PROCESSING OF PERSONAL DATA
The purpose of personal data protection is to safeguard the fundamental rights and freedoms of natural persons when processing personal data, in particular, the inviolability of their privacy. Personal data means any information relating to an identified or identifiable natural person that reveals any physical, mental, physiological, economic, cultural or social characteristics, or relationships or affiliations of that person.
• the processing of personal data on websites that are referred to on the museum’s website but are not managed by the museum (external links).
1.2. Personal data will only be processed if there is a legal basis for doing so.
1.3. The museum applies IT practices and, to the extent appropriate, the three-layered standard security system for information systems, which is common in the Estonian public sector, to protect data integrity, availability and confidentiality.
1.4. Museum staff are obliged to keep personal data disclosed in the course of their duties and/or in the course of their dealings with another institution confidential and to not disclose any such data to third parties, except where required by law.
1.5. All breaches of personal data processing in the museum are documented. Museum staff are obliged to immediately report any breach of personal data processing to the Data Protection Officer. The obligation to notify the supervisory authority and the data subject of a personal data breach depends on the risk to the data subject’s rights and freedoms.
2.1.1. the Internet address (IP address) of the computer or computer network used;
2.1.2. the name and address of the computer or computer network ISP used;
2.1.3. the time of the visit (time, date, year).
2.2. IP addresses are not linked to personally identifiable information. Data is collected about which part of the website is visited and for how long. The data collected is used to compile visitor statistics in order to develop the website and enhance the user experience.
2.3. The museum’s website may contain links to other websites that do not belong to Sihtasutus Eesti Ajaloomuuseum, and we are not responsible for the privacy and personal data processing policies of those websites.
2.4 It is possible for visitors to the website to opt out of the collection of data by cookies by clicking on the “ Reject cookies” first entering the site.
3.2. Personal data (e.g. name, contact details, description of the person’s issues) are included in all requests for clarification, letters of formal notice and requests for information (inquiries). Personal data may also be contained in a letter from another authority (e.g. a copy of a reply to a person’s request). All inquiries and correspondence received by the museum are registered in the document register.
3.3. Personal data is used to respond to queries. If this requires making an enquiry to a third party, only the minimum personal data required to do so will be disclosed to that party. If another authority has the competence to reply to the letter, it will be forwarded to that authority. The sender is informed if the letter is forwarded. Access to correspondence with private individuals is generally restricted. If someone wishes to access a person’s correspondence and submits a request for information, the content of the correspondence will be reviewed and a decision will be made as to whether full or partial access to the document/letter can be granted.
3.4. No personal contact details, such as an email address, postal address or telephone number, will be included in the forwarded document/letter. In other cases, restrictions on access will depend on the content of the document. Possible grounds for restrictions on access are set out in the Public Information Act.
3.5. Inquiries and correspondence addressed to the museum will be stored as indicated in the list of documents. Documents that have exceeded their retention period will be destroyed. Correspondence statistics and summaries are published in an anonymous format.
4.2. Public events at the museum may be photographed or filmed. These recordings are published on the museum’s website, in the media or in the museum’s publications. In accordance with Section 11 of the Personal Data Protection Act, the notification obligation does not apply in the case of public events, recording of which for the purposes of disclosure may be reasonably presumed. The museum may set a permanent retention period for any such photographic or video material.
5.2 Any data collected in the recordings made by these cameras is processed by a partner providing security services, and access to that data is restricted to those persons who need it for the performance of their duties.
5.3 As a rule, the recordings are stored for no longer than 30 days.
6.2. Only staff involved in the recruitment process have access to the application documents. These documents and data are not disclosed to third parties. The museum presumes that the persons nominated by an applicant as references may be contacted without asking permission.
6.3. The applicants’ data is restricted information to which third parties (including competent authorities) have access only in cases provided for by law.
6.4. Information about a person’s participation in any other competition (e.g. a scholarship competition) is also not subject to disclosure, except in the case of a positive decision. The museum gives access to the applicant’s documents to persons involved in the decision-making process of the competition.
6.5. Applications for job vacancies at the museum, together with supporting documents, will be kept, with the applicant’s permission, until the end of the competition, if necessary, but for no more than one year.
7.2. Everyone has the right to have any incorrect personal data concerning them corrected, supplemented or erased.
7.3. Everyone has the right to withdraw consent given for the processing of personal data concerning them if the consent was the basis for the processing.
7.4. If the museum has violated the rules on the processing of personal data when processing a person’s personal data, that person has the right to lodge a complaint with the Estonian Data Protection Inspectorate.
PLEASE NOTE! THE FOLLOWING PROVISIONS DO NOT COVER:
• the processing of data relating to legal persons and bodies, and the processing of data relating to a natural person where the processing is carried out in the exercise of their official duties;• the processing of personal data on websites that are referred to on the museum’s website but are not managed by the museum (external links).
1. PROCESSING OF PERSONAL DATA
1.1. When processing personal data, we ensure that the processing is legal, fair and transparent to the data subject.1.2. Personal data will only be processed if there is a legal basis for doing so.
1.3. The museum applies IT practices and, to the extent appropriate, the three-layered standard security system for information systems, which is common in the Estonian public sector, to protect data integrity, availability and confidentiality.
1.4. Museum staff are obliged to keep personal data disclosed in the course of their duties and/or in the course of their dealings with another institution confidential and to not disclose any such data to third parties, except where required by law.
