STORYBOOK OÜ Principles of Data Processing
Storybook OÜ is a subsidiary of Register OÜ, a business intelligence and analytics start-up company with the mission of optimising lead-to-cash processes for B2B sales oriented companies. Register OÜ holds 100% of Storybook OÜ’s shareholding. We in Register OÜ work towards helping users of CRM and ERP solutions get the full benefit of their tools – smart solutions in sales and credit management and enabling specialists to focus on key activities in business. We offer our clients up-to-date linked data, quality analytics and top-of-the-range know-how that will all help to set companies apart from their competition.
We collect data straight from original sources; clean, link, and upgrade it for credit analytics, sales analytics etc. Every week we collect terabytes of data, and we filter out millions of facts about Estonian companies. We use our own high-performance cluster for processing big data.
In co-operation with the University of Tartu and STACC, Register OÜ has created a model for assessing a company’s credit risks. Clients implement this model in credit management; it is part of the credit report on inforegister.ee and Inforegister’s product NOW! The model was created using machine learning methods and uses close to a thousand variables.
We have developed APIs to transmit data and analytics to clients for services in both the real-time economy and more traditional business. These services are used in mission-critical POS, CRM and ERP solutions, and for that reason we provide them through our own high-availability private cloud.
1. Terms used in Principles
The User’s personal data is processed as data controller within the meaning of GDPR in compliance with these Principles.
1.1. The following companies belong to the Group:
1.1.2 Storybook OÜ, administrator of online environment www.scorestorybook.ee,
1.1.3. Kreedix OÜ, provider of credit management services (pre-litigation debt management, representation in legal proceedings and enforcement action)
1.1.4. Kreedix Kindlustusmaakler OÜ, practicing credit risk mitigation at the highest level, providing credit insurance brokering service. Kreedix Kindlustusmaakler OÜ is licenced by the Estonian Financial Supervision and Resolution Authority.
1.1.5. Register OÜ is a founding member of the Estonian Creditors Association (www.evul.ee). The Association provides support and protection for successful commercial activity to its members (ca 2000); raises credit awareness of creditors and contributes to achieving a fairer and more transparent economic environment.
1.2. Data Subject – identified or identifiable natural person
1.2.1. Data Subjects, the Personal Data of whom Inforegister and Storybook process, are:
1.2.1.1. Any natural person (client or user) using the solutions provided by Inforegister OÜ and Storybook OÜ (Inforegister and Storybook)
1.2.1.2. Natural persons, whose Personal Data (first name, surname, personal ID code, relations to companies) is available as public information from public content holders (public databases) and who represent companies in the following roles:
1.2.1.2.1. Interim trustee in bankruptcy as liquidator; Document holder; Special Mode Manager; Special Mode Manager; A limited partner authorized to represent; Branch manager; The self-employed; Member of the Management Board; Board member; Liquidator of a member of the Management Board; Trustee in Bankruptcy; Liquidator; Member of an association with additional responsibility; Person competent to receive procedural documents; Moratorium administrator; Pawnbroker; Trustee in bankruptcy; Procurator; General partner; Limited partner; Member of the association; Shareholder; Founder; Founder (non-contributory); Auditor; Person authorized to represent; A limited partner authorized to represent; the person (s) entitled to represent; undertaking; Member of a building association; sole member of the board; chairman of the board; member of the board (chairman); Member of the Local Government Association; Member church; Auditor who assessed the non-monetary contribution; Chairman of the Board; Member of a council; Shareholder; Member of the Bankruptcy Committee; Member of the Audit Committee; Connecting natural person; Legal representative of the company
2. Personal Data and How We Collect Data
2.1. The Group collects Personal Data when signing a Contract, Providing Services and when the User uses the Webpage in the following ways:
2.1.1. The User provides Personal Data to the Group (for example, inserts name, contact details, user ID, password, posts a comment, uses different functions and Services on the Webpage);
2.1.3. The Group receives confirmation of identification from a third party providing such a service. For example, the User may identify him/herself with an ID-card, Mobile-ID, bank link, Facebook account and LinkedIn account. The Group will not be able to see the User’s PIN 1 or PIN 2 codes or store them. When using an ID-card or Mobile-ID to authenticate him/herself or to sign indications or confirmations, the User is obligated to follow the specified security measures and recommendations of the relevant developers and the Group. We advise you to read additional information on these websites – https://mobiil.id.ee and https://www.id.ee;
2.2. The Group processes the following Personal Data:
2.2.1. identifying data (name, date of birth, sex, ID code);
2.2.2. contact details (telephone, e-mail);
2.2.3. bank details (User’s bank account, name of bank) in case of contractual payments;
2.2.4. data regarding IP address and Cookies.
