The company FUNDAUS OÜ, registration number: 14643807, legal address: Harju maakond, Tallinn, Nõmme linnaosa, Tina tn. 9, 10126, (hereinafter – Controller) the owner of the platform placed on homepage www.fundaus.com (hereinafter – Platform), in connection with provision of crowdfunding services (hereinafter – Service) performs natural person personal data (hereinafter – Data) processing activities.
Data processing is performed also by the Controller’s security agent FUNDAUS TRUST AGENT OÜ, registration number: 14810464, legal address: Harju maakond, Tallinn, Kesklinna linnaosa, Tina tn. 9, 10126, who is custodian of collateral (hereinafter – Joint controller). Controller and Joint controller (both together hereinafter – Joint controllers) jointly determine Data processing purposes and means.
Data processing principles apply only to natural person and are based on the Estonian Data Protection Act (hereinafter – the Act) and Regulation (EU) 2016/679 of the European Parliament and of the Council 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter - GDPR).
The access to Data is provided to the Joint Controllers employees, which ensure Data confidentiality during performance of their working duties on a basis of employment agreement and after its termination.
Unauthorized person access to Data without the consent of Data subject is restricted, excluding occasions mentioned in the Act and GDPR requirements.
Joint controllers process submitted Data performing Data exchange.
Joint controllers’ respective responsibilities for the fulfillment of obligations, relevant actual functions and relationships with respect to Data processing are defined in the agreement concluded between them (hereinafter – the Agreement).
Data subject is entitled to become acquainted with the basic conditions of the Agreement related to the Joint controlling of the Data on its written request.
Purposes of Data processing
The Controller processes Data for the following purposes:
Identity verification - in order to ascertain and verify Data subject’s identity, conclude contract and provide Service.
Platform account support - in order to create and maintain the Platform account, support its functioning.
Performance of due diligence - in order to perform Data subject research in compliance with the requirement of the Estonian and European Union legal regulation related to prevention of money laundering and terrorist financing activities.
Reminders and notifications - in order to remind about incomplete Platform account creation, notify about changes in provided Service and other changes that might affect Data subject’s rights and obligations.
Data subject can refuse reminders and notifications by informing the Controller via e-mail.
Sending information - in order to communicate with Data subject in commercial and marketing purposes.
Data subject can refuse communication in the defined purpose by informing the Controller via e-mail.
Enforcement of statutory obligations
in order to fulfill accounting and financial obligation, provisions of the Estonian law and regulations of the Controller internal control system any information from any Data category may be used.
Data processing purposes are interconnected with provision of Service, which may be provided only if the Data subject submits the Controller necessary Data determined in Data category.
Categories of processed Data
Controller processes the following Data categories:
Identification data - name, surname, personal identification code, residence or seat address.
Identity document data - copy of identity document.
Due diligence data - including, but not limited to information regarding source of funds, economic activity, information whether the person is a politically exposed (PEP) or sanctioned person, tax residence address.
Platform account data - information regarding creation and activities (logins, IP-addresses, etc).
Financial data - information regarding performed transactions, bank accounts or payment system accounts.
Contact data - information regarding residence or seat address, e-mail address and phone number.
Transmission of Data
The Controller transfers Data to another undertaking in order to achieve defined purposes and on a legal basis ensuring that undertaking had taken obligations not to divulge transmitted Data.
Identity verification service provider - Data subject identification and verification is carried out via electronic identity verification service provider where Data subject submits identity verification information.
Third party - in order to protect Controller’s legitimate interests.
Joint controller - Data transmission to security agent, who is custodian of collateral in connection with a secured loan (for detailed information relevant Terms and Conditions).
Outsource service providers - in order to fulfill Controller’s obligations using outsourcing service, Data can be transferred to accounting, communications, legal, IT, compliance service providers, payment intermediaries, credit institutions, etc.
State authorities - Data transmission to state institutions or organizations when these obligations are arisen from Estonian legislation are obligated.
Data collected for the purposes of implementation of due diligence measures are retained for 5 years after the termination of the business relationship or an occasional transaction.
Data collected for the purposes of fulfilment of accounting obligations are retained for 7 years after the termination of a contractual relationship.
Data may be stored for a longer period, but the period for which the Data are stored should be limited to a strict minimum.
