
PRIVACY POLICY


 

Definitions.

The following phrases are to be understood as follows:

  1. Visitor – a person visiting the Controller’s Website using an Internet browser.
  2. Client – should be understood as a Customer, a Visitor, a Person interested in the services provided by the Controller or companies with equity or personal ties to the Controller.
  3. Interested person – a natural person making an enquiry to the Controller, a natural person acting on their own behalf or a natural person who is a board member or other person authorised to represent a legal person, acting on their behalf, regarding the use of the Controller’s services.
  4. Customer – a natural person acting on their own behalf and on their own account, or a board member or another person authorised to represent a legal person, a partner or an actual beneficiary of a legal person who was subject to Verification on the Website and was positively assessed in this Verification process and has started using the Controller’s services.
  5. Verification – a process consisting of actual activities, performed by the Controller and the Cooperating Entities, consisting in defining and verifying the correctness and authenticity of data of the Interested Person, in order to attribute the Customer status to the Interested Person.
  6. Website – the Controller’s website available at: thompsonstein.com.

 

Who controls your personal data?

In accordance with Article 13 section 1 and 2 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as GDPR), we wish to inform you that the Controller of clients’ personal data is Thompson&Stein OÜ with its registered seat in Tallinn, Lõõtsa tn 5, 11415 Tallinn, entered in the Estonian e-Business Register maintained by the Ministry of Justice of the Republic of Estonia under No. 12979503, share capital of EUR 2,500 paid in full, e-mail address: contact@thompsonstein.com, telephone: +48 22 270 69 66 (the “Controller“).

 

In case of any issues regarding personal data protection, contact Artur Kuczmowski, e-mail: artur@kuczmowski.pl.

 

Who might receive your personal data?

A Client’s personal data might be shared with the Controller’s employees, contractors or associates who are authorised to process them at the request of the Controller; they might also be shared with entities which the Controller entrusts with the processing of personal data, including entities providing accounting, IT, marketing or organisational services enabling the Controller to provide services, maintain the website, prepare and distribute the newsletter (“Cooperating Entities“).

 

Your data might be provided to relevant authorities (the Police, Prosecutor’s office, Courts) in line with the jurisdiction of the conducted proceedings within the scope of execution of their statutory tasks, on their demand, reported in compliance with the relevant procedure implementing a final decision, sentence, ruling or other equivalent judgment, maintaining all guarantees ensuring the security of the transferred data.

 

Your personal data might be transferred to entities from the Controller’s group, that is to entities with capital and personal ties to the Controller, especially within the scope necessary for the Controller to provide the services included in the contracts concluded with the Client, i.e. in particular Companies in the Thompson&Stein Group.

 

In particular, the Controller exercises due diligence in selecting its Cooperating Entities, and then at the stage of concluding contracts makes sure that these entities guarantee an adequate level of personal data protection.

 

Where do we store your personal data?

The collected personal data are stored within the European Economic Area (“EEA”), however they can also be sent to a country outside of this area and be processed there. Each operation of sending personal data is carried out in accordance with the applicable law, the internal procedures of the Controller’s Company and this Privacy Policy.

 

If data are transferred outside of the EEA, also if, at the Client’s request, the product is to be delivered or the services are to be provided outside of the EEA, the Controller uses all the available technical means in respect of the countries, where the European Commission did not determine the right level of data protection and processes the Client’s data only based on their voluntary consent.

 

The Controller’s guarantees and representations

The Controller guarantees personal data protection and processing of personal data in compliance with the GDPR. The Controller collects only the data which are necessary for performance of the contract. The Controller does not process data without the Client’s prior consent outside of the scope which is necessary to execute the contract, provide electronic services or fulfil the Controller’s legal obligation.

 

The Controller exercises due diligence in order to protect the interests of the data subjects, in particular the Controller ensures that the collected data are processed in compliance with the law; the data are collected for the specified purposes compliant with the law and are not processed further in a way inconsistent with these purposes; the data are relevant and adequate to the purposes for which they are processed and stored in a form which permits identification of the data subjects no longer than it is necessary to achieve the purpose of their processing.

