Nets Estonia OÜ (“we" or “us") provides payment solutions to businesses and financial institutions.
The protection of personal data is important to us, therefore we strive to provide the best possible protection of personal data. This also includes the protection of personal data of our clients' representatives, visitors of our websites and physical premises and other third parties that may be in contact with us.
Last updated in March 2024.
1. What does this privacy notice cover?
This privacy notice applies to the following situations:
- when the legal entity you work for or represent wishes to conclude or has concluded a contract with us;
- when you visit or otherwise interact with the website of www.nets.eu/etee;
- when you visit our office;
- when you perform your rights under the GDPR by making a data subject access request;
- when you communicate with us through e-mail, website or other communication channels;
- when you take any other actions, which entail us receiving and processing your personal data.
2. Who is the data controller?
The data controller of the processing activities described in this privacy notice is Nets Estonia AS with registry code 10452335 and address Tartu mnt 63, Tallinn 10115, Estonia.
We process your personal data as described in this privacy notice and in accordance with applicable legislation, including the European Union's General Data Protection Regulation (2016/679) (“GDPR") and other personal data protection legislation, as applicable towards to us.
This is a special privacy notice to the General Nets privacy notice available at https://www.nets.eu/gdpr/pages/privacy-notice-for-nets.aspx. Should you wish to find out how other group entities process your personal data, please refer to the General Nets privacy notice.
3. The types of personal data we process, our processing purposes and legal basis
Services
If the company you represent or work for wishes to become our client or is already our client, we may process your:
- Contact data such as name, e-mail address, phone number, job title and the legal entity's information you represent or work for (e.g., legal entity's name, registry code, address, e-mail address)
- Communication data if you communicate with us such as date and time of the communication and contents and answer to the request or message
We process the personal data to handle pre-contractual negotiations and communications, conclude a contract, perform the contract and manage contractual relationship, provide customer support and send information and updates regarding the contracted solutions.
The legal basis for such processing is our legitimate interest in taking and implementing pre-contractual measures of the potential contract to be concluded between the legal entity you represent or work for and us, our legitimate interest in performing the contract concluded between the legal entity you represent or work for and us or our legitimate interest in providing information about the services the legal entity has contracted from us (Art 6(1)(f) of the GDPR).
Our website
When you visit www.nets.eu/etee, Nets Denmark A/S and we process your personal data as joint controllers. Information on such processing can be found from General Nets privacy notice available at https://www.nets.eu/gdpr/pages/privacy-notice-for-nets.aspx.
When you submit a data subject request (DSR)
If you make a data subject access request through the Nets DSR-portal (available at https://www.nets.eu/gdpr/dsr) or just by sending an e-mail, a letter or via another means of communication, we may process your:
- Identification information such as name, address, e-mail address, mobile number
- Company name, CVR number, Nets merchant ID and order number (if applicable)
- Social security number or personal identification code (if specifically requested)
- Copy of ID (if specifically requested)
- Details of the requests, including whether it's a request for access, rectification, erasure, restriction of processing, data portability
We process the personal data in order to identify you, assess your request, determine how and to what extent we shall accommodate your request and answer your request.
The legal basis for such processing is us fulfilling our legal obligation under the GDPR and other applicable personal data protection legislation to assess and answer your request (article 6(1)(c) of the GDPR).
Visitors to the physical offices, including CCTV
If you as an external party visit our office, we may process your:
- Identification information such as name and date and time of the access
- Reason for visiting us (e.g. business purposes, job interview, representation etc.)
- Recordings from CCTV on our physical premises
- If you use our public Wifi network, then date and time of the usage, IP address and MAC address
We have CCTV at our physical premises to ensure a high level of safety and security. This may result in situations where you can be recorded on CCTV. The recording cams are set up in accordance with applicable legislation and signs are set up to inform about CCTV monitoring when required.
We process the personal data to use CCTV, provide access to our premises and administer and manage access to our public Wifi network.
The legal basis for such processing is our legitimate interest to ensure the safety and security of our employees, property and premises and ensure the security of our IT systems, including preventing malicious actions (article 6(1)(f) of the GDPR).
Other actions
From time to time we may be in contact with external parties that are not subject to the provisions above or similar provisions in other privacy notices. This may be the case with external parties that don't act as consultants, or other external parties where no direct business relationship yet has been established between us and the external party, but where we regardless may process personal data. Such scenarios may non-exhaustively include the below cases:
- Complaints and inquiries
- Inquiries and requests from competent public authorities and agencies
- Marketing, including gathering information about publicly available resources and registrars for the purposes of contacting potential clients and contacting potential clients and offering our services
The information we may process in relation to the above may include:
- Name, e-mail address and position within an organization
- Details of a complaint or inquiry, including related e-mail communications
The legal basis for such processing is performance of our legal obligations (article 6(1)(c) of the GDPR) or our legitimate interest in looking for new clients to provide our services in order to expand our business and promote our services to potential clients in order to attract new clients.
