General Terms for Processing Personal Data by Aktsiaselts Jalajälg
Effective from 01.01.2024
INTRODUCTION
This document outlining the terms for processing personal data (hereinafter
referred to as the "Privacy Terms") describes how Aktsiaselts
Jalajälg (registration code 10188051, hereinafter referred to as
"Jalajälg") processes your personal data.
The purpose of these Privacy Terms is to provide clear and transparent information to the users of our services, partners, and other individuals regarding how Jalajälg may process your personal data.
If you have any specific questions about how we process your personal data or if you wish to submit requests related to the exercise of your rights concerning the processing of personal data, please contact us using the contact details provided in the section titled "Contact."
1. DEFINITIONS
“Data Subject”
A natural person whose data is being processed.
“Jalajälg”
Aktsiaselts Jalajälg, registration code 10188051.
“GDPR”
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27
April 2016 on the protection of natural persons with regard to the processing
of personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation).
“Personal Data”
Any information relating to an identified or identifiable natural person (“Data
Subject”); an identifiable natural person is one who can be identified,
directly or indirectly, in particular by reference to an identifier such as a
name, identification number, location data, online identifier, or to one or
more factors specific to the physical, physiological, genetic, mental,
economic, cultural, or social identity of that natural person.
“Applicable Law”
All applicable European Union legal acts and all applicable legal acts of the
Republic of Estonia, including but not limited to national implementing acts of
the GDPR, in effect during the validity of these Privacy Terms or entering into
effect after their establishment.
“Services”
Services provided by Jalajälg.
“Stores”
Stores owned by Jalajälg as listed on the Website.
“Customer”
A person who uses the services provided by Jalajälg.
“Processing”
Any operation or set of operations performed on Personal Data or on sets of
Personal Data, whether or not by automated means, such as collection,
recording, organization, structuring, storage, adaptation or alteration,
retrieval, consultation, use, disclosure by transmission, dissemination, or
otherwise making available, alignment or combination, restriction, erasure, or
destruction.
“Data Controller”
A natural or legal person, public authority, agency, or other body that, alone
or jointly with others, determines the purposes and means of the processing of
Personal Data. For the purposes of these Privacy Terms, the Data Controller of
Personal Data is Jalajälg.
“Websites”
Websites managed by Jalajälg, including https://www.teamsport.ee/ee/, www.jalajälg.ee,
or any other website Jalajälg may introduce in the future.
“Data Processor”
A natural or legal person, public authority, agency, or other body that
processes Personal Data on behalf of the Data Controller.
“Mobile Application”
The mobile application Citysport managed by Jalajälg, available via Google Play
Store and Apple App Store.
2. WHAT PERSONAL DATA MAY WE PROCESS?
2.1. When you use Jalajälg’s Services, visit Jalajälg’s Websites, or use the Mobile Application, we may process your personal data.
2.2. The personal data that Jalajälg may process includes the following:
2.2.1. General Information:
2.2.2. Contact Information:
2.2.3. Account-Related Information:
2.2.4. Billing Information:
2.2.5. Service Usage Information:
2.2.6. Technical Information:
2.3. A more detailed overview of the specific personal data Jalajälg may process in individual cases is provided in Section 5 below.
3. ON WHAT LEGAL BASES DO WE PROCESS PERSONAL DATA?
3.1. Jalajälg primarily processes personal data for the purpose of selling products under the Jalajälg brand, especially in physical stores and online shops. When a customer of Jalajälg is a natural person (Data Subject), the legal basis for processing their personal data is Article 6(1)(b) of the GDPR – the processing is necessary for the performance of a contract to which the Data Subject is a party, or in order to take steps at the request of the Data Subject prior to entering into a contract.
3.2. Jalajälg may also process personal data when necessary to comply with a legal obligation to which Jalajälg is subject. For example, if Jalajälg is required to provide personal data to a court under a valid court order or judgment, or if law enforcement authorities require personal data based on applicable regulations. Additionally, Jalajälg may need to retain personal data to comply with the Accounting Act or other applicable legislation. The legal basis for such processing is Article 6(1)(c) of the GDPR – the processing is necessary for compliance with a legal obligation to which the Data Controller is subject.