 

In view of the nature of the Controller’s services, the Controller does not process any data of natural persons which are under 18 years old or which do not have full legal capacity due to a relevant declaration of total incapacitation, or who should act through a statutory representative due to partial incapacitation.

 

On what basis does the Controller process your personal data?

  • Processing of personal data takes place for the following purposes and is based on the following legal bases:
  • within the scope in which the processing takes place as a result of the Controller conducting an activity and providing services for the Client, i.e. in regard of collecting and archiving the Client’s declarations of intent in respect of undertaking activity on the Website, using the thompsonstein.com website, a concluded contract regarding the provision of legal or accounting services, in order to execute these contracts or to execute the contracts regarding the provision of electronic services, and so in order to enable the Website’s functionality to be used and to perform the other electronic services, and also in order to perform other contracts to which the Client is a party or to undertake activities on the client’s demand before concluding a contract, in order to consider potential complaints – Article 6 (1) (b) of the GDPR;
  • in regard to keeping accounting books and settlements in connection with the performance of the concluded contract, the Controller processes the personal data as a part of the legal obligations to which they are subject, including the value-added tax regarding to the Controller issuing a VAT invoice – Article 6 (1) (c) of the GDPR;
  • in order to consider potential complaints or reported claims, in regard to pursuing claims for conducting an economic activity, for archiving (evidence) purposes in pursuit of our legitimate interest of securing information in case of the legal need to present facts to competent state authorities, for analytical purposes [optimising our products based also on the client’s comments and the client’s interest, optimising service processes based on the service processes experienced by the Client] – in our opinion processing of these data is beneficial also for the user, as it improves their experience and allows us to offer them services of better quality – Article 6 (1) (f) of the GDPR;
  • After giving a separate consent under Article 6 (1) (a) of the GDPR, allowing us to offer products and services directly (direct marketing), including tailoring them to the client’s needs, sending newsletters through communication channels indicated by the Client (including text and multimedia messages sent to the phone number provided by the Client) – only if you consent to it.
OBJECTIVE

BASIS FOR PROCESSING

1. Verification, including the Client’s Verification performed manually; point 1(1) of the Privacy Policy.

The processing of your data is necessary and results from legal obligations imposed on the Controller by a number of legal acts – the Estonian Money Laundering and Terrorist Financing Prevention Act of 26 October 2017, the Directive (EU) 201/843 of the European Parliament and of the Council of 30 May 2018 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, and amending Directives 2009/138/EC and 2013/36/EU, Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial systems for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC (Text with EEA relevance).

The aforementioned acts of law oblige the Controller to carry out Verification of the Client – this Verification includes in particular establishing the identity and its proper confirmation, specifying the Client’s address of residence, including the verification of sources used by the Client to finance their business, which is within the scope of the services provided by the Controller.

The Controller does not use tools allowing to automate the management of this process in order to carry out the Verification or decide whether to grant the Client access to services provided by the Controller.

The Client Verification is necessary for the Client to use the Controller’s services. As the Controller is obligated to assess the risk relating to the transaction with a potential client, without the Verification, it would be impossible for the Controller to provide services.

2. Contract performance, providing services for the Client and the effects of the concluded contract or provided services – point 1(1)(2)(3) of the Privacy Policy.

Processing the Client’s data is necessary for performance of the service provision contract and granting access to the Website.

We believe that we have a legitimate interest to perform necessary verifications to detect and prevent abuse while providing the Client with services. In our opinion, the processing of the data is beneficial for all parties involved in the process of paying for services, in particular for the Client, as it allows us to take relevant measures to protect them from third party abuse attempts.

Moreover, the Controller processes the personal data concerning services provided in the scope necessary to keep the records, in order to demonstrate the facts of purchases made by the Client to the relevant state authorities, and in particular to perform the obligations resulting from the Estonian Value Added Tax Act of 10 December 2003.

