This is the privacy notice of Smart Load Solutions OÜ (hereinafter referred to as Themo) drawn up in accordance with the EU General Data Protection Regulation (GDPR). Drawn up 20 September 2022.
1. Principles of Data Protection
Protecting the privacy of our customers is of paramount importance to us. That is why we have made a commitment to compliance with legislation that governs the processing of personal data.
This privacy notice explains how we protect your privacy and process your personal data. In processing personal data, Themo complies with the Estonian and Finnish legislation and the regulations and instructions issued by authorities. This privacy notice is applied when you use our products and services or visit our website.
This privacy notice does not apply to links that lead to the websites and/or services of third parties, such as any third-party applications (for example Facebook) you may encounter while using our service.
We will update our privacy notice as and when legislation is amended or we reorganize our activities. We recommend that you check our website for the latest version of this privacy notice.
Smart Load Solutions OÜ (Themo)
Hirve tee 8-1
Contact person of the controller:
CEO Madis Uuemaa
3. Name of the register
The customer and marketing register of Themo.
4. Legal basis and purpose of the processing of personal data
Lawfulness of the processing of personal data under the EU General Data Protection Regulation is based on
the consent of the data subject (documented, voluntary, individualized, deliberate, and unambiguous)
an agreement to which the data subject is a party
Personal data is processed for several purposes:
- for the provision and development of a service
- for marketing and customer communications
- for recruitment purposes
Data shall not be used for automated decision-making or profiling.
5. Data Content of the Register
Information stored in the register includes:
- name of the data subject
- role or position
- company or organization
- contact information (telephone number, email address, address)
- website addresses
- IP address of the network connection
- accounts/profiles on social media platforms
- consents and prohibitions pertaining to direct marketing
- other information provided by the data subject or added to a CRM system (such as an expressed interest in a certain type of service)
categorization information provided by the data subject (such as interests), or other information added to a CRM system (such as an expressed interest in a certain type of product/service)
- customer feedback information
- order, invoicing, and delivery information
The IP addresses of website visitors and cookies that are necessary for the functionalities of the service are processed on the basis of a legitimate interest in order to, inter alia, ensure data security and collect statistics on website visitors in cases where such data can be considered personal data. Consent will be requested separately for third-party cookies where necessary.
6. Regular Sources of Data
Data stored in the register is received from the data subjects by messages sent through forms or chat functions on websites, via email, by telephone, through social media channels, agreements, meetings, and other situations where a data subject provides information pertaining to them.
Information pertaining to the contact persons of companies and other organizations can also be collected from public sources, such as websites, directory services, and other companies.
7. Data Recipients
We do not sell, rent or lease, or otherwise disclose personal data to third parties, unless otherwise stated below. We only share personal data within the Themo organization, and we do so only to the extent necessary for the performance and development of our services. We do not disclose personal data to third parties outside of the Themo organization, unless any of the following conditions apply:
For Legal Reasons
We may disclose personal data to third parties outside of our organization if access to personal is reasonably necessary (i) in order to comply with an applicable law, regulation, or court decision; (ii) in order to detect, prevent, or otherwise handle fraud or data security or technical issues; or (iii) in order to protect the property of Themo or the users, to ensure safety or security, or to secure public interests in accordance with legislation. We will notify you of any such disclosure or processing where possible.
To Authorized Service Providers
We may disclose personal data to authorized service providers that provide services to us. Agreements concluded with our service providers include commitments according to which service providers undertake to limit the use of personal data and observe privacy and data security standards that are at least equivalent with this privacy notice.
For Other Legitimate Reasons
If Themo is party to a merger, asset acquisition, or some other corporate transaction, we may disclose personal data to a third party that is a participant in the transaction in question. In that case, we will however ensure that all personal data remains confidential. We will give notice of the transaction to any users to whom the transfer of personal data applies or whose personal data is going to be processed under another privacy notice as soon as reasonably possible.
With Your Explicit Consent
We may disclose personal data to third parties outside of the Themo organization for reasons other than those mentioned above if we have your explicit consent to do so. You have the right to withdraw your consent at any time. We may also disclose information to third parties in such a format that the information does not comprise personal data and that users cannot be identified based on the information.
8. Regular Disclosure and Transfer of Data Outside the EU or EEA
Data is not regularly disclosed to other parties.
We will primarily store your personal data within the European Economic Area. However, our service providers operate in several geographical locations. Thus, we may also transfer personal data outside of the EU or EEA through our service providers. We will ensure a sufficient level of protection for any transfer of personal data to countries outside of the European Economic Area through agreements concluded with our service providers, which are based on the Standard Contractual Clauses adopted by the European Commission, or other similar agreements.
9. Principles of Register Protection
The register is handled with due diligence and the information processed using information systems is protected with appropriate methods. Where register data is stored on servers connected to the Internet, the physical and digital information security of the equipment used is ensured to an appropriate degree. The controller shall ensure that the stored information as well as the rights of access to the servers and any other information that is critical in terms of the security of personal data are handled confidentially and only by employees whose job descriptions include these tasks.
10. Right of Access and the Right to Rectification
Each data subject included in the register has the right to review the information pertaining to them stored in the register and to request the rectification of any incorrect information or the completion of any incomplete information. If a data subject wishes to review the information pertaining to them stored in the register or to request rectification of said information, they must send their request to the controller in writing. Where necessary, the controller may ask the person submitting the request to verify their identify. The controller will respond to the request to review information within the time specified in the EU General Data Protection Regulation (within one month in general).
11. Other Rights Pertaining to the Processing of Personal Data
The data subjects have the right to demand the erasure of any personal data pertaining to them from the register (“the right to be forgotten"). Data subjects also have the other rights under the EU General Data Protection Regulation, such as the right to restrict the processing of personal data in certain situations. All requests must be sent to the controller in writing. Where necessary, the controller may ask the person submitting the request to verify their identify. The controller shall respond to the customer within the time specified in the EU General Data Protection Regulation (generally within one month).