Applicable as of 13th of July 2021
We are Certific OÜ, a private limited company, incorporated under the laws of Estonia, registration code 16050394, registered address Tööstuse st 47d-69, 10416, Tallinn, Estonia (“Certific”, “we”, “us” or “our”).
Certific operates the website http://www.certific.co/ and its subdomains (“Website”), applications (“App” or “Apps”) and the software, databases, interfaces, associated media, documentation, updates, new releases and other components or materials incorporated therein or integrated therewith (all together the “Platform”).
Please read the following carefully to understand our practices regarding Your personal data and how we will collect, use and disclose Your personal data. If You have any questions about how we process Your personal data specifically or if You wish to submit an application for exercising Your rights related to processing Your personal data, please contact us through the contact information provided in the section "Contacts" below.
2. WHAT PERSONAL DATA WE MAY PROCESS?
2.1 When You have opted to use Certific Services, Certific needs to process Your personal data to enable the Services via the Platform.
2.2 Personal data Certific may process may include the following data:
general personal information: name (first name, last name); date of birth, personal identification code, social security number or other relevant identifier, such as passport or ID document number;
identification information: ID document and information included in the ID document (including photo);
contact information: e-mail address; mailing address; phone number;
account related details: login details; password;
self-declaration questionnaire: answers the Customer provides to the self-declaration questionnaire through use of the Services, which include health related information;
Test result: result of COVID-19 (or similar) test and other information on the Certificate, such as information about the Test (date and time of Test sample; Test ID; name of Test; validity time of the Test, etc.); Test result (positive/negative/invalid);
Video recording: video recording of the test taking process, which includes the image of the Customer and the procedure of taking the Test;
payment information: payment data related to the use of the Services, such as card details and amounts paid;
usage information: information on how our Services and Platform are used, including feedback provided;
other (consent information): on the basis of specific voluntary consent granted by you (if and when applicable) we may also process other data about you not listed above as and if specified in the specific consent you may, but are not obligated to, grant to us.
2.3 A more detailed overview of the personal data Certific processes is provided in Section 5 below.
3. ON WHAT LEGAL BASIS WE RELY WHEN PROCESSING PERSONAL DATA?
3.1 Certific may process personal data of the Customer for the purpose of being able to provide the Services in accordance with Certific Terms and Conditions. Legal basis for such data processing is GDPR Article 6-1-(b), i.e. processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract. Certific may rely on performance of a contract as a legal basis when transferring your personal data to third parties. For example, Certific may collaborate with event organizers, who may need to know whether you have received an Event Pass to allow you to enter an event you wish to attend and/or to refund you or allow you to rollover your tickets to other events, depending upon their terms and conditions. In such situations, they may contractually require us to inform them only of the tickets which have not been issued with an Event Pass so that they can perform their contract with ticketholders and issue them with refunds. We will never share health related data or Test results with event organisers without your explicit consent.
3.2 Certific may process personal data based on the consent granted by the Customer. Legal basis for such data processing is GDPR Article 6-1-(a). In those situations, we process personal data on the terms as provided in the consent that has been granted to us by each Customer and on the explicit consent condition in GDPR Article 9-2(a). For example, Certific may rely on the consent as a legal basis when processing special category data (health related data, such as the results of Test). In certain specific cases, Certific may rely on the consent as a legal basis also when transferring your personal data to third parties. For example, Certific may collaborate with scientific researchers, as well as, for example, event organizers, who may need your specific voluntary consent to obtain relevant personal data about you (for example, to do research on COVID-19 or to allow you to enter an event you wish to attend). In such situations, the types and categories of personal data we transfer, the specific recipient(s) of the personal data and other appropriate and relevant information are provided in the specific consent that may be asked from you.
3.3 Certific may process personal data when processing is necessary for compliance with a legal obligation to which Certific is subject. Legal basis for such data processing is GDPR Article 6-1-(c). As an example, Certific may need to process the personal data when the competent authorities require Certific to provide certain personal data pursuant to the applicable law, such as on the basis of a valid court order, on the basis of a valid request by a law enforcement agency or on another basis in accordance with applicable law. Please note that health care related legislation applicable in different jurisdictions may require Certific to provide information on COVID-19 (or similar) test results to responsible government agencies, such as to the Health Board in Estonia or to Public Health England. Certific may also need to process personal data to comply with the applicable accounting legislation.
3.4 In certain specific situations Certific may also process personal data where processing of personal data is necessary for the purpose of legitimate interests pursued by Certific or other controller, if appropriate. For example, we may process statistical and/or aggregated data on how our Services, App or Platform are used to improve and further develop the Services so that we can provide a better user experience in future. Legal basis for such data processing is GDPR Article 6-1-(f). In such a case Certific shall ensure that processing is proportionate and that we have carried out a legitimate interest impact assessment. For example, for the purpose of our legitimate interest Certific may analyse how our Services and Platform are used by our Customers so we can provide better service.
