“FinTech Legal Center” is a trading name of ExoBooks OÜ and ExoLegal OÜ. This Privacy Policy describes the information that we gather, how we use and disclose such information.
We process personal data about you as a client in connection with the business operations of our firm, when you visit our website, subscribe to our newsletter or attend our events.
The conditions of our processing of your personal data and your personal rights in this connection are further described below in accordance with the rules of the General Data Protection Regulation (the ‘GDPR’).
Contact information
If you have any questions about our processing of your personal data or you wish to exercise your rights, you are always welcome to contact us:
FinTech Legal Center Valge 13, 11415 Tallinn Estonia Telephone: +372 6028411 e-mail: privacy@fintechlegalcenter.eu
Categories of personal data, purpose and governing law
As part of the administration of our client, we are processing personal data about you. In all relationships with clients, we are processing information with a view to establishing a relationship with the client, client management and performance of the business operations of our firm. Below is specified the personal data processed in this connection.
Client management
In order to administer, manage and cultivate the relationship with our clients, we process personal data about you as a client or a potential client. As part of our client management, the following types of information are processed.
Ordinary personal data. These include identification information and contact information about clients, owners of the client and/or contact persons, as well as representatives of the client. Furthermore, we process information about our relationship with the client, including correspondence. In certain cases, we collect credit information about clients.
The legal basis for the processing is Article 6(1)(b) of the GDPR, according to which personal data can be processed if necessary for the performance of a contract, in this case the task or the potential task. Furthermore, personal data can be processed if necessary for the purposes of FLC’s legitimate interests, including the establishment and cultivation of a relationship with a client, see Article 6(1)(f) of the GDPR; just as there might be situations where we store your personal data even if we do not enter into an agreement.
Money laundering
There are a number of requirements in the anti-money laundering legislation that we must meet. In order to meet these requirements for the prevention of money laundering and financing of terrorism, we process personal data about you.
Ordinary personal data. Including processing of information, such as name, personal code (alternatively passport number or another national identification number), the information is compared with a reliable and independent source, digital signature, or copy of picture ID (e.g. passport, driver’s licence or the like), owner and control structure, beneficial owners, alternatively the day-to-day management.
The legal basis for the processing is Article 6(1)(c) of the GDPR, according to which personal data can be processed when necessary for compliance with a legal obligation. In exceptional cases, sensitive personal data can be processed, and such processing will be based on Article 9(2)(g) of the GDPR; just like information about criminal offences can be processed pursuant to the Personal Data Protection Act.
Case management
When providing advice, we process personal data about you as, for example, business owner, beneficial owner, board member, employee, customer and supplier. This data is processed in order to advise our clients.
| Ordinary information | Sensitive information | |
| Information | Identification information, including personal code, contact information, copy of ID, information about criminal offences, family matters, bank and payment information, financial matters, contractual relationships, tax matters, staff matters, other relevant information available. | Any relevant data concerning health, data revealing trade union membership, etc. |
| Basis of processing | Basis of processing when processing is necessary for the performance of a contract (the task), compliance with a legal obligation, FLC and the client’s legitimate interests in relation to conducting legal proceedings, advising and practising law, see Article 6(1)(b)(c) and (f) of the GDPR. | The legal basis for processing is Article 9(2)(f) of the GDPR. |
Marketing
We process personal data in connection with marketing activities, including the provision of courses, events, etc., as well as sending out newsletters. Processing is necessary in order to provide services to interested parties.
In this context, ordinary personal data is processed, including name, contact information and possible interests or preference for topics, as well as language.
The legal basis for processing of personal data in connection with courses, events, sending out newsletters, etc. is our legitimate interests in marketing our business (see Article 6(1)(f) of the GDPR.)
We send out newsletters and other marketing material if we have obtained your explicit consent. You can always withdraw your consent by contacting us via the above contact information or follow the instructions at the bottom of our newsletters.
Business operations
In connection with our business operations, we process personal data concerning our suppliers and business partners.
In this connection, ordinary personal data is processed, including name, place of work and contact information, as well as information about the relationship and correspondence.