3.3. In certain cases, Jalajälg may process personal data when it is necessary for the purposes of Jalajälg’s legitimate interests, except where such interests are overridden by the interests or fundamental rights and freedoms of the Data Subject, particularly if the Data Subject is a child. The legal basis for such processing is Article 6(1)(f) of the GDPR. The Data Subject has the right to object to processing based on legitimate interests.
3.4. Jalajälg may also process personal data based on the consent of the Data Subject. For instance, this applies when we send newsletters. The legal basis for such processing is Article 6(1)(a) of the GDPR. When consent is obtained, we may process personal data only for the purposes defined in the consent and for the duration of its validity. The Data Subject has the right to withdraw their consent for personal data processing at any time.
3.5. A more detailed overview of the personal data processed and the applicable legal bases is provided in Section 5.
4. RETENTION OF PERSONAL DATA
4.1. Jalajälg does not retain personal data longer than necessary based on the purpose of processing or as required under applicable law.
4.2. Jalajälg applies the following general retention periods for personal data:
4.2.1. Accounting records are retained for 7 years in accordance with the Accounting Act.
4.2.2. Personal data related to contract execution, unless a longer retention period is required by applicable law, is generally retained for as long as it is needed for contract performance during the contract's validity or up to 3 years after the contract ends, based on Jalajälg's legitimate interest under Article 6(1)(f) of the GDPR and the statute of limitations established in the General Part of the Civil Code Act.
4.2.3. Data collected based on consent is retained until the consent is withdrawn or for up to 3 years (if consent is not withdrawn earlier).
4.3. A more detailed overview of the applicable retention periods is provided in Section 5. If you would like more specific information about the retention periods for personal data related to you, please contact us using the contact details provided in the section titled "Contact."
5. OVERVIEW OF PROCESSED PERSONAL DATA
Depending on how you use Jalajälg’s Services, Jalajälg may process the following personal data about you:
|
Purpose of processing |
Types of personal data being processed |
Source of personal data |
Retention period |
Legal basis |
|
Creating an account on the Website or Mobile App via email |
Email address, name, date of birth, gender, password, sports club membership (optional) |
Data subject |
3 years after the contract ends |
Article 6 (1) (b) of the GDPR, after the termination of the contract, Article 6 (1) (f) of the GDPR |
|
Placing orders through the website's online store |
Email address, name, phone number, parcel machine address |
Data subject |
3 years after the contract ends |
Article 6(1)(b) of the GDPR, after the termination of the contract, Article 6(1)(f) of the GDPR |
|
Creating an account on the Website or Mobile App via the Google or Facebook application |
Email address, name |
Third party (Google/Facebook) |
3 years after the contract ends |
Article 6 (1) (b) of the GDPR, after the termination of the contract, Article 6 (1) (f) of the GDPR |
|
Product delivery |
Address (delivery address or parcel machine address), name, phone number |
Data subject |
3 years after the end of the contract |
Article 6 (1) (b) of the GDPR, after the termination of the contract, Article 6 (1) (f) of the GDPR |
|
Data related to payment for products |
Amounts payable and amounts paid, in the case of payment by invoice or via bank link, the bank account number and the name of the bank; in the case of card payment, the last four digits, year, month, and type |
Data subject or payment solution provider |
7 years pursuant to the Accounting Act |
Article 6 (1) (b) of the GDPR, Article 6 (1) (c) of the GDPR |
|
Withdrawal processing and restitution of withdrawn contracts |
Name, amounts paid, information related to returned products |
Data subject or payment solution provider |
3 years after the termination of the contract; accounting-related data for 7 years in accordance with the Accounting Act |
Article 6 (1) (b) of the GDPR, Article 6 (1) (c) of the GDPR |
|
Sending a newsletter |
Email address |
Data subject |
Until the withdrawal of consent or up to 3 years after giving consent |
Article 6 (1) (a) of the GDPR, Article 6 (1) (f) of the GDPR |
|
Responding to inquiries, questions, or complaints |
Depending on the specific request |
Data subject |
Up to 3 years from the resolution of the inquiry |
Article 6 (1) (b) of the GDPR, Article 6 (1) (f) of the GDPR |
|
Improving user experience, Service development Information about the use of our services |
Information automatically collected about the use of services (see also the chapter on the use of cookies (chapter 7) |
Automatically |
Up to 3 years |
Article 6 (1) (f) of the GDPR |
|
Water footprint Use of security cameras in stores and warehouses (read more in chapter 6) |
Person's image |
Automatically |
Up to 60 days |
Article 6 (1) (f) of the GDPR |
|
Registration for events and lotteries in the Mobile App or on the Website |
Email address, name, phone number |
Data subject |
Until the event or draw takes place and 3 years after it takes place |
Article 6 (1) (b) of the GDPR, after the termination of the contract, Article 6 (1) (f) of the GDPR |
|
Payment for paid events in the Mobile App or on the Website |
Amounts payable and amounts paid, invoice payment or bank link via bank account number and bank name; in the case of card payment, the last four digits, year, month, and type |
Data subject or payment solution provider |
7 years pursuant to the Accounting Act |
Article 6 (1) (b) of the GDPR, Article 6 (1) (c) of the GDPR |
|
Information collected via cookies |
Read more in the chapter on the use of cookies (chapter 7). |
6. USE OF SECURITY CAMERAS
6.1. In accordance with applicable law, Jalajälg is entitled to use surveillance equipment to protect individuals and property. For this purpose, Jalajälg employs security cameras on its premises, which involve the processing of personal data.