3.5 A more detailed overview of the legal bases Certific relies on when processing personal data is provided in Section 5 below.
4. HOW LONG IS PERSONAL DATA RETAINED?
4.1 Certific does not retain personal data longer than is necessary for the purposes of processing personal data or pursuant to applicable law. As a general rule, Certific applies the following retention periods.
4.2 Personal data related to contracts can be retained during the term of the contract and based on Certific legitimate interest pursuant to Article 6 (1) (f) of the GDPR until the end of the statutory limitation periods under applicable law. Accordingly, as a general rule Certific retains Customer data collected in relation to the provision of the Services as long as it is necessary for the provision of the Services during the term of the Agreement concluded between Customer and Certific and for 3 years after the term of the Agreement. In this regard, as a general rule, if the Customer has not used the Platform for 3 years (Customer has not logged in to his/her profile on the Platform for 3 years), Customer’s profile and all personal data therein will be deleted, unless Certific has a legal basis for retaining personal data for a longer time period.
4.3 Personal data collected on the basis of the consent will be retained until the withdrawal of the consent. If the Customer has not withdrawn the consent, as a general rule Certific applies the same retention period to the personal data collected on the basis of consents as to personal data collected to ensure the Services. In this regard, as a general rule, if the Customer has not used the Platform for 3 years (Customer has not logged in to his/her profile on the Platform for 3 years), personal data collected on the basis of the consent will also be deleted.
4.4 Personal data related to accounting source documents and accounting journals must be retained in accordance with the relevant accounting laws. Therefore, pursuant to the Accounting Act, Certific retains accounting documents for 7 years.
4.5 More specific details about the retention periods are provided in Section 5 below.
5. FOR WHAT PURPOSES DO WE PROCESS YOUR PERSONAL DATA
Certific processes personal data for the following purposes:
6. WHEN DO WE SHARE YOUR PERSONAL DATA?
6.1 Certific may share Customer personal data with certain third-party service providers, e.g. IT suppliers, other service providers or co-operation partners.
6.2 Certific may also share Customer personal data with third parties if Certific is legally required to do so, for example if personal data is requested from us by any authority competent to ask for such data, such as a court, a law enforcement agency or a competent government agency in accordance with law.
6.5 In relation to the use of the Services and the Platform, Customer personal data may be disclosed to the following recipients:
6.6 Certific may also share anonymized Customer data and/or statistical data with third parties, for example for research purposes. Please note that in cases where we share anonymized Customer data and/or statistical data we make sure that no personal data is shared (which means that no Customer can be identified) and therefore personal data processing regulation and the GDPR shall not apply to such transfers (as no personal data is shared).
7. HOW DOES CERTIFIC PROTECT YOUR PERSONAL DATA?
7.1 To protect Customer personal data from unauthorized access, unlawful processing or disclosure, accidental loss, modification or destruction, Certific uses appropriate technical and organisational measures that comply with applicable laws. These measures include but are not limited to the implementation of appropriate computer security systems, protection of paper and electronic format files by technical and logical means, controlling and limiting access to documents and buildings.
8. CUSTOMER RIGHTS
8.1 Certific is dedicated to ensuring that all data subject rights arising under applicable law are always guaranteed to the Customer. In particular, any Customer who is a data subject has:
the right to access the personal data processed about him/her;
the right to request rectification of any inaccurate personal data about him/her;
the right to request erasure of personal data and/or restriction of processing of personal data if personal data is processed without a valid legal basis for processing;
the right to receive processed personal data in a structured, commonly used and machine-readable format and the right to transmit personal data to another controller;
the right to object to the processing of personal data.
If the Customer believes that his/her rights have been infringed, the Customer may contact and lodge a complaint with the supervisory authority applicable for the Customer jurisdiction (Data Protection Inspectorate in Estonia, address Tatari 39, Tallinn 10134, firstname.lastname@example.org, or other competent authority in the Customer jurisdiction). A list of national Data Protection Authorities in the EU is available at https://edpb.europa.eu/about-edpb/board/members_en.
If the Customer is resident in the UK, the Customer may contact and lodge a complaint with the Information Commissioner’s Office, address Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF; helpline number: 0303 123 1113. More details are available at: https://ico.org.uk/global/contact-us.
9. GOVERNING LAW AND JURISDICTION
business name: Certific OÜ
registration code: 16050394
address: Tööstuse st 47d-69, 10416, Tallinn, Estonia