The legal basis is our legitimate interests in managing and practising law, see Article 6(1)(f) of the GDPR. In some cases, the legal basis is Article 6(1)(b) of the GDPR, according to which processing is necessary for the performance of a contract to which the data subject is a party.
FLC’s website
When you visit our website, we collect and process information about you in connection with our use of cookies for marketing and statistical purposes, e.g. to optimize our website and target ads.
You can find an outline of the types of cookies used by us and how to delete them, etc. in our Cookie Policy.
Ordinary personal data is processed in the form of your IP address in connection with our use of cookies. In addition, we process the following information about you in an aggregate form (i.e. non-personally identifiable): demography, including gender and age, interests, geography and information about your browser, device and service provider.
We use Google Analytics to track social shares made at our website. Google automatically collect and store certain information in their server logs which includes device event information such as crashes, system activity, hardware settings, browser type, browser language, the date and time of your request and referral URL, cookies that may uniquely identify your browser or your Google Account, in accordance with their data privacy policy.
The legal basis is our legitimate interests in generating statistics and, by this process, analysing the use of our website, e.g. to optimize it (see Article 6(1)(f) of the GDPR.)
Social media
We are active on social media. When you interact with us on these media, you are making information available to us and the social media, e.g. when you respond to our postings, comment on or share them, just like we process information that you ‘like’ FLC or follow us on the social media.
In addition, ordinary information is processed about you in the form of, for example, identification information, contact information, your profile photo, etc.
Furthermore, we will in some cases share, for example, a piece of news in which your identification information (name) is included. In these cases, we always request your prior consent. You can always withdraw your consent by contacting us via the above contact information. The purpose of the processing is branding and marketing of FLC.
The legal basis for the processing is our legitimate interests in marketing us as a firm on social media and knowledge sharing in the form of sharing of articles, etc. (see Article 6(1)(f) of the GDPR.)
Information on social media is deleted when we delete a posting or when you delete your comment, share, reaction or indication that you ‘like’ or follow us.
Visitors
We obtain basic personal information from you in our visitor’s database and/or the archive of visitor registration cards, which includes but is not limited to name, phone number, reason for visit, date & time. Video footage might also be recorded on our CCTV system installed on company premises.
We collect and process information to ensure the physical security of the people and items, security of confidential information located in our premises or accessible from our premises. This is done to prevent loss, frauds, thefts, injuries, terrorism and other events of such kind in our premises.
Our visitors’ personal data is maintained in a secure manner. Only authorized employees have access to it. We will only keep such personal data for as long as is reasonably necessary for the purposes outlined above or to comply with legal requirements under applicable law(s).
Sources of personal data
In connection with client management, case management and professional advice, FLC primarily obtains information from the client but may also obtain information from publicly available sources, public authorities and opponents.
Information for the prevention of money laundering and financing of terrorism is generally obtained from the client but may also be obtained from your employer (our client) and public registers.
We obtain information in connection with marketing from you as a data subject, and in connection with various events and courses, the information may be collected from the company where you are employed.
Please note that when you visit our website, you automatically submit information about your activities, usage, etc. on our website to us and third parties. Read more in our Cookie Policy.
In connection with our business operations, information is likewise obtained from the data subject (supplier, business partner, etc.), or from the company where the person is employed.
In connection with our visitors, information is obtained from the visitors themselves.
Disclosure and transfer of personal data
Your personal data is disclosed only in connection with case management and professional advice, and only when FLC is legally obliged to do so, or when you have given your consent. You can always withdraw your consent by contacting us via the above contact information.
Data may be disclosed to the following parties:
- The parties to the case
- Public authorities, including the courts, the bailiff’s court, the probate court, the registration court, the relevant tax authorities, the prosecuting authority.
In addition, we disclose your personal data to data processors, who are assisting us in our business operations.
In principle, we do not transfer your information to countries outside the EU/EEA. However, transfer may take place if you or a party to the case is located in a so-called third country. In this case, the legal basis is Article 49(1)(e) of the GDPR, according to which transfer may take place if necessary for the establishment, exercise or defence of legal claims, just like transfer may take place if you have given your consent. You can always withdraw your consent by contacting us via the above contact information.
In certain cases, we also use data processors located outside the EU/EEA. At your request, we can inform you where you can obtain a copy of the basis of transfer in question.