3. The purposes and legal basis of Personal Data Processing
3.1. The Group Processes the User’s Personal Data for the following purposes and on the following legal grounds:
3.1.1. To sign and fulfill a Contract with the User, for example:
3.1.1.1. to assist and consult a Contractual User, when the User has made an inquiry to Kreedix;
3.1.1.2. to transmit invoices or other vital notices concerning the Service to a Contractual User;
3.1.1.3. to provide Contractual Services to Contractual Users, including enabling access to the Webpage’s content;
3.1.1.4. with the User’s permission, displaying advertising deemed by the Group to be of potential interest to the User, provided that the User has agreed to placing relevant Cookies on his/her browser;
3.1.1.5. to send notifications to the User regarding the Group’s and the Group’s partners’ Services and discounts, provided that the User has agreed to such notifications;
3.1.1.6. to send newsletters to the User, provided the User has submitted his/her e-mail address to the Group for this purpose;
3.1.1.7. to contact the User for direct marketing, if based on the Contract signed or the Services provided it can be assumed that the User will be interested in the specific offer and the User has not expressed dissatisfaction with or objected to such notifications;
3.1.1.8. to ensure the fulfilling of the Contract signed with the User, including to ascertain violations of the Contract or breaches of legislation by the User and to provide evidence thereof (e.g., to file claims against the User). In such cases the legal basis for Data Processing is the Group’s legitimate interest to defend their rights. If the User is in breach of the Contract or legislation, the User’s interests and rights do not outweigh the legitimate interest of the Group;
3.1.1.9. to collect data about Webpage traffic, statistics regarding use of Services, and other non-personalised technical information about the use of the Webpage with the purpose of improving the Webpage and Services.
3.1.2. to fulfill the legal obligations of the Group, for example
3.1.2.1. the statutory obligation to keep accounting records;
3.1.2.2. the statutory obligation to transmit Personal Data of Users to competent authorities regarding legal requests;
3.1.2.3. the statutory obligation of the Group to reply to an inquiry or order by the User.
3.2. The User’s Personal Data may be Processed in case it is necessary in a specific case of the Group’s or a third party’s legitimate interest, except where such interests are overridden by the interests or fundamental rights and freedoms of the User which require protection of Personal Data, and also in cases where it is necessary to protect the vital interests of the User or another natural person.
3.3. If the Personal Data Processing is based on the Group’s legitimate interest, the User has the right to object at any time.
4. Transmitting Personal Data to Service Providers (Data Processors)
4.1. The Group uses service providers (Data Processors within the meaning of GDPR) in Processing the User’s Personal Data. The Group is satisfied that such Service Providers are reliable, has signed employment contracts and data processing contracts with these Service Providers, and shall assume responsibility for their actions.
4.2. The Group uses the following categories of Data Processors: Group entities, server and cloud providers, cooperation partner enterprises of the Group – IT-developers.
4.3. Storybook OÜ transfers Personal Data necessary for executing payments to the Data Processor Maksekeskus AS.
4.4. Employees of the Group are obligated, in accordance with the contracts signed and current legislation, to keep Personal Data entrusted to them in the course of their duties confidential. The Group’s employees and former employees are subject to obligation of confidentiality indefinitely.
