Effective from [*]
1. SCOPE OF POLICY
2. DATA CONTROLLER
2.1. For the purpose of clarity, the data controller is TASMetals OÜ, registry code 14450014, address Paenurme tee 31, Lubja küla, Viimsi vald, Harju maakond, 74010.
2.2. All questions, comments and requests regarding data processing are welcomed and should be addressed to TASMetals’ e-mail address [*].
3. WHY AND WHAT CATEGORIES OF PERSONAL DATA ARE PROCESSED
3.1. TASMetals collects personal data for the following purposes:
a) providing services (hereinafter: Services) via the Marketplace (i.e. buying and selling metals);
b) communicating and providing customer support in relation to the Services;
c) alerting Customers of features or enhancements to the Services by e-mail;
d) enforcing and defending TASMetals’ legal rights;
e) complying with legal or regulatory obligations or requests, including the obligations and requests regarding prevention of money laundering and terrorist financing regulation (hereinafter: AML regulation).
3.2. TASMetals may collect and process the following personal data:
a) for purposes stated in sections 3.1.a), 3.1.b), 3.1.d) - Data Subject’s username, first and last name, e-mail address, phone, the name and registry code of the company which Data Subject represents (if applicable), bank’s name and bank account number, address;
b) for purpose stated in section 3.1.c): Data Subject’s username, first and last name, e-mail address, the name and registry code of the company which Data Subject represents;
c) for purpose stated in section 3.1.e) TASMetals collects and processes both data regarding the Data Subject as well as any relevant transaction or circumstances. Such personal data may include:
• first and last name, personal identification code, place and date of birth;
• residential address, postal address, location at the time contact is made with TASMetals;
• e-mail address, phone number;
• profession or field of activity;
• copy of identification document (passport, ID card or driver’s license), data regarding travel document issued by foreign state (name, number, date of issue, name of issuer);
• information whether the Data Subject has been entrusted with prominent public functions or whether the Data Subject is a close associate or family member to such person (i.e. politically exposed person according to AML regulation);
• the name and registry code of the legal person which the Data Subject represents;
• photo or video recording of Data Subject;
• transaction date and description of transaction’s substance;
• information on the circumstance of TASMetals’ refusal to establish a business relationship or make an occasional transaction;
• the circumstances of a waiver to establish a business relationship or make a transaction, including an occasional transaction, on the initiative of the Customer where the waiver is related to the application of due diligence measures by TASMetals;
• information according to which it is not possible to take the due diligence measures using information technology means;
• information on the circumstances of termination of a business relationship in connection with the impossibility of application of the due diligence measures;
• information serving as the basis for the duty to report under AML regulation;
• upon making transactions with a civil law partnership, community or another legal arrangement, trust fund or trustee, the fact that the person has such status.
3.3. When and if required by AML regulation, TASMetals shall verify the correctness of the data provided by the Data Subject from national registries or other trustworthy sources (e.g. credit institution). If necessary, personal data provided by Data Subject shall be amended.
4. LEGAL BASIS FOR PROCESSING PERSONAL DATA
4.1. TASMetals processes Data Subject’s personal data because it is necessary for the fulfilment of a contract concluded between TASMetals and Customer (see sections 3.1.a) and 3.1.b)) or for taking steps at the Customer’s request prior to entering into contract (see section 3.1.b)). In such a case the legal basis for processing data is the contract concluded between TASMetals and the Customer or the Customer’s request prior to entering into a contract.
4.2. TASMetals processes Data Subject’s personal data for sending Customer marketing e-mails under legitimate interest pursued by TASMetals (see section 3.1.c)). It is TASMetals’ legitimate interest to inform Customer as a client of any features or enhancements to the Services. This in turn allows TASMetals to provide the best Service possible.
4.3. TASMetals processes the Data Subject’s personal data for enforcing and defending TASMetals’ legal rights under legitimate interest pursued by TASMetals (see section 3.1.d)). It is TASMetals’ legitimate interest to enforce and defend its legal rights if TASMetals sees it as necessary.
4.4. TASMetals processes personal data for complying with legal or regulatory obligations or requests, including regarding AML regulation, as the processing is necessary for compliance with legal obligation to which TASMetals is subject (see section 3.1.e)).
5. AML OBLIGATIONS
5.1. TASMetals is required by AML regulation to process the Data Subject’s data and determine the Customer’s risk category. For that, TASMetals mainly takes into consideration the data submitted to TASMetals (e.g. Data Subject’s residency, field of activity, whether he or she is a politically exposed person; for a legal person whose representative is the Data Subject – location, field of activity and the transparency of management body and structure of the owners) and the nature of transactions conducted via Marketplace. Based on such analysis, TASMetals shall apply either simplified or enhanced due diligence measures.