4. With whom do we share your data?
We will not share information about you with other entities, unless there's a clear legal basis to do so (e.g. our legitimate interest).
We may share personal data with the following data recipients:
- Public sector authorities, supervisory and law enforcement authorities to fulfil our statutory obligation, a court order, to establish, exercise or defend our legal rights or in other cases where this is necessary to prevent and deter lawful acts. The legal basis is performance of our legal obligations (article 6(1)(c) of the GDPR) or our legitimate interest in facilitating effective establishment, exercise or defence of legal claims (article 6(1)(f) of the GDPR).
- Professional advisors to ensure our proper economic activity and to establish, exercise and defend our legal rights. The legal basis is our legitimate interest in seeking legal advice and managing legal claims, facilitating effective establishment, exercise, or defence or legal claims (article 6(1)(f) of the GDPR).
- Third party vendors, including IT service providers to help us providing the services. The legal basis is our legitimate interest in providing the services and ensuring our proper economic activity (article 6(1)(f) of the GDPR).
- Group entities to utilize joint technical infrastructure and preform internal administrative tasks. The legal basis is our legitimate interest in utilizing joint technical infrastructure and performing internal administrative tasks (article 6(1)(f) of the GDPR).
6. For how long do we store your personal data?
We retain your personal data as long as reasonably necessary to attain the objectives stated in section 3, or until the legal obligation stipulates that we do so. To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the processing purposes and whether we can achieve these purposes through other means, and applicable statutory obligations. Whilst retaining the personal data, we take into account the need to resolve disputes and enforce the contract or anonymize your personal data and retain this anonymized information indefinitely.
7. Transfers to countries outside EU/EEA
In some cases, we may transfer your personal data to countries outside the European Union / European Economic Area. Such transfers will only take place subject to appropriate safeguards are in place for the transfer such as:
- The country has been deemed by the European Commission to have an adequate level of protection of personal data
- The country has not been deemed by the European Commission to have an adequate level of protection of personal data, but we provide appropriate safeguards for the transfer through the use of standard contractual clauses approved by the European Commission, Binding Corporate Rules (BCRs), any other contractual agreement approved by the competent authorities or any other legal basis, including the use of supplementary measures if deemed necessary, or if any of the derogations of article 49 of the GDPR are deemed adequate as a basis for the transfer
If you wish to receive additional information on the safeguards applied, please contact us via the contact information below.
8. Security
We are dedicated to protecting your personal Information. We have adopted internal security policies and instructed our employees accordingly in order to comply with applicable legislation, e.g. the GDPR. We have implemented appropriate procedures and security measures to protect your personal data from being destroyed, lost or altered, publicised unlawfully and against being disclosed to unauthorised persons or otherwise processed contrary to applicable personal data protection legislation.
However, please note that no security measure can be 100% effective, and we cannot guarantee the security of your data, including against unauthorised acts, access, hacking or data loss.
9. Your rights as a data subject
- You have the right to request access to, rectification or erasure of your personal data.
- You also have the right to object to the processing of your personal data and have the processing of your personal data restricted.
- If processing of your personal data is based on your consent, you have the right to withdraw your consent at any time. Your withdrawal will not affect the lawfulness of the processing carried out before you withdrew your consent.
- You have the right to receive your personal data in a structured, commonly used and machine-readable format (data portability).
- You may always lodge a complaint with a data protection supervisory authority in the EU/EEA member state of your habitual residence, place of work or where the alleged infringement has taken place. You can find the contact information of data protection supervisory authorities at the website of the competent data protection supervisory authority, where you may choose to lodge your complaint. In Estonia the supervisory authority is the Data Protection Inspectorate (in Estonian: "Andmekaitse Inspektsioon"), https://www.aki.ee/en, info@aki.ee.
There may be conditions or limitations on these rights. It is therefore not certain for example you have the right of data portability or to be deleted in the specific case - this depends on the specific circumstances of the processing activity.
You can take steps to exercise your rights by submitting your request here:
https://www.nets.eu/gdpr/dsr
If you don't find the specific product or service relevant for your request you may contact us via the contact information below.
10. Contact us
Our Data Protection Officer's contact information is dpo@nexigroup.com.
For questions of a more general character, you can write to us here.