Applicable as of 27-Apr-2021
We are Certific OÜ, a private limited company, incorporated under the laws of Estonia, registration code 16050394, registered address Tööstuse st 47d-69, 10416, Tallinn, Estonia ( “Certific”, “we”, “us” or “our”).
Certific operates the website http://www.certific.co/ and its subdomains (“Website”), applications (“App” or “Apps”) and the software, databases, interfaces, associated media, documentation, updates, new releases and other components or materials incorporated therein or integrated therewith (all together the “Platform”).
Please read the following carefully to understand our practices regarding Your personal data and how we will collect, use and disclose Your personal data. If You have any questions about how we process Your personal data specifically or if You wish to submit an application for exercising Your rights related to processing Your personal data, please contact us through the contact information provided in the section "Contacts" below.
2. what personal data we may process?
2.1 When You have opted to use Certific Services, Certific needs to process Your personal data to enable the Services via the Platform.
2.2 Personal data Certific may process may include the following data:
general personal information: name (first name, last name); date of birth, personal identification code, social security number or other relevant identifier, such as passport or ID document number;
identification information : ID document and information included in the ID document (including photo);
contact information : e-mail address; mailing address; phone number;
account related details : login details; password;
self-declaration questionnaire: answers the Customer provides to self-declaration questionnaire through use of the Services which include health related information;
Test result : result of COVID-19 (or similar) test and other information on the Certificate, such as information about the Test (date and time of Test sample; Test ID; name of Test; validity time of the Test, etc.); Test result (positive/negative/invalid);
Video recording : video recording of the test taking process, which includes the image of the Customer and procedure of taking of the Test;
payment information: payment data related to the use of the Services, such as card details and amounts paid;
usage information : information on how our Services and Platform are used, including feedback provided;
2.3 More detailed overview of the personal data Certific processes is provided in the Section 5 below.
3. On what LEGAL BASIS WE RELY WHEN PROCESSING PERSONAL DATA?
3.1 Certific may process personal data of the Customer for the purpose of being able to provide the Services in accordance with Certific Terms and Conditions. Legal basis for such data processing is GDPR Article 6-1-(b), i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract
3.2 Certific may process personal data based on the consent granted by the Customer. Legal basis for such data processing is GDPR Article 6-1-(a). In those situations, we process personal data on the terms as provided in the consent that has been granted to us by each Customer. For example, Certific may rely on the consent as a legal basis when processing special category data (health related data, such as the results of Test).
3.3 Certific may process personal data when processing is necessary for compliance with a legal obligation to which Certific is subject. Legal basis for such data processing is GDPR Article 6-1-(c). As an example, Certific may need to process the personal data when the competent authorities require Certific to provide certain personal data pursuant to the applicable law, such as on the basis of valid court order or on the basis of the valid request by the law enforcement agency or on the other basis in accordance with applicable law. Please note that, health care related legislation applicable in different jurisdictions may require Certific to provide information on COVID-19 (or similar) test results to responsible government agencies, such as to Health Board in Estonia or to Public Health England. Certific may also need to process personal data to comply with the applicable accounting legislation.
3.4 In certain specific situations Certific may also process personal data where processing of personal data is necessary for the purpose of legitimate interests pursued by Certific. Legal basis for such data processing is GDPR Article 6-1-(f). In such a case Certific shall ensure that processing is proportionate and that we have carried out legitimate interest impact assessment. For example, for the purpose of our legitimate interest Certific may analyse how our Services and Platform are used by our Customers so we can provide better service.
3.5 More detailed overview of the legal bases Certific relies on when processing personal data is provided in the Section 5 below.
4. HOW LONG IS PERSONAL DATA RETAINED?
4.1 Certific does not retain personal data longer than it is necessary for the purposes of processing personal data or pursuant to applicable law. As a general rule, Certific applies the following retention periods.
4.2 Personal data related to contracts can be retained during the term of the contract and based on Certific legitimate interest pursuant to Article 6 (1) (f) of the GDPR until the end of the statutory limitation periods under applicable law. Accordingly, as a general rule Certific retains Customer data collected in relation to the provision of the Services as long as it is necessary for the provision of the Services during the term of the Agreement concluded between Customer and Certific and for 3 months after the term of the Agreement. In this regard, as a general rule, if the Customer not used the Platform for 3 months (Customer has not logged in to his/her profile on the Platform for 3 months), Customer’s profile and all personal data therein will be deleted, unless Certific has a legal basis for retaining personal data for longer time period.
4.3 Personal data collected on the basis of the consent will be retained until the withdrawal of the consent. If the Customer has not withdrawn from the consent, as a general rule Certific applies the same retention period to the personal data collected on the basis consents as to personal data collected to ensure the Services. In this regard, as a general rule, if the Customer has not used the Platform for 3 years (Customer has not logged in to his/her profile on the Platform for 3 years), personal data collected on the basis of the consent will also be deleted.
4.4 Personal data related accounting source documents and accounting journals must be retained in accordance with the relevant accounting laws. Therefore, pursuant to the Accounting Act, Certific retains accounting documents for 7 years.
5. For what purposes do we process Your Personal Data
Certific processes personal data for the following purposes:
6. WHEN DO WE SHARE YOUR PERSONAL DATA?
6.1 Certific may share Customer personal data with certain third parties service providers e.g. IT suppliers or other service providers.
6.2 Certific may also share Customer personal data with third parties if Certific is legally required to do so, for example if personal data is requested from us by any authority competent to ask such data, for example if the data is asked from us by the court or law enforcement agency or to competent government agencies in accordance with law.
6.4 In relation to the use of the Services and the Platform, Customer personal data may be disclosed to following recipients:
7. HOW DOes certific PROTECT YOUR PERSONAL DATA?
7.1 To protect Customer personal data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction, Certific uses appropriate technical and organisational measures that comply with applicable laws. These measures include but are not limited to the implementation of appropriate computer security systems, protection of paper and electronic format files by technical and logical means, controlling and limiting access to documents and buildings.
8. CUSTOMER RIGHTS
8.1 Certific is dedicated ensuring that all data subject rights arising under applicable law are always guaranteed to the Customer. In particular, any Customer who is a data subject has:
the right to access the personal data processed about him/her;
the right to request that rectification of any inaccurate personal data about him/her;
the right to request erasure of personal data and/or restrict of processing of personal data if personal data is processed without a valid legal basis for processing;
the right to receive processed personal data in a structured, commonly used and machine-readable format and have the right to transmit personal data to another controller;
the right to object to the processing of personal data.
If the Customer believes that his/her rights have been infringed, the Customer may contact and lodge a complaint to the supervisory authority applicable for the Customer jurisdiction (Data Protection Inspectorate in Estonia address Tatari 39, Tallinn 10134, email@example.com or other competent authority in the Customer jurisdiction. List of national Data Protection Authorities in EU is available at https://edpb.europa.eu/about-edpb/board/members_en ).
If the Customer is a resident in the UK, the Customer may contact and lodge a complaint to Information Commissioner’s Office, address Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; helpline number: 0303 123 1113. More details available at: https://ico.org.uk/global/contact-us .
9. GOVERNING LAW AND JURISDICTION
business name: Certific OÜ
registration code: 16050394
address: Tööstuse st 47d-69, 10416, Tallinn, Estonia