General provisions and definitions
This privacy policy (hereinafter referred to as the Policy) has been prepared on the basis of REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL (hereinafter referred to as the Regulation) and national legislation, and it regulates personal data processing by Elisa Eesti AS that belongs to the Elisa Group (hereinafter referred to as Elisa) as the controller. The definitions only include the terms not stipulated in the Regulation. The terms personal data, personal data processing, profiling, controller, and processor are used in this document within the meaning of the Regulation. Data subject means a natural person whose personal data are processed by ELISA. Data Subjects are potential, existing, and former clients, users of mobile telephone numbers, prepaid and/or internet card users, users of ELISA self-service and app, gift card recipients, data subject representatives, partners, makers of queries and guests. Client means a natural person who has expressed an interest in receiving a quote to use the services of ELISA or has expressed an interest in using the services of ELISA (potential client). A natural person who uses (existing client) or has used (former client) the services of ELISA. User means a natural person appointed by the Client who, with the Client’s consent and while the client remains liable, uses the services provided by or via Elisa to the Client’s mobile telephone number. Prepaid and/or Internet card user means a natural person who uses the communication services of ELISA with a prepaid card. ELISA self-service and App user means a natural person to whom ELISA has granted a non-exclusive licence to use the ELISA App or self-service. Gift card recipient means a natural person in whose name a gift card has been issued. Data subject representative means a natural person who represents the data subject either based on the law or a contract (authorised persons). Partner means a person with whom Elisa has entered into a contract for the development of business operations (e.g. a contract for the establishment of a right of superficies, a contract for the establishment of a personal right of use, a tenancy contract, etc.). Person who submits request means a natural person who submits a request for information to ELISA within or outside a client relationship. Guest means a natural person who has visited a shop, office, or the website of ELISA. Service usage details means the data of the service usage details that have become known to ELISA while providing the service, including: mobile communication services mean voice and data communication usage (time, volume, message content and service and network used) data communication services mean data usage (time, volume) television services mean the choice of channels value-added services mean video rental: rented films, Elisa Raamat: selection of books and similar services. Service consumption address means the client’s physically determined place of residence or location for the use of the ordinary telephone service and online Internet service. Location data means the data generated upon provision of communications services, which indicate the estimated and likely geographical location of the SIM card used by the client. Data processing systems means the databases and information systems used by ELISA, where personal data are processed (including the self-service of ELISA). Data processing registers means the public registers managed by private persons or public entities that include personal data. The data processing registers are listed in point 3.2. ELISA app means software for smartphones or web browsers that is either directly offered or mediated by ELISA. ELISA self-service means the online self-service environment of ELISA. Lawfulness and security of personal data processing
ELISA considers the confidentiality and protection of personal data crucial and guarantees the lawfulness of personal data processing. Personal data are processed in ELISA primarily according to the requirements stipulated in the Regulation and the Electronic Communications Act. ELISA applies organisational, physical and information technology security measures to protect personal details relying on the best practices of information security. The goal of ELISA is to guarantee processing that is responsible and proceeds from the interests, rights and freedoms of the Data Subject. Sources and types of personal data
The exact scope of the personal data processed is dependent on the type of services you use or the type of relationship you have with ELISA. The core business of ELISA is the provision of telecommunications and television services, but it also offers a range of value-added services. ELISA processes personal data obtained from:
the data subject (e.g. in pre-contractual negotiations, upon entry into contracts, during the terms of contracts, upon use of a prepaid and Internet card, upon registration of a gift card, upon use of the ELISA app, when making a request for information, upon use of the self-service bureau, when visiting sales and service channels);
data processing registers (e.g. e-Krediidiinfo, Taust.ee, number booking database (NBA), the Population Register, or
other service providers (e.g. banks). An overview of the categories of personal data is available in the document Categories of Personal Data. Legal grounds and purpose of personal data processing
ELISA collects personal data for specified, explicit and legitimate purposes and does not process them later in a manner that does not comply with these purposes. ELISA processes personal data either for the performance of a contract or taking measures preceding the conclusion of a contract based on the consent of the data subject or legitimate interest or for the performance of an obligation arising from law. You can read more about the purposes of personal data processing and the personal data processed in the following documents:
Personal data processing for the performance of a contract or taking steps before the conclusion of a contract
Personal data processing based on the data subject’s consent
Personal data processing on the basis of legitimate interest
Personal data processing for the performance of an obligation arising from law Disclosure and transmission of personal data
ELISA discloses Personal Data only to the extent necessary for achievement of the objectives specified in clause 4.3. ELISA discloses or transmits personal data to:
the contractual (authorised persons) or legal representative of the data subject; another controller on the basis of the data subject’s request (upon implementation of the right to transmit data); data processing registers (e-Krediidiinfo and Taust.ee in the case of debts, the number booking database (NBA) in the case of number portability). to the processors of ELISA:

resellers of services; call centres (answering the calls of clients); service partners (sending out satisfaction questionnaires); device maintenance centres (maintenance and repairs of the devices of clients); suppliers (delivery of cards and devices required for contracts and the use of services); invoice centres (preparation and issue of invoices); marketing partners (transmission of advertising offers); archiving centre (archiving contracts and other documents associated with contracts); debt collectors; managers of data processing systems;