Business partners
We are joint data controllers with some of our business partners. Pursuant to Article 26 of the GDPR, joint data control exists when two or more data controllers jointly determine the purposes and means of processing of personal data. Agreements on joint data responsibility have been entered into with the business partners and cooperating lawyers in question.
We are, according to the agreements entered into, responsible for making systems available and the security of such systems, just like we are responsible for the administration of compliance with the anti-money laundering and terrorist financing legislation, including the whistle-blower system, and the overall compliance with the data protection legislation. Our business partners are responsible for compliance with the obligation to provide information to their clients, etc. and to have a legal basis for the processing of personal data.
In respect to the rights of the data subjects, we are responsible for the right of access, right to erasure, obligation to provide information in connection with rectification, erasure or restriction, as well as right to data portability. Thus, the business partners are responsible for providing information, rectification, restriction of processing and objection to processing. Whatever right you want to exercise, you can always contact us via the above contact information, and your request will be passed on to the business partners, where relevant.
Recruitment
We process each candidate’s personal data in accordance with this paragraph, unless such processing, unless such processing conflicts with the requirements of applicable law, in which case applicable law will prevail.
We usually collect personal data directly from you when you apply for a role with us, such as your name, address, contact information, photographs and videos, work and educational history, achievements, identity documents, and test results. If you receive an offer from us, we may then conduct a background check and, to the extent permitted by applicable law. We may also collect data related to criminal offences and proceedings. We also collect similar personal data about you from third parties, such as professional recruiting firms, your references, prior employers, our employees with whom you have interviewed or who recommended your candidacy, and, to the extent permitted by applicable law, employment background check providers. We may also collect personal data about you online to the extent that you have chosen to make this information publicly available. For example, we may find your profile on professional social media websites (such as LinkedIn), and contact you about suitable roles.
Sensitive personal data is a subset of personal data that includes ethnicity, health, trade union membership, philosophical beliefs, sexual orientation, and other categories as prescribed by law. We may collect sensitive personal data about a candidate to the extent permitted to do so by applicable laws and to support our efforts to create an inclusive and diverse work environment. We may also collect sensitive personal data to the extent that you choose, without being asked, to voluntarily disclose it during the recruiting process.
We collect and use your personal data for legitimate human resources and business management reasons, including:
- identifying and evaluating candidates for potential employment, as well as for future roles that may become available;
- maintaining records in relation to recruiting and hiring;
- ensuring compliance with legal requirements;
- fostering our diversity and inclusion programs and practices;
- conducting criminal history checks to the extent permitted by applicable law, and if you receive an offer from us;
- protecting our legal rights to the extent authorized or permitted by law;
- emergency situations where the health or safety of one or more individuals may be endangered.
Our processing of your personal data for the purposes mentioned above is based:
- in part, on our legitimate business interest in evaluating your application to manage our relationship with you, to ensure that we recruit appropriate employees, and to evaluate and maintain the efficacy of our recruiting process more generally;
- in part, on our performing contractual and precontractual measures relating to our potential employment relationship with you;
- in part, on our complying with applicable law with regard to personal data necessary to satisfy our legal or regulatory obligations;
- in part, on your consent, if we collect sensitive personal data, to the extent permitted by applicable law.
If you accept an offer of employment with us, any relevant personal data collected during your pre-employment period will become part of your personnel records and will be retained in accordance with the privacy notice applicable to our employees, which will be provided during the on-boarding process.
If we do not employ you, we may nevertheless continue to retain and use your personal data for a period of time for system administration purposes, to consider you for potential future roles, and to perform research. Thereafter, we retain a minimal amount of your personal data to record your recruiting activity with us. It’s your right to withdraw your consent at any time, by contacting us at privacy@fintechlegalcenter.eu.
Confidentiality
All our employees are subject to strict confidentiality, including the processing of personal data.
Erasure
We process your information for as long as it is necessary to fulfil the purpose of the processing.
Client management, case management and money laundering
In connection with client management, case management and professional advice, FLC generally stores your information for five years from the end of the year in which the case was closed, unless otherwise required according to legislation or in case of original documents.
If no case has been created and we have registered information about you only in connection with creating a possible relationship, we will store your information for up to six months after ending the correspondence.
