This Personal Data Processing Guide (hereinafter referred to as the guide) has been prepared in accordance with the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council, hereinafter referred to as the regulation) and the personal data protection law, and applies to the clients and potential clients of the accounting firm Daemon who have expressed an interest in ordering our services or in collaborating with us.
The guide is an integral part of the contracts concluded between us and the client and contains the following information:
- the types of personal data we collect
- why and on what basis we collect your personal data
- how we handle your personal data
- what your rights are
- where to find us to obtain information about your rights related to the processing of your personal data and to exercise those rights?
1.USEFUL DEFINITIONS
We use the following terms in the guide with the meanings specified below:
client – a natural or legal person who uses, has used, or has expressed a desire to use our services, or is otherwise related to our services (hereinafter referred to as client or you)
data subject – a natural person about whom we have information and data to identify the person. Data subjects include, for example, individual clients, visitors, inquirers and applicants, partners, representatives, and employees of legal entity clients (hereinafter referred to as person or client)
personal data – any information relating to an identified or identifiable natural person (data subject). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to personal data, location data, physiological, social, or economic characteristics
processing – any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
controller – a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
processor – a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Due to the specific nature of accounting services, we act both as the controller and as the processor of personal data disclosed to us by the client. As a processor, we process the said personal data on the client's instructions and in accordance with the client's instructions. The relationships, rights, and obligations between the processor and the controller are determined, if necessary, in the client contract, taking into account the general obligations arising from applicable legal acts.
2. PERSONAL DATA
We process our clients' personal data solely in accordance with the General Data Protection Regulation, the personal data protection law, and for the purposes and on the grounds outlined in this guide. We process the following personal data of our clients:
Identification Data
- first and last name, contact details (including residence, email address, and contact phone number)
personal identification number/date of birth
- a copy of an identity document (passport, ID card)
- nationality
- other data as required by law (including data from laws on Anti-Money Laundering and Counter-Terrorism Financing)
Client Representation Rights
- data regarding the person's association with legal entities (e.g., data submitted by the person or visible from public registers, the basis of representation rights, or other connections for conducting transactions and representation on behalf of a legal entity)
Data Related to the Provision of Services
- personal data known through the provision of services to the client, i.e., indirectly obtained personal data (e.g., client's employees, clients, suppliers, and contractual partners), which we process for providing accounting and other related services and may include the following data: person's first and last name, personal identification number/date of birth, number of dependents, marital status, contact details (e.g., residence, email address, and contact phone number), residency, profession/position, details of fees paid, bank account number, client's employment contracts, additional data required for calculating salaries (including salary calculations, special health-related data, letters from bailiffs), ordered service and purchased goods, transactions and debts, data of the company's shareholders/stakeholders, beneficiary data or data of other persons associated with the entity in relation to investments and financial interests
- data reflecting the person's activities in ordering and using our services, including the content of the ordered service, contracts concluded with the person, and data on contract violations, customer communication and correspondence, information related to payment for the service (payments/debts)
- details of transactions made from the person's payment account, including the payer's name, payment date, currency, amount, and explanation.
Other Data
- internet data: data related to the use of the website, cookies, website log data, and IP addresses.
We collect the above data in various ways:
- data disclosed to us by the person (e.g., through inquiries, applications, contract conclusion) and data obtained as a result of communication (e.g., correspondence, phone calls, verbal conversation, etc.);
- data published by the person on the internet and social media;
- data obtained during payment for the service;
- data obtained from third parties – from public registers, government agencies;
- previous information about the person and the service stored in our databases.
3. PURPOSE AND BASIS OF DATA PROCESSING
We have a legal basis and interest in processing the personal data of a client or a client's representative for the purpose of establishing, maintaining, and terminating cooperation and client relationships, and to retain data related to the person throughout the process, including retaining data for the fulfillment of legal obligations, making claims, and conducting legal disputes.
We collect and process personal data primarily in the following situations and for the following purposes:
For the purpose and on the basis of contract fulfillment
- providing services, especially making a price offer to the client, performing pre-contractual actions, concluding and fulfilling the client contract;
- identifying the client's identity and verifying the existence of representation rights;
- organizing and recording client communication, updating and correcting personal data;
- data obtained in the course of providing services, keeping records of client work, previous projects, time tracking, processing purchase and sales invoices;
- data related to the fulfillment of client payment obligations, billing, invoicing, and collecting payments;
- making or participating in claims related to the client.
