PURPOSE OF THE PRIVACY POLICY

This privacy policy is based on the General Data Protection Regulation (GDPR) and aims to protect the privacy of clients in accordance with the laws of the Republic of Estonia and European Union regulations.
The purpose of this privacy policy is to inform clients about what data is processed by Lifekeskus OÜ, why it is processed, how the data is processed, and what rights the client has regarding the processing of personal data.

 

DEFINITIONS

2.1. Data Subject – an individual whose personal data is processed, primarily the client in this context. 

2.2. Personal Data – any information relating to an identified or identifiable individual, regardless of the form or format in which it is presented. 

2.3. Special Categories of Personal Data – data regarding an individual’s health condition, disability, genetic information, sexual life or union membership; biometric data, data describing ethnic origin and racial affiliation, and data regarding political, religious, or philosophical beliefs. 

2.4. Processing of Personal Data – any operation performed on personal data, such as collecting, recording, organising, storing, altering, disclosing; enabling access to personal data, conducting queries and making extracts; using, transmitting, cross-using, combining, closing, deleting, or destroying personal data; or multiple of the aforementioned operations, regardless of the methods and means used. 

2.5. Data Processor – a natural or legal person who processes personal data based on their work duties and the nature of their work, or upon whose request personal data is processed. 

2.6. Service – the services and goods offered by Lifekeskus OÜ, which can be viewed here: www.lifekeskus.ee or www.MERbiofeedback.com (hereinafter Service). 

2.7. Client – an individual who has expressed a desire to receive or has received one or more Services offered by Lifekeskus OÜ.

 

DATA PROCESSORS

3.1. Data Controller: Lifekeskus OÜ
Registration code: 16103149
Phone: +372 5037 037
Legal address: Magdaleena 3, Tallinn 11312
Email: info@lifekeskus.ee
3.2. Lifekeskus OÜ discloses personal data to its partners who act as authorised processors of client personal data, providing services to Lifekeskus OÜ, such as IT, logistics, legal services, and marketing services.
3.3. The client's personal data is also processed by the management, therapists, and employees of Lifekeskus OÜ, who have the right and need to process client personal data based on their job responsibilities. In cases and on grounds specified by law, Lifekeskus OÜ discloses client personal data to public sector institutions (e.g., tax authority), law enforcement agencies, or other state institutions.

 

BASIS, PURPOSES, AND RETENTION PERIODS FOR PROCESSING PERSONAL DATA

4.1. Lifekeskus OÜ processes client’s general data in writing: first and last name; personal identification code; contact details: phone number, email address. Depending on the client, it may be necessary to process the client’s special categories of personal data, primarily health data, to provide the service. 

4.2. The bases for processing personal data at Lifekeskus OÜ are: 

4.2.1. client’s consent, including written consent with the client; 

4.2.2. Lifekeskus OÜ’s legitimate interest; 

4.2.3. compliance with a legal obligation of Lifekeskus OÜ. 

4.3. Providing personal data is a prerequisite for receiving the service. 

4.4. Data processed by Lifekeskus OÜ is obtained from the client, the parent of a minor client, or the guardian of a client with limited legal capacity. 

4.5. Lifekeskus OÜ processes personal data for the following purposes and on the following grounds: 

4.5.1. For client registration, conducting registration-related operations, contacting the client, and identifying the client in case of contact from the client. Personal data used: first name, last name, personal identification code, email address, phone number, fact of accepting conditions presented on the consent form. Basis: consent and its fulfilment agreed with the client. 

4.5.2. For providing therapy services. Personal data used: first name, last name, personal identification code, email address, phone number, and health data based on the client’s health condition. Basis: consent and its fulfilment agreed with the client. 

4.5.3. For delivering services ordered from Lifekeskus OÜ, such as a gift card. Personal data used: email address, phone number, client’s first name, last name, address if necessary. Basis: consent agreed with the client. 

4.5.4. For accounting and tax purposes. Personal data used: as specified in the Accounting Act and tax laws. Basis: Accounting Act and other applicable laws and regulations. 

4.5.5. For fulfilling other legal obligations, such as complying with orders, requests, and inquiries from law enforcement agencies. Personal data used: depending on the specific case. Basis: legitimate interest, other applicable laws, and regulations. 

4.5.6. For direct marketing purposes (e.g., to receive a newsletter), if the client has indicated their wish to receive promotional emails on the consent form. Data used: client’s first name, last name, email address. Basis: client’s consent. 

