Terms and Conditions for Processing Personal Data
1.1. Processing Cardholder data – any operation regarding Cardholder data (including collecting, recording, preserving, modifying, using, transmitting, enabling access to and making inquiries about Cardholder data);
1.2. Terms and Conditions – this document, which regulates the bases and the Terms and Conditions for processing Cardholder data in the MinuKool information system;
1.3. Cardholder – the person that has applied for and is using/has used cards issued by the MinuKool information system (hereinafter referred to as Cards);
1.4. Third Person – any person that is not the Cardholder, the Federation, KS, or an employee of these organisations;
1.5. Federation – the Federation of Estonian Student Unions (MTÜ Eesti Üliõpilaskondade Liit);
1.6. KS – Koolisüsteemide OÜ, a company established and operating with the involvement of the Federation, whose function is to develop and manage the MinuKool information system and provide services related to electronic use of the Card (e.g., account service, message service) to the Cardholder;
1.7. Authorized processor – the person that processes Cardholder data on behalf of the Federation or KS.
2. CARDHOLDER APPROVAL
When the Cardholder enters into a transaction relationship with the Federation or KS, or applies for it, the Cardholder will give the Federation and KS their consent to have their Cardholder data processed under the Terms and Conditions.
3. LEGITIMACY OF PROCESSING CARDHOLDER DATA
3.1 The Federation and KS put great importance on protecting personal data; they guarantee a high standard of protection for Cardholder data and the legitimacy of its processing.
3.2 Processing Cardholder data is based on the Personal Data Protection Act, other legislation, and the Terms and Conditions. The rights and responsibilities of the Federation and KS in processing Cardholder data may be additionally regulated by a concrete service agreement or application form.
4. COMPOSITION OF CARDHOLDER DATA
4.1. The Cardholder data being processed in the MinuKool information system includes: (a) personal data; (b) contact data; (c) data about the Cardholder’s employment or studies; and (d) data about the Cardholder’s transactions and their related applications/agreements.
4.2. The Federation and KS shall process all Cardholder data they have received through a transaction relationship according to the objectives of processing Cardholder data.
4.3. The composition of the Cardholder data processed by the Federation and KS is based on agreements made between the parties, and other documents.
4.4 The Federation and KS process, inter alia, the following data:
4.4.1. Name, personal identification number, date of birth;
4.4.2. Address, telephone number, email address, etc.;
4.4.3 Status in an educational institution (high school student, university student, teacher, personnel, guest);
4.4.4. Card transactions, submitted applications, claims and notifications, signed/expired agreements, breaches of agreements, etc.
5. OBJECTIVES OF PROCESSING
5.1. The Federation and KS shall process all data comprising Cardholder data to achieve the objectives set out within the transaction relationship.
5.2. In order to establish a transaction relationship or make a relationship-related decision and fulfil duty of care, the Federation and KS have the right to process all publicly available Cardholder data (e.g., data published in state or local government institution databases, public databases, or on the Internet), as well as data received from Third Persons if transmission of information from Third Persons to the Federation and the KS is legal. Whereas in a situation where the Card issuance and usage occurs on the basis of the Cardholder’s high school student, university student, or teacher status, the Cardholder shall give EÜL and KS their permission to perform regular inquiries to the Estonian educational information system (EHIS) to check the Cardholder’s status, by agreeing with the Terms and Conditions.
5.3. The Federation and KS shall process Cardholder data in order to:
5.3.1. Fulfil the agreement made between the Cardholder and the Federation and/or KS (e.g., Card production and issuance upon Card application, provision of Card-related services and conveniences);
5.3.2. Realise their rights ensuing from the agreement related to the agreement made with the Cardholder (e.g., a Card issuance agreement made between the Federation/KS and an educational institution);
5.3.3. Segment Cardholders (e.g., high school students, university students, teachers, personnel, etc.);
5.3.4. Reduce and prevent risks, ensure safety and organise Card usage (e.g., to minimise misuse of the Card, to organise Card use within an educational institution);
5.3.5. Perform a statistical analysis;
5.3.6. Fulfil their responsibilities ensuing from legal norms (e.g., data transmission to research institutions, a notary, the Tax and Customs Board); and
5.3.7. Protect their rights that have been violated or disputed (e.g., data transmission to the attorney representing the Federation or KS, or to court).