6.2. The use of security cameras is necessary primarily to ensure security on Jalajälg’s premises, including in stores and warehouses, to prevent and address security incidents, and to protect Jalajälg’s property and the safety of people, including employees.
6.3. The legal basis for using security cameras is Jalajälg’s legitimate interest under Article 6(1)(f) of the General Data Protection Regulation (GDPR).
6.4. Jalajälg’s surveillance system consists of cameras installed in the following locations:
6.5. Security cameras are never installed in areas (such as restrooms or dressing rooms) where Jalajälg employees, customers, or other individuals in the camera’s view could expect complete privacy.
6.6. As a rule, Jalajälg does not share camera recordings with third parties, except where Jalajälg is authorized or obligated to do so by law. For example, recordings may be shared with authorities if required by law for investigating offenses or other incidents, such as with the Police and Border Guard Board.
6.7. Access to camera recordings is restricted to individuals who require access strictly for the performance of their job duties.
6.8. Jalajälg implements reasonable organizational and technical security measures to protect the recordings from accidental or unauthorized processing or disclosure. Camera recordings are stored on Jalajälg’s local server.
6.9. Jalajälg retains outdoor camera recordings for up to 60 days from the date of recording, unless an investigation is initiated during this period for an offense or other incident, requiring the specific recording to be kept for a longer period. The 60-day retention period is necessary to detect or investigate potential incidents or offenses within that timeframe.
6.10. All Jalajälg employees, customers, or other third parties who have been on Jalajälg’s premises and whose image has been recorded have the right to view the recording containing their image. Jalajälg cannot provide a recording if it has been deleted by the time the request is received. Additionally, to protect the rights and interests of other individuals appearing in the recording, their image must be obscured (blurred) to ensure they cannot be identified. Consequently, access to recordings cannot be provided immediately.
7. USE OF COOKIES
7.1. Jalajälg’s Websites use cookies. Cookies are small text files containing information stored on your computer, used for tracking or identification purposes.
7.2. Cookies can be categorized based on their validity period:
7.2.1. Temporary or session cookies – generally valid for a single web session and are deleted when the browser is closed;
7.2.2. Persistent cookies – stored on the user’s device for a defined period and activated each time the user visits the website that installed the cookie.
7.3. Cookies can also be categorized based on their source:
7.3.1. First-party cookies – originate from the website operator;
7.3.2. Third-party cookies – originate from, for example, advertisements on other websites that appear on the website visited by the user.
7.4. Cookies can be categorized by their purpose:
7.4.1. Essential cookies – crucial for navigating websites, using their functions, and accessing services requested by users. Without these cookies, the website and its functionalities cannot be provided.
7.4.2. Analytical cookies – collect information about how users interact with websites, such as the most frequently visited pages and any error messages encountered.
7.4.3. Preference cookies – remember choices made by users (e.g., text size, other customizable features) and characteristics (e.g., username, language, or country) to provide a more personalized and user-friendly experience.
7.4.4. Marketing cookies – collect information about the user’s website visits and usage to display advertisements relevant to their interests.