3. Client Service, Improving Products, Services, and the Website, Quality Analysis – point 1(3) of the Privacy Policy; Cookies Policy

The Controller has a legitimate interest to manage requests and enquiries made by the Clients through various available means of contact. In the Controller’s understanding, processing of this data is beneficial for Clients because of the possibility of providing them with proper services and the possibility to answer their questions.

When the Client contacts the Controller, especially in order to manage actions relating to the Verification or the product/service purchased via the Website, data processing is necessary for the performance of the service provision contract.

If the Client’s enquiry concerns exercising the rights described later herein, or a complaint about our services, we are authorised to process the Client’s data by the Controller’s obligation to perform its legal obligations.

The Controller has a legitimate interest to conduct Website usability testing and test the Client satisfaction level, as in its opinion, the processing of these data is also beneficial for the Client. It allows for improving the Client’s experience as the user and offering them higher-quality services.

Moreover, in line with the Cookie Policy, in order to be able to provide the Client with electronic services of the highest possible quality, technically adjusted to their personal preferences and the constant improvement of the services offered on the Website, we collect first- and second-category cookie files, based on the Client’s movements on the Website. The processing of cookie files is automated and in the scope not covered by the Client’s explicit consent, it is necessary for improving the Website and providing the Client with the technical possibility to explore the Website.

The Client has the right to prevent the Controller from collecting the cookie files – the Cookie Policy contains the detailed conditions concerning the processing of cookie files.

4. Marketing – point 1(4) of the Privacy Policy; Cookies Policy

All marketing activities are conducted by the Controller on the basis of your explicit consent with a precise reason for processing.

The legal basis for processing the Client’s data for marketing purposes is their explicit consent given, for example, while accepting the receiving of information adjusted to your individual preferences through different means of communication or, when you accept the legal basis of participation in a given promotional campaign, or when you accept the settings of third-category cookies collected by the Website.

The Controller’s actions within this scope aim at presenting the Client with an offer to purchase the Controller’s products or services, corresponding to the Client’s preferences as much as possible.

The Controller ensures that providing any data is voluntary, but in scopes other than receiving the newsletter or for direct marketing (the grounds for data processing are defined in point 1(4)), providing the data is necessary for creating an account on the Website, concluding the service provision contract and the supply of the services. Failure to provide personal data or demanding their deletion or restricting its processing will render providing the services impossible in the aforementioned scope.

 

How long does the Controller store your personal data?

(“Processing periods”)

The Controller stores personal data which are processed in the case of:

  1. Visitors – personal data of a Visitor will be processed as long as the Visitor remains on the Controller’s Website or in the case a consent to the processing of cookie files for marketing purposes is granted, until the Visitor withdraws such a consent.
  2. Interested persons – personal data of the Interested person will be processed until the Interested person’s question is answered or until the completed Verification which is (a) positive – in which case the Interested person’s data will be processed in line with the processing periods for the Customer, (b) negative – then the Interested Person’s personal data will not be processed further.
  3. Customers – the Customer’s personal data will be processed during the period of providing the Customer with the services or until the legal obligation based on the Act of prevention of money laundering and financing terrorism expires, i.e. for 5 years from the termination of the last relation with the Client, pursuant to Section No. 47 of the aforementioned Act.

 

What are your rights?

The Controller stores personal data on secured servers. Only selected employees and associates listed above have access to the data. The place and manner of storing the data are to ensure their full security. The Clients’ rights related to personal data processing are as follows:

  1. the right to withdraw consent to data processing
  2. the right to access data and obtain a copy of them,
  3. the right to demand that personal data are rectified (corrected)
  4. the right to demand that personal data are erased,
  5. the right to demand that personal data processing is restricted,
  6. the right to object to data processing due to a particular situation, which justifies discontinuation of the processing of data which is the subject of the objection,
  7. the right to transfer personal data, i.e. the right to receive the personal data in a structured, commonly used machine-readable format. The right to transfer personal data applies only to the data which are processed under a contract or a consent.

