Frequently asked questions

Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation or the GDPR), the aim of which is to give natural persons a better overview of the distribution of their personal data. In the context of Estonian law, the Personal Data Protection Act (PDPA) (publication notation RT I, 04.01.2019,11) corresponds to the GDPR.

The GDPR and the PDPA cover all personal data, including special types of personal data. These include: name, personal identification code, location information, network identifiers (attributes which lead to a particular person in a communication network), as well as physical, physiological, genetic, mental, economic, cultural and any other characteristics and the combinations thereof which allow identification, data related to payment services in banks, credit card data, digital trust service data for digital signing, non-public data about the proprietary status of a person, communication data covered by message confidentiality, real-time location determination data, credit rating and other profiling with legal consequences or significant impact. Special types of personal data include racial or ethnic origin, political views, religious or philosophical beliefs or trade union membership, genetic data, biometric data used for the unique identification of natural persons (primarily fingerprint, palm and eye iris images), health data or data concerning the sex life or sexual orientation of a natural person. In conclusion, the GDPR and the PDPA cover all the information that makes it possible to identify a person, including indirectly.

The GDPR does not cover non-personalised statistics which does not allow the association of gathered information with a particular person. For instance, being part of a segment of males in their 50s who are interested in sports.

Gathering special types of personal data (health, family members, sexual orientation, finances and other such) and creating segments which allow the identification of persons must definitely be avoided.

The main principle to observe is that you can ask as much as you minimally need. For instance, in the case of a game that involves sending a physical prize, the delivery address is needed, while in the case of a prize sent by email a postal address is not needed. At times, the winner needs to be contact by phone and in such cases that is also important information. The most important thing to remember here is that data may be stored until the end of the need to process them; that is, the gathered data has to be destroyed after the game has ended and the prize has been drawn. Only the contact details of those who have granted their consent to the further processing of their data (e.g. for receiving offers or newsletters) may be kept.

The disclosed information must definitely be specified in the campaign terms and conditions which should also specify the disclosure period. If the aim of disclosure is to inform the participants of the winner, personal data has to be removed after the prize has been handed over, but if the campaign terms and conditions stipulate otherwise, the information may be kept. This particularly applies in campaigns where participants have to send images or videos which are later published on a webpage. The principle that a data subject has the right to be forgotten must also be observed.

Postimees Grupp applies the principle that if the party ordering a game draws a prize, the information necessary for drawing and delivering the prize shall be transmitted, as well as the data of the participants who have agreed to receive offers. If the prize is drawn and delivered by Postimees Grupp, the data of the participants who have agreed to receive offers is transmitted to the party ordering the game and the rest of the data is destroyed after the prize has been drawn and the term of submitting complaints has expired. These principles have been established to ensure that the processing of data in environments owned by Postimees Grupp is in accordance with the consent granted by data subjects.

Data subjects must be informed of all parties who process their data and for what purpose.

Data subjects must be informed of all parties who process their data and for what purpose. How long may the gathered personal data be stored? Data may be stored until the end of the need to process them; that is, the gathered data has to be destroyed after the game has ended and the prize has been drawn. Only the contact details of those who have granted their consent to the further processing of their data (e.g. for receiving offers or newsletters) may be kept. If the objective of gathering data is to subsequently continue forwarding offers, the data may be kept until the user withdraws his or her consent.

Personal data must be stored in a manner which ensures the security of the data and excludes the accessibility of the data to third persons. Data may be stored in a cloud, but it must be ascertained that the cloud is sufficiently secure. Detailed rules are stipulated in a data processing agreement between the customer and Postimees Grupp.

In the case of a personal data leak, the instructions of the Data Protection Inspectorate must be complied with (available here).

Access to personal data must be restricted to the number of people whose work duties involve the respective activities and access must be excluded to third parties, including the company employees whose work duties do not involve the processing of personal data.