5. Transfer of Personal Data to third persons
5.1. The Group transfers the User’s Personal Data to third parties only if the Group is under legal obligation to do so, if it is necessary for the fulfilling of the Contract with the User, if the Group has a legitimate interest or if the User has given permission.
5.2. The Group transfers the User’s Personal Data to the following third parties:
5.2.1. Group entities in order to enable offering the client discounts from Group enterprises. In this case, the legal basis of transfer is the Group’s legitimate interest of providing a service;
5.2.2. supervisory, investigating and law enforcement authorities on the grounds set out in relevant legislative acts. In this case, the legal basis of transfer is fulfilling the Group’s legal obligation;
5.2.3. auditors, legal advisors or other counsellors, if it is necessary for fulfilling their obligations to the Group provided that they keep such data confidential. In this case, the legal basis of transfer is fulfilling the Group’s legal obligation (e.g., in case of auditors) or the Group’s legitimate interest to defend their rights;
5.2.4. a person engaged in recovery of debts, if the User has accrued debts to the Group. In this case, the legal basis of transfer is the Group’s legitimate interest to defend their rights. If the User is in breach of the Contract or has otherwise violated the rights of the Group, the User’s interests and rights do not outweigh the legitimate interest of the Group.
6.1. Profiling is conducted only for natural persons acting in representative roles of enterprises, making it possible to assess the creditworthiness of these related enterprises and the probability of payments before and after sales. The history of companies related to natural persons is necessary for the establishment of payment patterns and making prognoses for these related enterprises. The legal basis of this data processing and analysis is the Group’s legitimate interest.
7. Retention of Personal Data
7.1. The Group retains the User’s Personal Data for as long as is necessary for the purposes for which it was collected, to protect the rights of the Group, or as long as is necessary according to legislation.
7.2. Dependent on the type of Personal Data, Kreedix retains Personal Data as follows:
7.2.1. Accounting records: 7 years since the end of the relevant financial year, according to statutory obligation;
7.2.2. Personal Data relating to the Contract: 10 years since the end of the Contract, in accordance with the maximum limitation period for intentional infringements;
7.2.3. Personal Data for natural persons acting in representative roles of enterprises in case the person has fully ceased trading and 5 years have passed from the last role (the maximum time limitation for bringing claims).
8.1. The Group shall implement necessary organisational, physical and information technological security measures to ensure the security of the User’s Personal Data.
8.2. The User when creating a user account on the Webpage is obligated to keep the user ID and password necessary for entering the Webpage secret and in such a way that no third person shall have access to it, except in cases when the User has authorised a third person to use the user ID and password to use the Services.
8.3. The User having created a user account on the Webpage is obligated to inform the Group promptly when the User’s user ID or password is missing or in possession of a third party, so that the Group can implement necessary security measures to ensure the security of the User’s Personal Data.
8.4. The Group shall not be responsible for security breaches caused by the User’s own activities.
9. User’s Rights and Obligations
9.1. To the extent set out in relevant regulations (foremost GDPR), the User has the right to exercise the following rights regarding Personal Data Processed by the Group:
9.1.1. The right to request access to Personal Data;
9.1.2. The right to rectification of Personal Data;
9.1.3. The right to request erasure of Personal Data;
9.1.4. The right to object to Processing of Personal Data, especially in case the Group is Processing the data on the basis of legitimate interest;
9.1.5. The right to data portability;
9.1.6. The right to lodge a complaint against Processing of Personal Data;
9.1.7. The right to withdraw consent of Personal Data Processing at any time. Withdrawal of consent does not affect the legality of Processing that occurred prior to withdrawal of consent.
9.2. In order to exercise any of these rights, the User should contact the Group at the contact details outlined in Principles, clause 12. A User that has created an account on the Webpage can exercise certain rights also through the user account.