Data subject’s rights related to processed Data
To exercise any of the rights Data subject can send to the Controller a request using an e-mail email@example.com. The exercise of a right must be clearly designated in the request provided to Controller.
The request is answered without undue delay within a month after it has been received. That period may be extended by two further months where necessary, taking into account the complexity and number of the requests. Controller informs Data subject of the extension period and the reason of delay. The information upon request is provided in electronic form unless is otherwise requested.
If the Controller does not take an action on the request it informs Data subject on the reasons at the latest within one month of receipt of the request. Information on Data issued upon request is free of charge, but compensation for any reasonable costs associated with dealing with the request may be demanded.
Controller keeps right to request additional information concerning Data subject and its representative’s right to receive information and to request of rectification and erasure of Data. Controller keeps rights to refuse to act on the request in case when it is manifestly unfounded or has an excessive character. Controller also may restrict Data transmission or not transmit it in the case provided by Estonian legislation.
Right of access
Data subject is entitled to:
- obtain information on whether Data are being processed;
- obtain information on source from which Data are being processed (if Data are not collected form Data subject);
- receive an access to processed Data;
- receive additional information on categories, purposes and retention of processed Data;
- receive information on enterprises to whom Data are transmitted.
Right to rectification
Data subject is entitled to request prompt rectification of the incorrect Data and completing of the incomplete Data.
Right to erasure
Data subject is entitled to request prompt erasure of Data if one of the following conditions exists:
- purpose of Data processing is reached and Data are no longer necessary;
- Data subject withdraws consent given to the processing for specific purposes;
- Data subject objects to Data processing;
- Data have been processed unlawfully;
- Data have to be erased for compliance with a legal obligation.
The request to erase Data may be denied if there is a legitimate legal ground for doing so.
Right to restrict processing
Data subject is entitled to restrict processing of Data where one of the following applies:
- the accuracy of Data is contested;
- Data processing is unlawful;
- Data are no longer necessary for defined purpose;
- Data subject has objected to processing, pending the verification whether the legitimate grounds for processing of the Controller override those of the accuracy of Data are contested.
Right be informed
Data subject is entitled to receive information on each enterprise and person who was informed on Data rectification or erasure or restriction of processing Data upon its request.
Right to Data portability
Data subject is entitled to receive Data and transfer them to another Data controller insofar Data have been provided based on Data subject content and the processing is carried out by automated means.
This right does not apply to Data created by Controller.
Right to withdraw the consent
Data subject has right to withdraw the consent to Data processing.
Right to protect
if Data subject finds that the rights listed above are violated upon processing of Data, it is entitled to address with compliant the Estonian Data Protection Inspectorate https://www.aki.ee/en/ 39 Tatari Street, 10134, Tallinn, Estonia, telephone (from abroad add +372) 627 4135, firstname.lastname@example.org
Data protection officer
To enhance effectiveness of Data protection measures and ensure compliance with the Act and GDPR requirements Data Protection Officer who’s involved in all Data protection issues is appointed and notified through the Data Protection Inspectorate Enterprise Portal.
Version 1. In force from the 1st of March, 2020.
 PEP - 1) a natural Politically Exposed Person who is or who has been entrusted with prominent public functions including a head of State, head of government, minister and deputy or assistant minister; a member of parliament or of a similar legislative body, a member of a governing body of a political party, a member of a supreme court, a member of a court of auditors or of the board of a central bank; an ambassador, a chargé d'affaires and a high-ranking officer in the armed forces; a member of an administrative, management or supervisory body of a State-owned enterprise; a director, deputy director and member of the board or equivalent function of an international organization, except middle-ranking or more junior officials; 2) PEP family member - the spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or local politically exposed person; a child and their spouse, or a person considered to be equivalent to a spouse, of a politically exposed person or local politically exposed person; a parent of a politically exposed person or local politically exposed person; 3) PEP close associate - a natural person who is known to be the beneficial owner or to have joint beneficial ownership of a legal person or a legal arrangement, or any other close business relations, with a politically exposed person or a local politically exposed person; and a natural person who has sole beneficial ownership of a legal entity or legal arrangement which is known to have been set up for the de facto benefit of a politically exposed person or local politically exposed person.
© 2018 – 2020, Fundaus OÜ