4.6. Lifekeskus OÜ retains documents containing personal data until the expiry of the deadlines stipulated by law or, if such deadlines are not specified by law, until the original purpose of collecting the personal data has been achieved. The deadlines as of the drafting of this policy are as follows: 

4.6.1. Personal data of accounting significance is retained for seven years from the creation of the relevant entry as an accounting source document, considering the requirements of the Accounting Act. 

4.6.2. Sales or service provision contracts, documents related to the contract, correspondence, and other documented communication with the client are retained for three years from the end of the respective contract or communication, as such data retention is important for Lifekeskus OÜ to protect its rights concerning the statute of limitations. 

4.6.3. Any data related to consent is retained for as long as necessary for the provision of the service and for as long as the client's consent is valid and has not been withdrawn.

4.7. After the retention period has expired, personal data will be deleted or destroyed in a manner that prevents the readability of the personal data. Digital data carriers will be deleted using file overwriting programs; paper data carriers will be destroyed using a paper shredder.

 

CLIENT RIGHTS

5.1. The client has the right to: 

5.1.1. request access to their personal data; 

5.1.2. request that Lifekeskus OÜ correct incorrect data or complete incomplete data about them; 

5.1.3. request the deletion of data if: 

5.1.3.1. the data is no longer needed for the original collection or processing purposes; 

5.1.3.2. the client has withdrawn their consent for data processing and there are no other bases for processing the data; 

5.1.3.3. the personal data has been processed unlawfully; or 

5.1.3.4. such a right arises from directly applicable EU or member state law regarding Lifekeskus OÜ. 

5.1.4. request the restriction of personal data processing if: 

5.1.4.1. they have contested the accuracy of the personal data; 

5.1.4.2. the processing of personal data is unlawful, and the client does not request deletion; or 

5.1.4.3. Lifekeskus OÜ no longer needs the personal data for processing purposes, but the client requires it for the establishment, exercise, or defence of legal claims. 

5.1.5. object to the processing of personal data; 

5.1.6. request the transfer of data provided to Lifekeskus OÜ to another data processor if the processing was based on a contract and the data was processed automatically. Data provided in paper form does not qualify for transfer. 

5.1.7. lodge a complaint with a supervisory authority, namely the Data Protection Inspectorate, or court regarding personal data processing. 

5.1.8. withdraw their consent for processing activities for which the client has given their consent. The withdrawal of consent does not affect the lawfulness of data processing based on consent before its withdrawal. After the withdrawal of consent, Lifekeskus OÜ may continue to process personal data to the extent necessary to fulfil legal obligations arising from national or EU law. 

5.2. If the client has requested the deletion of data or restriction of data processing, Lifekeskus OÜ will inform all recipients to whom personal data has been disclosed, unless this proves impossible or involves disproportionate effort. Lifekeskus OÜ has the right to refuse data deletion if it is necessary for: 

5.2.1. compliance with a legal obligation arising from EU or member state law applicable to Lifekeskus OÜ or for the performance of a task carried out in the public interest; or 

5.2.2. the establishment, exercise, or defence of legal claims. 

5.3. To exercise the aforementioned rights, the client must submit the request in writing, signed, or via email using the email address previously provided to Lifekeskus OÜ for contacting them. Lifekeskus OÜ will provide the requested data along with the personal data processing rules or justify the refusal to provide the data within one month of receiving the request.

5.4. The data will be provided to the client in the manner in which the request was submitted (in writing or electronically). Health data on paper will be given to the applicant upon presentation of an identity document. Data transmitted electronically will be encrypted. Lifekeskus OÜ has the right to charge the client a reasonable fee for providing the data.

5.5. Lifekeskus OÜ will refuse to provide data if there is a legal basis for doing so or if there are doubts about the identity of the person requesting the data.

 

TRANSFER OF PERSONAL DATA TO THIRD PARTIES

6.1. Lifekeskus OÜ transfers data to third parties if such an obligation arises from Estonian or European Union law, and also to the persons mentioned in point 4.3.

6.2. Lifekeskus OÜ does not transfer personal data to third countries.

 

NOTIFICATION OF PERSONAL DATA BREACHES

7.1. Lifekeskus OÜ will notify the client immediately of any personal data breach that is likely to pose a risk to the client’s rights and freedoms.

7.2. Lifekeskus OÜ is not required to notify if:

7.2.1. the personal data was processed using appropriate technical and organisational security measures that render the data unreadable to unauthorised persons;

7.2.2. Lifekeskus OÜ has taken subsequent measures to ensure that the risk is unlikely to materialise.

 

Approved by the Management Board of Lifekeskus OÜ on 15 March 2021