6. DATA TRANSMISSION
6.1 The Federation/KS shall disclose or transmit Cardholder data to:
6.1.1. Companies belonging to the Federation and KS group (including future members of the parent company group);
6.1.2. Persons involved with fulfilment of the agreement made between the Cardholder and the Federation/KS (e.g., Card personaliser, the educational institution the Cardholder is involved with, partners of the Cardholder transaction (e.g., those installing access control systems)); and
6.1.3. Those maintaining the database to whom the Federation/KS is required to transmit information according to legal norms or agreements (e.g., EHIS, the study information system (ÕIS) of an educational institution). The given information shall also become accessible to all persons using the database.
6.2 The Federation/KS shall disclose client data to Third Persons only to the extent necessary for achieving the objectives set out in Article 5 of the Terms and Conditions.
6.3 The Federation/KS are required to disclose Cardholder data in order to fulfil their responsibility ensuing from legal norms (e.g., data transmission to research institutions).
6.4. In transactions with Third Persons, the transaction-related Cardholder data shall also become accessible to the Third Person (e.g., when using the Card electronically in access control systems or library accounting systems) who processes it at their own discretion.
6.5 In fulfilment of the agreement made with the Cardholder (e.g., Card transactions) the Federation/KS may use Third Persons (e.g., Card personalisers, those installing access control systems, etc.) and disclose Cardholder data to them. These persons can process Cardholder data according to the objectives set out in the agreement.
6.6 In transactions performed abroad the Cardholder data may also become accessible to accordant institutions in that country (e.g., research institutions, transaction handlers) and they can process Cardholder data under the law of that country.
6.7. The Cardholder is aware and agrees to have his/her Cardholder data become accessible to all parties of the user transaction (e.g., access control system installer, library system manager) in any Cardholder transaction.
7. EXTENT OF PROCESSING
7.1. The Federation/KS shall protect Cardholder data with strict security and confidentiality rules and have introduced organisational, physical, and technical security measures for Cardholder data protection.
7.2. The Federation/KS shall process the minimum amount of Cardholder data required for achieving the objectives set out in Article 5.
7.3. The Federation/KS shall grant access to Cardholder data only to trained personnel. An employee is allowed to process Cardholder data only to the extent necessary for carrying out his/her tasks.
7.4. When the Cardholder has given the Federation/KS his/her contact data (e.g., postal or email address, phone number), they have agreed to receive information (including advertisements) about the Cards and MinuKool project. The Federation/KS are required to discontinue sending information about the Cards and MinuKool project to the Cardholder without delay upon the receipt of a respective application.
7.5. The Federation/KS has the right to forward carefully selected offers from their partners to the Cardholder. The partner shall not acquire Cardholder data unless the Cardholder has expressed concrete interest in the goods or services provided by the partner. The Cardholder has the right to inform the Federation/KS about their wish not to receive personal offers at all times.
8. RECORDING CARDHOLDER DATA
8.1 The Federation/KS have the right to record all arrangements received through means of communication (e.g., telephone, computer), as well as other Cardholder transactions, and use these recordings as evidence for the arrangements and other transactions when necessary.
8.2 The Cardholder has the right to familiarise him-/herself with his/her data in the MinuKool information system at www.minukool.ee. If the Cardholder data is wrong, the Cardholder must inform the Federation/KS about this promptly.
8.3. The Cardholder has the right to demand his/her data processing, publishing and enabling access to it to be terminated, and/or the deletion of data collected, if this right ensues from the Personal Data Protection Act or any other legislation.
8.4. The Federation/KS shall process Cardholder data as long as it is necessary for achieving the objectives of processing Cardholder data or for the fulfilment of the responsibility ensuing from the legal norm.
8.5. The Cardholder may acquire more detailed information about Cardholder data by calling the MinuKool contact number (available at: www.minukool.ee) or by sending an email to firstname.lastname@example.org.
9. CHANGING THE PRINCIPLES OF PROCESSING CARDHOLDER DATA
9.1. The Federation/KS have the right to amend the Terms and Conditions unilaterally.
9.2 The Federation/KS shall inform the Cardholder through the MinuKool information system about amendments to the Terms and Conditions at least 1 (one) month before the amendments become effective.
9.3. The Cardholder is required to inform the Federation/KS without delay of any changes in data and circumstances in comparison to the data recorded in agreements or documents submitted to the Federation/KS.
10. CONTACT DATA OF DATA PROCESSORS
|Koolisüsteemide OÜ||Raekoja plats 20, 51004 Tartu, Eesti||(+372) 603 email@example.com|
|MTÜ Eesti Üliõpilaskondade Liit||Pärnu mnt 102-21, 11312 Tallinn, Eesti||(+372) 640 firstname.lastname@example.org|