7.5. Before using the Websites, the Client is presented with an option to decline or consent to the use of cookies. The Client cannot decline essential cookies as the Websites will not function correctly without them.
7.6. Jalajälg’s website teamsport.ee uses the following cookies:
|
Cookie |
Type of cookie |
Cookie Description and Purpose |
|
PHPSESSID |
Necessary cookie |
Stores the logged-in user's username and a 128-bit encrypted key to allow the user to navigate the website without re-entering their username and password on every page. Essential for accessing authenticated areas of the website. |
|
private_content_version |
Necessary cookie |
Adds a random unique number and timestamp to client content pages to prevent them from being cached on the server. |
|
persistent_shopping_cart |
Necessary cookie |
Purpose: Stores a persistent cart key (ID) to enable the recovery of a shopping cart for anonymous shoppers. |
|
form_key |
Necessary cookie |
Purpose: Adds a random string to all form submissions to protect against cross-site request forgery (CSRF). |
|
store |
Necessary cookie |
Tracks the specific store view or locale selected by the shopper. |
|
login_redirect |
Necessary cookie |
Stores the landing page navigated to by the customer before being redirected for login. |
|
mage-messages |
Necessary cookie |
Tracks error messages and notifications shown to the user, such as cookie consent messages. These are cleared from the cookie after being displayed. |
|
mage-cache-storage |
Necessary cookie |
Enables e-commerce features by locally storing visitor-specific content. |
|
mage-cache-storage-section-invalidation |
Necessary cookie |
Forces local storage expiration for specific content sections. |
|
mage-cache-sessid |
Necessary cookie |
Triggers the clearing of local cache storage when needed. |
|
product_data_storage |
Necessary cookie |
Stores the product data configuration for recently viewed or compared products. |
|
user_allowed_save_cookie |
Necessary cookie |
Tracks whether the user allows cookies to be stored. |
|
mage-translation-storage |
Necessary cookie |
Stores translated content when requested by the shopper. |
|
mage-translation-file-version |
Necessary cookie |
Stores the version of the translated content file. |
|
section_data_ids |
Necessary cookie |
Stores customer-specific information related to user-initiated actions, such as wishlist display or checkout details. |
|
recently_viewed_product |
Marketing cookie |
Stores IDs of recently viewed products for easier navigation. |
|
recently_viewed_product_previous |
Marketing cookie |
Stores IDs of recently compared products for easier navigation. |
|
recently_compared_product |
Marketing cookie |
Stores IDs of recently viewed products for easier navigation. |
|
recently_compared_product_previous |
Marketing cookie |
Stores IDs of recently compared products for easier navigation. |
|
_ga |
Third-party (Google) analytical cookie |
Used to distinguish between users. |
|
_gid |
Third-party (Google) analytical cookie |
Used to distinguish between users. |
|
_gat |
Third-party (Google) analytical cookie |
Used to regulate query speeds. |
7.7. Jalajälg’s website, jalajalg.ee, uses the following cookies:
|
Cookie Name |
Cookie type |
Cookie description and purpose |
|
Cookiebot |
Essential Cookie |
Stores the user's cookie consent status for the current domain |
|
wp-wpml_current_language |
Preference Cookie |
Determines the country code based on the user's IP address. Used to set the language for the visitor. |
|
lastExternalReferrer |
Third-Party (Meta) Marketing Cookie |
Identifies how the user arrived at the website by recording their last URL. |
|
lastExternalReferrerTime |
Third-Party (Meta) Marketing Cookie |
Identifies how the user arrived at the website by recording their last URL. |
|
_fbp |
Third-Party (Meta) Marketing Cookie |
Facebook uses this cookie to deliver advertising products, such as real-time bids from third-party advertisers. |
|
_ga |
Third-Party (Google) Marketing Cookie |
Used to send data to Google Analytics about the visitor's device and behavior. Tracks the visitor across devices and marketing channels. |
|
_ga_# |
Third-Party (Google) Marketing Cookie |
Used to send data to Google Analytics about the visitor's device and behavior. Tracks the visitor across devices and marketing channels. |
8. TRANSFER OF PERSONAL DATA AND USE OF AUTHORIZED PROCESSORS
8.1. Jalajälg does not transfer personal data to third parties unless it has a lawful basis to do so under applicable law.
