- Arco has the right to amend and add to the policy. Clients are notified of changes in the policy by email (if Arco has access to the client’s email address).
Chief processor and data protection official
- The chief processor of the client’s personal data is Arco Vara AS, registry code 10261718, address Harju County, Tallinn, Kesklinna district, Maakri tn 19/1, 10145.
Principles of processing personal data
- Arco shall process personal data provided by the client in compliancy with the requirements established in current law, and shall always be guided by the client’s interests, rights and freedoms when processing personal data.
- Arco’s objective is responsible processing of personal data, guided by best practice and with a view of being always prepared to demonstrate the compliance of processing of personal data with the goals established.
- All processes, instructions, activities and operations related to processing of personal data in Arco are guided by the following principles:
- the processing of personal data involves legal basis, such as consent;
- Processing of personal data is fair, requiring first and foremost that the client has sufficient information on how personal data are processed;
- Processing of personal data is transparent to the client;
- Personal data are collected for purposes which are established precisely and clearly, and they are not later processed in a way that conflicts with those purposes;
- Personal data shall be relevant, important and limited to what is necessary for the purpose of processing those personal data. When processing personal data, Arco is guided by the principle of minimal processing and when personal data are no longer necessary, or no longer necessary for the purpose for which they were collected, then they shall be deleted;
- Personal data are correct and updated if necessary, and all reasonable measures are adopted to ensure that personal data which are incorrect for the purpose of processing personal data are deleted or amended immediately;
- Limit of preservation. Personal data are preserved in a form enabling to identify the client only as long as it is necessary for meeting the purpose for which the personal data are processed. This means that if Arco wishes to keep personal data for longer than necessary for the purpose of collection, Arco shall anonymize data in a way to ensure that the client can no longer be identified;
- Reliability and confidentiality. Personal data are processed in a way that ensures relevant security of personal data, including protection from unauthorized or unlawful processing and accidental loss, destruction or damage, with the use of reasonable technical or organizational measures;
- Default and integrated data protection. Arco ensures that all systems used comply with the required technical criteria. Suitable data protection measures are planned into the update or design of each information and data system (e.g. information systems and business processes are built on the basis of prerequisites for pseudonymization and encryption).
Purposes of processing personal data
- Arco collects the personal data of the client for the following purposes:
- for providing services to the client (incl. brokerage service, evaluation, real estate consulting);
- for carrying out pre-contractual negotiations and communicating with clients who are interested in the service;
- for forwarding marketing notices and information letters to the client.
Personal data to be processed
- Arco shall process the following personal data:
- in cases provided in clauses 1 and 10.2 – the client’s first and last name, address, company (if necessary), telephone number, email address, data of real estate owned by the client, ID code/date of birth, gender;
- in cases provided in clause 3 – the client’s email address, first and last name, and information on the client’s location (at county level);
Legal basis for processing personal data
- Arco will general process the client’s data because it is necessary for performing a contract concluded with involvement of the client (see clause 1 above) or adopting measures before concluding a contract pursuant to the client’s request (see clause 10.2 above). In this case, the legal basis for processing data is the contract concluded with the client or the client’s petition for undergoing pre-contractual negotiations.
- Arco shall process the client’s personal data for providing marketing materials and offers only if the client has provided their consent for it (see clause 3 above). In this case, the legal basis for processing data is the client’s consent.
Forwarding personal data to third persons
- Arco shall not forward the client’s personal data to third persons, except to:
- the provider of email forwarding service, if Arco is forwarding marketing materials and offers to the client;
- the ICT system developer of Arco in the extent necessary for managing the databases of Arco, providing services and communicating with clients;
- other members of the Arco Group (incl. to Arco Vara AS and subsidiaries of Arco Vara AS) in an extent necessary for providing services to the client (incl. [list group members]);
- All authorized processors listed in clause 14 shall ensure the same level of personal data protection as Arco.
Preservation of personal data
- The client’s personal data shall be preserved:
- for up to 3 years after the expiry of the contractual relationship in the extent to which Arco processes the client’s personal data in relation to providing services (see clause 1 above);
- for up to 3 years after the last contact with the client in the extent to which Arco processes the client’s personal data in relation to carrying out pre-contractual negotiations and communication with clients who are interested in services (see clause 2 above);
- indefinitely until the client withdraws consent in the extent to which Arco processes personal data for forwarding marketing materials and offers (see clause 3 above);
The client’s rights in regards to processing personal data
- right to request access to personal data concerning the client;
- right to request amendment of data;
- right to request deletion of data;
- right to restrict the processing of personal data;
- right to object to processing personal data;
- right to demand for transfer of personal data;
- right of not being subject to a decision based on automated processing;
- right to withdraw consent;
- right to submit a complaint to the Data Protection Inspectorate.