For fulfilling a legal obligation
- fulfilling due diligence, including for the prevention of money laundering and terrorism financing;
- organizing accounting and fulfilling tax obligations;
- mandatory reporting to and responding to information requests from public authorities and government institutions (considering legal restrictions);
t- ransferring personal data to authorized processors, national or regulatory authorities when necessary;
- protecting our and our clients' assets.
On the basis of legitimate interest
- protecting the legitimate interests of the client and us to improve the quality of our services, to prove business relationships, and to promote communication with the client;
- marketing activities and maintaining and developing client relationships, including transmitting information related to client events and trainings;
- capturing client events and trainings through photos and/or filming with the aim of introducing our business activities, products, and services to clients and offering events of interest.
- with the client's consent direct marketing (e.g., introducing services offered by us and presenting offers via email);
- data resulting from visiting and using the website (e.g., data on how you use the website, IP address, and location information).
4. ACCESS TO PERSONAL DATA AND SECURITY
We ensure the confidential and secure storage of personal data as required by law and organize the protection of personal data against unauthorized access, unlawful processing or disclosure, accidental loss, alteration, or destruction.
Access to personal data is limited to our company's legal representatives or designated employees. Certain personal data may be transferred to a third party, i.e., an authorized processor, for the purpose of fulfilling contractual and legal obligations (see section 5 of the guide).
We organize the storage and exchange of information in a secure manner, using multiple personal access and identity verification codes and secure channels for transmitting information, thereby preventing access by third parties and minimizing the risk of data leakage.
5. DATA SHARING
We transfer client personal data to third parties when required by law, necessary for the organization of our work, for the fulfillment of obligations or rights arising from the law, or on any other legal basis. Personal data provided to authorized processors are processed on the basis of the law and only to the extent necessary.
We transfer personal data to the following recipients:
- authorized processors for the purpose of organizing our work (e.g., IT systems manager, client program manager, economic software, accounting software, archiving service provider, etc.);
- government authorities (Tax and Customs Board, Unemployment Insurance Fund, Health Insurance Fund, courts, Police and Border Guard Board, Financial Intelligence Unit, Data Protection Inspectorate, etc.);
- legal service and audit service providers.
6. RETENTION AND DURATION OF PERSONAL DATA
We do not process personal data for longer than is necessary for the purposes related to the data, including fulfilling the data retention obligations set out in legislation.
Accordingly, we adhere to the following in terms of personal data retention:
- Accounting documents are retained for 7 years in accordance with the Accounting Act;
- Data collected under the Anti-Money Laundering and Counter-Terrorism Financing Act are retained for 5 years;
- Information obtained based on consent is kept until the withdrawal of consent.
Clients have the right to withdraw their consent at any time by sending a corresponding notice to us via email or following the instructions provided in the footer of the newsletter. The withdrawal of consent does not affect the legality of the processing of personal data that took place before the withdrawal of consent.
Personal data is processed within the European Union/European Economic Area. Should there be a need to process personal data on servers located outside the aforementioned region, the transfer will only occur to recipients who are in a country deemed by the European Commission to have an adequate level of data protection or to recipients certified under the data protection framework Privacy Shield (applicable to recipients in the USA).
7. CLIENT RIGHTS
In the organization of personal data protection by us, the client has the following rights:
- To access information about themselves and, if necessary, receive a copy of the data;
- To demand the correction of outdated or incorrect data;
- To demand the deletion or cessation of processing of data if there is no longer a legal basis for the retention or processing of the data, and if the retention of the person's data is no longer necessary for data processing;
- To request the transfer of data to a third party;
- The right to lodge a complaint with a supervisory authority.
- To exercise the above rights, please contact our representative. If the client suspects misuse of their personal data, they should immediately notify our representative.
8. COOKIES AND OTHER WEB TECHNOLOGIES
A cookie is a small text file that is stored on the user's device. Our website and social media may use cookies to provide services to the user, to analyze and improve the user experience, and for more effective marketing. By visiting the website and social media, the user agrees to the use of cookies as described in the guide.
Cookies are generally used to collect statistical data by paying attention to user preferences when visiting various websites. The information is used to make the website more user-friendly and better.
To limit the use of cookies, the user can set their preferences through their web browser settings. Without the use of cookies, websites may not function correctly, and all services may not be available.
We reserve the right to update and change this guide. Changes will be made visible to clients on our website.
For questions related to the processing of personal data, please contact us at info@daemon.ee.