8.2. Jalajälg may use authorized processors for data processing or share personal data within Jalajälg group companies for internal administrative purposes. Authorized processors, who may process personal data in limited cases, include IT service providers (such as server hosting providers and software developers) or other support service providers. Jalajälg works only with trusted partners who are committed to processing personal data in compliance with applicable law. Authorized processors are used for:
8.2.1. IT services
(server hosting providers, other IT solutions, and software programs);
8.2.2. Payment solutions (e.g., Montonio);
8.2.3. Identity verification services for convenient login options
(e.g., Facebook, Google);
8.2.4. Sending newsletters;
8.2.5. Delivering ordered products (couriers, postal services).
8.3. Jalajälg may transfer personal data in connection with legal transactions, such as corporate restructuring, sales, or other transactions. In such cases, personal data may be transferred to transaction partners and legal advisors (e.g., law firms, auditing firms).
8.4. Jalajälg may transfer personal data in compliance with legal obligations, such as when required by a court order or judgment, or when requested by an investigative authority under applicable law.
8.5. Jalajälg does not typically transfer personal data outside the European Economic Area. If such transfers occur, appropriate security measures will be implemented.
9. DATA SUBJECT RIGHTS
9.1. Jalajälg ensures all rights granted to data subjects under applicable law.
9.2. Each data subject has, among others, the following rights:
9.2.1. Right of access:
The right to request at any time whether Jalajälg has personal data about you
and to receive information about the personal data Jalajälg processes about
you.
9.2.2. Right to rectification of personal
data:
The right to request that Jalajälg correct or update your personal data if it
is inaccurate, incomplete, or incorrect.
9.2.3. Right to object:
The right to object to the processing of your personal data, for example, when
personal data is processed based on Jalajälg’s legitimate interest.
9.2.4. Right to request erasure of personal
data:
The right to request the deletion of your personal data, for example, when data
is processed based on your consent, and you withdraw that consent.
9.2.5. Right to restrict processing:
The right to request that Jalajälg restrict the processing of your personal
data under applicable law, for example, when Jalajälg no longer needs the data
for processing purposes or when you have objected to the processing of personal
data.
9.2.6. Right to withdraw consent:
If the processing of personal data is based on your consent, you have the right
to withdraw your consent at any time. For newsletters, consent can be withdrawn
by clicking the “unsubscribe” link at the bottom of the newsletter. Consent for
cookies can be withdrawn via the "cookies" link in the footer of the
website.
9.2.7. Right to data portability:
The right to receive personal data that you have provided to Jalajälg, which is
processed based on your consent or a contract, in a written or commonly used
electronic format. You can also request that Jalajälg transfer the data
directly to another data controller, if technically feasible.
9.2.8. Right to file a complaint:
If you believe your rights have been violated in the processing of your data,
you can file a claim or complaint with the Data Protection Inspectorate –
Tatari 39, 10134 Tallinn, info@aki.ee, www.aki.ee.
If your permanent residence or workplace is in another country, you can file a
complaint with the supervisory authority of that country. For more information
on data protection authorities in EU/EEA member states: https://edpb.europa.eu/about-edpb/about-edpb/members_en.
However, we recommend contacting us first to find a quick and effective
solution.
9.3. The data subject's rights listed in this section regarding the processing of their personal data are not absolute. In certain cases, the rights of other data subjects or Jalajälg’s legal obligations may limit the rights of the data subject.
9.4. To exercise your rights related to personal data processing or to submit requests regarding the processing of personal data, please contact us using the contact details provided in the “Contact” section below.
10. PERSONAL DATA SECURITY
10.1. Jalajälg is committed to ensuring the security of personal data processing, aiming to protect personal data from accidental or unauthorized processing, disclosure, or destruction.
10.2. Taking into account the latest advancements in science and technology, the costs of implementation, the nature, scope, context, and purposes of personal data processing, as well as the varying likelihood and severity of risks to the rights and freedoms of data subjects, Jalajälg implements appropriate technical and organizational measures to ensure the security of personal data.
11. CONTACT
11.1. If you have any questions regarding the processing of personal data or wish to submit requests related to personal data processing, please contact Jalajälg.
Jalajälg's contact details are:
Aktsiaselts Jalajälg
Pärnu mnt 144, Tallinn 11317
Email: jalajalg@jalajalg.ee
Phone: +372 654 8434
4o