other processors:

when assigning claims to a new creditor;

state authorities:

investigative bodies, surveillance authorities, the Prosecutor's Office and courts pursuant to the Code of Criminal Procedure; security authorities; the Data Protection Inspectorate, the Consumer Protection and Technical Regulatory Authority, the Financial Supervision Authority, the Environmental Inspectorate, the Police and Border Guard Board, the Security Police Board and the Tax and Customs Board pursuant to the Code of Misdemeanour Procedure; the Financial Supervision Authority pursuant to the Securities Market Act; the court pursuant to the Code of Civil Procedure; the surveillance authority in the cases stipulated in the Defence Forces Organisation Act, the Taxation Act, the Police and Border Guard Act, the Weapons Act, the Strategic Goods Act, the Customs Act, the Witness Protection Act, the Security Act, the Imprisonment Act and the Aliens Act; to surveillance and security authorities and their supervisory authorities and the court pursuant to the Electronic Communications Act; in the cases arising from other legislation on the grounds and pursuant to the procedure stipulated therein;

ELISA ensures that the processors process personal data according to the instructions of ELISA and in accordance with applicable law and take relevant security measures. ELISA only allows instructed processors to access personal data. The processor has the right to process personal data only to the extent required for the achievement of the objectives set by ELISA. The processors must comply with the personal data processing requirements of ELISA. ELISA does not forward your personal data outside of the European Union or the European Economic Area, or to a third country or international organisation whose level of data protection has not been assessed as adequate by the European Commission. However, where necessary, such transfers will only take place where there is an appropriate legal basis for doing so and we will take appropriate safeguards. Storage of personal data
ELISA retains personal data for as long as necessary for the purposes of the processing. Further information on the retention of personal data can be found in Personal Data Retention Policy. If ELISA wants to retain personal data for longer than is necessary for the purposes of the collection of data, ELISA anonymises the personal data in such a way that the data subject cannot be identified. ELISA retains the personal data processed on the basis of consent until the consent is withdrawn. Rights of data subject
The data subject has the right to be informed of the conditions of data processing. ELISA will make the terms and conditions of data processing available to the data subject on the basis of this document or the respective request. The data subject has the right to review the information specified in Articles 15(1) and (2) of the Regulation. ELISA will make the information specified in Articles 15(1) and (2) of the Regulation accessible to the data subject via this document and the ELISA self-service environment. The data subject has the right to demand correction of personal data. The data subject can rectify the data in ELISA self-service or by submitting a respective signed request. If you wish to change your name, please send a copy of your identity document in addition to your request. The data subject has the right to have their personal data deleted (“the right to be forgotten”). The data subject has the right to request ELISA to erase their personal data, for example, if the data subject has withdrawn their consent to the processing and there is no other legal basis for the processing. Data subjects have the right to restrict the processing of their personal data. The data subject has the right to request the restriction of the processing of personal data if the processing of personal data is not permitted by law or if the data subject contests the accuracy of the personal data. The data subject has the right to request the restriction of personal data processing for a period of time that allows the controller to verify the accuracy of the personal data or if the processing of personal data is unlawful, but the data subject does not request the erasure of the personal data. The data subject has the right to receive information about the personal data concerning them that they have submitted to the controller and the right to send these data to another controller (the right to transfer data). The data subject has the right to file objections at any time to the processing of their personal data, which is necessary in the case of legitimate interest, including in respect of profiling based on legitimate interest. Exercise of rights and submission of requests
A request for the exercise of rights or an objection to processing must be signed and sent to a point of sale of ELISA or digitally signed and e-mailed to andmekaitse@elisa.ee. In order to transfer the Personal Data concerning the Data Subject, the Data Subject must fill in a request that can be found here. ELISA will respond to the requests and objections filed by the data subject within one month of receipt of the request or objection. This period of time may be extended by two months, if necessary, taking into account the complexity and the number of the requests or objections. ELISA will notify the data subject of the extension of the response deadline and the reasons for the delay within a month of receiving the request or objection. If the data subject submits the request or objection electronically, the response will also be sent electronically, unless otherwise requested by the data subject. ELISA has the right to reject the data subject’s request to exercise their rights if ELISA cannot identify the data subject (e.g. a person who submitted a Request outside a client relationship, an App user or a prepaid and/or Internet card user). If ELISA does not implement measures according to the data subject’s requests and objections, ELISA will notify the data subject of the reasons for not taking the measures within one month of receiving the request or objection and explain the option to file a complaint with the supervisory authority and use legal remedies. The data subject has the right to file a complaint with ELISA, the data protection inspectorate or a court if the data subject finds that their rights have been breached upon personal data processing. The contact details of the Data Protection Inspectorate (hereinafter referred to as the DPI) can be found on the website of the DPI at aki.ee. Other terms and conditions
ELISA has the right to update, clarify and amend this Data Protection Policy at any time based on changes in legislation, telecommunications practices and the services provided by ELISA. This Privacy Policy will enter into force on 1 January 2021. Contact details of the data protection officer: andmekaitse@elisa.ee