To exercise the above-listed rights, the Client should contact the Controller. To make sure that the Controller is contacted by a person authorised to submit an application, the Controller might ask for additional information, which will allow for effective authentication and identification.

Within the scope in which the data are processed on the basis of a consent, the consent can be withdrawn at any time. The withdrawal of the consent does not affect the lawfulness of the processing performed on the basis of the consent before its withdrawal. The consent can be withdrawn by sending a statement about the consent withdrawal to our mailing address or e-mail address.

 

Cookies Policy

  1. We use a technology which stores and accesses the information on the computer or other terminal device connected to the Internet. We use cookies. Cookies are small text files providing information on how the Website is used, they are stored with the browser of the person visiting the Website and contain data on the user’s usage of that site. The space referred to as local storage of the user’s browser is used for the same purposes and the provisions concerning the cookie files apply also to that space. We collect three categories of cookies; they are characterised in detail below.
  2. We want to address our Client’s needs as closely as possible and that is why we analyse anonymised data about how our Website is used. For this purpose, we use the Google Analytics code. It is an Internet analysis tool which helps us improve the Website’s functionality. The Google Analytics service collects anonymous information, registers trends occurring on websites without identifying individual Users. Like many other services, the Google Analytics tool uses its own Cookie files to analyse the Users’ actions. These files are used for storing information, for example the starting time of the current visit or if the User had used the Website before, which website directed them to our Website, what is the screen resolution of their device, what products they browsed on the Website, etc. We also use Sumome to create click maps, scroll maps (which show us at which point visitors stop scrolling down the website), panels to share on social media or pop-ups and sidebars with information on discounts/offers. We also use integration with Facebook, the social media channel, which allows us to display Facebook advertisements to people who had visited our Website before.
  3. Internet browsers allow for storing and accessing cookies by default. By modifying the settings of their Internet browser, each person browsing through the Website can prevent the Cookie files from being saved on their device or can delete the saved files permanently. You decide about cookie processing by choosing the settings of your Internet browser.
  4. By using the Controller’s website without changing the settings of the Internet browser in order to turn off the usage of Cookie files, the user agrees to cookies being stored on their device and to access to the user’s end device. Users can change the settings of the Internet browser at any point to turn off the usage of cookie files. The above applies to cookies of the first and second categories.
  5. Collecting, processing and using Cookie files of the third category takes place on the basis of the Client’s prior consent to process data for marketing purposes. The consent to process cookies of the third category is voluntary and can be withdrawn at any time. The withdrawal of the consent does not affect the lawfulness of the processing performed before its withdrawal.
  6. We would like to inform you that restrictions on cookie usage can have a negative impact on the correctness and convenience of using the Website for the Clients. The Controller does not ensure the Website’s full functionality and correctness in the case when consent to the processing of cookies of the first and second categories is not granted.
  7. Cookies do not constitute personal data such as the user’s address, password, credit card data; instead, they are only data received by the website in an automated way.
  8. The Controller does not bear any responsibility for the contents or the reliability of third-party websites.
  9. The Controller collects Cookie files in 3 categories:

First category

Withdrawing consent to the processing will result in lack of possibility to ensure correct functioning of the Controller’s Website.

  • Name: Technical cookies
  • Basis for data processing: Required to allow for performance of the contract or to take actions on the Client’s demand – Article 6 (1) (b) of the GDPR.
  • Managing: Controller
  • The purpose of data processing: They are necessary for the Controller’s Website to function correctly. They are used to maintain the Client’s session while visiting the website and for logging into the Account. They ensure that the Website is displayed correctly and adjust technical aspects of the services to the Client’s preferences. They identify the user’s http session. They are commonly used in all Internet applications in order to identify users’ requests during sessions. They allow for identifying the user’s navigation status on the Website.

