1. The controller of personal data collected in the e-shop of the University of Tartu (‘e‑shop’) is the University of Tartu (‘university’; registry code 74001073, address Ülikooli 18, 50090 Tartu, Estonia). The data subjects whose personal data the university processes are customers who are natural persons.
2. In the e-shop, the university processes the following personal data of customers:
2.1. name, telephone number and mail address. The processing of these personal data is necessary for managing orders, including providing customer support and delivery of goods;
2.2. data on purchases (date, goods and quantity) for an overview of purchased goods and services and for analysing customer preferences;
2.3. financial data (e.g. bank account number) for making refunds to customers;
2.4. the IP address or other web identifiers of e-shop customers for providing the e-shop as an information society service and for web use statistics.
3. Legal basis
3.1. The legal basis for the processing of personal data is a sales contract made with the customer.
3.2. The legal basis for the processing of personal data may also be the performance of a legal obligation (for example, accounting duties or a consumer dispute).
3.3. The legal basis for the processing of personal data may also be the consent of the customer (for example, for sending direct marketing messages).
4. Transfer of personal data to third persons
4.1. The University of Tartu passes the personal data necessary for making payments to the processor of data, Maksekeskus AS.
4.2. If the customer has chosen Omniva parcel terminal as the method of delivery, the university sends the customer’s name, telephone number and email address to Omniva OÜ (registry code 12670875). The university will not pass the customer’s personal data to other persons without the customer’s consent, except if otherwise provided by law.
5. Security and access to data
5.1. Personal data are stored in the university’s servers.
5.2. Access to personal data is only allowed to university employees whose duties include the management of the e-shop, to solve technical problems related to using the e-shop and provide customer support.
5.3. Relevant physical, organisational and IT security measures are applied to protect the personal data from accidental or unlawful destruction, loss, changing or unauthorised access and publication.
5.4. The university passes personal data to processors of the e-shop (for example, provider of transport service) on the basis of contracts made by the e-shop with the processor. Processors must ensure adequate protective measures when processing personal data.
The e-shop stores the personal data of a registered user (incl. data on purchases) as long as the customer has an active username at the university. When the user account is closed, the university will erase all personal data related to the customer from the e‑shop. The university preserves the personal data of both registered and unregistered users for solving consumer disputes and accounting for seven years.
7. Direct marketing messages
If the customer has given a separate consent, the university uses the customer’s email address for sending direct marketing messages. The customer may opt out from receiving direct marketing by following the instructions in the email or contacting the customer support of the e-shop.
Depending on the legal basis of processing of personal data, data subjects have the right:
8.1. to obtain confirmation as to whether the university processes their personal data, and access the data collected concerning them;
8.2. to demand the rectification of inaccurate personal data collected concerning them, and completion of incomplete personal data;
8.3. to demand the university to delete, without undue delay, their personal data which the university no longer has a legal basis to process or which the university no longer needs for the purpose for which it was collected or otherwise processed;
8.4. to withdraw their consent at any time, if the personal data are processed on the basis of data subject’s consent. This does not affect the legality of data processing that occurred before the withdrawal of the consent;
8.5. to demand the university to restrict the processing of their personal data, in case:
8.5.1. the data subject has contested the personal data on the basis of accuracy. The university restricts the processing until the accuracy of the data is verified;
8.5.2. the processing of personal data is illegal, but the data subject does not request the deletion of the data;
8.5.3. the university no longer needs the personal data for processing, but the data subject needs them to assert, exercise or defend legal claims;
8.5.4. the data subject has filed an objection to processing personal data. The university restricts the processing until it is verified whether the university’s lawful reasons outweigh the data subject’s reasons;
8.6. to receive the personal data which they have submitted to the university and communicate them to another controller. The right to hand over the data applies solely to the personal data which the data subject has communicated to the university and which the university processes by automated means and on the basis of consent or contract;
8.7. to file an objection against processing their personal data, if the processing of data is based on legitimate interest, or if the processing is necessary for the performance of public duties or for public interest.
9. Registered users can access and change or edit their personal data in the user profile of the e-shop. Unregistered users can exercise the rights related to their personal data by contacting the customer support of the e-shop. Data subjects may contact the university’s data protection specialist with any questions relating to the processing of their personal data and to exercising the rights of the data subject, by email at email@example.com.
10. If the customer believes that the way the university processes personal data conflicts with the legislation governing the processing of personal data, the customer is entitled to contact the Data Protection Inspectorate (email firstname.lastname@example.org, telephone number +372 627 4135) or another agency, primarily the competent supervisory authority of their place of residence or work.