5.2. If Data Subject fails to provide any data requested by TASMetals which is required by AML regulation, TASMetals shall not provide Services to the Customer.
6. DISCLOSING THE PERSONAL DATA
6.1. TASMetals shall not transfer Data Subject’s personal data to third parties except for the following cases:
a) to companies which provide TASMetals server computing services in which TASMetals stores and processes personal data, e.g. [insert current service provider] ([insert the service provider’s country of location - if outside the EU, additional information must be added]);
b) to companies which provide TASMetals e-mail server services where TASMetals uses emails for transferring personal data between TASMetals employees, e.g. Zone Media OÜ (Estonian entity);
c) to companies which provide TASMetals service for developing and maintaining TASMetals’ ICT systems where it is necessary for providing Services, e.g. Dealport OÜ (Estonian entity);
d) to companies which provide TASMetals accounting service where it is necessary for providing Services, e.g. Dealport OÜ (Estonian entity);
e) [add if personal data is also sent to other third parties]
6.2. TASMetals takes steps to verify that processors that are appointed to process personal data on TASMetals’ behalf will protect that personal data as required under data protection law.
6.3. TASMetals also has the right to disclose personal data to the following persons in the following cases:
a) to a respective seller or buyer, in the event that TASMetals sells or buys any business or assets;
b) to a third party acquiring TASMetals or substantially all of its assets, if such acquisition should take place and in which case personal data held by TASMetals about Data Subjects will be one of the transferred assets;
c) to a relevant institution requiring Customer’s personal data, if TASMetals is under a duty to disclose or share such personal data in order to comply with any legal or regulatory obligation or request deriving from law (including AML regulation);
d) to other companies and organisations for the purposes of fraud protection and credit risk reduction, in order to protect the rights, property or safety of TASMetals’ business, its clients or others.
7. HOW LONG PERSONAL DATA IS STORED
7.1. TASMetals only processes and stores personal data for as long as it is necessary to fulfil the purpose for which it is processed – once the purpose has ceased, the personal data will be erased or anonymised.
7.2. Data Subject’s personal data will be stored:
a) up to 3 years after the last transaction conducted by the Customer, where TASMetals processes personal data regarding providing Services (see section 3.1.a));
b) up to 3 years after last contact with the Customer, where TASMetals processes personal data regarding communicating and providing customer support (see section 3.1.b));
c) up to 3 years after the last transaction conducted by the Customer, where TASMetals processes personal data regarding alerting Customer of services, features or enhancements to Services by e-mail (see section 3.1.c));
d) up to 3 years after the last transaction conducted by the Customer, where TASMetals processes personal data regarding enforcing and defending TASMetals’ legal rights (see section 3.1.d));
e) up to 5 years from the end of the business relationship with the Customer, where TASMetals processes Data Subject’s personal data regarding complying with legal or regulatory obligations or requests, including the obligations and requests regarding AML regulation (see section 3.1.e)).
f) [add if purposes were added above]
7.3. The data of importance for prevention, detection or investigation of money laundering or terrorist financing retained as set forth in section 7.2.e) may be retained for a longer period, but not for more than 5 years after the expiry of the first time limit, if so requested by a precept of the competent supervisory authority.
7.4. Personal data contained in any accounting documents (e.g. invoices) shall be stored for 7 years from the end of the last financial year they relate to.
8. DATA SUBJECT’S RIGHTS
8.1. Data Subject has the right to contact TASMetals by writing an e-mail to [*] to exercise Data Subject’s rights concerning processing of personal data. Such rights include the:
a) right to request access to personal data;
b) right to request rectification of personal data;
c) right to request erasure of personal data;
d) right to request restriction of processing of personal data;
e) right to object to processing of personal data;
f) right to request portability of personal data;
g) right that decisions are not taken concerning the Data Subject which are based on automated decision-making;
h) right to withdraw consent;
i) right to lodge a complaint with a supervisory authority (Estonian Data Protection Inspectorate).
9. THIRD PARTY SITES
9.1. The Marketplace may, from time to time, contain links to and from the websites of TASMetals’ partner networks, advertisers and affiliates (including, but not limited to, websites on which TASMetals and the Marketplace are advertised). If Data Subject follows a link to any of these websites, it must be considered that these websites and any services that may be accessible through them have their own privacy policies and that TASMetals does not accept any responsibility or liability for these policies or for any personal data that may be collected through these websites or services. TASMetals recommends checking these policies before submitting any personal data to these websites or using any of these services.