Second category

  • Name: Analytical cookies
  • Basis for data processing: Legitimate interest of the Controller – Article 6 (1) (f) of the GDPR.
  • Managing: Google Analytics – Third Party; Controller – within the remaining scope
  • The purpose of data processing: This way the Controller measures movement on the website, studies the effectiveness of actions and also improves the website’s functioning, and also prevents undesirable activities (e.g. bot movements, endangering users by exposing them to undesired contents). As for Google Analytics – they allow for monitoring the website using the Google Analytics tool, which is a service provided by Google Inc. headquartered in the USA, i.e. outside of the EEA. They are used to obtain information about the user’s access to the website, e.g. to determine the number of the Client’s visits, the date of the first and last visit, visit duration, the browser used to access the website or a link that was used to redirect to the website. The Controller does not have impact on the contents or technical contents of these files; they are determined and stored by Google Inc. That is why the Controller advises familiarising oneself with the Google Analytics privacy policy, https://developers.google.com/analytics/devguides/collection/analyticsjs/cookie-usage.

Third category

  • Name: Marketing cookies
  • Basis for data processing: The User’s consent – Article 6 (1)(a) of the GDPR
  • Managing: The Controller and Third Parties
  • The purpose of data processing: The Controller uses them to personalise the advertisements displayed on the website and on external websites, taking into consideration the Client’s actions and preferences on the Website, adjusting the contents of advertising messages to the Clients’ preferences.

If you believe that the processing of your personal data violates the provisions of the GDPR, pursuant to Article 56 of the GDPR you have the right to file a complaint to the chief supervisory authority, i.e. the Director General of the Estonian Data Protection Inspectorate, or in the case of processing significantly impacting persons in a different Member State, the supervisory authority relevant for that Member State.

Information clause on personal data processing

Thompson&Stein OÜ with its registered seat in Tallinn

(“Information clause”)

 

In accordance with Article 13 section 1 and 2 of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR“), we wish to inform you that:

 

  • The Controller of your (“Client’s“) personal data is Thompson&Stein OÜ with its registered seat in Tallinn, at Lõõtsa tn 5, 11415 Tallinn, entered in the Estonian Commercial Register maintained by the Ministry of Justice of the Republic of Estonia under No. 12979503, share capital of EUR 2,500 paid in full, e-mail address: contact@thompsonstein.com, telephone: +48 22 270 69 66 (“Controller“). In case of any questions concerning the protection of your personal data, please contact Artur Kuczmowski, e-mail address: artur@kuczmowski.pl.

 

  • The Controller processes the data and fulfils information obligations resulting from Article 13 and 14 of the GDPR. This Information Clause is publicly available at: thompsonstein.com; furthermore, the Information Clause is provided to the Client with each first action taken by the Client or the Controller in connection with data processing.

 

  • The Controller will be processing the following personal data for individual Client categories:
    1. regarding Clients who are natural persons and act on their own behalf and on their own account – names, surnames, address of residence, e-mail address, phone number, PESEL number or other equivalent identification number, data concerning the origin of assets (in particular including data obtained on the basis of documents presented by the Client);
    2. regarding Clients who are natural persons, associates of legal persons – names, surnames, address of residence, e-mail address, phone number, PESEL number or other equivalent identification number, the share in the capital structure participation of the legal person, the date of acquiring the share in the capital structure of the legal person;
    3. regarding Clients identifying as Beneficial owners of legal persons – names, surnames, address of residence, e-mail address, phone number, PESEL number or equivalent identification number, date of birth, number and a series of the identification document, information on whether the person meets the definition (1) of a person holding an exposed political office or (2) a family member of a person holding an exposed political office (3) a person known to be a close associate of a person holding an exposed political office.