Information for money laundering control and counter-terrorist financing purposes is stored for five years after the case is closed pursuant to the money laundering legislation.
Business operations
Information about you as a supplier or cooperating partner is stored for up to five years after the end of the year during which the delivery took place or the cooperation was terminated.
Marketing and website
FLC stores your information for up to two years after you have participated in an event or unsubscribed to our newsletter. For deletion of cookies, please refer to our Cookie Policy.
Visitors
FLC stores your information for up to six months after you have entered our premises.
Rights
As a data subject, you have certain rights according to the GDPR when your personal data are being processed. Below is a specification of your rights when we process personal data about you.
If you want to exercise one or more of your rights as a data subject, you must contact us in writing via the email address indicated above. Please state your full name and your e-mail address. You may be requested to provide further identification.
In general, you can exercise your rights at any time. However, exercising your rights must not affect the rights and freedoms of others and in such an event, we may therefore refuse to comply with your rights wholly or in part.
Right of access
As a data subject, you have the right to obtain access to your personal data being processed by FLC. By contacting FLC, you can obtain information about the categories of personal data that we as a data controller are processing about you, the purpose of the processing, the recipients to whom the personal data have been disclosed, etc.
If you request further copies of the personal data undergoing processing, we may charge a fee. If the inquiry is manifestly unfounded or excessive, we may either charge a fee for providing the information or reject your request.
Right to rectification
You have the right to obtain rectification of your personal data if these are inaccurate or misleading. If we do not agree that the data are inaccurate, however, we are not obliged to correct them, but to add that you as a data subject do not think that the data are correct.
Right to erasure
In certain cases, you have the right to obtain erasure of your personal data if FLC no longer has a purpose in processing your personal data or you object to the processing of your personal data for the purposes of direct marketing or pursuant to Article 6(1)(f) of the GDPR. If FLC can demonstrate overriding legitimate grounds for the processing that override your interests, rights and freedoms, or the processing is necessary for a legal claim to be established, exercised or defended, however, FLC is not obliged to erase your personal data.
Right to restriction of processing
In certain cases, you have the right to obtain restriction of processing of your personal data, e.g. if you contest the accuracy of the personal data collected about you or if you have objected to the processing of your personal data based on legitimate interests pursuant to Article 6(1)(f) of the GDPR. In such an event, FLC will only store your personal data until your objection has been considered. If we lift the restriction of our processing of your personal data, you will be notified in advance.
Right to object
On grounds relating to your particular situation, you have the right to object to FLC’s processing of your personal data, if the processing is based on legitimate interests, see Article 6(1)(f) of the GDPR. If you object to FLC’s processing of your personal data, we are no longer entitled to process your personal data, unless we can demonstrate overriding legitimate grounds for the continued processing that override your interests, rights or freedoms, or the processing is necessary for a legal claim to be established, exercised or defended.
You always have the right to object to the processing of your personal data if the processing takes place for the purposes of direct marketing.
Right to data portability
In certain cases, you have the right to receive your personal data in a structured, commonly used and machine-readable format and to have those data transmitted from one data controller to another data controller. This right applies only when the processing of your personal data is based on a contract pursuant to Article 6(1)(b) of the GDPR or your consent, see Article 6(1)(a) of the GDPR.
Right not to be subject to a decision based solely on automated processing, including profiling
Your personal data are not subject to decisions based solely on automated processing, including profiling.
Right to withdraw your consent
To the extent that we process your personal data based on your consent, you can always withdraw your consent to any future processing. You can withdraw your consent by sending an email to privacy@fintechlegalcenter.eu.
Lodge a complaint with a supervisory authority
As a data subject, you can lodge a complaint with FLC as a data controller if you are not satisfied with the way that we process your personal data. You can find our contact information above.
You can always lodge a complaint with the Estonian Data Protection Inspectorate (www.aki.ee; Tatari tn 39, 10134 Tallinn, Estonia; phone +372 627 4135; email info@aki.ee).
Changes to this Privacy Policy
This Privacy Policy will be updated on an ongoing basis so that it is always up-to-date. Below you can always find the date of the last updated version of this Privacy Policy.
Last update: 26.01.2024.