1.5. All breaches of personal data processing in the museum are documented. Museum staff are obliged to immediately report any breach of personal data processing to the Data Protection Officer. The obligation to notify the supervisory authority and the data subject of a personal data breach depends on the risk to the data subject’s rights and freedoms.
2. VISITING THE MUSEUM WEBSITE
2.1. The following data is collected when a person visits the museum’s website:2.1.1. the Internet address (IP address) of the computer or computer network used;
2.1.2. the name and address of the computer or computer network ISP used;
2.1.3. the time of the visit (time, date, year).
2.2. IP addresses are not linked to personally identifiable information. Data is collected about which part of the website is visited and for how long. The data collected is used to compile visitor statistics in order to develop the website and enhance the user experience.
2.3. The museum’s website may contain links to other websites that do not belong to Sihtasutus Eesti Ajaloomuuseum, and we are not responsible for the privacy and personal data processing policies of those websites.
2.4 It is possible for visitors to the website to opt out of the collection of data by cookies by clicking on the “ Reject cookies” first entering the site.
3. REQUEST FOR CLARIFICATION, LETTER OF FORMAL NOTICE, REQUEST FOR INFORMATION AND OTHER CORRESPONDENCE
3.1. The museum is a public body within the meaning of the Public Information Act, and requests for clarifications, letters of formal notice, requests for information and other correspondence addressed to the museum are public. In the course of its work, the museum also receives personal data, including sensitive and private information. Such data may reach the museum through correspondence, for example.3.2. Personal data (e.g. name, contact details, description of the person’s issues) are included in all requests for clarification, letters of formal notice and requests for information (inquiries). Personal data may also be contained in a letter from another authority (e.g. a copy of a reply to a person’s request). All inquiries and correspondence received by the museum are registered in the document register.
3.3. Personal data is used to respond to queries. If this requires making an enquiry to a third party, only the minimum personal data required to do so will be disclosed to that party. If another authority has the competence to reply to the letter, it will be forwarded to that authority. The sender is informed if the letter is forwarded. Access to correspondence with private individuals is generally restricted. If someone wishes to access a person’s correspondence and submits a request for information, the content of the correspondence will be reviewed and a decision will be made as to whether full or partial access to the document/letter can be granted.
3.4. No personal contact details, such as an email address, postal address or telephone number, will be included in the forwarded document/letter. In other cases, restrictions on access will depend on the content of the document. Possible grounds for restrictions on access are set out in the Public Information Act.
3.5. Inquiries and correspondence addressed to the museum will be stored as indicated in the list of documents. Documents that have exceeded their retention period will be destroyed. Correspondence statistics and summaries are published in an anonymous format.
4. SUPPLY OF SERVICES
4.1. For any services requested, including educational programmes, excursions, children’s camps, room rentals, birthday programmes, Christmas parties, etc., the museum will use the personal data it has received only in connection with those services and will not disclose it to third parties. Data collected in the context of public events, including data related to pre-registration and pre-sales of tickets, will also only be used for personal notifications related to the specific event and will be deleted after the event.4.2. Public events at the museum may be photographed or filmed. These recordings are published on the museum’s website, in the media or in the museum’s publications. In accordance with Section 11 of the Personal Data Protection Act, the notification obligation does not apply in the case of public events, recording of which for the purposes of disclosure may be reasonably presumed. The museum may set a permanent retention period for any such photographic or video material.
5. VIDEO SURVEILLANCE
5.1 Video cameras have been installed on the museum’s premises to ensure security.5.2 Any data collected in the recordings made by these cameras is processed by a partner providing security services, and access to that data is restricted to those persons who need it for the performance of their duties.
5.3 As a rule, the recordings are stored for no longer than 30 days.
6. APPLYING FOR A JOB OR APPRENTICESHIP
6.1. Documents related to an application for a job or apprenticeship (e.g. the application form and accompanying documents, correspondence with the candidate, information collected from public sources about the candidate) contain personal data. Applicants have the right to know what data the museum has collected about them. Applicants also have the right to access the data collected by the museum, to provide explanations and to raise objections.6.2. Only staff involved in the recruitment process have access to the application documents. These documents and data are not disclosed to third parties. The museum presumes that the persons nominated by an applicant as references may be contacted without asking permission.
6.3. The applicants’ data is restricted information to which third parties (including competent authorities) have access only in cases provided for by law.
6.4. Information about a person’s participation in any other competition (e.g. a scholarship competition) is also not subject to disclosure, except in the case of a positive decision. The museum gives access to the applicant’s documents to persons involved in the decision-making process of the competition.
6.5. Applications for job vacancies at the museum, together with supporting documents, will be kept, with the applicant’s permission, until the end of the competition, if necessary, but for no more than one year.
7. DATA SUBJECTS’ RIGHT TO ACCESS THEIR DATA. THE RIGHT TO HAVE INCORRECT DATA RECTIFIED OR ERASED.
7.1. Everyone has the right to access any personal data concerning them that has been collected. If the personal data is not disclosed on the website, it is possible to submit a data request (this must be digitally signed by the person, therefore, making that person identifiable). If possible, the data will be released in the manner requested by the applicant within 10 (ten) working days of the registration of the application.7.2. Everyone has the right to have any incorrect personal data concerning them corrected, supplemented or erased.
7.3. Everyone has the right to withdraw consent given for the processing of personal data concerning them if the consent was the basis for the processing.
7.4. If the museum has violated the rules on the processing of personal data when processing a person’s personal data, that person has the right to lodge a complaint with the Estonian Data Protection Inspectorate.