9.3. The Group has the right to request additional information to identify the User.
9.4. The Group shall reply to the User’s request within 30 days and shall inform the User as to whether and, if so, which measures the Group has implemented to resolve the User’s request. If the request is complex or substantial, the Group can extend the deadline for replying by 60 days. If the Group does not implement measures according to the User’s request, the Group shall inform the User of the reasons for not doing so, and shall inform the User on the possibilities of lodging a complaint with the Estonian Data Protection Inspectorate or seeking legal redress.
9.5. If the User’s requests are clearly unfounded or disproportionate, foremost due to their repetitive nature, the Group may:
9.5.1. charge a reasonable fee; or
9.5.2. refuse implementing the requested measures.
9.6. The User may request erasure of Personal Data only on the following grounds:
9.6.1. Personal Data is no longer necessary for the reason that they were collected or otherwise processed for;
9.6.2. the User withdraws consent of Personal Data Processing and there is no other legal basis for Processing Personal Data;
9.6.3. the User objects to Processing of Personal Data on the basis of the Group’s legitimate interest and there are no overriding legitimate reasons for Processing;
9.6.4. the User objects to Processing of Personal Data for the purpose of direct marketing;
9.6.5. Personal Data has been Processed unlawfully;
9.6.6. Personal Data shall be deleted to meet the Group’s statutory obligations;
9.6.7. for natural persons acting in representative roles of enterprises in case the person has fully ceased trading and 5 years have passed from the last role;
9.6.8. the Personal Data concerned relate to a child under the age of 13, Processed on the basis of consent.
9.7. If the User requests erasure of Personal Data, the request must specify the exact grounds listed in clause 9 of these Principles that the request relies on. The Group is not obligated to erase Personal Data, if there are no grounds or when the Processing of Personal Data is necessary for the following reasons:
9.7.1. to exercise the right of freedom of speech and freedom of information;
9.7.2. to meet the statutory obligations of the Group;
9.7.3. to establish, exercise or defend legal claims;
9.7.4. the Group has other legal basis for Processing Personal Data.
9.8. If Processing User’s Personal Data is based on User’s consent, the User has the right to withdraw that consent at any time. Withdrawal of consent does not affect the legality of Processing that occurred prior to withdrawal of consent.
9.9. If a violation occurs in relation to the User’s Personal Data and the Group considers it to present a high risk to the User’s rights and freedoms, the Group shall inform the User without undue delay at the contact details provided to the Group by the User, or, if that is not possible, publicly.
9.10. With the purpose of keeping the User’s Personal Data up-to-date, the User shall inform the Group of any changes in Personal Data.
9.11. In case the User’s rights have been violated, the User has the right to lodge a complaint with the Estonian Data Protection Inspectorate or to seek legal redress.
10. Profiling for Marketing Purposes
10.1. The Group performs Profiling for Marketing Purposes by placing small text files or Cookies (by the Group or by third parties) on the users’ web browsers. Profiling is data processing with the goal of making predictions about the User’s demographic variables (age, sex) and interests and, based on that, displaying adverts and offers the Group assesses to be of interest to the User.
10.2. As a result of Profiling for Marketing Purposes, no decisions with legal effect shall be taken regarding the User.
10.4. The Group does not use for profiling purposes personal data that the User has transmitted for the purposes of setting up an account or signing the contract when creating an account on the Webpage.
11. Changes to the Principles
11.1. The Group may need to change the current Principles based on changes in legislation, changes in the Group’s personal data processing processes or guidelines given by supervisory authorities or courts. In such cases, the Group shall provide prior and reasonable advance notification of the changes to the User.
12. Contact details
12.1. To exercise his/her rights, withdraw consents, to seek further information or to lodge a complaint against the Group, the User may contact:
Data Protection Officer, contact details: e-mail address firstname.lastname@example.org, postal address Tähe 129B, Tartu, 50113.
Effective as of 01.03.2019