data may also be disclosed to competent authorities and/or law enforcement agencies (for example, courts, police, or other supervisory bodies), legal service providers, etc. However, your data will be disclosed only if required by the applicable laws and solely in accordance with legally prescribed procedures, to protect our rights and our clients’, employees’, and resources’ security, or to file, fulfill, and/or defend legal claims.

We note that your personal data is disclosed only to those third parties who guarantee proper processing and protection of the data. Your personal data is not transferred to third countries (i.e., outside the European Union or European Economic Area) or to international organizations.

We draw your attention to the fact that personal data submitted on social networks is processed together with the manager of that social network (e.g., Facebook and/or Instagram). Therefore, to more extensively familiarize yourself with how personal data is processed on social networks, we suggest also reading the privacy policy of the social network manager.

For what purposes do we use and process your personal data?

When you interact with us and/or visit our managed accounts or our website, you consent to our viewing your messages and responding. Thus, we process your personal data under Article 6 (1)(a) of the Regulation, i.e., the data subject has given consent for processing his or her personal data for one or more specific purposes.

How long do we process your personal data?

We process the personal data you provide for as long as it is needed or until you withdraw your consent (i.e., delete your personal data from the account), but no longer than until the account of the Company is deleted. Note that we process data only on the social network manager’s platform, so the precise purpose and conditions for processing are ultimately determined by the social network’s controller.

If prohibited communication occurs (e.g., defamation, damage to the reputation of the company, etc.), we may keep this communication as evidence for the relevant period to protect our rights or legitimate interests (i.e., for the entire pre-trial or court dispute period).

14. SECURITY AND SAFEGUARDS

The company has implemented physical, technical, and organizational measures to protect personal data against unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition, or unauthorized access.

Vipex uses up-to-date and appropriate technical and organizational security measures in collecting, storing, and processing personal data to protect it from unauthorized access, alteration, or destruction. Access to personal data for alteration or processing is granted only to authorized persons.

For example, the company uses the following physical security measures:

  • Documents on paper containing personal data are kept in locked cabinets and rooms, to which only the management board member or the employee replacing him or her has access, as required by their job duties.
  • The premises and IT systems used for data processing are adequately protected against fire, overheating, water, power surges, and power outages.

When processing your personal data, we apply appropriate organizational and technical measures to safeguard your data against accidental or illegal disclosure, destruction, alteration, or any other illegal action. We choose these measures by considering the risk to your rights and freedoms as a data subject.

Technical security measures in place include, for example:

  • Video surveillance.
  • All workstations are protected by a password-protected screensaver when the employee leaves.
  • The IT system does not allow new login attempts and locks the user ID if the number of failed attempts exceeds a certain limit.
  • Particularly vulnerable systems (e.g., laptops, smartphones) are adequately protected (for example, using encryption or other methods).

We ensure strict access control to the personal data processed, granting it only to those employees who need it for their job duties, and we monitor how they use that access. Access to personal data is enabled through appropriate-level passwords and by concluding confidentiality agreements with individuals who have access to your personal data.

All company employees with access to your personal data have been made aware of data protection requirements and must ensure the confidentiality of the personal data they process.

Examples of organizational security measures include:

  • Access to key IT systems and rooms is regulated.
  • All IT system users have assigned roles and profiles.
  • It is defined which data each user can access, and access rights correspond to each employee’s job needs.
  • It is ensured that access rights are revoked when an employee leaves the company.
  • It is ensured that one cannot enter from publicly accessible spaces into rooms used for processing personal data without proper authorization.
  • Rooms where the computers accessing the IT system are located, and rooms where documents containing personal data are stored, are monitored/under security after working hours, too.

15. USE OF COOKIES

A cookie is a small text file automatically stored by your web browser on the device you use. Cookies are used to collect information about how the user uses the website, with the aim of providing the user with a better browsing experience. The website www.vipex.ee uses the following cookies:

  • Session cookies, intended to allow use of the website.
  • Persistent cookies, intended to remember the customer’s choices on the website.
  • First- and/or third-party cookies, intended to show the user relevant ads and offers.
  • Third-party analytics cookies, intended to optimize marketing communications.

The website visitor can delete or block cookies stored on his or her devices by adjusting the settings of his or her web browser. If cookies are not used, the website may not function as intended, and some functionalities might not be accessible to users.

16. PROCESSING NON-PERSONALIZED DATA

When visiting www.vipex.ee, Vipex may collect non-personally identifiable data such as the date and time of the website visit, downloaded information from the website, information about the browser name and operating system, internet service provider, and other similar details. Vipex processes such data anonymously, and primarily uses it to improve the functionality of the website.

17. AREAS OF RESPONSIBILITY

The company is responsible for processing personal data. Overall responsibility for compliance with the privacy policy within the company lies with the company’s management, which designates a main contact in relation to the processing of personal data regarding company employees and contractors, clients and cooperation partners, and personal data security within the company.

All company employees who encounter personal data processing are obliged to follow the most up-to-date published version of this privacy policy. For any questions, please contact the person responsible for data protection and personal data processing within the company, AS Vipex’s Chair of the Management Board, Ivo Kollo (email: ivo.kollo@vipex.ee, mobile +3725017177).

18. AMENDMENTS TO THE DATA PROTECTION TERMS

Vipex has the right at any time to change and supplement the data protection terms. The valid data protection terms are always available on Vipex’s website www.vipex.ee. You can also view the data protection terms by visiting Vipex’s showroom customer service or by contacting Vipex’s data protection specialist at info@vipex.ee.

Copyright © 2025 Vipex