 

  • Processing of the Client’s personal data and legal bases of this processing can be divided into four categories:

 

  • within the scope in which the processing takes place as a result of the Controller conducting an activity and providing services for the Client, i.e. in regard of collecting and archiving the Client’s declarations of intent in respect of undertaking activity on the thompsonstein.com website, using the www.thompsonstein.com website, a concluded contract, in order to execute the contract regarding the provision of electronic services, regarding the provision of legal and accounting advisory services, i.e. in order to perform other contracts to which the Client is a party or to undertake activities on the Client’s request before concluding a contract, in order to consider potential complaints – Article 6 (1) (b) of the GDPR;
  • in regard to keeping accounting books and settlements in connection with the performance of the concluded contract, the Controller processes the personal data in connection with the legal obligations to which they are subject, including the value-added tax regarding to the Controller issuing fiscal receipts and VAT invoices – Article 6 (1) (c) of the GDPR;
  • in order to consider potential complaints or reported claims, in regard to pursuing claims for conducting an economic activity, for archiving (evidential) purposes in pursuit of our legitimate interest of securing information in case of the legal need to present facts to competent state authorities, for analytical purposes [optimising our products based also on the Client’s comments and the Client’s interests, optimising service processes based on customer experience] – in our opinion processing of these data is beneficial also for the user, as it improves their experience and allows us to offer them services of better quality – Article 6 (1) (f) of the GDPR;
  • after a separate consent under Article 6 (1) (a) of the GDPR is given, allowing us to offer products and services directly (direct marketing), including tailoring them to the Client’s needs, sending newsletters through communication channels indicated by the Client (including text and multimedia messages sent to the phone number provided by the Client or e-mails sent to the e-mail address provided by the Client) – only if you give your consent.

 

  • The obligation of providing data is the result of provisions of law on processing for purposes which are referred to in section (iv) subsection 2; in the case of data processing for the purpose referred to in section (ii) subsection 1 – providing the data is an additional result of the contractual relation, and processing which is referred to in section (ii) subsection 3 is based on the Controller’s legitimate interest. Additionally, in the remaining scope, the obligation is the result of the consent given by the Client. Refusing to provide data with regard to their processing for purposes listed in the aforementioned sentence (section (ii) subsection (1-3)) prevents the Controller from ensuring the Client’s correct usage of services covered by the contract; in particular renders impossible considering the claims submitted by Clients.

 

The Client has the right to:

  1. withdraw the consent to data processing,
  2. access data and obtain a copy of them,
  3. demand that personal data are rectified (corrected),
  4. demand that personal data are erased,
  5. demand that personal data processing is restricted,
  6. object to the data processing due to a particular situation, which justifies discontinuation of the processing of data which is the subject of the objection,
  7. transfer personal data, i.e. the right to receive the personal data in a structured, commonly used machine-readable format. The right to transfer personal data applies only to the data which are processed under a contract or a consent.

 

If you believe that the processing of your personal data violates the provisions of the GDPR, pursuant to Article 56 of the GDPR you have the right to file a complaint to the chief supervisory authority, i.e. the Director General of the Estonian Data Protection Inspectorate, or in the case of processing significantly impacting your rights in a different Member State, the supervisory authority relevant for that Member State.

 

Your providing of personal data is a legal requirement and the condition of concluding the contract on maintaining an account in the Controller’s store. Failure to provide the personal data will prevent the services from being provided in the scope mentioned above.

 

We would like to inform you that your personal data will be transferred to the following categories of data recipients. (i) entities cooperating with the Controller at providing services covered by the contract, in particular the companies with equity or personal ties to the Controller (ii) entities with concluded contracts on provision of IT services to the Controller, (iii) providers of the legal, bookkeeping, accounting or advisory services and entities supporting the Controller in exercising due claims (in particular law firms and debt collection companies) exclusively for the purpose and within the scope necessary for performance of the contract. In particular, the Controller exercises due diligence in selecting its Cooperating Entities, and then at the stage of concluding contracts, makes sure that these entities guarantee an adequate level of personal data protection.
